Bug 15765 - Fix heap-user-after-free with association groups
Summary: Fix heap-user-after-free with association groups
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes (show other bugs)
Version: 4.20.1
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-12-10 10:07 UTC by Andreas Schneider
Modified: 2025-01-06 15:34 UTC (History)
1 user (show)

See Also:


Attachments
patch for 4.21/4.20 (24.56 KB, patch)
2024-12-12 08:11 UTC, Andreas Schneider
metze: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Schneider 2024-12-10 10:07:30 UTC
Fix heap-user-after-free with association groups.

==381007==ERROR: AddressSanitizer: heap-use-after-free on address 0x50d000004f80 at pc 0x7f15fc12e0ac bp 0x7ffe43267780 sp 0x7ffe43267778
READ of size 8 at 0x50d000004f80 thread T0
    #0 0x7f15fc12e0ab in dcesrv_iface_state_destructor ../../librpc/rpc/dcesrv_handles.c:166
    #1 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158
    #2 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #3 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #4 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #5 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #6 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #7 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #8 0x7f15fc0f924c in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #9 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792
    #10 0x7f15fadac024 in ncacn_terminate_connection ../../source3/rpc_server/rpc_server.c:263
    #11 0x7f15fadac024 in dcesrv_transport_terminate_connection ../../source3/rpc_server/rpc_server.c:251
    #12 0x7f15fc11e5ef in dcesrv_terminate_connection ../../librpc/rpc/dcesrv_core.c:2968
    #13 0x7f15fc125446 in dcesrv_read_fragment_done ../../librpc/rpc/dcesrv_core.c:3196
    #14 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #15 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #16 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #17 0x7f15fb4f69a1 in _tevent_req_nterror ../../lib/util/tevent_ntstatus.c:46
    #18 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done ../../librpc/rpc/dcerpc_util.c:612
    #19 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #20 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #21 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #22 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #23 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #24 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #25 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #26 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #27 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #28 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #29 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #30 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler ../../libcli/named_pipe_auth/npa_tstream.c:697
    #31 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #32 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #33 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #34 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #35 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #36 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #37 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #38 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #39 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #40 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #41 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #42 0x7f15fbff9691 in tstream_bsd_readv_handler ../../lib/tsocket/tsocket_bsd.c:2080
    #43 0x7f15fbff6f85 in tstream_bsd_fde_handler ../../lib/tsocket/tsocket_bsd.c:1764
    #44 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174
    #45 0x7f15fb7ef185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696
    #46 0x7f15fb7ef185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926
    #47 0x7f15fb7e77b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #48 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
    #49 0x7f15fc936b7c in rpc_worker_main ../../source3/rpc_server/rpc_worker.c:1249
    #50 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132
    #51 0x7f15f7c2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #52 0x7f15f7c2a378 in __libc_start_main_impl ../csu/libc-start.c:360
    #53 0x5632ae162e64 in _start ../sysdeps/x86_64/start.S:115

0x50d000004f80 is located 112 bytes inside of 136-byte region [0x50d000004f10,0x50d000004f98)
freed by thread T0 here:
    #0 0x7f15fcefb418 in free ../../../../libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7f15fc0f857d in _tc_free_internal ../../lib/talloc/talloc.c:1222
    #2 0x7f15fc0f8d0f in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #3 0x7f15fc0f8d0f in talloc_unlink ../../lib/talloc/talloc.c:1473
    #4 0x7f15fc934580 in rpc_worker_connection_terminated ../../source3/rpc_server/rpc_worker.c:143
    #5 0x7f15fc9310bd in dcesrv_connection_destructor ../../source3/rpc_server/rpc_worker.c:175
    #6 0x7f15fc0f7d76 in _tc_free_internal ../../lib/talloc/talloc.c:1158
    #7 0x7f15fc0f7acd in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #8 0x7f15fc0f7acd in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #9 0x7f15fc0f924c in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #10 0x7f15fc0f924c in _talloc_free ../../lib/talloc/talloc.c:1792
    #11 0x7f15fadac024 in ncacn_terminate_connection ../../source3/rpc_server/rpc_server.c:263
    #12 0x7f15fadac024 in dcesrv_transport_terminate_connection ../../source3/rpc_server/rpc_server.c:251
    #13 0x7f15fc11e5ef in dcesrv_terminate_connection ../../librpc/rpc/dcesrv_core.c:2968
    #14 0x7f15fc125446 in dcesrv_read_fragment_done ../../librpc/rpc/dcesrv_core.c:3196
    #15 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #16 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #17 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #18 0x7f15fb4f69a1 in _tevent_req_nterror ../../lib/util/tevent_ntstatus.c:46
    #19 0x7f15fabda2f4 in dcerpc_read_ncacn_packet_done ../../librpc/rpc/dcerpc_util.c:612
    #20 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #21 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #22 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #23 0x7f15fbff4228 in tstream_readv_pdu_readv_done ../../lib/tsocket/tsocket_helpers.c:313
    #24 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #25 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #26 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #27 0x7f15fbff1800 in tstream_readv_done ../../lib/tsocket/tsocket.c:593
    #28 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #29 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234
    #30 0x7f15fb7dcdb7 in _tevent_req_error ../../lib/tevent/tevent_req.c:252
    #31 0x7f15fadbc1a3 in tstream_npa_readv_msg_mode_handler ../../libcli/named_pipe_auth/npa_tstream.c:697
    #32 0x7f15fb7dcae5 in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177
    #33 0x7f15fb7dcd1c in tevent_req_finish ../../lib/tevent/tevent_req.c:234

previously allocated by thread T0 here:
    #0 0x7f15fcefc777 in malloc ../../../../libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f15fc0fbc57 in __talloc_with_prefix ../../lib/talloc/talloc.c:783
    #2 0x7f15fc0fd8cf in __talloc ../../lib/talloc/talloc.c:825
    #3 0x7f15fc0fd8cf in _talloc_named_const ../../lib/talloc/talloc.c:982
    #4 0x7f15fc0fd8cf in _talloc_zero ../../lib/talloc/talloc.c:2421
    #5 0x7f15fc93156e in rpc_worker_assoc_group_new ../../source3/rpc_server/rpc_worker.c:681
    #6 0x7f15fc93156e in rpc_worker_assoc_group_find ../../source3/rpc_server/rpc_worker.c:730
    #7 0x7f15fc120a18 in dcesrv_bind ../../librpc/rpc/dcesrv_core.c:1158
    #8 0x7f15fc120a18 in dcesrv_process_ncacn_packet ../../librpc/rpc/dcesrv_core.c:2324
    #9 0x7f15fc120a18 in dcesrv_loop_next_packet ../../librpc/rpc/dcesrv_core.c:3222
    #10 0x7f15fc933722 in rpc_worker_new_client ../../source3/rpc_server/rpc_worker.c:489
    #11 0x7f15fc933722 in rpc_worker_new_client_filter ../../source3/rpc_server/rpc_worker.c:558
    #12 0x7f15fbef95ca in messaging_dispatch_waiters ../../source3/lib/messages.c:1343
    #13 0x7f15fbefb589 in messaging_dispatch_rec ../../source3/lib/messages.c:1371
    #14 0x7f15fbefb589 in messaging_recv_cb ../../source3/lib/messages.c:431
    #15 0x7f15faddba9e in msg_dgm_ref_recv ../../lib/messaging/messages_dgm_ref.c:144
    #16 0x7f15fadd6cc3 in messaging_dgm_recv ../../lib/messaging/messages_dgm.c:1426
    #17 0x7f15fadd7618 in messaging_dgm_read_handler ../../lib/messaging/messages_dgm.c:1316
    #18 0x7f15fb7d9ac1 in tevent_common_invoke_fd_handler ../../lib/tevent/tevent_fd.c:174
    #19 0x7f15fb7ef185 in epoll_event_loop ../../lib/tevent/tevent_epoll.c:696
    #20 0x7f15fb7ef185 in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:926
    #21 0x7f15fb7e77b8 in std_event_loop_once ../../lib/tevent/tevent_standard.c:110
    #22 0x7f15fb7d7549 in _tevent_loop_once ../../lib/tevent/tevent.c:820
    #23 0x7f15fc936b7c in rpc_worker_main ../../source3/rpc_server/rpc_worker.c:1249
    #24 0x5632ae1e1ec3 in main ../../source3/rpc_server/rpcd_lsad.c:132
    #25 0x7f15f7c2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Comment 1 Stefan Metzmacher 2024-12-11 17:10:20 UTC
Just as reminder the problem can be reproduced using the following diff
(on top of the fixes):

@@ -177,7 +177,7 @@ void dcesrv_assoc_group_common_destructor(struct dcesrv_assoc_group *assoc_group
 
        for (cur = assoc_group->iface_states; cur != NULL; cur = next) {
                next = cur->next;
-               cur->assoc = NULL;
+               cur->assoc += 1000000000; //NULL;
                DLIST_REMOVE(assoc_group->iface_states, cur);
        }
 }


And running:

make test FAIL_IMMEDIATELY=1 TESTS='netlogon.*nt4_dc'
Comment 2 Samba QA Contact 2024-12-12 07:23:04 UTC
This bug was referenced in samba master:

5b929860e269e2968a0ec3759a6125ae990b43c3
627a7857844804a29c6612df5da4605c94edb3f9
19657be71d7cec5ac58a5d6969dc1d6ae7c5b517
Comment 3 Andreas Schneider 2024-12-12 08:11:07 UTC
Created attachment 18508 [details]
patch for 4.21/4.20
Comment 4 Jule Anger 2024-12-16 09:47:30 UTC
Pushed to autobuild-v4-{21,20}-test.
Comment 5 Samba QA Contact 2024-12-16 17:37:03 UTC
This bug was referenced in samba v4-21-test:

f2ed20c201142f7f3443207e162f9c3a151f1f4f
b7d2e29c59aceab3f27fad473bb6ddf4efadc4af
aee855de33bbe60b42ff2a553223b98f87e9ad6e
Comment 6 Samba QA Contact 2024-12-18 09:52:03 UTC
This bug was referenced in samba v4-20-test:

34618ab0a5071a6bdea5167608c18c033a08f8d4
5920780965574b51af665aa262e2d30198639e29
ec098fbe840c82b30fef12c7de9e48cbcab1de7b
Comment 7 Jule Anger 2024-12-18 09:54:53 UTC
Closing out bug report.

Thanks!
Comment 8 Samba QA Contact 2025-01-06 15:34:44 UTC
This bug was referenced in samba v4-21-stable (Release samba-4.21.3):

f2ed20c201142f7f3443207e162f9c3a151f1f4f
b7d2e29c59aceab3f27fad473bb6ddf4efadc4af
aee855de33bbe60b42ff2a553223b98f87e9ad6e