Bug 15784 - Regression: stack-use-after-return in crypt_as_best_we_can()
Summary: Regression: stack-use-after-return in crypt_as_best_we_can()
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Python (show other bugs)
Version: 4.21.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Douglas Bagnall
QA Contact: Samba QA Contact
Reported: 2025-01-17 12:14 UTC by Andreas Schneider
Modified: 2025-01-23 15:16 UTC
Description Andreas Schneider 2025-01-17 12:14:46 UTC
=================================================================
==1142671==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f5701f00020 at pc 0x7f5704480b46 bp 0x7fff7949d6f0 sp 0x7fff7949ceb0
READ of size 64 at 0x7f5701f00020 thread T0
    #0 0x7f5704480b45 in strlen ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:391
    #1 0x7f5702b489cc in talloc_crypt_blob ../../lib/util/util_crypt.c:84
    #2 0x7f5702b553d8 in py_crypt ../../python/pyglue.c:548
    #3 0x7f5703fd047f  (/lib64/libpython3.11.so.1.0+0x1d047f) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #4 0x7f5703fb490e in _PyObject_MakeTpCall (/lib64/libpython3.11.so.1.0+0x1b490e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #5 0x7f5703fbd272 in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1bd272) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #6 0x7f5703fb969e  (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #7 0x7f570403f187 in PyEval_EvalCode (/lib64/libpython3.11.so.1.0+0x23f187) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #8 0x7f570405587c  (/lib64/libpython3.11.so.1.0+0x25587c) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #9 0x7f5703fc9145  (/lib64/libpython3.11.so.1.0+0x1c9145) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #10 0x7f5703fc0c5d in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c0c5d) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #11 0x7f5703fb969e  (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #12 0x7f5703fcfc75  (/lib64/libpython3.11.so.1.0+0x1cfc75) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #13 0x7f5703ff0dff in PyObject_CallMethodObjArgs (/lib64/libpython3.11.so.1.0+0x1f0dff) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #14 0x7f5703ff09a2 in PyImport_ImportModuleLevelObject (/lib64/libpython3.11.so.1.0+0x1f09a2) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #15 0x7f5703fc24df in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c24df) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #16 0x7f5703fb969e  (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #17 0x7f570403f187 in PyEval_EvalCode (/lib64/libpython3.11.so.1.0+0x23f187) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #18 0x7f570405587c  (/lib64/libpython3.11.so.1.0+0x25587c) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #19 0x7f5703fc9145  (/lib64/libpython3.11.so.1.0+0x1c9145) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #20 0x7f5703fc0c5d in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c0c5d) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #21 0x7f5703fb969e  (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #22 0x7f5703fcfc75  (/lib64/libpython3.11.so.1.0+0x1cfc75) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #23 0x7f5703ff0dff in PyObject_CallMethodObjArgs (/lib64/libpython3.11.so.1.0+0x1f0dff) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #24 0x7f5703ff09a2 in PyImport_ImportModuleLevelObject (/lib64/libpython3.11.so.1.0+0x1f09a2) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #25 0x7f5703fc24df in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c24df) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #26 0x7f5703fb969e  (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #27 0x7f570403f187 in PyEval_EvalCode (/lib64/libpython3.11.so.1.0+0x23f187) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #28 0x7f570405587c  (/lib64/libpython3.11.so.1.0+0x25587c) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #29 0x7f5703fc9145  (/lib64/libpython3.11.so.1.0+0x1c9145) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #30 0x7f5703fc0c5d in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c0c5d) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #31 0x7f5703fb969e  (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #32 0x7f5703fcfc75  (/lib64/libpython3.11.so.1.0+0x1cfc75) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #33 0x7f5703ff0dff in PyObject_CallMethodObjArgs (/lib64/libpython3.11.so.1.0+0x1f0dff) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #34 0x7f5703ff09a2 in PyImport_ImportModuleLevelObject (/lib64/libpython3.11.so.1.0+0x1f09a2) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #35 0x7f5703fc24df in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c24df) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #36 0x7f5703fb969e  (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #37 0x7f570403f187 in PyEval_EvalCode (/lib64/libpython3.11.so.1.0+0x23f187) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #38 0x7f570405587c  (/lib64/libpython3.11.so.1.0+0x25587c) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #39 0x7f5703fc9145  (/lib64/libpython3.11.so.1.0+0x1c9145) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #40 0x7f5703fc0c5d in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c0c5d) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #41 0x7f5703fb969e  (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #42 0x7f5703fcfc75  (/lib64/libpython3.11.so.1.0+0x1cfc75) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #43 0x7f5703ff0dff in PyObject_CallMethodObjArgs (/lib64/libpython3.11.so.1.0+0x1f0dff) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #44 0x7f5703ff09a2 in PyImport_ImportModuleLevelObject (/lib64/libpython3.11.so.1.0+0x1f09a2) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #45 0x7f5703fc9145  (/lib64/libpython3.11.so.1.0+0x1c9145) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #46 0x7f5703fc8702 in PyObject_Vectorcall (/lib64/libpython3.11.so.1.0+0x1c8702) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #47 0x7f5703fbd272 in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1bd272) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #48 0x7f5703fb969e  (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #49 0x7f5704009f47  (/lib64/libpython3.11.so.1.0+0x209f47) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #50 0x7f5704009e67  (/lib64/libpython3.11.so.1.0+0x209e67) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #51 0x7f5703fbdb21 in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1bdb21) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #52 0x7f5703fb969e  (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #53 0x7f5703ff12e6  (/lib64/libpython3.11.so.1.0+0x1f12e6) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #54 0x7f5703fc0c5d in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c0c5d) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #55 0x7f5703fb969e  (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #56 0x7f5703fc0c5d in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c0c5d) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #57 0x7f5703fb969e  (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #58 0x7f570403f187 in PyEval_EvalCode (/lib64/libpython3.11.so.1.0+0x23f187) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #59 0x7f570405b15c  (/lib64/libpython3.11.so.1.0+0x25b15c) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #60 0x7f5704057849  (/lib64/libpython3.11.so.1.0+0x257849) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #61 0x7f570406d941  (/lib64/libpython3.11.so.1.0+0x26d941) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #62 0x7f570406d0e2 in _PyRun_SimpleFileObject (/lib64/libpython3.11.so.1.0+0x26d0e2) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #63 0x7f570406cd93 in _PyRun_AnyFileObject (/lib64/libpython3.11.so.1.0+0x26cd93) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #64 0x7f5704066619 in Py_RunMain (/lib64/libpython3.11.so.1.0+0x266619) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #65 0x7f570402ee26 in Py_BytesMain (/lib64/libpython3.11.so.1.0+0x22ee26) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #66 0x7f5703a2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #67 0x7f5703a2a378 in __libc_start_main_impl ../csu/libc-start.c:360
    #68 0x5634a11d6074 in _start (/usr/bin/python3.11+0x1074) (BuildId: bd8bb468217777c56c1cf4c11e50cbf7b7969ecc)

Address 0x7f5701f00020 is located in stack of thread T0 at offset 32 in frame
    #0 0x7f5702b48578 in crypt_as_best_we_can ../../lib/util/util_crypt.c:11

  This frame has 1 object(s):
    [32, 32800) 'crypt_data' (line 16) <== Memory access at offset 32 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:391 in strlen
Shadow bytes around the buggy address:
  0x7f5701effd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f5701effe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f5701effe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f5701efff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f5701efff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7f5701f00000: f5 f5 f5 f5[f5]f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f5701f00080: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f5701f00100: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f5701f00180: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f5701f00200: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f5701f00280: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1142671==ABORTING
Comment 1 Andreas Schneider 2025-01-17 12:30:35 UTC
Looks like the return value of crypt_r(n) points into the stack variable `crypt_data`!

Which makes sense in a thread-safe environment. I missed that during review.

Either we pass down a struct holding `struct crypt_data` to crypt_as_best_we_can() and use that, or pass down a talloc context and duplicate hash!
Comment 2 Andreas Schneider 2025-01-17 12:31:13 UTC
I created an MR duplicating the hash in crypt_as_best_we_can().
Comment 3 Douglas Bagnall 2025-01-17 20:59:52 UTC
(In reply to Andreas Schneider from comment #2)
Oh yeah.

I'll put this into the backport for bug 15756, which hasn't gone through due to other mistakes I made that week.
Comment 4 Samba QA Contact 2025-01-17 23:22:03 UTC
This bug was referenced in samba master:

6cd9849b58ec653cbffc602e3c96996a082faf53
Comment 5 Samba QA Contact 2025-01-23 15:16:21 UTC
This bug was referenced in samba v4-21-test:

f3518ee95b6f56bf96deca09cd6b74d817485853