=================================================================
==1142671==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f5701f00020 at pc 0x7f5704480b46 bp 0x7fff7949d6f0 sp 0x7fff7949ceb0
READ of size 64 at 0x7f5701f00020 thread T0
    #0 0x7f5704480b45 in strlen ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:391
    #1 0x7f5702b489cc in talloc_crypt_blob ../../lib/util/util_crypt.c:84
    #2 0x7f5702b553d8 in py_crypt ../../python/pyglue.c:548
    #3 0x7f5703fd047f (/lib64/libpython3.11.so.1.0+0x1d047f) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #4 0x7f5703fb490e in _PyObject_MakeTpCall (/lib64/libpython3.11.so.1.0+0x1b490e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #5 0x7f5703fbd272 in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1bd272) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #6 0x7f5703fb969e (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #7 0x7f570403f187 in PyEval_EvalCode (/lib64/libpython3.11.so.1.0+0x23f187) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #8 0x7f570405587c (/lib64/libpython3.11.so.1.0+0x25587c) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #9 0x7f5703fc9145 (/lib64/libpython3.11.so.1.0+0x1c9145) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #10 0x7f5703fc0c5d in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c0c5d) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #11 0x7f5703fb969e (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #12 0x7f5703fcfc75 (/lib64/libpython3.11.so.1.0+0x1cfc75) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #13 0x7f5703ff0dff in PyObject_CallMethodObjArgs (/lib64/libpython3.11.so.1.0+0x1f0dff) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #14 0x7f5703ff09a2 in PyImport_ImportModuleLevelObject (/lib64/libpython3.11.so.1.0+0x1f09a2) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #15 0x7f5703fc24df in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c24df) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #16 0x7f5703fb969e (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #17 0x7f570403f187 in PyEval_EvalCode (/lib64/libpython3.11.so.1.0+0x23f187) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #18 0x7f570405587c (/lib64/libpython3.11.so.1.0+0x25587c) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #19 0x7f5703fc9145 (/lib64/libpython3.11.so.1.0+0x1c9145) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #20 0x7f5703fc0c5d in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c0c5d) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #21 0x7f5703fb969e (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #22 0x7f5703fcfc75 (/lib64/libpython3.11.so.1.0+0x1cfc75) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #23 0x7f5703ff0dff in PyObject_CallMethodObjArgs (/lib64/libpython3.11.so.1.0+0x1f0dff) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #24 0x7f5703ff09a2 in PyImport_ImportModuleLevelObject (/lib64/libpython3.11.so.1.0+0x1f09a2) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #25 0x7f5703fc24df in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c24df) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #26 0x7f5703fb969e (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #27 0x7f570403f187 in PyEval_EvalCode (/lib64/libpython3.11.so.1.0+0x23f187) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #28 0x7f570405587c (/lib64/libpython3.11.so.1.0+0x25587c) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #29 0x7f5703fc9145 (/lib64/libpython3.11.so.1.0+0x1c9145) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #30 0x7f5703fc0c5d in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c0c5d) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #31 0x7f5703fb969e (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #32 0x7f5703fcfc75 (/lib64/libpython3.11.so.1.0+0x1cfc75) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #33 0x7f5703ff0dff in PyObject_CallMethodObjArgs (/lib64/libpython3.11.so.1.0+0x1f0dff) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #34 0x7f5703ff09a2 in PyImport_ImportModuleLevelObject (/lib64/libpython3.11.so.1.0+0x1f09a2) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #35 0x7f5703fc24df in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c24df) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #36 0x7f5703fb969e (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #37 0x7f570403f187 in PyEval_EvalCode (/lib64/libpython3.11.so.1.0+0x23f187) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #38 0x7f570405587c (/lib64/libpython3.11.so.1.0+0x25587c) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #39 0x7f5703fc9145 (/lib64/libpython3.11.so.1.0+0x1c9145) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #40 0x7f5703fc0c5d in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c0c5d) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #41 0x7f5703fb969e (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #42 0x7f5703fcfc75 (/lib64/libpython3.11.so.1.0+0x1cfc75) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #43 0x7f5703ff0dff in PyObject_CallMethodObjArgs (/lib64/libpython3.11.so.1.0+0x1f0dff) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #44 0x7f5703ff09a2 in PyImport_ImportModuleLevelObject (/lib64/libpython3.11.so.1.0+0x1f09a2) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #45 0x7f5703fc9145 (/lib64/libpython3.11.so.1.0+0x1c9145) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #46 0x7f5703fc8702 in PyObject_Vectorcall (/lib64/libpython3.11.so.1.0+0x1c8702) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #47 0x7f5703fbd272 in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1bd272) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #48 0x7f5703fb969e (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #49 0x7f5704009f47 (/lib64/libpython3.11.so.1.0+0x209f47) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #50 0x7f5704009e67 (/lib64/libpython3.11.so.1.0+0x209e67) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #51 0x7f5703fbdb21 in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1bdb21) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #52 0x7f5703fb969e (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #53 0x7f5703ff12e6 (/lib64/libpython3.11.so.1.0+0x1f12e6) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #54 0x7f5703fc0c5d in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c0c5d) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #55 0x7f5703fb969e (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #56 0x7f5703fc0c5d in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1c0c5d) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #57 0x7f5703fb969e (/lib64/libpython3.11.so.1.0+0x1b969e) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #58 0x7f570403f187 in PyEval_EvalCode (/lib64/libpython3.11.so.1.0+0x23f187) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #59 0x7f570405b15c (/lib64/libpython3.11.so.1.0+0x25b15c) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #60 0x7f5704057849 (/lib64/libpython3.11.so.1.0+0x257849) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #61 0x7f570406d941 (/lib64/libpython3.11.so.1.0+0x26d941) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #62 0x7f570406d0e2 in _PyRun_SimpleFileObject (/lib64/libpython3.11.so.1.0+0x26d0e2) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #63 0x7f570406cd93 in _PyRun_AnyFileObject (/lib64/libpython3.11.so.1.0+0x26cd93) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #64 0x7f5704066619 in Py_RunMain (/lib64/libpython3.11.so.1.0+0x266619) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #65 0x7f570402ee26 in Py_BytesMain (/lib64/libpython3.11.so.1.0+0x22ee26) (BuildId: 5347a868d2a98bca42035503437483549b29ee8d)
    #66 0x7f5703a2a2ad in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #67 0x7f5703a2a378 in __libc_start_main_impl ../csu/libc-start.c:360
    #68 0x5634a11d6074 in _start (/usr/bin/python3.11+0x1074) (BuildId: bd8bb468217777c56c1cf4c11e50cbf7b7969ecc)

Address 0x7f5701f00020 is located in stack of thread T0 at offset 32 in frame
    #0 0x7f5702b48578 in crypt_as_best_we_can ../../lib/util/util_crypt.c:11

  This frame has 1 object(s):
    [32, 32800) 'crypt_data' (line 16) <== Memory access at offset 32 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:391 in strlen
Shadow bytes around the buggy address:
  0x7f5701effd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f5701effe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f5701effe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f5701efff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7f5701efff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7f5701f00000: f5 f5 f5 f5[f5]f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f5701f00080: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f5701f00100: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f5701f00180: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f5701f00200: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7f5701f00280: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1142671==ABORTING
Looks like the return value of crypt_r(n) points into the stack variable `crypt_data`! Which makes sense in a thread-safe environment. I missed that during review. Either we pass down a struct holding `struct crypt_data` to crypt_as_best_we_can() and use that, or pass down a talloc context and duplicate hash!
I created an MR duplicating the hash in crypt_as_best_we_can()
(In reply to Andreas Schneider from comment #2) Oh yeah. I'll put this on into the backport for bug 15756, which hasn't gone through due to other mistakes I made that week.
This bug was referenced in samba master: 6cd9849b58ec653cbffc602e3c96996a082faf53
This bug was referenced in samba v4-21-test: f3518ee95b6f56bf96deca09cd6b74d817485853