Bug 15803 - smbd segfault in smb2_lease_key_equal()
Summary: smbd segfault in smb2_lease_key_equal()
Status: ASSIGNED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.20.7
Hardware: All
OS: All
Importance: P5 regression
Target Milestone: ---
Assignee: Ralph Böhme
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
Reported: 2025-02-10 12:15 UTC by Richard Schütz
Modified: 2025-02-11 09:19 UTC
See Also:
Description Richard Schütz 2025-02-10 12:15:21 UTC
After upgrading from 4.20.6 to 4.20.7, smbd regularly segfaults in smb2_lease_key_equal(). Considering the call stack, the patches included for bug 15697 look suspicious.

#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fbbd96a4859 in __GI_abort () at abort.c:79
#2  0x00007fbbd9ba29b8 in dump_core () at ../../source3/lib/dumpcore.c:338
#3  0x00007fbbd9bb0248 in smb_panic_s3 (why=<optimized out>) at ../../source3/lib/util.c:720
#4  0x00007fbbd98d3db8 in smb_panic (why=why@entry=0x7ffd503bfcd0 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:209
#5  0x00007fbbd98d3e44 in fault_report (sig=11) at ../../lib/util/fault.c:83
#6  sig_fault (sig=11) at ../../lib/util/fault.c:94
#7  <signal handler called>
#8  0x00007fbbd90b853c in smb2_lease_key_equal (k1=k1@entry=0x18, k2=k2@entry=0x7ffd503c04c8) at ../../libcli/smb/smb2_lease.c:93
#9  0x00007fbbd90b858d in smb2_lease_equal (g1=<optimized out>, k1=k1@entry=0x18, g2=g2@entry=0x7ffd503c04b4, k2=k2@entry=0x7ffd503c04c8) at ../../libcli/smb/smb2_lease.c:101
#10 0x00007fbbd9d727cd in delay_rename_lease_break_fn (e=0x7ffd503c0490, private_data=0x7ffd503c05c0) at ../../source3/smbd/smb2_setinfo.c:202
#11 0x00007fbbd9cd7237 in share_mode_forall_leases_fn (e=e@entry=0x7ffd503c0490, modified=modified@entry=0x7ffd503c042f, private_data=private_data@entry=0x7ffd503c0560) at ../../source3/locking/locking.c:1327
#12 0x00007fbbd9ce4d95 in share_mode_for_one_entry (writeback=<synthetischer Zeiger>, num_share_modes=<synthetischer Zeiger>, data=0x5623991d635f "\362\302=", i=<synthetischer Zeiger>, private_data=0x7ffd503c0560,
    fn=0x7fbbd9cd7131 <share_mode_forall_leases_fn>) at ../../source3/locking/share_mode_lock.c:2161
#13 share_mode_forall_entries (lck=lck@entry=0x5623991abae0, fn=fn@entry=0x7fbbd9cd7131 <share_mode_forall_leases_fn>, private_data=private_data@entry=0x7ffd503c0560) at ../../source3/locking/share_mode_lock.c:2265
#14 0x00007fbbd9cd93d4 in share_mode_forall_leases (lck=lck@entry=0x5623991abae0, fn=fn@entry=0x7fbbd9d72790 <delay_rename_lease_break_fn>, private_data=private_data@entry=0x7ffd503c05c0) at ../../source3/locking/locking.c:1344
#15 0x00007fbbd9d723c4 in delay_rename_for_lease_break (req=req@entry=0x5623991e5ca0, smb2req=smb2req@entry=0x5623991e3850, ev=ev@entry=0x5623991699c0, fsp=fsp@entry=0x5623991e3010, lck=lck@entry=0x5623991abae0, data=0x5623991ba190 "\001",
    data_size=92) at ../../source3/smbd/smb2_setinfo.c:245
#16 0x00007fbbd9d731a6 in smbd_smb2_setinfo_send (in_additional_information=<optimized out>, in_input_buffer=..., in_file_info_class=<optimized out>, in_info_type=<optimized out>, fsp=0x5623991e3010, smb2req=0x5623991e3850,
    ev=0x5623991699c0, mem_ctx=0x5623991e3850) at ../../source3/smbd/smb2_setinfo.c:491
#17 smbd_smb2_request_process_setinfo (req=req@entry=0x5623991e3850) at ../../source3/smbd/smb2_setinfo.c:112
#18 0x00007fbbd9d57b7f in smbd_smb2_request_dispatch (req=req@entry=0x5623991e3850) at ../../source3/smbd/smb2_server.c:3580
#19 0x00007fbbd9d57e43 in smbd_smb2_request_dispatch_immediate (ctx=<optimized out>, im=<optimized out>, private_data=<optimized out>) at ../../source3/smbd/smb2_server.c:3908
#20 0x00007fbbd9ad0970 in tevent_common_invoke_immediate_handler (im=0x5623991e0670, removed=removed@entry=0x0) at ../../lib/tevent/tevent_immediate.c:190
#21 0x00007fbbd9ad0995 in tevent_common_loop_immediate (ev=ev@entry=0x5623991699c0) at ../../lib/tevent/tevent_immediate.c:236
#22 0x00007fbbd9ad7a55 in epoll_event_loop_once (ev=0x5623991699c0, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:904
#23 0x00007fbbd9ad4f72 in std_event_loop_once (ev=0x5623991699c0, location=0x7fbbd9e09f70 "../../source3/smbd/smb2_process.c:2128") at ../../lib/tevent/tevent_standard.c:110
#24 0x00007fbbd9acf6b7 in _tevent_loop_once (ev=ev@entry=0x5623991699c0, location=location@entry=0x7fbbd9e09f70 "../../source3/smbd/smb2_process.c:2128") at ../../lib/tevent/tevent.c:820
#25 0x00007fbbd9acf905 in tevent_common_loop_wait (ev=0x5623991699c0, location=0x7fbbd9e09f70 "../../source3/smbd/smb2_process.c:2128") at ../../lib/tevent/tevent.c:949
#26 0x00007fbbd9ad4f1c in std_event_loop_wait (ev=0x5623991699c0, location=0x7fbbd9e09f70 "../../source3/smbd/smb2_process.c:2128") at ../../lib/tevent/tevent_standard.c:141
#27 0x00007fbbd9acf965 in _tevent_loop_wait (ev=ev@entry=0x5623991699c0, location=location@entry=0x7fbbd9e09f70 "../../source3/smbd/smb2_process.c:2128") at ../../lib/tevent/tevent.c:968
#28 0x00007fbbd9d44882 in smbd_process (ev_ctx=0x5623991699c0, msg_ctx=<optimized out>, sock_fd=34, interactive=<optimized out>) at ../../source3/smbd/smb2_process.c:2128
#29 0x000056236b6a458b in smbd_accept_connection (ev=0x5623991699c0, fde=<optimized out>, flags=<optimized out>, private_data=<optimized out>) at ../../source3/smbd/server.c:1031
#30 0x00007fbbd9ad0418 in tevent_common_invoke_fd_handler (fde=0x5623991a4410, flags=<optimized out>, removed=removed@entry=0x0) at ../../lib/tevent/tevent_fd.c:174
#31 0x00007fbbd9ad7efc in epoll_event_loop (tvalp=0x7ffd503c0c40, epoll_ev=0x562399169b60) at ../../lib/tevent/tevent_epoll.c:696
#32 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent_epoll.c:926
#33 0x00007fbbd9ad4f72 in std_event_loop_once (ev=0x5623991699c0, location=0x56236b6a89f8 "../../source3/smbd/server.c:1373") at ../../lib/tevent/tevent_standard.c:110
#34 0x00007fbbd9acf6b7 in _tevent_loop_once (ev=ev@entry=0x5623991699c0, location=location@entry=0x56236b6a89f8 "../../source3/smbd/server.c:1373") at ../../lib/tevent/tevent.c:820
#35 0x00007fbbd9acf905 in tevent_common_loop_wait (ev=0x5623991699c0, location=0x56236b6a89f8 "../../source3/smbd/server.c:1373") at ../../lib/tevent/tevent.c:949
#36 0x00007fbbd9ad4f1c in std_event_loop_wait (ev=0x5623991699c0, location=0x56236b6a89f8 "../../source3/smbd/server.c:1373") at ../../lib/tevent/tevent_standard.c:141
#37 0x00007fbbd9acf965 in _tevent_loop_wait (ev=<optimized out>, location=<optimized out>) at ../../lib/tevent/tevent.c:968
#38 0x000056236b6a5e4f in smbd_parent_loop (parent=0x562399166460, ev_ctx=0x5623991699c0) at ../../source3/smbd/server.c:1373
#39 main (argc=<optimized out>, argv=<optimized out>) at ../../source3/smbd/server.c:2131
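The crashing frame above shows smb2_lease_key_equal() entered with k1=0x18: a tiny, non-NULL address that is characteristic of taking a member's address off a NULL base pointer (base 0 plus the member's offset). The page does not say which structure that offset belongs to, so the following is an added illustration of the general failure mode, not Samba's code: hypothetical `share_entry` and `lease_key` types in which the key sits at offset 0x18, a callee that trusts its arguments the way a comparison helper normally does, and a caller that validates the container before handing out a member pointer. The member offset is computed with offsetof() so the program never dereferences the bad address itself.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a 16-byte SMB2 lease key; not Samba's definition. */
struct lease_key {
    uint64_t data[2];
};

/* Hypothetical share-mode entry. The key is deliberately not the first member,
 * so its address lies at a non-zero offset (3 * 8 bytes = 0x18 on LP64). */
struct share_entry {
    uint64_t share_file_id;
    uint64_t open_time;
    uint64_t flags;
    struct lease_key lease_key;
};

/* A comparison helper written the usual way: it assumes both pointers are
 * valid. Handed a pointer into a NULL-based struct, the first read faults,
 * which is the shape of frame #8 in the backtrace above. */
static bool lease_key_equal(const struct lease_key *k1,
                            const struct lease_key *k2)
{
    return k1->data[0] == k2->data[0] && k1->data[1] == k2->data[1];
}

/* Reproduce the arithmetic behind a "k1=0x18" argument without touching
 * memory: NULL base + member offset gives a small non-NULL pointer, which
 * is why a NULL check on the member pointer alone would not catch it. */
uintptr_t bogus_key_address(void)
{
    const struct share_entry *e = NULL;
    return (uintptr_t)e + offsetof(struct share_entry, lease_key);
}

/* Hardened caller: reject a missing container before forming &e->lease_key,
 * so the helper is never reached with a pointer derived from NULL. */
int compare_entry_key(const struct share_entry *e,
                      const struct lease_key *wanted, bool *equal)
{
    if (e == NULL || wanted == NULL || equal == NULL) {
        return -1;  /* refuse the comparison instead of faulting in the callee */
    }
    *equal = lease_key_equal(&e->lease_key, wanted);
    return 0;
}

int main(void)
{
    struct share_entry e = { .share_file_id = 7, .lease_key = { { 1, 2 } } };
    struct lease_key want = { { 1, 2 } };
    bool eq = false;

    printf("member address with NULL base: 0x%lx\n",
           (unsigned long)bogus_key_address());
    printf("valid entry: rc=%d equal=%d\n",
           compare_entry_key(&e, &want, &eq), (int)eq);
    printf("NULL entry:  rc=%d\n", compare_entry_key(NULL, &want, &eq));
    return 0;
}
```

When triaging a trace like this one, the size of the faulting pointer is the clue: a value that equals a plausible struct offset points at the caller that formed the pointer, not at the comparison routine where the fault is reported.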
Comment 1 Ralph Böhme 2025-02-10 13:41:01 UTC
The fixes for bug 15608 fix this; unfortunately, those have not been backported yet. I have already done a backport for 4.21, 4.20 is next.
Comment 2 Ralph Böhme 2025-02-11 04:43:01 UTC
Would you be able to test the backport from bug 15608?
Comment 3 Richard Schütz 2025-02-11 09:19:49 UTC
I have applied the backported patches to 4.20.7-SerNet. So far there have been no new crashes.