Bug 4214 - smbd 3.0.21c up to 3.0.24-svn trash memory
smbd 3.0.21c up to 3.0.24-svn trash memory
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts
3.0.23c
All Linux
: P3 critical
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2006-11-08 05:29 UTC by Peter Marquardt
Modified: 2006-11-15 04:36 UTC (History)
0 users

See Also:


Attachments
level 10 logile string overflow WinXP -> OSF smbd (603.16 KB, text/plain)
2006-11-08 05:36 UTC, Peter Marquardt
no flags Details
simple valgrind log (39.90 KB, text/plain)
2006-11-08 06:36 UTC, Peter Marquardt
no flags Details
this is a tcpdump on the smbd-running machine while it crashed (6.38 KB, application/octet-stream)
2006-11-09 09:12 UTC, Peter Marquardt
no flags Details
Patch (759 bytes, patch)
2006-11-14 14:19 UTC, Jeremy Allison
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Peter Marquardt 2006-11-08 05:29:07 UTC
samba 3.0.21c, 3.0.23c and even 3.0.24pre1-SVN-build-19601 seem to trash memory
'somewhere' when accessing shares. First I thought it has something to to with
glibc 2.3.6 (as suspected in some other bugreports) but then I found this in my
winxp-client-logfile on OSF samba:


[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 1 in safe_strcat [-1]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 10 in safe_strcat [-537783676]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 2 in safe_strcat [-1]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 2 in safe_strcat [-0]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 2 in safe_strcat [-0]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 11 in safe_strcat [-1076392016]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
[...]
[2006/11/07 13:00:33, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/07 13:00:33, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 32448 (3.0.23c)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/07 13:00:33, 0] lib/fault.c:fault_report(44)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/07 13:00:33, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/07 13:00:33, 0] lib/util.c:smb_panic(1591)
  PANIC (pid 32448): internal error
[2006/11/07 13:00:33, 0] lib/util.c:log_stack_trace(1749)
  unable to produce a stack trace on this platform
[2006/11/07 13:00:33, 0] lib/fault.c:dump_core(173)
  dumping core in /var/samba/cores/smbd


This is a Digital Unix OSF 4.0f box running definitly NO glibc 8-)

root@warthole# gdb /usr/local/samba/bin/smbd core 
GNU gdb 5.2.1
This GDB was configured as "alpha-dec-osf4"...
Core was generated by `smbd'.
Program terminated with signal 6, Aborted.
[...]
#0  0x3ff800e9b78 in kill () from /usr/shlib/libc.so
(gdb) bt
#0  0x3ff800e9b78 in kill () from /usr/shlib/libc.so
#1  0x3ff801a508c in tis_lock_global () from /usr/shlib/libc.so
#2  0x3ff80112014 in tis_raise () from /usr/shlib/libc.so
#3  0x3ff8015f6d4 in raise () from /usr/shlib/libc.so
#4  0x3ff801766ec in abort () from /usr/shlib/libc.so
#5  0x12024b18c in dump_core () at lib/fault.c:5
#6  0x120267058 in log_stack_trace () at lib/util.c:5



since I didn't expect it to crash I had no --enable-debug-version on osf.


here is now a freshly built 3.0.23c with debug, no debuglevel:

[2006/11/08 12:08:07, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 8 in safe_strcat [-1650601842]
[2006/11/08 12:08:10, 1] smbd/service.c:make_connection_snum(941)
  waldi (141.14.22.101) connect to service mamepimages initially as user imgdata (uid=1087, gid=372) (pid 506

I'll attach the corresponding level 10 logfile.



On our linux-boxes it is even more mystical:




[2006/11/07 17:20:08, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2006/11/07 17:20:08, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2006/11/07 17:20:08, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/07 17:20:08, 11] passdb/lookup_sid.c:sid_to_gid(1347)
  sid_to_gid: no one knows the SID S-1-22-1-1087 (tried local, then winbind)
[2006/11/07 17:20:08, 10] smbd/service.c:make_connection_snum(750)
  Could not convert SID S-1-22-1-1087 to gid, ignoring it
[2006/11/07 17:20:08, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/07 17:20:08, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 16945 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/07 17:20:08, 0] lib/fault.c:fault_report(44)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/07 17:20:08, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/07 17:20:08, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 16945): internal error
[2006/11/07 17:20:08, 0] lib/util.c:log_stack_trace(1709)
  BACKTRACE: 16 stack frames:
   #0 /usr/local/samba/bin/smbd(log_stack_trace+0x1c) [0x555555809058]
   #1 /usr/local/samba/bin/smbd(smb_panic+0x7e) [0x555555808eae]
   #2 /usr/local/samba/bin/smbd [0x5555557f10a3]
   #3 /usr/local/samba/bin/smbd [0x5555557f10b6]
   #4 /lib/libc.so.6 [0x2b0567c3d680]
   #5 /usr/local/samba/bin/smbd(Debug1+0x22c) [0x5555557f0a8e]
   #6 /usr/local/samba/bin/smbd(dbghdr+0x163) [0x5555557f0d63]
   #7 /usr/local/samba/bin/smbd(make_connection+0x856) [0x555555677e01]
   #8 /usr/local/samba/bin/smbd(reply_tcon_and_X+0x3fb) [0x555555623a1a]
   #9 /usr/local/samba/bin/smbd [0x555555672bc5]
   #10 /usr/local/samba/bin/smbd [0x555555672c83]
   #11 /usr/local/samba/bin/smbd [0x555555672eda]
   #12 /usr/local/samba/bin/smbd(smbd_process+0x144) [0x555555674193]
   #13 /usr/local/samba/bin/smbd(main+0x953) [0x5555559d8121]
   #14 /lib/libc.so.6(__libc_start_main+0xd3) [0x2b0567c2b493]
   #15 /usr/local/samba/bin/smbd [0x5555555e075a]




here's another one:



[2006/11/08 09:59:57, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/11/08 09:59:57, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/08 09:59:57, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/11/08 09:59:57, 3] smbd/uid.c:push_conn_ctx(350)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/11/08 09:59:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/11/08 09:59:57, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/11/08 09:59:57, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/11/08 09:59:57, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-1-1087]
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-372]
[2006/11/08 09:59:57, 5] lib/privileges.c:get_privileges_for_sids(459)
  get_privileges_for_sids: sid = S-1-1-0
  Privilege set:
  SE_PRIV  0x0 0x0 0x0 0x0
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/08 09:59:57, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/08 09:59:57, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 22811 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/08 09:59:57, 0] lib/fault.c:fault_report(44)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/08 09:59:57, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/08 09:59:57, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 22811): internal error
[2006/11/08 09:59:57, 0] lib/util.c:log_stack_trace(1709)
  BACKTRACE: 16 stack frames:
   #0 /usr/local/samba/bin/smbd(log_stack_trace+0x1c) [0x555555809058]
   #1 /usr/local/samba/bin/smbd(smb_panic+0x7e) [0x555555808eae]
   #2 /usr/local/samba/bin/smbd [0x5555557f10a3]
   #3 /usr/local/samba/bin/smbd [0x5555557f10b6]
   #4 /lib/libc.so.6 [0x2b0567c3d680]
   #5 /usr/local/samba/bin/smbd(Debug1+0x22c) [0x5555557f0a8e]
   #6 /usr/local/samba/bin/smbd(dbghdr+0x163) [0x5555557f0d63]
   #7 /usr/local/samba/bin/smbd(make_connection+0x856) [0x555555677e01]
   #8 /usr/local/samba/bin/smbd(reply_tcon_and_X+0x3fb) [0x555555623a1a]
   #9 /usr/local/samba/bin/smbd [0x555555672bc5]
   #10 /usr/local/samba/bin/smbd [0x555555672c83]
   #11 /usr/local/samba/bin/smbd [0x555555672eda]
   #12 /usr/local/samba/bin/smbd(smbd_process+0x144) [0x555555674193]
   #13 /usr/local/samba/bin/smbd(main+0x953) [0x5555559d8121]
   #14 /lib/libc.so.6(__libc_start_main+0xd3) [0x2b0567c2b493]
   #15 /usr/local/samba/bin/smbd [0x5555555e075a]
[2006/11/08 09:59:57, 0] lib/util.c:smb_panic(1610)
  smb_panic(): calling panic action [/bin/sleep 90000]



The error messages differ.. on an x86_64 system, running 3.0.21c, 3.0.23c and even
3.0.24pre1-SVN we find this in the logs:



[2006/11/07 11:51:51, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/07 11:51:51, 11] passdb/lookup_sid.c:sid_to_gid(1347)
*** glibc detected *** malloc(): memory corruption: 0x0000555555db12d0 ***
  sid_to_gid: no one knows the SID S-1-22-1-1087 (tried local, then winbind)



[2006/11/07 12:47:56, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
*** glibc detected *** malloc(): memory corruption: 0x0000555555dc7240 ***



[2006/11/07 14:16:03, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/07 14:16:03, 0] lib/fault.c:fault_report(41)
*** glibc detected *** malloc(): memory corruption: 0x0000555555db12c0 ***



[2006/11/07 14:37:25, 10] smbd/service.c:make_connection_snum(750)
  Could not convert SID S-1-22-1-1087 to gid, ignoring it
[2006/11/07 14:37:25, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/07 14:37:25, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 28350 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/07 14:37:25, 0] lib/fault.c:fault_report(44)
    From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/07 14:37:25, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/07 14:37:25, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 28350): internal error
*** glibc detected *** corrupted double-linked list: 0x0000555555dcbed0 ***




[2006/11/07 16:18:54, 11] passdb/lookup_sid.c:sid_to_gid(1347)
  sid_to_gid: no one knows the SID S-1-22-1-1087 (tried local, then winbind)
[2006/11/07 16:18:54, 10] smbd/service.c:make_connection_snum(750)
  Could not convert SID S-1-22-1-1087 to gid, ignoring it
[2006/11/07 16:18:54, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/07 16:18:54, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 1924 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/07 16:18:54, 0] lib/fault.c:fault_report(44)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/07 16:18:54, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/07 16:18:54, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 1924): internal error
*** glibc detected *** corrupted double-linked list: 0x0000555555dc65d0 ***




[2006/11/07 16:47:30, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2006/11/07 16:47:30, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2006/11/07 16:47:30, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/07 16:47:30, 11] passdb/lookup_sid.c:sid_to_gid(1347)
*** glibc detected *** malloc(): memory corruption: 0x0000555555db31f0 ***
  sid_to_gid: no one knows the SID S-1-22-1-1087 (tried local, then winbind)




and so on and so on.


facts:
   * we are using NIS
   * we have about 340 shares in smb.conf
   * we do not use netgroup BUT group for access
   * the share is defined like this:

[prj_template]
  path                  = /tmp
  inherit permissions   = yes
  delete readonly       = yes
  writeable             = yes

[mamepimages]
  comment         = blah bla
  path            = /project/mamepimages
  copy            = prj_template
  force user      = imgdata
  force group     = +abt_her
  
   * abt_her is a unix group, served by NIS (not NIS+) and has about 29 members (the
idea is to have all members store data in this share which gets owned by user imgdata)



possible dupes of this bug:

  https://bugzilla.samba.org/show_bug.cgi?id=4171
Comment 1 Peter Marquardt 2006-11-08 05:36:42 UTC
Created attachment 2202 [details]
level 10 logile string overflow WinXP -> OSF smbd 

This is the level 10 debug log where we can find string overflow errors.
These errors pop up when trying to access a share with group permissions.

Interestingly enough they end with

[2006/11/08 12:11:58, 10] smbd/service.c:make_connection_snum(736)
  Could not convert SID S-1-22-1-1087 to gid, ignoring it

before crashing.
Comment 2 Peter Marquardt 2006-11-08 06:36:37 UTC
Created attachment 2203 [details]
simple valgrind log

this is a valgrind log created by starting smdb via valgrind on x86_64 platform
reply_tcon_and_X() pops up here several times ... hmmm....
Comment 3 Peter Marquardt 2006-11-09 09:12:54 UTC
Created attachment 2204 [details]
this is a tcpdump on the smbd-running machine while it crashed

tcpdump -i eth0 host waldi # win-xp doing a "net use \\ex\mamepimages"

and then this happens:

[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 27981 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(44)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/09 16:06:05, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 27981): internal error
*** glibc detected *** corrupted double-linked list: 0x0000555555dbf450 ***
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 27982 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(44)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/09 16:06:05, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 27982): internal error
[2006/11/09 16:06:05, 0] lib/util.c:log_stack_trace(1709)
  BACKTRACE: 5 stack frames:
   #0 /usr/local/samba/bin/smbd(log_stack_trace+0x1c) [0x5555557ffd60]
   #1 /usr/local/samba/bin/smbd(smb_panic+0x7e) [0x5555557ffbb6]
   #2 /usr/local/samba/bin/smbd [0x5555557e8673]
   #3 /usr/local/samba/bin/smbd [0x5555557e8686]
   #4 /lib/libc.so.6 [0x2b6b4412a680]
[2006/11/09 16:06:05, 0] lib/fault.c:dump_core(173)
  dumping core in /var/samba/cores/smbd
Comment 4 Peter Marquardt 2006-11-14 05:22:27 UTC
Ok, thanks to valgrind I found the first logical bug in smbd/service.c:

At the end of function    find_forced_group()

	if (force_user && user_must_be_member) {
		if (user_in_group_sid(username, &group_sid)) {
			sid_copy(pgroup_sid, &group_sid);
			*pgid = gid;
		} else {
	DEBUG(0,("XXX WEEEE !!! FALSE = user_in_group_sid(%s, &group_sid)\n",username));
		}
	} else {
		sid_copy(pgroup_sid, &group_sid);
		*pgid = gid;
	}


if "WEEE" happens... pgroup_sid doesn't get initialised.

this is ... not good 8-)


Comment 5 Jeremy Allison 2006-11-14 11:41:15 UTC
Got it - thanks !
I'll make sure this gets fixed for 3.0.23d.
Jeremy.
Comment 6 Jeremy Allison 2006-11-14 14:19:43 UTC
Created attachment 2219 [details]
Patch

Proposed patch.
Comment 7 Peter Marquardt 2006-11-15 04:36:56 UTC
Cool, fixed.

This patch revealed a misconfiguration which triggered the bug:

My smb.conf said

force user = foo
force group = +bar

and user foo wasn't member of grou bar. So, in this case, now an error-message will be dropped:

[2006/11/15 11:14:17, 0] smbd/service.c:find_forced_group(498)
  find_forced_group: forced user foo is not a member of forced group bar. Disallowing access.

All valgrind hits related to this bug are gone now.

Thanks!