Bug 4214 - smbd 3.0.21c up to 3.0.24-svn trash memory
Summary: smbd 3.0.21c up to 3.0.24-svn trash memory
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: User/Group Accounts (show other bugs)
Version: 3.0.23c
Hardware: All Linux
Importance: P3 critical
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2006-11-08 05:29 UTC by Peter Marquardt
Modified: 2006-11-15 04:36 UTC
Attachments
  level 10 logfile string overflow WinXP -> OSF smbd (603.16 KB, text/plain), 2006-11-08 05:36 UTC, Peter Marquardt
  simple valgrind log (39.90 KB, text/plain), 2006-11-08 06:36 UTC, Peter Marquardt
  this is a tcpdump on the smbd-running machine while it crashed (6.38 KB, application/octet-stream), 2006-11-09 09:12 UTC, Peter Marquardt
  Patch (759 bytes, patch), 2006-11-14 14:19 UTC, Jeremy Allison

Description Peter Marquardt 2006-11-08 05:29:07 UTC
samba 3.0.21c, 3.0.23c and even 3.0.24pre1-SVN-build-19601 seem to trash memory
'somewhere' when accessing shares. First I thought it had something to do with
glibc 2.3.6 (as suspected in some other bug reports), but then I found this in my
WinXP client logfile on OSF samba:


[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 1 in safe_strcat [-1]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 10 in safe_strcat [-537783676]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 2 in safe_strcat [-1]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 2 in safe_strcat [-0]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 2 in safe_strcat [-0]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 11 in safe_strcat [-1076392016]
[2006/11/07 13:00:33, 0] lib/util_str.c:safe_strcat_fn(636)
[...]
[2006/11/07 13:00:33, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/07 13:00:33, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 32448 (3.0.23c)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/07 13:00:33, 0] lib/fault.c:fault_report(44)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/07 13:00:33, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/07 13:00:33, 0] lib/util.c:smb_panic(1591)
  PANIC (pid 32448): internal error
[2006/11/07 13:00:33, 0] lib/util.c:log_stack_trace(1749)
  unable to produce a stack trace on this platform
[2006/11/07 13:00:33, 0] lib/fault.c:dump_core(173)
  dumping core in /var/samba/cores/smbd


This is a Digital Unix OSF 4.0f box, running definitely NO glibc 8-)

root@warthole# gdb /usr/local/samba/bin/smbd core 
GNU gdb 5.2.1
This GDB was configured as "alpha-dec-osf4"...
Core was generated by `smbd'.
Program terminated with signal 6, Aborted.
[...]
#0  0x3ff800e9b78 in kill () from /usr/shlib/libc.so
(gdb) bt
#0  0x3ff800e9b78 in kill () from /usr/shlib/libc.so
#1  0x3ff801a508c in tis_lock_global () from /usr/shlib/libc.so
#2  0x3ff80112014 in tis_raise () from /usr/shlib/libc.so
#3  0x3ff8015f6d4 in raise () from /usr/shlib/libc.so
#4  0x3ff801766ec in abort () from /usr/shlib/libc.so
#5  0x12024b18c in dump_core () at lib/fault.c:5
#6  0x120267058 in log_stack_trace () at lib/util.c:5



Since I didn't expect it to crash I had no --enable-debug-version on OSF.


Here is now a freshly built 3.0.23c with debug, no debuglevel:

[2006/11/08 12:08:07, 0] lib/util_str.c:safe_strcat_fn(636)
  ERROR: string overflow by 8 in safe_strcat [-1650601842]
[2006/11/08 12:08:10, 1] smbd/service.c:make_connection_snum(941)
  waldi (141.14.22.101) connect to service mamepimages initially as user imgdata (uid=1087, gid=372) (pid 506

I'll attach the corresponding level 10 logfile.



On our Linux boxes it is even more mystical:




[2006/11/07 17:20:08, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2006/11/07 17:20:08, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2006/11/07 17:20:08, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/07 17:20:08, 11] passdb/lookup_sid.c:sid_to_gid(1347)
  sid_to_gid: no one knows the SID S-1-22-1-1087 (tried local, then winbind)
[2006/11/07 17:20:08, 10] smbd/service.c:make_connection_snum(750)
  Could not convert SID S-1-22-1-1087 to gid, ignoring it
[2006/11/07 17:20:08, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/07 17:20:08, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 16945 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/07 17:20:08, 0] lib/fault.c:fault_report(44)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/07 17:20:08, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/07 17:20:08, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 16945): internal error
[2006/11/07 17:20:08, 0] lib/util.c:log_stack_trace(1709)
  BACKTRACE: 16 stack frames:
   #0 /usr/local/samba/bin/smbd(log_stack_trace+0x1c) [0x555555809058]
   #1 /usr/local/samba/bin/smbd(smb_panic+0x7e) [0x555555808eae]
   #2 /usr/local/samba/bin/smbd [0x5555557f10a3]
   #3 /usr/local/samba/bin/smbd [0x5555557f10b6]
   #4 /lib/libc.so.6 [0x2b0567c3d680]
   #5 /usr/local/samba/bin/smbd(Debug1+0x22c) [0x5555557f0a8e]
   #6 /usr/local/samba/bin/smbd(dbghdr+0x163) [0x5555557f0d63]
   #7 /usr/local/samba/bin/smbd(make_connection+0x856) [0x555555677e01]
   #8 /usr/local/samba/bin/smbd(reply_tcon_and_X+0x3fb) [0x555555623a1a]
   #9 /usr/local/samba/bin/smbd [0x555555672bc5]
   #10 /usr/local/samba/bin/smbd [0x555555672c83]
   #11 /usr/local/samba/bin/smbd [0x555555672eda]
   #12 /usr/local/samba/bin/smbd(smbd_process+0x144) [0x555555674193]
   #13 /usr/local/samba/bin/smbd(main+0x953) [0x5555559d8121]
   #14 /lib/libc.so.6(__libc_start_main+0xd3) [0x2b0567c2b493]
   #15 /usr/local/samba/bin/smbd [0x5555555e075a]




here's another one:



[2006/11/08 09:59:57, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/11/08 09:59:57, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/08 09:59:57, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2006/11/08 09:59:57, 3] smbd/uid.c:push_conn_ctx(350)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2006/11/08 09:59:57, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2006/11/08 09:59:57, 5] auth/auth_util.c:debug_nt_user_token(448)
  NT user token: (NULL)
[2006/11/08 09:59:57, 5] auth/auth_util.c:debug_unix_user_token(474)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2006/11/08 09:59:57, 3] smbd/sec_ctx.c:pop_sec_ctx(356)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-1-1087]
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-372]
[2006/11/08 09:59:57, 5] lib/privileges.c:get_privileges_for_sids(459)
  get_privileges_for_sids: sid = S-1-1-0
  Privilege set:
  SE_PRIV  0x0 0x0 0x0 0x0
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2006/11/08 09:59:57, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/08 09:59:57, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/08 09:59:57, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 22811 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/08 09:59:57, 0] lib/fault.c:fault_report(44)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/08 09:59:57, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/08 09:59:57, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 22811): internal error
[2006/11/08 09:59:57, 0] lib/util.c:log_stack_trace(1709)
  BACKTRACE: 16 stack frames:
   #0 /usr/local/samba/bin/smbd(log_stack_trace+0x1c) [0x555555809058]
   #1 /usr/local/samba/bin/smbd(smb_panic+0x7e) [0x555555808eae]
   #2 /usr/local/samba/bin/smbd [0x5555557f10a3]
   #3 /usr/local/samba/bin/smbd [0x5555557f10b6]
   #4 /lib/libc.so.6 [0x2b0567c3d680]
   #5 /usr/local/samba/bin/smbd(Debug1+0x22c) [0x5555557f0a8e]
   #6 /usr/local/samba/bin/smbd(dbghdr+0x163) [0x5555557f0d63]
   #7 /usr/local/samba/bin/smbd(make_connection+0x856) [0x555555677e01]
   #8 /usr/local/samba/bin/smbd(reply_tcon_and_X+0x3fb) [0x555555623a1a]
   #9 /usr/local/samba/bin/smbd [0x555555672bc5]
   #10 /usr/local/samba/bin/smbd [0x555555672c83]
   #11 /usr/local/samba/bin/smbd [0x555555672eda]
   #12 /usr/local/samba/bin/smbd(smbd_process+0x144) [0x555555674193]
   #13 /usr/local/samba/bin/smbd(main+0x953) [0x5555559d8121]
   #14 /lib/libc.so.6(__libc_start_main+0xd3) [0x2b0567c2b493]
   #15 /usr/local/samba/bin/smbd [0x5555555e075a]
[2006/11/08 09:59:57, 0] lib/util.c:smb_panic(1610)
  smb_panic(): calling panic action [/bin/sleep 90000]



The error messages differ. On an x86_64 system running 3.0.21c, 3.0.23c and even
3.0.24pre1-SVN we find this in the logs:



[2006/11/07 11:51:51, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/07 11:51:51, 11] passdb/lookup_sid.c:sid_to_gid(1347)
*** glibc detected *** malloc(): memory corruption: 0x0000555555db12d0 ***
  sid_to_gid: no one knows the SID S-1-22-1-1087 (tried local, then winbind)



[2006/11/07 12:47:56, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
*** glibc detected *** malloc(): memory corruption: 0x0000555555dc7240 ***



[2006/11/07 14:16:03, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/07 14:16:03, 0] lib/fault.c:fault_report(41)
*** glibc detected *** malloc(): memory corruption: 0x0000555555db12c0 ***



[2006/11/07 14:37:25, 10] smbd/service.c:make_connection_snum(750)
  Could not convert SID S-1-22-1-1087 to gid, ignoring it
[2006/11/07 14:37:25, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/07 14:37:25, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 28350 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/07 14:37:25, 0] lib/fault.c:fault_report(44)
    From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/07 14:37:25, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/07 14:37:25, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 28350): internal error
*** glibc detected *** corrupted double-linked list: 0x0000555555dcbed0 ***




[2006/11/07 16:18:54, 11] passdb/lookup_sid.c:sid_to_gid(1347)
  sid_to_gid: no one knows the SID S-1-22-1-1087 (tried local, then winbind)
[2006/11/07 16:18:54, 10] smbd/service.c:make_connection_snum(750)
  Could not convert SID S-1-22-1-1087 to gid, ignoring it
[2006/11/07 16:18:54, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/07 16:18:54, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 1924 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/07 16:18:54, 0] lib/fault.c:fault_report(44)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/07 16:18:54, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/07 16:18:54, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 1924): internal error
*** glibc detected *** corrupted double-linked list: 0x0000555555dc65d0 ***




[2006/11/07 16:47:30, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2006/11/07 16:47:30, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-5-11]
[2006/11/07 16:47:30, 3] lib/privileges.c:get_privileges(261)
  get_privileges: No privileges assigned to SID [S-1-22-2-392]
[2006/11/07 16:47:30, 11] passdb/lookup_sid.c:sid_to_gid(1347)
*** glibc detected *** malloc(): memory corruption: 0x0000555555db31f0 ***
  sid_to_gid: no one knows the SID S-1-22-1-1087 (tried local, then winbind)




and so on and so on.


facts:
   * we are using NIS
   * we have about 340 shares in smb.conf
   * we do not use netgroup BUT group for access
   * the share is defined like this:

[prj_template]
  path                  = /tmp
  inherit permissions   = yes
  delete readonly       = yes
  writeable             = yes

[mamepimages]
  comment         = blah bla
  path            = /project/mamepimages
  copy            = prj_template
  force user      = imgdata
  force group     = +abt_her
  
   * abt_her is a unix group, served by NIS (not NIS+) and has about 29 members (the idea is to have all members store data in this share, which gets owned by user imgdata)



possible dupes of this bug:

  https://bugzilla.samba.org/show_bug.cgi?id=4171
Comment 1 Peter Marquardt 2006-11-08 05:36:42 UTC
Created attachment 2202 [details]
level 10 logfile string overflow WinXP -> OSF smbd

This is the level 10 debug log where we can find string overflow errors.
These errors pop up when trying to access a share with group permissions.

Interestingly enough they end with

[2006/11/08 12:11:58, 10] smbd/service.c:make_connection_snum(736)
  Could not convert SID S-1-22-1-1087 to gid, ignoring it

before crashing.
Comment 2 Peter Marquardt 2006-11-08 06:36:37 UTC
Created attachment 2203 [details]
simple valgrind log

This is a valgrind log created by starting smbd via valgrind on the x86_64 platform.
reply_tcon_and_X() pops up here several times ... hmmm....
Comment 3 Peter Marquardt 2006-11-09 09:12:54 UTC
Created attachment 2204 [details]
this is a tcpdump on the smbd-running machine while it crashed

tcpdump -i eth0 host waldi # win-xp doing a "net use \\ex\mamepimages"

and then this happens:

[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 27981 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(44)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/09 16:06:05, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 27981): internal error
*** glibc detected *** corrupted double-linked list: 0x0000555555dbf450 ***
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(41)
  ===============================================================
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(42)
  INTERNAL ERROR: Signal 11 in pid 27982 (3.0.24pre1-SVN-build-19601)
  Please read the Trouble-Shooting section of the Samba3-HOWTO
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(44)
  
  From: http://www.samba.org/samba/docs/Samba3-HOWTO.pdf
[2006/11/09 16:06:05, 0] lib/fault.c:fault_report(45)
  ===============================================================
[2006/11/09 16:06:05, 0] lib/util.c:smb_panic(1605)
  PANIC (pid 27982): internal error
[2006/11/09 16:06:05, 0] lib/util.c:log_stack_trace(1709)
  BACKTRACE: 5 stack frames:
   #0 /usr/local/samba/bin/smbd(log_stack_trace+0x1c) [0x5555557ffd60]
   #1 /usr/local/samba/bin/smbd(smb_panic+0x7e) [0x5555557ffbb6]
   #2 /usr/local/samba/bin/smbd [0x5555557e8673]
   #3 /usr/local/samba/bin/smbd [0x5555557e8686]
   #4 /lib/libc.so.6 [0x2b6b4412a680]
[2006/11/09 16:06:05, 0] lib/fault.c:dump_core(173)
  dumping core in /var/samba/cores/smbd
Comment 4 Peter Marquardt 2006-11-14 05:22:27 UTC
OK, thanks to valgrind I found the first logical bug in smbd/service.c:

At the end of function find_forced_group():

	if (force_user && user_must_be_member) {
		if (user_in_group_sid(username, &group_sid)) {
			sid_copy(pgroup_sid, &group_sid);
			*pgid = gid;
		} else {
			/* the WEEEE DEBUG() is an instrumentation line, not upstream Samba code */
			DEBUG(0,("XXX WEEEE !!! FALSE = user_in_group_sid(%s, &group_sid)\n",username));
		}
	} else {
		sid_copy(pgroup_sid, &group_sid);
		*pgid = gid;
	}


If "WEEEE" happens, pgroup_sid doesn't get initialised.

This is ... not good 8-)


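As an added example (not Samba's code and not part of the reporter's attachments), here is a cut-down C model of the find_forced_group() failure path quoted in Comment 4, placed beside a version that reports the failure instead of leaving its outputs unset. The dom_sid type, the group table, the tcon_* callers and the UNSET_GID sentinel are constructed for illustration; the '+' prefix handling follows the `force group = +abt_her` syntax from the smb.conf in the description, and the refusal message follows the one the post-patch smbd logs.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical stand-in for Samba's DOM_SID. Only the RID is kept: a Unix
 * group maps to S-1-22-2-<gid>, as the S-1-22-2-372/392 log lines show. */
typedef struct { uint32_t rid; } dom_sid;

/* Constructed group table standing in for NIS. "imgdata" is deliberately
 * not a member of abt_her, which is the misconfiguration from Comment 7. */
struct group_entry { const char *name; gid_t gid; const char *members[4]; };
static const struct group_entry groups[] = {
    { "abt_her",  372, { "alice", "bob", NULL } },
    { "imgstaff", 392, { "imgdata", NULL } },
};

static const struct group_entry *lookup_group(const char *name)
{
    for (size_t i = 0; i < sizeof groups / sizeof groups[0]; i++)
        if (strcmp(groups[i].name, name) == 0) return &groups[i];
    return NULL;
}

static bool user_in_group(const char *user, const struct group_entry *g)
{
    for (size_t i = 0; g->members[i] != NULL; i++)
        if (strcmp(g->members[i], user) == 0) return true;
    return false;
}

/* "force group = +abt_her": the leading '+' sets user_must_be_member. */
static const char *parse_force_group(const char *value, bool *must_be_member)
{
    *must_be_member = (value[0] == '+');
    return *must_be_member ? value + 1 : value;
}

/* BUGGY: same control flow as the snippet in Comment 4. On the "forced user
 * is not a member" branch neither output is written and no failure is
 * reported, so the caller goes on using whatever the variables held. */
static void find_forced_group_buggy(const char *force_user, const char *force_group,
                                    dom_sid *pgroup_sid, gid_t *pgid)
{
    bool must_be_member;
    const char *gname = parse_force_group(force_group, &must_be_member);
    const struct group_entry *g = lookup_group(gname);
    if (g == NULL) return;                 /* outputs left untouched here too */
    if (force_user != NULL && must_be_member) {
        if (user_in_group(force_user, g)) {
            pgroup_sid->rid = g->gid; *pgid = g->gid;
        }                                  /* else: fall through, outputs unset */
    } else {
        pgroup_sid->rid = g->gid; *pgid = g->gid;
    }
}

/* FIXED: every path either fills both outputs or returns false, and the
 * refusal is logged in the form the post-patch smbd uses. */
static bool find_forced_group_fixed(const char *force_user, const char *force_group,
                                    dom_sid *pgroup_sid, gid_t *pgid)
{
    bool must_be_member;
    const char *gname = parse_force_group(force_group, &must_be_member);
    const struct group_entry *g = lookup_group(gname);
    if (g == NULL) return false;
    if (force_user != NULL && must_be_member && !user_in_group(force_user, g)) {
        fprintf(stderr, "find_forced_group: forced user %s is not a member of "
                        "forced group %s. Disallowing access.\n", force_user, gname);
        return false;
    }
    pgroup_sid->rid = g->gid;
    *pgid = g->gid;
    return true;
}

/* Simulated tree connect. The gid is pre-filled with a sentinel so the buggy
 * path is observable; in real smbd that slot holds stack garbage, which is
 * what the reporter's valgrind hits pointed at. */
#define UNSET_GID ((gid_t)0xDEADBEEF)

static gid_t tcon_buggy(const char *force_user, const char *force_group)
{
    dom_sid sid = { 0 };
    gid_t gid = UNSET_GID;
    find_forced_group_buggy(force_user, force_group, &sid, &gid);
    return gid;                            /* UNSET_GID: corruption path taken */
}

/* Returns the effective gid, or 0 with *allowed = false when refused. */
static gid_t tcon_fixed(const char *force_user, const char *force_group, bool *allowed)
{
    dom_sid sid = { 0 };
    gid_t gid = UNSET_GID;
    *allowed = find_forced_group_fixed(force_user, force_group, &sid, &gid);
    return *allowed ? gid : 0;
}
```

Compile with any C99 compiler. tcon_buggy("imgdata", "+abt_her") hands back the sentinel untouched, which is the pre-patch smbd situation with a real SID and gid on the stack; tcon_fixed refuses the connection and logs the membership failure instead. Without the '+' prefix no membership check is made and both versions behave identically.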
Comment 5 Jeremy Allison 2006-11-14 11:41:15 UTC
Got it - thanks !
I'll make sure this gets fixed for 3.0.23d.
Jeremy.
Comment 6 Jeremy Allison 2006-11-14 14:19:43 UTC
Created attachment 2219 [details]
Patch

Proposed patch.
Comment 7 Peter Marquardt 2006-11-15 04:36:56 UTC
Cool, fixed.

This patch revealed a misconfiguration which triggered the bug:

My smb.conf said

force user = foo
force group = +bar

and user foo wasn't a member of group bar. So, in this case, an error message is now logged:

[2006/11/15 11:14:17, 0] smbd/service.c:find_forced_group(498)
  find_forced_group: forced user foo is not a member of forced group bar. Disallowing access.

All valgrind hits related to this bug are gone now.

Thanks!