Bug 5323 - Segfaults in smbd
Summary: Segfaults in smbd
Status: RESOLVED WORKSFORME
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: File Services
Version: 3.0.28
Hardware: Other Linux
Importance: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2008-03-14 07:50 UTC by Wilco Baan Hofman
Modified: 2021-01-04 16:17 UTC (History)
Description Wilco Baan Hofman 2008-03-14 07:50:11 UTC
I'm getting segfaults in smbd. I'm on debian x86_64 using debian packages for 3.0.28 and my setup uses pdb_ldap. 

It could be me, but this very much looks like a recursion problem.

Using host libthread_db library "/lib/libthread_db.so.1".
[Thread debugging using libthread_db enabled]
[New Thread 0x2b4632180500 (LWP 19122)]
0x00002b4631525a95 in waitpid () from /lib/libc.so.6
#0  0x00002b4631525a95 in waitpid () from /lib/libc.so.6
#1  0x00002b46314c5dc1 in ?? () from /lib/libc.so.6
#2  0x000000000060d45b in smb_panic (why=<value optimized out>)
    at lib/util.c:1639
#3  0x00000000004b8d67 in push_sec_ctx () at smbd/sec_ctx.c:195
#4  0x00000000004ae379 in become_root () at smbd/uid.c:391
#5  0x00000000005cb1b0 in lookup_global_sam_rid (mem_ctx=0xac6080, rid=101014, 
    name=0x7fff7bf7fb90, psid_name_use=0xac60e0, unix_id=0x0)
    at passdb/pdb_interface.c:1534
#6  0x00000000005cb636 in pdb_default_lookup_rids (
    methods=<value optimized out>, domain_sid=<value optimized out>, 
    num_rids=1, rids=0xac6020, names=0xac6080, attrs=<value optimized out>)
    at passdb/pdb_interface.c:1637
#7  0x00000000005c9c39 in pdb_lookup_rids (domain_sid=0xa9dcc4, num_rids=1, 
    rids=0xac6020, names=0xac6080, attrs=0xac60e0)
    at passdb/pdb_interface.c:961
#8  0x00000000005ce8fe in lookup_sids (mem_ctx=<value optimized out>, 
    num_sids=1, sids=<value optimized out>, level=1, 
    ret_domains=0x7fff7bf7fda8, ret_names=0x7fff7bf7fda0)
    at passdb/lookup_sid.c:475
#9  0x00000000005cf449 in lookup_sid (mem_ctx=0xaa2600, sid=0xaa3d00, 
    ret_domain=0x0, ret_name=0x0, ret_type=0x7fff7bf7fdec)
    at passdb/lookup_sid.c:912
#10 0x00000000005c4b40 in pdb_get_group_sid (sampass=0x9cd630)
    at passdb/pdb_get_set.c:226
#11 0x00000000005cd10f in pdb_get_group_rid (sampass=0x4ac6)
    at passdb/pdb_compat.c:46
#12 0x00000000005c580d in init_buffer_from_sam_v3 (buf=0x7fff7bf800e0, 
    sampass=0x9cd630, size_only=0) at passdb/passdb.c:1114
#13 0x00000000005c6f11 in pdb_copy_sam_account (dst=0xac43f0, 
    src=0x7fff7bf7f79c) at passdb/passdb.c:1335
#14 0x00000000005cb0ef in pdb_getsampwsid (sam_acct=0xac43f0, 
    sid=0x7fff7bf803f0) at passdb/pdb_interface.c:288
#15 0x00000000005cb1bb in lookup_global_sam_rid (mem_ctx=0xaa3be0, rid=101014, 
    name=0x7fff7bf804a0, psid_name_use=0xaa3c40, unix_id=0x0)
    at passdb/pdb_interface.c:1535
#16 0x00000000005cb636 in pdb_default_lookup_rids (
    methods=<value optimized out>, domain_sid=<value optimized out>, 
    num_rids=1, rids=0xac4300, names=0xaa3be0, attrs=<value optimized out>)
    at passdb/pdb_interface.c:1637
#17 0x00000000005c9c39 in pdb_lookup_rids (domain_sid=0xac52f4, num_rids=1, 
    rids=0xac4300, names=0xaa3be0, attrs=0xaa3c40)
    at passdb/pdb_interface.c:961
#18 0x00000000005ce8fe in lookup_sids (mem_ctx=<value optimized out>, 
    num_sids=1, sids=<value optimized out>, level=1, 
    ret_domains=0x7fff7bf806b8, ret_names=0x7fff7bf806b0)
    at passdb/lookup_sid.c:475
#19 0x00000000005cf449 in lookup_sid (mem_ctx=0xa9bb10, sid=0xaa4600, 
    ret_domain=0x0, ret_name=0x0, ret_type=0x7fff7bf806fc)
    at passdb/lookup_sid.c:912
#20 0x00000000005c4b40 in pdb_get_group_sid (sampass=0x9cd630)
    at passdb/pdb_get_set.c:226
#21 0x00000000005cd10f in pdb_get_group_rid (sampass=0x4ac6)
    at passdb/pdb_compat.c:46
#22 0x00000000005c580d in init_buffer_from_sam_v3 (buf=0x7fff7bf809f0, 
    sampass=0x9cd630, size_only=0) at passdb/passdb.c:1114
#23 0x00000000005c6f11 in pdb_copy_sam_account (dst=0xaa39e0, 
    src=0x7fff7bf7f79c) at passdb/passdb.c:1335
#24 0x00000000005cb0ef in pdb_getsampwsid (sam_acct=0xaa39e0, 
    sid=0x7fff7bf80d00) at passdb/pdb_interface.c:288
#25 0x00000000005cb1bb in lookup_global_sam_rid (mem_ctx=0xac67f0, rid=101014, 
    name=0x7fff7bf80db0, psid_name_use=0xac6850, unix_id=0x0)
    at passdb/pdb_interface.c:1535
#26 0x00000000005cb636 in pdb_default_lookup_rids (
    methods=<value optimized out>, domain_sid=<value optimized out>, 
    num_rids=1, rids=0xaa9430, names=0xac67f0, attrs=<value optimized out>)
    at passdb/pdb_interface.c:1637
#27 0x00000000005c9c39 in pdb_lookup_rids (domain_sid=0xac4694, num_rids=1, 
    rids=0xaa9430, names=0xac67f0, attrs=0xac6850)
    at passdb/pdb_interface.c:961
#28 0x00000000005ce8fe in lookup_sids (mem_ctx=<value optimized out>, 
    num_sids=1, sids=<value optimized out>, level=1, 
    ret_domains=0x7fff7bf80fc8, ret_names=0x7fff7bf80fc0)
    at passdb/lookup_sid.c:475
#29 0x00000000005cf449 in lookup_sid (mem_ctx=0xa99a70, sid=0x9cc010, 
    ret_domain=0x0, ret_name=0x0, ret_type=0x7fff7bf8100c)
    at passdb/lookup_sid.c:912
#30 0x00000000005c4b40 in pdb_get_group_sid (sampass=0x9cd630)
    at passdb/pdb_get_set.c:226
#31 0x00000000005cd10f in pdb_get_group_rid (sampass=0x4ac6)
    at passdb/pdb_compat.c:46
#32 0x00000000005c580d in init_buffer_from_sam_v3 (buf=0x7fff7bf81300, 
    sampass=0x9cd630, size_only=0) at passdb/passdb.c:1114
#33 0x00000000005c6f11 in pdb_copy_sam_account (dst=0xaa43a0, 
    src=0x7fff7bf7f79c) at passdb/passdb.c:1335
#34 0x00000000005cb0ef in pdb_getsampwsid (sam_acct=0xaa43a0, 
    sid=0x7fff7bf81610) at passdb/pdb_interface.c:288
#35 0x00000000005cb1bb in lookup_global_sam_rid (mem_ctx=0xa55710, rid=101014, 
    name=0x7fff7bf816c0, psid_name_use=0x9eff20, unix_id=0x0)
    at passdb/pdb_interface.c:1535
#36 0x00000000005cb636 in pdb_default_lookup_rids (
    methods=<value optimized out>, domain_sid=<value optimized out>, 
    num_rids=1, rids=0xa9a060, names=0xa55710, attrs=<value optimized out>)
    at passdb/pdb_interface.c:1637
#37 0x00000000005c9c39 in pdb_lookup_rids (domain_sid=0xa9bde4, num_rids=1, 
    rids=0xa9a060, names=0xa55710, attrs=0x9eff20)
    at passdb/pdb_interface.c:961
#38 0x00000000005ce8fe in lookup_sids (mem_ctx=<value optimized out>, 
    num_sids=1, sids=<value optimized out>, level=1, 
    ret_domains=0x7fff7bf818d8, ret_names=0x7fff7bf818d0)
    at passdb/lookup_sid.c:475
#39 0x00000000005cf449 in lookup_sid (mem_ctx=0xaa21b0, sid=0xaa32f0, 
    ret_domain=0x0, ret_name=0x0, ret_type=0x7fff7bf8191c)
    at passdb/lookup_sid.c:912
#40 0x00000000005c4b40 in pdb_get_group_sid (sampass=0x9cd630)
    at passdb/pdb_get_set.c:226
#41 0x00000000005cd10f in pdb_get_group_rid (sampass=0x4ac6)
    at passdb/pdb_compat.c:46
#42 0x00000000005c580d in init_buffer_from_sam_v3 (buf=0x7fff7bf81c10, 
    sampass=0x9cd630, size_only=0) at passdb/passdb.c:1114
#43 0x00000000005c6f11 in pdb_copy_sam_account (dst=0xac65f0, 
    src=0x7fff7bf7f79c) at passdb/passdb.c:1335
#44 0x00000000005cb0ef in pdb_getsampwsid (sam_acct=0xac65f0, 
    sid=0x7fff7bf81d10) at passdb/pdb_interface.c:288
#45 0x000000000064ec8f in create_token_from_username (mem_ctx=0x9fe9e0, 
    username=0x7fff7bf81e10 "arnoud", is_guest=0, uid=0x7fff7bf81dec, 
    gid=0x7fff7bf81de8, found_username=0x7fff7bf81de0, token=0x7fff7bf81dd8)
    at auth/auth_util.c:1133
#46 0x000000000064f57a in user_in_group_sid (username=0x7fff7bf81e10 "arnoud", 
    group_sid=0xac09f8) at auth/auth_util.c:1317
#47 0x00000000004bea2c in uid_entry_in_group (uid_ace=0xa9b9d0, 
    group_ace=0xac09e0) at smbd/posix_acls.c:1060
#48 0x00000000004bf4f5 in ensure_canon_entry_valid (pp_ace=0x7fff7bf82118, 
    fsp=0xac3f60, pfile_owner_sid=<value optimized out>, 
    pfile_grp_sid=0x7fff7bf82310, pst=0x7fff7bf82280, setting_acl=1)
    at smbd/posix_acls.c:1138
#49 0x00000000004c08a7 in unpack_canon_ace (fsp=0xac3f60, pst=0x7fff7bf7f630, 
    pfile_owner_sid=0x7fff7bf82360, pfile_grp_sid=0x7fff7bf82310, 
    ppfile_ace=0x7fff7bf823c8, ppdir_ace=0x7fff7bf823c0, security_info_sent=7, 
    psd=0x9c65e0) at smbd/posix_acls.c:2012
#50 0x00000000004c41e5 in set_nt_acl (fsp=0xac3f60, security_info_sent=7, 
    psd=0x9c65e0) at smbd/posix_acls.c:3418
#51 0x0000000000481b34 in set_sd (fsp=0xac3f60, data=0xa9a0a0 "\001", 
    sd_len=128, security_info_sent=7) at smbd/nttrans.c:1093
#52 0x0000000000486d90 in handle_nttrans (conn=0xabf110, 
    state=<value optimized out>, inbuf=<value optimized out>, 
    outbuf=0xae78c0 "", size=<value optimized out>, bufsize=131072)
    at smbd/nttrans.c:2206
#53 0x0000000000488ed0 in reply_nttrans (conn=0xabf110, inbuf=0xac7470 "", 
    outbuf=0xae78c0 "", size=216, bufsize=131072) at smbd/nttrans.c:3111
#54 0x00000000004c669e in switch_message (type=160, inbuf=0xac7470 "", 
    outbuf=0xae78c0 "", size=216, bufsize=131072) at smbd/process.c:1003
#55 0x00000000004c7a22 in smbd_process () at smbd/process.c:1030
#56 0x00000000006bd1dd in main (argc=<value optimized out>, 
    argv=0x7fff7bf82c78) at smbd/server.c:1120
Comment 1 Volker Lendecke 2008-03-14 16:01:07 UTC
To me it seems that this can only happen when the ldap object for user "arnoud" has an invalid group sid or something like that. The recursion should not happen, but somehow a group sid ended up in the internal cache for a user sid. Can you check the ldap entry for arnoud that its user sid does not conflict with any group sid in your system?

Thanks,

Volker
Comment 2 Wilco Baan Hofman 2008-03-15 06:32:34 UTC
Correct. It seems that I had non-unique SIDs: 2 groups and one user SID were identical. 

It still shouldn't segfault because of this though :)
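The check Volker asks for in comment 1, and the situation Wilco confirms in comment 2 (one user and two groups sharing a sambaSID), as an added example that is not part of the bug report: a small offline script that parses a constructed LDIF excerpt and reports any sambaSID carried by more than one entry, plus the specific user/group overlap that sends lookup_sid into recursion. The LDIF content, DNs and domain SID prefix are constructed for illustration; only the RID 101014 comes from the backtrace.

```python
import re
from collections import defaultdict

# Constructed LDIF excerpt (not from the bug report): one sambaSamAccount
# and two sambaGroupMapping entries were all given the same sambaSID.
SAMPLE_LDIF = """\
dn: uid=arnoud,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1-2-3-101014
sambaPrimaryGroupSID: S-1-5-21-1-2-3-513

dn: cn=staff,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1-2-3-101014

dn: cn=admins,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1-2-3-101014

dn: cn=users,ou=Groups,dc=example,dc=org
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1-2-3-513
"""

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    lines. Base64 ('::') values and folded continuation lines are not handled."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = defaultdict(list)
        for line in block.splitlines():
            if ":" in line and not line.startswith("#"):
                attr, _, value = line.partition(":")
                entry[attr.strip()].append(value.strip())
        entries.append(dict(entry))
    return entries

def find_sid_conflicts(entries):
    """Return {sid: [dn, ...]} for every sambaSID held by more than one entry."""
    owners = defaultdict(list)
    for e in entries:
        for sid in e.get("sambaSID", []):
            owners[sid].extend(e.get("dn", ["<no dn>"]))
    return {sid: dns for sid, dns in owners.items() if len(dns) > 1}

def user_group_overlap(entries):
    """SIDs used by both a sambaSamAccount and a sambaGroupMapping entry:
    the condition that made pdb_get_group_sid recurse back into lookup_sid."""
    users, groups = set(), set()
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        for sid in e.get("sambaSID", []):
            if "sambasamaccount" in classes:
                users.add(sid)
            if "sambagroupmapping" in classes:
                groups.add(sid)
    return sorted(users & groups)
```

On a live directory, feed the script the output of an ldapsearch over the Samba suffix instead of SAMPLE_LDIF; any SID listed by user_group_overlap needs a new, unique RID before smbd will look it up safely.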
Comment 3 Volker Lendecke 2008-03-15 06:34:51 UTC
Very true :-)

Thanks for checking.

Volker
Comment 4 Carsten Menke 2008-11-18 15:02:08 UTC
Same here on Debian Sarge x86 with Samba 3.0.32-23 (Sernet package). However, I have yet to check for duplicate SIDs.
Comment 5 Björn Jacke 2021-01-04 16:17:05 UTC
I assume this is not a problem any more, if you have the issue with recent versions, please reopen this bug report.