Bug 6688 - Multiple crashes in "net usershare list"
Multiple crashes in "net usershare list"
Status: RESOLVED FIXED
Product: Samba 3.4
Classification: Unclassified
Component: Client Tools
3.4.0
x86 Linux
: P3 normal
: ---
Assigned To: Karolin Seeger
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2009-09-03 10:35 UTC by Mike Pontillo
Modified: 2009-09-08 02:37 UTC (History)
0 users

See Also:


Attachments
Patch for 3.4 (724 bytes, patch)
2009-09-03 12:09 UTC, Volker Lendecke
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Mike Pontillo 2009-09-03 10:35:30 UTC
While testing Ubuntu Karmic, I found what looks like a number of unchecked NULL pointers in the 'net' tool in Samba. I am not sure why I hit these in a different place each time.

$ apt-cache show samba | grep ^Version
Version: 2:3.4.0-3ubuntu1

$ valgrind net usershare list
==26355== Memcheck, a memory error detector.                                    
==26355== Copyright (C) 2002-2008, and GNU GPL'd, by Julian Seward et al.       
==26355== Using LibVEX rev 1884, a library for dynamic binary translation.      
==26355== Copyright (C) 2004-2008, and GNU GPL'd, by OpenWorks LLP.             
==26355== Using valgrind-3.4.1-Debian, a dynamic binary instrumentation framework.
==26355== Copyright (C) 2000-2008, and GNU GPL'd, by Julian Seward et al.         
==26355== For more details, rerun with: -v                                        
==26355==                                                                         
==26355== Use of uninitialised value of size 4                                    
==26355==    at 0x1B20D7: create_cs (netlookup.c:97)                              
==26355==    by 0x1B24D1: net_lookup_name_from_sid (netlookup.c:171)              
==26355==    by 0x1B0AF1: info_fn (net_usershare.c:408)                           
==26355==    by 0x1B0F6B: net_usershare_list (net_usershare.c:304)                
==26355==    by 0x1B7824: net_run_function (net_util.c:573)                       
==26355==    by 0x1B0247: net_usershare (net_usershare.c:1072)
==26355==    by 0x1B7824: net_run_function (net_util.c:573)
==26355==    by 0x185D4E: main (net.c:777)
==26355==
==26355== Invalid read of size 4
==26355==    at 0x1B20D7: create_cs (netlookup.c:97)
==26355==    by 0x1B24D1: net_lookup_name_from_sid (netlookup.c:171)
==26355==    by 0x1B0AF1: info_fn (net_usershare.c:408)
==26355==    by 0x1B0F6B: net_usershare_list (net_usershare.c:304)
==26355==    by 0x1B7824: net_run_function (net_util.c:573)
==26355==    by 0x1B0247: net_usershare (net_usershare.c:1072)
==26355==    by 0x1B7824: net_run_function (net_util.c:573)
==26355==    by 0x185D4E: main (net.c:777)
==26355==  Address 0x32 is not stack'd, malloc'd or (recently) free'd
==26355==
==26355== Process terminating with default action of signal 11 (SIGSEGV)
==26355==  Access not within mapped region at address 0x32
==26355==    at 0x1B20D7: create_cs (netlookup.c:97)
==26355==    by 0x1B24D1: net_lookup_name_from_sid (netlookup.c:171)
==26355==    by 0x1B0AF1: info_fn (net_usershare.c:408)
==26355==    by 0x1B0F6B: net_usershare_list (net_usershare.c:304)
==26355==    by 0x1B7824: net_run_function (net_util.c:573)
==26355==    by 0x1B0247: net_usershare (net_usershare.c:1072)
==26355==    by 0x1B7824: net_run_function (net_util.c:573)
==26355==    by 0x185D4E: main (net.c:777)
==26355==  If you believe this happened as a result of a stack overflow in your
==26355==  program's main thread (unlikely but possible), you can try to increase
==26355==  the size of the main thread stack using the --main-stacksize= flag.
==26355==  The main thread stack size used in this run was 8388608.
==26355==
==26355== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 73 from 1)
==26355== malloc/free: in use at exit: 406,395 bytes in 354 blocks.
==26355== malloc/free: 2,481 allocs, 2,127 frees, 604,481 bytes allocated.
==26355== For counts of detected errors, rerun with: -v
==26355== Use --track-origins=yes to see where uninitialised values come from
==26355== searching for pointers to 354 not-freed blocks.
==26355== checked 276,208 bytes.
==26355==
==26355== LEAK SUMMARY:
==26355==    definitely lost: 0 bytes in 0 blocks.
==26355==      possibly lost: 0 bytes in 0 blocks.
==26355==    still reachable: 406,395 bytes in 354 blocks.
==26355==         suppressed: 0 bytes in 0 blocks.
==26355== Rerun with --leak-check=full to see details of leaked memory.
Segmentation fault (core dumped)

$ gdb net           
(gdb) run usershare list
Starting program: /usr/bin/net usershare list
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x0030b0d7 in ndr_pull_winreg_QueryInfoKey (ndr=0x0, flags=<value optimized out>, r=0xb7fa63a0) at ../librpc/gen_ndr/ndr_winreg.c:2327
2327                    NDR_PULL_SET_MEM_CTX(ndr, r->in.handle, LIBNDR_FLAG_REF_ALLOC);
(gdb) bt
#0  0x0030b0d7 in ndr_pull_winreg_QueryInfoKey (ndr=0x0, flags=<value optimized out>, r=0xb7fa63a0) at ../librpc/gen_ndr/ndr_winreg.c:2327
#1  0x0030b4d2 in ndr_pull_winreg_QueryInfoKey (ndr=0xbfffe93c, flags=<value optimized out>, r=0xb7ad0f50) at ../librpc/gen_ndr/ndr_winreg.c:2341
#2  0x00309af2 in ndr_pull_winreg_QueryMultipleValues (ndr=0x0, flags=<value optimized out>, r=0xb7ad1148) at ../librpc/gen_ndr/ndr_winreg.c:3716
#3  0x00309f6c in ndr_pull_winreg_QueryValue (ndr=0xb7ad9260, flags=-1073747184, r=0x88b23c) at ../librpc/gen_ndr/ndr_winreg.c:2569
#4  0x00310825 in ndr_pull_initshutdown_Abort (ndr=0x88b238, flags=-1073746676, r=0x88b238) at ../librpc/gen_ndr/ndr_initshutdown.c:141
#5  0x00309248 in ndr_pull_winreg_QueryMultipleValues (ndr=0x8797e4, flags=<value optimized out>, r=0xbfffed20) at ../librpc/gen_ndr/ndr_winreg.c:3811
#6  0x00310825 in ndr_pull_initshutdown_Abort (ndr=0x88b234, flags=8927764, r=0x88b234) at ../librpc/gen_ndr/ndr_initshutdown.c:141
#7  0x002ded4f in ndr_pull_lsa_SetDomainInformationPolicy (ndr=0x88b0c8, flags=8958696, r=0xbffff2c4) at ../librpc/gen_ndr/ndr_lsa.c:10486
#8  0xb7e67b56 in __libc_start_main (main=0x2de5a0 <ndr_push_lsa_SetDomainInformationPolicy+48>, argc=3, ubp_av=0xbffff2b4,
    init=0x73c0d0 <__libc_csu_init>, fini=0x73c0c0 <__libc_csu_fini>, rtld_fini=0x986d30 <_dl_fini>, stack_end=0xbffff2ac) at libc-start.c:220
#9  0x002de4d1 in ndr_push_lsa_QueryDomainInformationPolicy (ndr=0x2de4a0, flags=<value optimized out>, r=0x3) at ../librpc/gen_ndr/ndr_lsa.c:10355
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
(gdb) l
2322
2323                    if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
2324                            NDR_PULL_ALLOC(ndr, r->in.handle);
2325                    }
2326                    _mem_save_handle_0 = NDR_PULL_GET_MEM_CTX(ndr);
2327                    NDR_PULL_SET_MEM_CTX(ndr, r->in.handle, LIBNDR_FLAG_REF_ALLOC);
2328                    NDR_CHECK(ndr_pull_policy_handle(ndr, NDR_SCALARS, r->in.handle));
2329                    NDR_PULL_SET_MEM_CTX(ndr, _mem_save_handle_0, LIBNDR_FLAG_REF_ALLOC);
2330                    if (ndr->flags & LIBNDR_FLAG_REF_ALLOC) {
2331                            NDR_PULL_ALLOC(ndr, r->in.classname);
(gdb) p r
$1 = (struct winreg_QueryInfoKey *) 0xb7fa63a0
(gdb) p *r
$2 = {in = {handle = 0x0, classname = 0x2}, out = {num_subkeys = 0x0, max_subkeylen = 0x0, max_classlen = 0x0, num_values = 0x0, max_valnamelen = 0x0,
    max_valbufsize = 0xb7ad91f0, secdescsize = 0x0, last_changed_time = 0x0, classname = 0x0, result = {v = 0}}}
(gdb) p ndr
$3 = (struct ndr_pull *) 0x0
(gdb) quit

$ gdb net
(gdb) run usershare list
Starting program: /usr/bin/net usershare list
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x006e40d7 in create_cs (c=<value optimized out>, ctx=<value optimized out>, perr=0xbfffe8ac) at utils/netlookup.c:97
97              nt_status = cli_full_connection(&cs->cli, global_myname(), global_myname(),
(gdb) bt
#0  0x006e40d7 in create_cs (c=<value optimized out>, ctx=<value optimized out>, perr=0xbfffe8ac) at utils/netlookup.c:97
#1  0x006e44d2 in net_lookup_name_from_sid (c=0x1c, ctx=0xb7e9df38, psid=0xb7e9e4f0, ppdomain=0xbfffe9a4, ppname=0xbfffe9a0) at utils/netlookup.c:171
#2  0x006e2af2 in info_fn (fl=0xb7ea6248, priv=0xbfffeb10) at utils/net_usershare.c:408
#3  0x006e2f6c in process_share_list (c=0xb7e340c8, argc=0, argv=0xb7e3423c) at utils/net_usershare.c:304
#4  net_usershare_list (c=0xb7e340c8, argc=0, argv=0xb7e3423c) at utils/net_usershare.c:1002
#5  0x006e9825 in net_run_function (c=0xb7e340c8, argc=1, argv=0xb7e34238, whoami=0xb275bc "net usershare", table=0xbfffecbc) at utils/net_util.c:573
#6  0x006e2248 in net_usershare (c=0xb7e340c8, argc=1, argv=0xb7e34238) at utils/net_usershare.c:1072
#7  0x006e9825 in net_run_function (c=0xb7e340c8, argc=2, argv=0xb7e34234, whoami=0xb152e2 "net", table=0xc5c780) at utils/net_util.c:573
#8  0x006b7d4f in main (argc=3, argv=0xbffff2b4) at utils/net.c:777
#9  0x00339b56 in ndr_push_srvsvc_NetCharDevQGetInfo (ndr=DWARF-2 expression error: DW_OP_reg operations must be used either alone or in conjuction with DW_OP_piece.
) at ../librpc/gen_ndr/ndr_srvsvc.c:13771
#10 0x006b74d1 in _start () at ../sysdeps/i386/elf/start.S:106

$ gdb net
(gdb) run usershare list
Starting program: /usr/bin/net usershare list
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x003370d7 in ndr_pull_srvsvc_NetCharDevCtr (ndr=0x0, ndr_flags=-1211539044, r=0xbfffe8ac) at ../librpc/gen_ndr/ndr_srvsvc.c:534
534                                     NDR_CHECK(ndr_pull_generic_ptr(ndr, &_ptr_ctr0));
(gdb) bt
#0  0x003370d7 in ndr_pull_srvsvc_NetCharDevCtr (ndr=0x0, ndr_flags=-1211539044, r=0xbfffe8ac) at ../librpc/gen_ndr/ndr_srvsvc.c:534
#1  0x003374d2 in ndr_pull_srvsvc_NetCharDevCtr1 (ndr=0xbfffe93c, ndr_flags=<value optimized out>, r=0xbfffe93c) at ../librpc/gen_ndr/ndr_srvsvc.c:288
#2  ndr_pull_srvsvc_NetCharDevCtr (ndr=0xbfffe93c, ndr_flags=<value optimized out>, r=0xbfffe93c) at ../librpc/gen_ndr/ndr_srvsvc.c:572
#3  0x00335af2 in ndr_print_srvsvc_NetShareCtr (ndr=0x0, name=0xbfffeb10 "8_ɷ", r=0xb7c96130) at ../librpc/gen_ndr/ndr_srvsvc.c:6198
#4  0x00335f6c in ndr_print_srvsvc_NetShareEnum (ndr=0xb7c9e248, name=0x0, flags=<value optimized out>, r=0xbfffeb10)
    at ../librpc/gen_ndr/ndr_srvsvc.c:18008
#5  0x0033c825 in ndr_pull_srvsvc_NetConnCtr1 (ndr=0xbfffed0c, ndr_flags=<value optimized out>, r=0xb7c2c0c8) at ../librpc/gen_ndr/ndr_srvsvc.c:1552
#6  ndr_pull_srvsvc_NetConnCtr (ndr=0xbfffed0c, ndr_flags=<value optimized out>, r=0xb7c2c0c8) at ../librpc/gen_ndr/ndr_srvsvc.c:1700
#7  0x00335248 in ndr_print_srvsvc_NetShareInfo (ndr=0x8a57e4, name=0x1 <Address 0x1 out of bounds>, r=0xbfffed20) at ../librpc/gen_ndr/ndr_srvsvc.c:5798
#8  0x0033c825 in ndr_pull_srvsvc_NetConnCtr1 (ndr=0x8afa14, ndr_flags=<value optimized out>, r=0xb7c2c0c8) at ../librpc/gen_ndr/ndr_srvsvc.c:1552
#9  ndr_pull_srvsvc_NetConnCtr (ndr=0x8afa14, ndr_flags=<value optimized out>, r=0xb7c2c0c8) at ../librpc/gen_ndr/ndr_srvsvc.c:1700
#10 0x0030ad4f in ndr_pull_winreg_QueryInfoKey (ndr=0xb7c2c0c8, flags=<value optimized out>, r=0xbffff2c4) at ../librpc/gen_ndr/ndr_winreg.c:2418
#11 0xb7e9eb56 in __libc_start_main (main=0x30a5a0 <ndr_pull_winreg_QueryValue+2384>, argc=3, ubp_av=0xbffff2b4, init=0x7680d0 <__libc_csu_init>,
    fini=0x7680c0 <__libc_csu_fini>, rtld_fini=0x154d30 <ndr_pull_drsuapi_DsGetDCConnectionCtr01+448>, stack_end=0xbffff2ac) at libc-start.c:220
#12 0x0030a4d1 in ndr_pull_winreg_QueryValue (ndr=0x3, flags=3187872, r=Cannot access memory at address 0x10
) at ../librpc/gen_ndr/ndr_winreg.c:2577


$ gdb net
(gdb) run usershare list
Starting program: /usr/bin/net usershare list
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x002ac0d7 in ndr_pull_samr_LookupRids (ndr=0x0, flags=<value optimized out>, r=0x89637c) at ../librpc/gen_ndr/ndr_samr.c:7391
7391                            NDR_PULL_ALLOC(ndr, r->out.types);
(gdb) bt
#0  0x002ac0d7 in ndr_pull_samr_LookupRids (ndr=0x0, flags=<value optimized out>, r=0x89637c) at ../librpc/gen_ndr/ndr_samr.c:7391
#1  0x002ac4d2 in ndr_pull_samr_LookupNames (ndr=0xbfffe93c, flags=<value optimized out>, r=0x895f38) at ../librpc/gen_ndr/ndr_samr.c:7222
#2  0x002aaaf2 in ndr_pull_samr_QueryDomainInfo (ndr=0x0, flags=<value optimized out>, r=0x896310) at ../librpc/gen_ndr/ndr_samr.c:6124
#3  0x002aaf6c in ndr_pull_samr_SetDomainInfo (ndr=0x896228, flags=<value optimized out>, r=0xbfffeb10) at ../librpc/gen_ndr/ndr_samr.c:6224
#4  0x002b1825 in ndr_pull_samr_QueryDisplayInfo (ndr=0xbfffed0c, flags=<value optimized out>, r=0x82c238) at ../librpc/gen_ndr/ndr_samr.c:9363
#5  0x002aa248 in ndr_push_samr_DomainInfo (ndr=0x81a7e4, r=0xbfffed20, ndr_flags=<value optimized out>) at ../librpc/gen_ndr/ndr_samr.c:928
#6  0x002b1825 in ndr_pull_samr_QueryDisplayInfo (ndr=0x824a14, flags=<value optimized out>, r=0x82c234) at ../librpc/gen_ndr/ndr_samr.c:9363
#7  0x0027fd4f in ndr_pull_wkssvc_NetrWorkstationStatisticsGet (ndr=0x82c0c8, flags=-1073745228, r=0x82c2e8) at ../librpc/gen_ndr/ndr_wkssvc.c:7508
#8  0xb7db5b56 in __libc_start_main (main=0x27f5a0 <ndr_pull_wkssvc_NetrWorkstationStatisticsGet+384>, argc=3, ubp_av=0xbffff2b4,
    init=0x6dd0d0 <__libc_csu_init>, fini=0x6dd0c0 <__libc_csu_fini>, rtld_fini=0x11dd30 <ndr_print_nb_flags+288>, stack_end=0xbffff2ac)
    at libc-start.c:220
#9  0x0027f4d1 in ndr_pull_wkssvc_NetrWorkstationStatisticsGet (ndr=0x3, flags=<value optimized out>, r=0x27f4a0) at ../librpc/gen_ndr/ndr_wkssvc.c:7527
Backtrace stopped: previous frame inner to this frame (corrupt stack?)
Comment 1 Volker Lendecke 2009-09-03 12:09:54 UTC
Created attachment 4641 [details]
Patch for 3.4

This has been fixed in master already.

I'm very sorry that this hit you, that we were not careful enough to include the fix into 3.4 yet.

Attached find the patch that fixed it in master.

Volker
Comment 2 Volker Lendecke 2009-09-03 12:15:22 UTC
Karolin, this needs to go into 3.4.1. Bo Yang did it for master, here's my Ack :-)

Volker
Comment 3 Mike Pontillo 2009-09-04 02:25:33 UTC
Thanks for your quick response. I have confirmed that this patch solves the problem.
Comment 4 Karolin Seeger 2009-09-08 02:37:28 UTC
Pushed, patch will be included in 3.4.1.
Closing out bug report.

Thanks!