Bug 8884 - samba crash on a wbinfo request
Summary: samba crash on a wbinfo request
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: Other
Version: unspecified
Hardware: All All
Importance: P5 critical
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: samba4-qa@samba.org
Reported: 2012-04-19 22:37 UTC by Matthieu Patou
Modified: 2012-04-23 09:29 UTC
Description Matthieu Patou 2012-04-19 22:37:44 UTC
GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.launchpad.net/gdb-linaro/>...
Reading symbols from /usr/local/src/samba/bin/samba...done.
(gdb) r
Starting program: /usr/local/src/samba/bin/samba -i -M single -s /home/mat/workspace/samba/rodc_mat/etc/smb.conf
[Thread debugging using libthread_db enabled]
samba version 4.0.0alpha20-DEVELOPERBUILD started.
Copyright Andrew Tridgell and the Samba Team 1992-2012
samba: using 'single' process model
../source4/dsdb/dns/dns_update.c:294: Failed DNS update - NT_STATUS_IO_TIMEOUT
talloc: access after free error - first free may be at ../lib/talloc/talloc.c:1073
Bad talloc magic value - access after free
PANIC: Bad talloc magic value - access after free

Program received signal SIGABRT, Aborted.
0x00007ffff3d363a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64	../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
	in ../nptl/sysdeps/unix/sysv/linux/raise.c
(gdb) bt
#0  0x00007ffff3d363a5 in __GI_raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff3d39b0b in __GI_abort () at abort.c:92
#2  0x00007ffff66b6988 in smb_panic_default (why=0x7ffff6289bf0 "Bad talloc magic value - access after free") at ../lib/util/fault.c:149
#3  0x00007ffff66b69c6 in smb_panic (why=0x7ffff6289bf0 "Bad talloc magic value - access after free") at ../lib/util/fault.c:162
#4  0x00007ffff62851a1 in talloc_abort (reason=0x7ffff6289bf0 "Bad talloc magic value - access after free") at ../lib/talloc/talloc.c:320
#5  0x00007ffff628521d in talloc_abort_access_after_free () at ../lib/talloc/talloc.c:336
#6  0x00007ffff628529a in talloc_chunk_from_ptr (ptr=0x100f6a0) at ../lib/talloc/talloc.c:357
#7  0x00007ffff6286f28 in talloc_get_name (ptr=0x100f6a0) at ../lib/talloc/talloc.c:1152
#8  0x00007ffff62870a8 in _talloc_get_type_abort (ptr=0x100f6a0, name=0x7fffeb83cacc "struct composite_context", 
    location=0x7fffeb83cc40 "../source4/libnet/libnet_group.c:366") at ../lib/talloc/talloc.c:1205
#9  0x00007fffeb82120f in continue_group_info (ctx=0x16f6ab0) at ../source4/libnet/libnet_group.c:366
#10 0x00007ffff1461117 in composite_error (ctx=0x16f6ab0, status=...) at ../source4/libcli/composite/composite.c:114
#11 0x00007fffeb826f37 in continue_groupinfo_getgroup (subreq=0x0) at ../source4/libnet/groupinfo.c:188
#12 0x00007ffff64924d3 in _tevent_req_notify_callback (req=0x863840, location=0x7fffee6c7e40 "default/librpc/gen_ndr/ndr_samr_c.c:4522")
    at ../lib/tevent/tevent_req.c:101
#13 0x00007ffff6492505 in tevent_req_finish (req=0x863840, state=TEVENT_REQ_DONE, location=0x7fffee6c7e40 "default/librpc/gen_ndr/ndr_samr_c.c:4522")
    at ../lib/tevent/tevent_req.c:110
#14 0x00007ffff649252c in _tevent_req_done (req=0x863840, location=0x7fffee6c7e40 "default/librpc/gen_ndr/ndr_samr_c.c:4522") at ../lib/tevent/tevent_req.c:116
#15 0x00007fffee63dff2 in dcerpc_samr_QueryGroupInfo_r_done (subreq=0x9d8380) at default/librpc/gen_ndr/ndr_samr_c.c:4522
#16 0x00007ffff64924d3 in _tevent_req_notify_callback (req=0x9d8380, location=0x7ffff42c8850 "../librpc/rpc/binding_handle.c:492") at ../lib/tevent/tevent_req.c:101
#17 0x00007ffff6492505 in tevent_req_finish (req=0x9d8380, state=TEVENT_REQ_DONE, location=0x7ffff42c8850 "../librpc/rpc/binding_handle.c:492")
    at ../lib/tevent/tevent_req.c:110
#18 0x00007ffff649252c in _tevent_req_done (req=0x9d8380, location=0x7ffff42c8850 "../librpc/rpc/binding_handle.c:492") at ../lib/tevent/tevent_req.c:116
#19 0x00007ffff42c50b6 in dcerpc_binding_handle_call_done (subreq=0x0) at ../librpc/rpc/binding_handle.c:492
#20 0x00007ffff64924d3 in _tevent_req_notify_callback (req=0x8198b0, location=0x7ffff42c83c0 "../librpc/rpc/binding_handle.c:163") at ../lib/tevent/tevent_req.c:101
#21 0x00007ffff6492505 in tevent_req_finish (req=0x8198b0, state=TEVENT_REQ_DONE, location=0x7ffff42c83c0 "../librpc/rpc/binding_handle.c:163")
    at ../lib/tevent/tevent_req.c:110
#22 0x00007ffff649252c in _tevent_req_done (req=0x8198b0, location=0x7ffff42c83c0 "../librpc/rpc/binding_handle.c:163") at ../lib/tevent/tevent_req.c:116
#23 0x00007ffff42c45a5 in dcerpc_binding_handle_raw_call_done (subreq=0x0) at ../librpc/rpc/binding_handle.c:163
#24 0x00007ffff64924d3 in _tevent_req_notify_callback (req=0x13356a0, location=0x7ffff53444e8 "../source4/librpc/rpc/dcerpc.c:298") at ../lib/tevent/tevent_req.c:101
#25 0x00007ffff6492505 in tevent_req_finish (req=0x13356a0, state=TEVENT_REQ_DONE, location=0x7ffff53444e8 "../source4/librpc/rpc/dcerpc.c:298")
    at ../lib/tevent/tevent_req.c:110
#26 0x00007ffff6492623 in tevent_req_trigger (ev=0x6244b0, im=0x1a5c280, private_data=0x13356a0) at ../lib/tevent/tevent_req.c:166
#27 0x00007ffff6491a38 in tevent_common_loop_immediate (ev=0x6244b0) at ../lib/tevent/tevent_immediate.c:135
#28 0x00007ffff64959e4 in std_event_loop_once (ev=0x6244b0, location=0x40faf7 "../source4/smbd/server.c:472") at ../lib/tevent/tevent_standard.c:554
#29 0x00007ffff6490c20 in _tevent_loop_once (ev=0x6244b0, location=0x40faf7 "../source4/smbd/server.c:472") at ../lib/tevent/tevent.c:504
#30 0x00007ffff6490e45 in tevent_common_loop_wait (ev=0x6244b0, location=0x40faf7 "../source4/smbd/server.c:472") at ../lib/tevent/tevent.c:605
#31 0x00007ffff6490f10 in _tevent_loop_wait (ev=0x6244b0, location=0x40faf7 "../source4/smbd/server.c:472") at ../lib/tevent/tevent.c:624
#32 0x000000000040b48c in binary_smbd_main (binary_name=0x40f4db "samba", argc=6, argv=0x7fffffffe678) at ../source4/smbd/server.c:472
#33 0x000000000040b4d2 in main (argc=6, argv=0x7fffffffe678) at ../source4/smbd/server.c:483
Comment 1 Matthieu Patou 2012-04-19 22:44:53 UTC
Highly reproducible:
./bin/wbinfo --group-info=administrator

In order to trigger the bug, the group has to be a non-valid group but a valid user name.
Comment 2 Andrew Bartlett 2012-04-23 09:29:55 UTC
Fixed with bb3d983f5bc4b49619f26af44c3c540c3030155f