Bug 9329 - Directory listing with SeBackup can crash smbd.
Summary: Directory listing with SeBackup can crash smbd.
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.0
Classification: Unclassified
Component: File services (show other bugs)
Version: unspecified
Hardware: All All
: P1 regression (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 8622
  Show dependency treegraph
 
Reported: 2012-10-24 18:35 UTC by Jeremy Allison
Modified: 2012-10-29 19:40 UTC (History)
2 users (show)

See Also:


Attachments
git-am fix for 4.0.0rc (3.43 KB, patch)
2012-10-26 00:15 UTC, Jeremy Allison
no flags Details
updated version of the patch (3.47 KB, patch)
2012-10-29 13:25 UTC, Michael Adam
obnox: review+
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Jeremy Allison 2012-10-24 18:35:01 UTC
A code change since the SeBackup code was added to the tree now means that we indirect through a null token pointer when evaluating ACLs.

Andrew Bartlett <abartlet@samba.org> wrote:

Thanks to a hint Jeremy gave me on a private list, I think I know the
issue.

We fault here, because token == NULL.

> /usr/local/samba/sbin/smbd: #8  <signal handler called>
> /usr/local/samba/sbin/smbd: No symbol table info available.
> /usr/local/samba/sbin/smbd: #9  0xb695556a in security_token_has_sid
> (token=0x0, sid=0x99f3790) at ../libcli/security/security_token.c:109
> /usr/local/samba/sbin/smbd:         i = 0
> /usr/local/samba/sbin/smbd: #10 0xb6955bb4 in se_access_check
> (sd=0x99f35d0, token=0x0, access_desired=1, access_granted=0xbf8dae78)
> at ../libcli/security/access_check.c:229
> /usr/local/samba/sbin/smbd:         ace = 0x99f3760
> /usr/local/samba/sbin/smbd:         i = 0
> /usr/local/samba/sbin/smbd:         bits_remaining = 1
> /usr/local/samba/sbin/smbd:         explicitly_denied_bits = 0
> /usr/local/samba/sbin/smbd:         owner_rights_allowed = 0
> /usr/local/samba/sbin/smbd:         owner_rights_denied = 0
> /usr/local/samba/sbin/smbd:         owner_rights_default = true
> /usr/local/samba/sbin/smbd:         __FUNCTION__ = "se_access_check"
> /usr/local/samba/sbin/smbd: #11 0xb6955e26 in se_file_access_check
> (sd=0x99f35d0, token=0x0, priv_open_requested=true, access_desired=1,
> access_granted=0xbf8dae78) at ../libcli/security/access_check.c:340
> /usr/local/samba/sbin/smbd:         bits_remaining = 149295168
> /usr/local/samba/sbin/smbd:         status = {v = 161424512}
> /usr/local/samba/sbin/smbd:         __FUNCTION__ = "se_file_access_check"
> /usr/local/samba/sbin/smbd: #12 0xb748ae21 in smbd_check_access_rights
> (conn=0x99a98d8, smb_fname=0x99f2eb0, use_privs=true, access_mask=1) at
> ../source3/smbd/open.c:137
> /usr/local/samba/sbin/smbd:         status = {v = 0}
> /usr/local/samba/sbin/smbd:         sd = 0x99f35d0
> /usr/local/samba/sbin/smbd:         rejected_share_access = 0
> /usr/local/samba/sbin/smbd:         rejected_mask = 1
> /usr/local/samba/sbin/smbd:         __FUNCTION__ =
> "smbd_check_access_rights"
> /usr/local/samba/sbin/smbd: #13 0xb742cd73 in dptr_create
> (conn=0x99a98d8, req=0x99f2590, fsp=0x0, path=0x99f2870
> "Administrator/Application Data/LibreOffice", old_handle=false,
> expect_close=true, spid=1344, wcard=0x99f28d0 "3", wcard_has_wild=false,
> attr=22, dptr_ret=0xbf8daf94) at ../source3/smbd/dir.c:534
> /usr/local/samba/sbin/smbd:         ret = 0
> /usr/local/samba/sbin/smbd:         backup_intent = true

Here we know the this is a trans2 with backup intent (due to Jeremy's
recent backup privileges work).

> /usr/local/samba/sbin/smbd:         smb_dname = 0x99f2eb0
> /usr/local/samba/sbin/smbd:         status = {v = 0}
> /usr/local/samba/sbin/smbd:         sconn = 0x99e8fa8
> /usr/local/samba/sbin/smbd:         dptr = 0x0
> /usr/local/samba/sbin/smbd:         dir_hnd = 0x94ce0e0
> /usr/local/samba/sbin/smbd:         __FUNCTION__ = "dptr_create"
> /usr/local/samba/sbin/smbd: #14 0xb7471c50 in call_trans2findfirst
> (conn=0x99a98d8, req=0x99f2590, pparams=0x911fe1c, total_params=104,
> ppdata=0x911fe24, total_data=0, max_data_bytes=16384) at
> ../source3/smbd/trans2.c:2499


> /usr/local/samba/sbin/smbd:         backup_priv = true
> /usr/local/samba/sbin/smbd:         __FUNCTION__ = "call_trans2findfirst"

At line 2393 of source3/smbd/trans2.c we call become_root().  We
correctly unbecome_root() later, but in the meantime we call
dptr_create(), which calls smbc_check_access_rights() and eventually
calls get_current_nttok().

Because we are in a become_root(), the token is NULL, and so we
segfault.
Comment 1 Jeremy Allison 2012-10-26 00:15:27 UTC
Created attachment 8109 [details]
git-am fix for 4.0.0rc
Comment 2 Michael Adam 2012-10-29 13:25:41 UTC
Created attachment 8114 [details]
updated version of the patch

This is the slightly updated version of the patch that is currently in autobuild for master. Two changes:

1) my reviewed-by tag in the commit message
2) minor indentation fix in debug and panic argument strings.

Michael
Comment 3 Michael Adam 2012-10-29 13:31:03 UTC
given that my updated patch essentially carries my review tag in the commit messages plus a minor intentation change, I regard this "review +" as sufficient and hand the bug to Karolin for inclusion into 4.0.0rcX

Michael
Comment 4 Karolin Seeger 2012-10-29 19:40:44 UTC
Pushed to autobuild-v4-0-test.
Closing out bug report.

Thanks!