
vfs_aio_pthread: fix segfault if samba-tool ntacl get

If Samba is configured as an AD DC and aio_pthread is appended to 'vfs objects'[1], running these commands results in a segfault:

  1. sudo samba-tool ntacl get .
  2. sudo net vfs getntacl sysvol .

gdb shows it goes through aio_pthread_openat_fn() in vfs_aio_pthread.c[2], and fsp->conn->sconn->client is null (0x0).

'sconn->client' memory is allocated when a new connection is accepted:

smbd_accept_connection > smbd_process > smbXsrv_client_create

When running local commands, it looks like smbXsrv_client_create is not called, so 'client' is null and a segfault can happen. We should not dereference 'client->server_multi_channel_enabled' if 'client' is null.
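The two situations described above, as an added example that is not Samba's code: constructed stand-in structs carry only the field names seen in the gdb session (smbXsrv_client, server_multi_channel_enabled), and the guarded check treats a missing client, as a local samba-tool or net invocation has, as "multi-channel disabled" instead of dereferencing NULL.

```c
/* Added example, not Samba's code. The struct layouts are invented
 * stand-ins; only the field names mirror the gdb session on the page. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct smbXsrv_client { bool server_multi_channel_enabled; };
struct smbd_server_connection { struct smbXsrv_client *client; };
struct connection_struct { struct smbd_server_connection *sconn; };
struct files_struct { struct connection_struct *conn; };

/* The check as it crashed (vfs_aio_pthread.c:467 on the page). It is only
 * safe after smbXsrv_client_create ran for an accepted connection, never for
 * an in-process samba-tool/net call, where sconn->client stays NULL. */
static bool unguarded_multi_channel(const struct files_struct *fsp)
{
	return fsp->conn->sconn->client->server_multi_channel_enabled;
}

/* Guarded form: no client attached means no multi-channel session,
 * so report "disabled" rather than dereferencing a NULL client. */
static bool guarded_multi_channel(const struct files_struct *fsp)
{
	const struct smbXsrv_client *client = fsp->conn->sconn->client;
	if (client == NULL) {
		return false;
	}
	return client->server_multi_channel_enabled;
}

/* Build the chain as a local tool sees it (have_client == false, as in the
 * gdb session) or as an accepted connection sees it, then run the guard. */
static bool guarded_check(bool have_client, bool multi_channel)
{
	struct smbXsrv_client client = { .server_multi_channel_enabled = multi_channel };
	struct smbd_server_connection sconn = { .client = have_client ? &client : NULL };
	struct connection_struct conn = { .sconn = &sconn };
	struct files_struct fsp = { .conn = &conn };
	return guarded_multi_channel(&fsp);
}

/* With a client present the guard changes nothing: both forms agree. */
static bool forms_agree_when_connected(bool multi_channel)
{
	struct smbXsrv_client client = { .server_multi_channel_enabled = multi_channel };
	struct smbd_server_connection sconn = { .client = &client };
	struct connection_struct conn = { .sconn = &sconn };
	struct files_struct fsp = { .conn = &conn };
	return guarded_multi_channel(&fsp) == unguarded_multi_channel(&fsp);
}

int main(void)
{
	printf("local tool (client NULL): multi-channel=%d\n", guarded_check(false, false));
	printf("connected, flag on: multi-channel=%d\n", guarded_check(true, true));
	return 0;
}
```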

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15441

[1] smb.conf example, samba-4.18.5, ubuntu 22.04.2
[global]
        dns forwarder = 127.0.0.53
        netbios name = U22-JONES-88X1
        realm = U22-JONES-88X1.X88X1.JONES
        server role = active directory domain controller
        workgroup = X88X1
        idmap_ldb:use rfc2307 = yes
        vfs objects = dfs_samba4 acl_xattr aio_pthread

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/u22-jones-88x1.x88x1.jones/scripts
        read only = No

[2] gdb
(gdb) run /usr/local/samba/bin/samba-tool ntacl get .
Starting program: /usr/local/Python3/bin/python3 /usr/local/samba/bin/samba-tool ntacl get .
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0)
    at ../../source3/modules/vfs_aio_pthread.c:467
warning: Source file is more recent than executable.
467             if (fsp->conn->sconn->client->server_multi_channel_enabled) {
(gdb) bt
#0  0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0)
    at ../../source3/modules/vfs_aio_pthread.c:467
#1  0x00007fffe0497b79 in smb_vfs_call_openat (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0) at ../../source3/smbd/vfs.c:1746
#2  0x00007fffe047f406 in non_widelink_open (dirfsp=0x8c3070, fsp=0x1af3550, smb_fname=0x10fe0c0, flags=196608, mode=0, link_depth=0) at ../../source3/smbd/open.c:810
#3  0x00007fffe047f90e in fd_openat (dirfsp=0x8c3070, smb_fname=0x10fe0c0, fsp=0x1af3550, flags=65536, mode=0) at ../../source3/smbd/open.c:954
#4  0x00007fffe04070ff in openat_pathref_fsp (dirfsp=0x8c3070, smb_fname=0x10fe0c0) at ../../source3/smbd/files.c:510
#5  0x00007fffe093cee3 in get_nt_acl_conn (mem_ctx=0x8c1550, fname=0x7ffff69517e0 ".", conn=0x742ed0, security_info_wanted=15, sd=0x7fffffffca50)
    at ../../source3/smbd/pysmbd.c:320
#6  0x00007fffe093e5e0 in py_smbd_get_nt_acl (self=0x7fffe3f13470, args=0x7fffd991fc80, kwargs=0x7fffda0cc550) at ../../source3/smbd/pysmbd.c:877
#7  0x00007ffff79107bf in _PyMethodDef_RawFastCallKeywords () from /usr/local/lib/libpython3.7m.so.1.0
#8  0x00007ffff7910a25 in _PyCFunction_FastCallKeywords () from /usr/local/lib/libpython3.7m.so.1.0
#9  0x00007ffff78eab02 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
#10 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
#11 0x00007ffff7910485 in _PyFunction_FastCallKeywords () from /usr/local/lib/libpython3.7m.so.1.0
#12 0x00007ffff78ea798 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
#13 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
#14 0x00007ffff7910307 in _PyFunction_FastCallDict () from /usr/local/lib/libpython3.7m.so.1.0
#15 0x00007ffff7911541 in _PyObject_Call_Prepend () from /usr/local/lib/libpython3.7m.so.1.0
#16 0x00007ffff7912a39 in PyObject_Call () from /usr/local/lib/libpython3.7m.so.1.0
#17 0x00007ffff78e56e0 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
#18 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
#19 0x00007ffff7910221 in _PyFunction_FastCallDict () from /usr/local/lib/libpython3.7m.so.1.0
#20 0x00007ffff7911541 in _PyObject_Call_Prepend () from /usr/local/lib/libpython3.7m.so.1.0
#21 0x00007ffff7912a39 in PyObject_Call () from /usr/local/lib/libpython3.7m.so.1.0
#22 0x00007ffff78e56e0 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
#23 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
#24 0x00007ffff7910221 in _PyFunction_FastCallDict () from /usr/local/lib/libpython3.7m.so.1.0
#25 0x00007ffff7911541 in _PyObject_Call_Prepend () from /usr/local/lib/libpython3.7m.so.1.0
#26 0x00007ffff7912a39 in PyObject_Call () from /usr/local/lib/libpython3.7m.so.1.0
#27 0x00007ffff78e56e0 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
#28 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
#29 0x00007ffff7910221 in _PyFunction_FastCallDict () from /usr/local/lib/libpython3.7m.so.1.0
#30 0x00007ffff7911541 in _PyObject_Call_Prepend () from /usr/local/lib/libpython3.7m.so.1.0
#31 0x00007ffff7912a39 in PyObject_Call () from /usr/local/lib/libpython3.7m.so.1.0
#32 0x00007ffff78e56e0 in _PyEval_EvalFrameDefault () from /usr/local/lib/libpython3.7m.so.1.0
#33 0x00007ffff79f6c9e in _PyEval_EvalCodeWithName () from /usr/local/lib/libpython3.7m.so.1.0
#34 0x00007ffff79f6dbe in PyEval_EvalCodeEx () from /usr/local/lib/libpython3.7m.so.1.0
#35 0x00007ffff79f6deb in PyEval_EvalCode () from /usr/local/lib/libpython3.7m.so.1.0
---Type <return> to continue, or q <return> to quit---
#36 0x00007ffff7a2ac8e in PyRun_FileExFlags () from /usr/local/lib/libpython3.7m.so.1.0
#37 0x00007ffff7a2ae06 in PyRun_SimpleFileExFlags () from /usr/local/lib/libpython3.7m.so.1.0
#38 0x00007ffff7a4e595 in ?? () from /usr/local/lib/libpython3.7m.so.1.0
#39 0x00007ffff7a4e81d in _Py_UnixMain () from /usr/local/lib/libpython3.7m.so.1.0
#40 0x00007ffff6995810 in __libc_start_main () from /lib/libc.so.6
#41 0x0000000000400729 in _start ()
(gdb) f
#0  0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0)
    at ../../source3/modules/vfs_aio_pthread.c:467
467             if (fsp->conn->sconn->client->server_multi_channel_enabled) {
(gdb) p fsp->conn->sconn->client
$1 = (struct smbXsrv_client *) 0x0
(gdb)

Checklist

  • Commits have Signed-off-by: with name/author being identical to the commit author
  • (optional) This MR is just one part towards a larger feature.
  • (optional, if backport required) Bugzilla bug filed and BUG: tag added
  • Test suite updated with functionality tests
  • Test suite updated with negative tests
  • Documentation updated
  • CI timeout is 3h or higher (see Settings/CICD/General pipelines/ Timeout)

Reviewer's checklist:

  • There is a test suite reasonably covering new functionality or modifications
  • Function naming, parameters, return values, types, etc., are consistent and according to README.Coding.md
  • This feature/change has adequate documentation added
  • No obvious mistakes in the code
