git.samba.org / samba.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d23dd3e) | patch
vfs_aio_pthread: fix segfault if samba-tool ntacl get
authorJones Syue <jonessyue@qnap.com>
Wed, 2 Aug 2023 01:48:40 +0000 (09:48 +0800)
committerStefan Metzmacher <metze@samba.org>
Wed, 2 Aug 2023 11:16:40 +0000 (11:16 +0000)
commit8f4c1c67b4f118a9a47b09ac7908cd3d969b19c2
tree8a11e9a7d56517573d170c424cd1d3dade720277tree
parentd23dd3e26c5291a381f3576e3a864d8b697ec5aecommit | diff
vfs_aio_pthread: fix segfault if samba-tool ntacl get

If configured as AD DC and aio_pthread appended into 'vfs objects'[1],
run these commands would get segfault:
1. sudo samba-tool ntacl get .
2. sudo net vfs getntacl sysvol .
gdb said it goes through aio_pthread_openat_fn() @ vfs_aio_pthread.c[2],
and the fsp->conn->sconn->client is null (0x0).

'sconn->client' memory is allocated when a new connection is accpeted:
smbd_accept_connection > smbd_process > smbXsrv_client_create
While running local commands looks like it would not go through
smbXsrv_client_create so the 'client' is null, segfault might happen.
We should not dereference 'client->server_multi_channel_enabled',
if 'client' is null.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15441

[1] smb.conf example, samba-4.18.5, ubuntu 22.04.2
[global]
        dns forwarder = 127.0.0.53
        netbios name = U22-JONES-88X1
        realm = U22-JONES-88X1.X88X1.JONES
        server role = active directory domain controller
        workgroup = X88X1
        idmap_ldb:use rfc2307 = yes
        vfs objects = dfs_samba4 acl_xattr aio_pthread

[sysvol]
        path = /var/lib/samba/sysvol
        read only = No

[netlogon]
        path = /var/lib/samba/sysvol/u22-jones-88x1.x88x1.jones/scripts
        read only = No

[2] gdb
(gdb) run /usr/local/samba/bin/samba-tool ntacl get .
Starting program: /usr/local/Python3/bin/python3 /usr/local/samba/bin/samba-tool ntacl get .
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00007fffd0eb809e in aio_pthread_openat_fn (handle=0x8d5cc0, dirfsp=0x8c3070, smb_fname=0x18ab4f0, fsp=0x1af3550, flags=196608, mode=0)
    at ../../source3/modules/vfs_aio_pthread.c:467
warning: Source file is more recent than executable.
467             if (fsp->conn->sconn->client->server_multi_channel_enabled) {
(gdb) bt
    at ../../source3/modules/vfs_aio_pthread.c:467
    at ../../source3/smbd/pysmbd.c:320
---Type <return> to continue, or q <return> to quit---
(gdb) f
    at ../../source3/modules/vfs_aio_pthread.c:467
467             if (fsp->conn->sconn->client->server_multi_channel_enabled) {
(gdb) p fsp->conn->sconn->client
$1 = (struct smbXsrv_client *) 0x0
(gdb)

Signed-off-by: Jones Syue <jonessyue@qnap.com>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
source3/modules/vfs_aio_pthread.c diff | blob | history
Samba Shared Repository