Stefan Metzmacher [Wed, 30 Nov 2022 13:59:36 +0000 (14:59 +0100)]
CVE-2022-38023 s3:winbindd: also allow per domain "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
This avoids advising insecure defaults for the global options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
d60828f6391307a59abaa02b72b6a8acf66b2fef)
Stefan Metzmacher [Wed, 30 Nov 2022 15:16:05 +0000 (16:16 +0100)]
CVE-2022-38023 s3:net: add and use net_warn_member_options() helper
This makes sure domain member related 'net' commands print warnings
about unsecure smb.conf options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a)
Stefan Metzmacher [Wed, 30 Nov 2022 13:47:33 +0000 (14:47 +0100)]
CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
This warns the admin about insecure options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(similar to commit
7e7adf86e59e8a673fbe87de46cef0d62221e800)
[jsutton@samba.org Replaced call to tevent_cached_getpid() with one to
getpid()]
Stefan Metzmacher [Wed, 30 Nov 2022 13:46:59 +0000 (14:46 +0100)]
CVE-2022-38023 libcli/auth: pass lp_ctx to netlogon_creds_cli_set_global_db()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
992f39a2c8a58301ceeb965f401e29cd64c5a209)
Ralph Boehme [Tue, 6 Dec 2022 15:05:26 +0000 (16:05 +0100)]
CVE-2022-38023 docs-xml: improve wording for several options: "yields precedence" -> "is over-riden"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
830e865ba5648f6520bc552ffd71b61f754b8251)
Ralph Boehme [Tue, 6 Dec 2022 15:00:36 +0000 (16:00 +0100)]
CVE-2022-38023 docs-xml: improve wording for several options: "takes precedence" -> "overrides"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
8ec62694a94c346e6ba8f3144a417c9984a1c8b9)
Andrew Bartlett [Tue, 6 Dec 2022 04:16:00 +0000 (17:16 +1300)]
selftest: make filter-subunit much more efficient for large knownfail lists
By compiling the knownfail lists ahead of time we change a 20min test
into a 90sec test.
This could be improved further by combining this into a single regular expression,
but this is enough for now. The 'reason' is thankfully not used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15258
Pair-programmed-with: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
22128c718cadd34af892df102bd52df6a6b03303)
Nicolas Williams [Wed, 12 Oct 2011 06:15:13 +0000 (01:15 -0500)]
CVE-2022-45141 source4/heimdal: Fix check-des
The previous fix was incomplete. But it also finally uncovered an
old check-des problem that I'd had once and which may have gotten
papered over by changing the default of one of the *strongest* KDC
parameters. The old problem is that we were passing the wrong
enctype to _kdc_encode_reply(): we were passing the session key
enctype where the ticket enc-part key's enctype was expected.
The whole enctype being passed in is superfluous anyways. Let's
clean that up next.
(cherry picked from Heimdal commit
4c6976a6bdf8a76c6f3c650ae970d46c931e5c71)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Nicolas Williams [Wed, 12 Oct 2011 04:57:58 +0000 (23:57 -0500)]
CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part key selection
When I added support for configuring how the KDC selects session,
reply, and ticket enc-part keys I accidentally had the KDC use the
session key selection algorithm for selecting the ticket enc-part
key. This becomes a problem when using a Heimdal KDC with an MIT
KDB as the HDB backend and when the krbtgt keys are not in
strongest-to-weakest order, in which case forwardable tickets minted
by the Heimdal KDC will not be accepted by MIT KDCs with the same
KDB.
(cherry picked from Heimdal commit
12cd2c9cbd1ca027a3ef9ac7ab3e79526b1348ae)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Joseph Sutton [Wed, 7 Dec 2022 07:13:25 +0000 (20:13 +1300)]
CVE-2022-44640 source4/heimdal: Fix use-after-free when decoding PA-ENC-TS-ENC
Upstream Heimdal fixed this in commit
7151d4e66c07b42c15187becd61fb20e0666458a (partial handling of
ENC-CHALLANGE).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Nicolas Williams [Wed, 10 Mar 2021 22:49:04 +0000 (16:49 -0600)]
CVE-2022-44640 HEIMDAL: asn1: Invalid free in ASN.1 codec
This is a 10.0 on the Common Vulnerability Scoring System (CVSS) v3.
Heimdal's ASN.1 compiler generates code that allows specially
crafted DER encodings of CHOICEs to invoke the wrong free function
on the decoded structure upon decode error. This is known to impact
the Heimdal KDC, leading to an invalid free() of an address partly
or wholly under the control of the attacker, in turn leading to a
potential remote code execution (RCE) vulnerability.
This error affects the DER codec for all CHOICE types used in
Heimdal, though not all cases will be exploitable. We have not
completed a thorough analysis of all the Heimdal components
affected, thus the Kerberos client, the X.509 library, and other
parts, may be affected as well.
This bug has been in Heimdal since 2005. It was first reported by
Douglas Bagnall, though it had been found independently by the
Heimdal maintainers via fuzzing a few weeks earlier.
While no zero-day exploit is known, such an exploit will likely be
available soon after public disclosure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
[abartlet@samba.org Adapted from Heimdal commit
ea5ec8f174920cb80ce2b168b49195378420449e for older Heimdal in Samba 4.15
by dropping fuzz-inputs file and EXPORTS entry for fuzzing]
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Stefan Metzmacher [Wed, 16 Nov 2022 11:08:45 +0000 (12:08 +0100)]
CVE-2022-42898: HEIMDAL: lib/krb5: fix _krb5_get_int64 on systems where 'unsigned long' is just 32-bit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Wed Nov 23 18:54:37 UTC 2022 on sn-devel-184
Jule Anger [Tue, 15 Nov 2022 16:02:07 +0000 (17:02 +0100)]
VERSION: Bump version up to Samba 4.15.13...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Sun, 13 Nov 2022 17:35:07 +0000 (18:35 +0100)]
VERSION: Disable GIT_SNAPSHOT for the 4.15.12 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Sun, 13 Nov 2022 17:34:03 +0000 (18:34 +0100)]
WHATSNEW: Add release notes for Samba 4.15.12.
Signed-off-by: Jule Anger <janger@samba.org>
Joseph Sutton [Fri, 14 Oct 2022 03:45:37 +0000 (16:45 +1300)]
CVE-2022-42898 source4/heimdal: PAC parse integer overflows
Catch overflows that result from adding PAC_INFO_BUFFER_SIZE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
Heavily edited by committer Nico Williams <nico@twosigma.com>, original by
Joseph Sutton <josephsutton@catalyst.net.nz>.
Signed-off-by: Nico Williams <nico@twosigma.com>
[jsutton@samba.org Zero-initialised header_size in krb5_pac_parse() to
avoid a maybe-uninitialized error; added a missing check for ret == 0]
[jsutton@samba.org Backported to our older version of Heimdal; removed
lib/krb5/test_pac.c which we don't have]
Nicolas Williams [Wed, 16 Nov 2016 17:39:27 +0000 (11:39 -0600)]
CVE-2022-42898 source4/heimdal: Round #2 of scan-build warnings cleanup
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
[jsutton@samba.org Kept only the modification to lib/krb5/store.c to
avoid a build error]
Nicolas Williams [Thu, 21 May 2015 19:24:38 +0000 (14:24 -0500)]
CVE-2022-42898 source4/heimdal: Add krb5_ret/store_[u]int64()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
[jsutton@samba.org backported from Heimdal commit
996d4c5db3c8aee10b7496591db13f52a575cef5; removed changes to
lib/krb5/libkrb5-exports.def.in which we don't have]
Nicolas Williams [Thu, 21 May 2015 19:05:31 +0000 (14:05 -0500)]
CVE-2022-42898 source4/heimdal: Add bswap64()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15203
[jsutton@samba.org backported from Heimdal commit
0271b171e5331f0f562319b887f5f0b058ecc9b4; removed changes to
cf/roken-frag.m4 that we don't have]
Jule Anger [Tue, 25 Oct 2022 09:43:56 +0000 (11:43 +0200)]
VERSION: Bump version up to Samba 4.15.12...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 24 Oct 2022 10:35:24 +0000 (12:35 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.15.11 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Mon, 24 Oct 2022 10:19:04 +0000 (12:19 +0200)]
WHATSNEW: Add release notes for Samba 4.15.11.
Signed-off-by: Jule Anger <janger@samba.org>
Joseph Sutton [Wed, 12 Oct 2022 00:57:33 +0000 (13:57 +1300)]
CVE-2022-3437 source4/heimdal: Pass correct length to _gssapi_verify_pad()
We later subtract 8 when calculating the length of the output message
buffer. If padlength is excessively high, this calculation can underflow
and result in a very large positive value.
Now we properly constrain the value of padlength so underflow shouldn't
be possible.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 10 Oct 2022 07:33:09 +0000 (20:33 +1300)]
CVE-2022-3437 source4/heimdal: Check for overflow in _gsskrb5_get_mech()
If len_len is equal to total_len - 1 (i.e. the input consists only of a
0x60 byte and a length), the expression 'total_len - 1 - len_len - 1',
used as the 'len' parameter to der_get_length(), will overflow to
SIZE_MAX. Then der_get_length() will proceed to read, unconstrained,
whatever data follows in memory. Add a check to ensure that doesn't
happen.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 15 Aug 2022 04:54:23 +0000 (16:54 +1200)]
CVE-2022-3437 source4/heimdal: Check buffer length against overflow for DES{,3} unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 15 Aug 2022 04:53:55 +0000 (16:53 +1200)]
CVE-2022-3437 source4/heimdal: Check the result of _gsskrb5_get_mech()
We should make sure that the result of 'total_len - mech_len' won't
overflow, and that we don't memcmp() past the end of the buffer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Mon, 15 Aug 2022 04:53:45 +0000 (16:53 +1200)]
CVE-2022-3437 source4/heimdal: Avoid undefined behaviour in _gssapi_verify_pad()
By decrementing 'pad' only when we know it's safe, we ensure we can't
stray backwards past the start of a buffer, which would be undefined
behaviour.
In the previous version of the loop, 'i' is the number of bytes left to
check, and 'pad' is the current byte we're checking. 'pad' was
decremented at the end of each loop iteration. If 'i' was 1 (so we
checked the final byte), 'pad' could potentially be pointing to the
first byte of the input buffer, and the decrement would put it one
byte behind the buffer.
That would be undefined behaviour.
The patch changes it so that 'pad' is the byte we previously checked,
which allows us to ensure that we only decrement it when we know we
have a byte to check.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 12 Oct 2022 00:57:42 +0000 (13:57 +1300)]
CVE-2022-3437 source4/heimdal: Don't pass NULL pointers to memcpy() in DES unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 12 Oct 2022 00:57:55 +0000 (13:57 +1300)]
CVE-2022-3437 source4/heimdal: Use constant-time memcmp() in unwrap_des3()
The surrounding checks all use ct_memcmp(), so this one was presumably
meant to as well.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton [Wed, 12 Oct 2022 00:57:13 +0000 (13:57 +1300)]
CVE-2022-3437 source4/heimdal: Use constant-time memcmp() for arcfour unwrap
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[jsutton@samba.org Adapted to small differences in comparisons, and
removed erroneous duplicate code in conflicting region]
Joseph Sutton [Wed, 12 Oct 2022 00:55:39 +0000 (13:55 +1300)]
CVE-2022-3437 s4/auth/tests: Add unit tests for unwrap_des3()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[jsutton@samba.org Adapted to lack of 'samba.unittests.auth.sam' test,
renamed 'third_party' to 'source4' in paths, defined
HEIMDAL_NORETURN_ATTRIBUTE and HEIMDAL_PRINTF_ATTRIBUTE to fix compiler
error]
Joseph Sutton [Wed, 12 Oct 2022 00:55:51 +0000 (13:55 +1300)]
CVE-2022-3437 source4/heimdal_build: Add gssapi-subsystem subsystem
This allows us to access (and so test) functions internal to GSSAPI by
depending on this subsystem.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[jsutton@samba.org Adapted to older wscript_build file]
Joseph Sutton [Wed, 12 Oct 2022 00:56:08 +0000 (13:56 +1300)]
CVE-2022-3437 source4/heimdal: Remove __func__ compatibility workaround
As described by the C standard, __func__ is a variable, not a macro.
Hence this #ifndef check does not work as intended, and only serves to
unconditionally disable __func__. A nonoperating __func__ prevents
cmocka operating correctly, so remove this definition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15134
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Andrew Bartlett [Fri, 6 May 2022 05:53:29 +0000 (17:53 +1200)]
.gitlab-ci: Work around new git restrictions arising from CVE-2022-24765
It was realised that git would run commands found in a git repo
(eg from configuration).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15193
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit
dd568490089ae6d5bcf03068bfc4ca6b9103badb)
Andreas Schneider [Thu, 3 Feb 2022 14:43:54 +0000 (15:43 +0100)]
bootstrap: Migrate to CentOS8 Stream
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15193
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Fri Feb 4 21:11:40 UTC 2022 on sn-devel-184
[adapted from commit
136ec5bc01e2648bae34a1158f923fbf5a86d561 in the
hope of getting lmdb-devel to be available for the CentoS 8 image]
Andrew Bartlett [Fri, 6 May 2022 01:29:05 +0000 (13:29 +1200)]
bootstrap: chown the whole cloned repo, not just the subfolders
Modern git versions have started to notice the possible security issue.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15193
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
[abartlet@samba.org adapted from commit
c771d197eeebf2b01d46451cc51b698a99502935
with new sha1sum]
Andreas Schneider [Thu, 3 Feb 2022 06:53:33 +0000 (07:53 +0100)]
bootstrap: Fix CentOS8 runner
CentOS8 is EOL since December 31, 2021. The packages move to vault.centos.org.
We should migrate to CentOS8 Stream soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15193
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Feb 3 14:31:01 UTC 2022 on sn-devel-184
[abartlet@samba.org Adapted from commit
0c6554aa0d6812343a8155fca3d7a7993cd5c703
by updating sha1sum]
Jule Anger [Wed, 28 Sep 2022 15:32:01 +0000 (17:32 +0200)]
VERSION: Bump version up to Samba 4.15.11...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Wed, 28 Sep 2022 15:31:24 +0000 (17:31 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.15.10 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Wed, 28 Sep 2022 15:31:01 +0000 (17:31 +0200)]
WHATSNEW: Add release notes for Samba 4.15.10.
Signed-off-by: Jule Anger <janger@samba.org>
Jeremy Allison [Thu, 15 Sep 2022 00:05:05 +0000 (17:05 -0700)]
s3: smbd: Fix memory leak in smbd_server_connection_terminate_done().
The function smbd_server_connection_terminate_done() does not free subreq
which is allocated in smbXsrv_connection_shutdown_send, this can be a
memory leakage if multi-channel is enabled.
Suggested fix by haihua yang <hhyangdev@gmail.com>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15174
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Sep 23 09:51:20 UTC 2022 on sn-devel-184
(cherry picked from commit
b600b0c8d9690cb5eeded1e5925c8e667c11af04)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Wed Sep 28 09:36:41 UTC 2022 on sn-devel-184
Ralph Boehme [Thu, 1 Sep 2022 16:55:52 +0000 (18:55 +0200)]
smbd: check for streams support in unix_convert()
Fixes a regression introduced by the fixes for bug 15126 where we crash in
vfs_default in vfswrap_stat():
assert failed: !is_named_stream(smb_fname)
The frontend calls into the VFS from build_stream_path() with a stream path
without checking if the share supports streams.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15161
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
[slow@samba.org: change from master adapted for unix_convert()]
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Tue Sep 6 07:31:51 UTC 2022 on sn-devel-184
Ralph Boehme [Fri, 2 Sep 2022 10:09:53 +0000 (12:09 +0200)]
smbd: return NT_STATUS_OBJECT_NAME_INVALID if a share doesn't support streams
This is what a Windows server returns. Tested with a share residing on a FAT
formatted drive, a Windows filesystem that doesn't support streams.
Combinations tested:
file::$DATA
file:stream
file:stream:$DATA
All three fail with NT_STATUS_OBJECT_NAME_INVALID.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15161
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
201e1969bf31af07e8bd52876ff7f4d72b48a848)
Ralph Boehme [Thu, 1 Sep 2022 16:55:23 +0000 (18:55 +0200)]
smbtorture: add a test trying to create a stream on share without streams support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15161
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(backported from commit
3dcdab86f13fabb7a8c6ce71c59a565287d11244)
[slow@samba.org: context changes from different tests]
Ralph Boehme [Sun, 14 Aug 2022 16:46:24 +0000 (18:46 +0200)]
smbd: implement access checks for SMB2-GETINFO as per MS-SMB2 3.3.5.20.1
The spec lists the following as requiring special access:
- for requiring FILE_READ_ATTRIBUTES:
FileBasicInformation
FileAllInformation
FileNetworkOpenInformation
FileAttributeTagInformation
- for requiring FILE_READ_EA:
FileFullEaInformation
All other infolevels are unrestricted.
We ignore the IPC related infolevels:
FilePipeInformation
FilePipeLocalInformation
FilePipeRemoteInformation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15153
RN: Missing SMB2-GETINFO access checks from MS-SMB2 3.3.5.20.1
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Tue Aug 23 12:54:08 UTC 2022 on sn-devel-184
(cherry picked from commit
6d493a9d568c08cfe5242821ccbd5a5ee1fe5284)
Ralph Boehme [Fri, 19 Aug 2022 15:29:55 +0000 (17:29 +0200)]
smbtorture: check required access for SMB2-GETINFO
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15153
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
9b2d28157107602fcbe659664cf9ca25f08bb30b)
Ralph Boehme [Sun, 14 Aug 2022 16:51:30 +0000 (18:51 +0200)]
s4/libcli/smb2: avoid using smb2_composite_setpathinfo() in smb2_util_setatr()
smb2_composite_setpathinfo() uses SEC_FLAG_MAXIMUM_ALLOWED which can
have unwanted side effects like breaking oplocks if the effective access
includes [READ|WRITE]_DATA.
For changing the DOS attributes we only need SEC_FILE_WRITE_ATTRIBUTE. With this
change test_smb2_oplock_batch25() doesn't trigger an oplock break anymore.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15153
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
66e40690bdd41800a01333ce4243bd62ee2b1894)
Ralph Boehme [Sun, 14 Aug 2022 14:39:37 +0000 (16:39 +0200)]
smbd: directly pass fsp to SMB_VFS_FGETXATTR() in fget_ea_dos_attribute()
We're now consistently passing the base_fsp to SMB_VFS_FSET_DOS_ATTRIBUTES(), so
we don't need to check for a stream_fsp here anymore.
Additionally vfs_default will assert a non-stream fsp inside
vfswrap_fgetxattr(), so in case any caller wrongly passes a stream fsp, this is
caught in vfs_default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
968a5ae89f0d0da219e7dd05dd1f7f7c96dbb910)
Ralph Boehme [Thu, 11 Aug 2022 15:18:13 +0000 (17:18 +0200)]
smbd: add and use vfs_fget_dos_attributes()
Commit
d71ef1365cdde47aeb3465699181656b0655fa04 caused a regression where the
creation date on streams wasn't updated anymore on the stream fsp.
By adding a simple wrapper vfs_fget_dos_attributes() that takes care of
- passing only the base_fsp to the VFS, so the VFS can be completely agnostic of
all the streams related complexity like fake fds,
- propagating any updated btime from the base_fsp->fsp_name to the
stream_fsp->fsp_name
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(backported from commit
3f7d8db9945a325020e4d1574289dea9e8331c29)
[slow@samba.org: also update itime and file_id]
Ralph Boehme [Sat, 13 Aug 2022 14:13:07 +0000 (16:13 +0200)]
smbtorture: add test smb2.stream.attributes2
Specifically torture the creation date is the same for the file and its streams.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
e74b10e17ee5df0f77ac5349242841be8d71c4e8)
Ralph Boehme [Sat, 13 Aug 2022 15:04:50 +0000 (17:04 +0200)]
smbtorture: rename smb2.streams.attributes to smb2.streams.attributes1
A subsequent commit adds another streams test named "attributes2", this change
avoids matching the new testname with the existing knownfail entries.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
b5848d391be4f7633745d9c36e432ac8b1c9dba2)
Ralph Boehme [Wed, 27 Jul 2022 16:40:21 +0000 (18:40 +0200)]
vfs_default: assert all passed in fsp's and names are non-stream type
Enforce fsp is a non-stream one in as many VFS operations as possible in
vfs_default. We really need an assert here instead of returning an error, as
otherwise he can have very hard to diagnose bugs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Wed Aug 10 16:32:35 UTC 2022 on sn-devel-184
(backported from commit
fc45fcfde51b0b0bdcd524c82a0f9eabf7273045)
[slow@samba.org: skip some hunks that are not applicable]
Ralph Boehme [Fri, 29 Jul 2022 05:07:25 +0000 (07:07 +0200)]
vfs_streams_xattr: restrict which fcntl's are allowed on streams
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
51243e3849736acbbf1d8f52cc02cdec5995fde4)
Ralph Boehme [Wed, 27 Jul 2022 13:58:37 +0000 (15:58 +0200)]
smbd: skip access checks for stat-opens on streams in open_file()
For streams, access is already checked in create_file_unixpath() by
check_base_file_access().
We already skip the access check in this function when doing an IO open of a
file, see above in open_file(), also skip it for "stat opens".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(backported from commit
f0299abf1b28a14518328710d9f84bef17fd2ecf)
[slow@samba.org: smbd_check_access_rights_fsp(dirfsp) -> smbd_check_access_rights_fsp(parent_dir->fsp)]
[slow@samba.org: posix_flags -> fsp->posix_flags & FSP_POSIX_FLAGS_OPEN]
Ralph Boehme [Wed, 27 Jul 2022 17:05:26 +0000 (19:05 +0200)]
smbd: use metadata_fsp() in get_acl_group_bits()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(backported from commit
06555c6bcb5644fc9eea35b3cbae8d8801c65ab6)
[slow@samba.org: metadata_fsp(fsp) -> metadata_fsp(smb_fname->fsp)]
Ralph Boehme [Fri, 29 Jul 2022 12:56:41 +0000 (14:56 +0200)]
smbd: ignore request to set the SPARSE attribute on streams
As per MS-FSA 2.1.1.5 this is a per stream attribute, but our backends don't
support it in a consistent way, therefor just pretend success and ignore the
request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
3af8f8e8741cc8c889bbf416ccd38a1b702917ec)
Ralph Boehme [Fri, 29 Jul 2022 12:56:21 +0000 (14:56 +0200)]
smbd: use metadata_fsp() with SMB_VFS_FSET_DOS_ATTRIBUTES()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
55e55804bb2d0f21c1bbe207257bb40555f3b7a2)
Ralph Boehme [Fri, 29 Jul 2022 12:55:08 +0000 (14:55 +0200)]
smbd: use metadata_fsp() with SMB_VFS_FGET_DOS_ATTRIBUTES()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
03b9ce84736d536ab2dd8a5ce1a2656e6a90c8c8)
Ralph Boehme [Fri, 29 Jul 2022 12:54:07 +0000 (14:54 +0200)]
smbd: use metadata_fsp() with SMB_VFS_FSET_NT_ACL()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
4ab29e2a345b48ebba652d5154e96adf954a6757)
Ralph Boehme [Fri, 29 Jul 2022 12:49:56 +0000 (14:49 +0200)]
smbd: use metadata_fsp() with SMB_VFS_FGET_NT_ACL()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(backported from commit
c949e4b2a42423ac3851e86e489fd0c5d46d7f1f)
[slow@samba.org: context mismatch due to smbd_check_access_rights_fname() call in master]
Ralph Boehme [Wed, 27 Jul 2022 11:37:32 +0000 (13:37 +0200)]
CI: add a test trying to delete a stream on a pathref ("stat open") handle
When using vfs_streams_xattr, for a pathref handle of a stream the system fd
will be a fake fd created by pipe() in vfs_fake_fd().
For the following callchain we wrongly pass a stream fsp to
SMB_VFS_FGET_NT_ACL():
SMB_VFS_CREATE_FILE(..., "file:stream", ...)
=> open_file():
if (open_fd):
-> taking the else branch:
-> smbd_check_access_rights_fsp(stream_fsp)
-> SMB_VFS_FGET_NT_ACL(stream_fsp)
This is obviously wrong and can lead to strange permission errors when using
vfs_acl_xattr:
in vfs_acl_xattr we will try to read the stored ACL by calling
fgetxattr(fake-fd) which of course faild with EBADF. Now unfortunately the
vfs_acl_xattr code ignores the specific error and handles this as if there was
no ACL stored and subsequently runs the code to synthesize a default ACL
according to the setting of "acl:default acl style".
As the correct access check for streams has already been carried out by calling
check_base_file_access() from create_file_unixpath(), the above problem is not
a security issue: it can only lead to "decreased" permissions resulting in
unexpected ACCESS_DENIED errors.
The fix is obviously going to be calling
smbd_check_access_rights_fsp(stream_fsp->base_fsp).
This test verifies that deleting a file works when the stored NT ACL grants
DELETE_FILE while the basic POSIX permissions (used in the acl_xattr fallback
code) do not.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
23bc760ec5d61208c2d8778991e3d7e202eab352)
Ralph Boehme [Wed, 27 Jul 2022 10:47:21 +0000 (12:47 +0200)]
vfs_xattr_tdb: add "xattr_tdb:ignore_user_xattr" option
Allows passing on "user." xattr to the backend. This can be useful for testing
specific aspects of operation on streams when "streams_xattr" is configured as
stream filesystem backend.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
92e0045d7ca7c0b94efd0244ba0e426cad0a05b6)
Ralph Boehme [Wed, 27 Jul 2022 09:59:54 +0000 (11:59 +0200)]
vfs_xattr_tdb: add a module config
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
451ad315a9bf32c627e1966ec30185542701c87e)
Ralph Boehme [Wed, 27 Jul 2022 10:43:01 +0000 (12:43 +0200)]
vfs_xattr_tdb: move close_xattr_db()
This just makes the diff of the next commit smaller and easier to digest.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
b26dc252aaf3f4b960bdfdb6a3dfe612b89fcdd5)
Ralph Boehme [Wed, 27 Jul 2022 14:04:24 +0000 (16:04 +0200)]
smdb: use fsp_is_alternate_stream() in open_file()
No change in behaviour.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15126
MR: https://gitlab.com/samba-team/samba/-/merge_requests/2643
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
(cherry picked from commit
0d3995cec10c5fae8c8b6a1df312062e38437e6f)
Volker Lendecke [Fri, 11 Feb 2022 08:45:30 +0000 (09:45 +0100)]
smbd: Introduce metadata_fsp()
Centralize the pattern
if (fsp->base_fsp != NULL) {
fsp = fsp->base_fsp;
}
with a descriptive name.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(backported from commit
ac58b0b942cd73210100ee346816a0cf23900716)
[slow@samba.org: only backport the function, skip all updated callers]
Volker Lendecke [Fri, 11 Feb 2022 08:37:35 +0000 (09:37 +0100)]
smbd: Introduce fsp_is_alternate_stream()
To me this is more descriptive than "fsp->base_fsp != NULL". If this
turns out to be a performance problem, I would go and make this a
static inline in smbd/proto.h.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(backported from commit
21b380ca133417df096e2b262a5da41faff186ea)
[slow@samba.org: only backport the function, skip all changed callers]
Andreas Schneider [Tue, 2 Aug 2022 05:55:46 +0000 (07:55 +0200)]
lib:replace: Only include <sys/mount.h> on non-Linux systems
Details at:
https://sourceware.org/glibc/wiki/Release/2.36#Usage_of_.3Clinux.2Fmount.h.3E_and_.3Csys.2Fmount.h.3E
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15132
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
766151bf5b7ef95ae4c8c98b8994e5c21c5bbec0)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Tue Aug 23 07:34:22 UTC 2022 on sn-devel-184
Jeremy Allison [Wed, 17 Aug 2022 18:43:47 +0000 (11:43 -0700)]
s3: smbd: Plumb close_type parameter through close_file_in_loop(), file_close_conn()
Allows close_file_in_loop() to differentiate between SHUTDOWN_CLOSE
(previously it only used this close type) and ERROR_CLOSE - called
on error from smbXsrv_tcon_disconnect() in the error path. In that
case we want to close the fd, but not run any delete-on-close actions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15128
Signed-off-by: Jeremy Allison <jra@samba.org>
Reivewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Thu Aug 18 14:10:18 UTC 2022 on sn-devel-184
(cherry picked from commit
cf5f7b1489930f6d64c3e3512f116ccf286d4605)
[npower@samba.org Adjusted for 4.15 only file_close_conn needs to
differentiate between SHUTDOWN_CLOSE & ERROR_CLOSE]
Jeremy Allison [Wed, 17 Aug 2022 18:39:36 +0000 (11:39 -0700)]
s3: smbd: Add "enum file_close_type close_type" parameter to file_close_conn().
Not yet used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15128
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit
7005a6354df5522d9f665fb30052c458dfc93124)
[npower@samba.org Adjusted for 4.15 filename change
smb2-service.c -> service.c]
Jeremy Allison [Wed, 17 Aug 2022 18:35:29 +0000 (11:35 -0700)]
s3: smbd: Add "enum file_close_type close_type" parameter to close_cnum().
Not yet used, but needed so we can differentiate between
SHUTDOWN_CLOSE and ERROR_CLOSE in smbXsrv_tcon_disconnect()
if we fail to chdir. In that case we want to close the fd,
but not run any delete-on-close actions.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15128
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit
9203d17106c0e55a30813ff1ed76869c7581a343)
[npower@samba.org Adjusted for 4.15 filename change
smb2-service.c -> service.c]
Jeremy Allison [Fri, 22 Jul 2022 15:28:03 +0000 (16:28 +0100)]
s3/smbd: Use after free when iterating smbd_server_connection->connections
Change conn_free() to just use a destructor. We now
catch any other places where we may have forgetten to
call conn_free() - it's implicit on talloc_free(conn).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15128
Based on code from Noel Power <noel.power@suse.com>.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Wed Aug 17 09:54:06 UTC 2022 on sn-devel-184
(cherry picked from commit
f92bacbe216d2d74ea3ccf3fe0df5c1cc9860996)
Jeremy Allison [Tue, 16 Aug 2022 20:51:27 +0000 (13:51 -0700)]
s3/smbd: Use after free when iterating smbd_server_connection->connections
In SMB2 smbd_smb2_tree_connect() we create a new conn struct
inside make_connection_smb2() then move the ownership to tcon using:
tcon->compat = talloc_move(tcon, &compat_conn);
so the lifetime of tcon->compat is tied directly to tcon.
Inside smbXsrv_tcon_disconnect() we have:
908 ok = chdir_current_service(tcon->compat);
909 if (!ok) {
910 status = NT_STATUS_INTERNAL_ERROR;
911 DEBUG(0, ("smbXsrv_tcon_disconnect(0x%08x, '%s'): "
912 "chdir_current_service() failed: %s\n",
913 tcon->global->tcon_global_id,
914 tcon->global->share_name,
915 nt_errstr(status)));
916 tcon->compat = NULL;
917 return status;
918 }
919
920 close_cnum(tcon->compat, vuid);
921 tcon->compat = NULL;
If chdir_current_service(tcon->compat) fails, we return status without ever having
called close_cnum(tcon->compat, vuid), leaving the conn pointer left in the linked
list sconn->connections.
The caller frees tcon and (by ownership) tcon->compat, still leaving the
freed tcon->compat pointer on the sconn->connections linked list.
When deadtime_fn() fires and walks the sconn->connections list it
indirects this freed pointer. We must call close_cnum() on error also.
Valgrind trace from Noel Power <noel.power@suse.com> is:
==6432== Invalid read of size 8
==6432== at 0x52CED3A: conn_lastused_update (conn_idle.c:38)
==6432== by 0x52CEDB1: conn_idle_all (conn_idle.c:54)
==6432== by 0x5329971: deadtime_fn (smb2_process.c:1566)
==6432== by 0x5DA2339: smbd_idle_event_handler (util_event.c:45)
==6432== by 0x685F2F8: tevent_common_invoke_timer_handler (tevent_timed.c:376)
==6432== Address 0x19074b88 is 232 bytes inside a block of size 328 free'd
==6432== at 0x4C3451B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6432== by 0x5B38521: _tc_free_internal (talloc.c:1222)
==6432== by 0x5B39463: _tc_free_children_internal (talloc.c:1669)
==6432== by 0x5B38404: _tc_free_internal (talloc.c:1184)
==6432== by 0x5B39463: _tc_free_children_internal (talloc.c:1669)
==6432== by 0x5B38404: _tc_free_internal (talloc.c:1184)
==6432== by 0x5B39463: _tc_free_children_internal (talloc.c:1669)
==6432== by 0x5B38404: _tc_free_internal (talloc.c:1184)
==6432== by 0x5B39463: _tc_free_children_internal (talloc.c:1669)
==6432== by 0x5B38404: _tc_free_internal (talloc.c:1184)
==6432== by 0x5B385C5: _talloc_free_internal (talloc.c:1248)
==6432== by 0x5B3988D: _talloc_free (talloc.c:1792)
==6432== by 0x5349B22: smbd_smb2_flush_send_queue (smb2_server.c:4828)
==6432== Block was alloc'd at
==6432== at 0x4C332EF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==6432== by 0x5B378D9: __talloc_with_prefix (talloc.c:783)
==6432== by 0x5B37A73: __talloc (talloc.c:825)
==6432== by 0x5B37E0C: _talloc_named_const (talloc.c:982)
==6432== by 0x5B3A8ED: _talloc_zero (talloc.c:2421)
==6432== by 0x539873A: conn_new (conn.c:70)
==6432== by 0x532D692: make_connection_smb2 (smb2_service.c:909)
==6432== by 0x5352B5E: smbd_smb2_tree_connect (smb2_tcon.c:344)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15128
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(cherry picked from commit
0bdfb5a5e60df214c088df0782c4a1bcc2a4944a)
Stefan Metzmacher [Mon, 15 Aug 2022 20:45:17 +0000 (22:45 +0200)]
s3:smbd: only clear LEASE_READ if there's no read lease is left
If contend_level2_oplocks_begin_default() skips break it's
own lease, we should not clear SHARE_MODE_LEASE_READ
in share_mode_data->flags.
Otherwise that lease won't see any lease break notifications
for writes from other clients (file handles not using the same lease
key).
So we need to count the number existing read leases (including
the one with the same lease key) in order to know it's
safe to clear SMB2_LEASE_READ/SHARE_MODE_LEASE_READ.
Otherwise the next run (likely from another client)
will get the wrong result from file_has_read_lease().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15148
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Aug 18 19:41:33 UTC 2022 on sn-devel-184
(cherry picked from commit
96e2a82760ea06a89b7387b5cd3e864732afded3)
Stefan Metzmacher [Wed, 17 Aug 2022 15:07:08 +0000 (17:07 +0200)]
s4:torture/smb2: add smb2.lease.v[1,2]_bug_15148
This demonstrates the bug that happens with a
write to a file handle holding an R lease,
while there are other openers without any lease.
When one of the other openers writes to the file,
the R lease of the only lease holder isn't broken to NONE.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15148
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
9e5ff607eb1b9c45c8836d3cff9d51b418740b87)
Stefan Metzmacher [Mon, 15 Aug 2022 08:49:13 +0000 (10:49 +0200)]
s3:smbd: share_mode_flags_set() takes SMB2_LEASE_* values
We currently only ever pass SMB2_LEASE_READ and both
have the same value of 0x1, so for now it's only cosmetic,
but that will change soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15148
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit
7592aad4d7a84d0ac66a156a22af3ad77803e55c)
Joseph Sutton [Mon, 22 Aug 2022 04:56:46 +0000 (16:56 +1200)]
libcli/smb: Set error status if 'iov' pointer is NULL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15152
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Mon Aug 22 09:03:29 UTC 2022 on sn-devel-184
(cherry picked from commit
75e03ea021afa66842b6e0dea21072b1b8026d58)
Joseph Sutton [Mon, 22 Aug 2022 03:50:02 +0000 (15:50 +1200)]
libcli/smb: Ensure we call tevent_req_nterror() on failure
Commit
3594c3ae202688fd8aae5f7f5e20464cb23feea9 added a NULL check for
'inhdr', but it meant we didn't always call tevent_req_nterror() when we
should.
Now we handle connection errors. We now also set an error status if the
NULL check fails.
I noticed this when an ECONNRESET error from a server refusing SMB1
wasn't handled, and the client subsequently hung in epoll_wait().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15152
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit
40d4912d841e6bcd7cd37810ef101d5f89268ee7)
Michael Tokarev [Tue, 24 May 2022 13:25:41 +0000 (16:25 +0300)]
s3/util/py_net.c: fix samba-tool domain join&leave segfault
We process python args using PyArg_ParseTupleAndKeywords(), and use "p"
type modifier there. According to documentation, this type modifier,
while works for a boolean type, expects an argument of type int. But in
py_net_join_member() and py_net_leave() we use argument of type uint8_t
(keep_account, r->in.debug). So when PyArg_ParseTupleAndKeywords()
tries to assign a value to &r->in.debug, it updates subsequent, unrelated bytes
too, - which ones depends on the stack and structure layout used by the compiler.
Fix this by using an int proxy variable "debug" (of the same type) for
r->in.debug.
While at it, also ensure all variables have sensible default values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15078
Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Wed May 25 06:19:32 UTC 2022 on sn-devel-184
Backported-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(backported from commit
976326fa2b6423ac5866af682605cf7584e4991a, with
changes because 4.15 doesn't have no_dns_update, along with other
changes that foil the patch. Also the BUG: line was added above).
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Mon Aug 15 09:18:25 UTC 2022 on sn-devel-184
Andreas Schneider [Thu, 19 Aug 2021 10:09:28 +0000 (12:09 +0200)]
s3:rpcclient: Goto done in cmd_samr_setuserinfo_int()
We need to free the frame or we will run into:
smb_panic (why=0x7fa8c511aa88 "Frame not freed in order.")
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15124
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit
2b32d932223e61935fc530eff1c05034ff817e21)
Autobuild-User(v4-15-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-15-test): Sun Jul 31 19:07:36 UTC 2022 on sn-devel-184
Ralph Boehme [Wed, 25 May 2022 15:37:22 +0000 (17:37 +0200)]
mdssvc: return all-zero policy handle if spotlight is disabled
A Mac SMB server returns an all zero handle and an empty path if Spotlight is
disabled on a share. We must return the exact same error return in order to
trigger client-side searching.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15086
pcap: https://www.samba.org/~slow/pcaps/mac-bigsur-smbserver-spotlight-disabled.pcapng.gz
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Tue Jul 12 15:42:52 UTC 2022 on sn-devel-184
(cherry picked from commit
23e6e50c0f82b997dea4a67069f65252045514c0)
Ralph Boehme [Tue, 7 Jun 2022 07:52:53 +0000 (09:52 +0200)]
CI: fix check for correct mdsvc resonse when connecting to a share with Spotlight disabled
A Mac SMB server returns an all zero handle and an empty path if Spotlight is
disabled on a share. We must return the exact same error return in order to
trigger client-side searching.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15086
pcap: https://www.samba.org/~slow/pcaps/mac-bigsur-smbserver-spotlight-disabled.pcapng.gz
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(backported from commit
8e997bd6e9250499fd8e569d708edc29e304a0e8)
[slow@samba.org: unrelated test changes in tests.py]
Ralph Boehme [Wed, 25 May 2022 15:26:29 +0000 (17:26 +0200)]
mdssvc: convert mds_init_ctx() to return NTSTATUS
No change in behavour. In preperation for returning a special error to signal
the caller that spotlight is disabled for a share.
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15086
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
(backported from commit
72468166b250de26747071cbbf3613c016ebfd42)
[slow@samba.org: use p->session_info as mds_init_ctx() arg]
Jule Anger [Wed, 27 Jul 2022 10:45:47 +0000 (12:45 +0200)]
VERSION: Bump version up to Samba 4.15.10...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Jule Anger [Wed, 27 Jul 2022 10:43:19 +0000 (12:43 +0200)]
Merge tag 'samba-4.15.9' into v4-15-test
samba: tag release samba-4.15.9
Signed-off-by: Jule Anger <janger@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Jule Anger [Sun, 24 Jul 2022 09:47:09 +0000 (11:47 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.15.9 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Sun, 24 Jul 2022 09:18:25 +0000 (11:18 +0200)]
WHATSNEW: Add release notes for Samba 4.15.9.
Signed-off-by: Jule Anger <janger@samba.org>
Jeremy Allison [Wed, 8 Jun 2022 20:50:51 +0000 (13:50 -0700)]
CVE-2022-32742: s3: smbd: Harden the smbreq_bufrem() macro.
Fixes the raw.write.bad-write test.
NB. We need the two (==0) changes in source3/smbd/reply.c
as the gcc optimizer now knows that the return from
smbreq_bufrem() can never be less than zero.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
Remove knownfail.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Jeremy Allison [Tue, 7 Jun 2022 16:40:45 +0000 (09:40 -0700)]
CVE-2022-32742: s4: torture: Add raw.write.bad-write test.
Reproduces the test code in:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15085
Add knownfail.
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: David Disseldorp <ddiss@samba.org>
Joseph Sutton [Thu, 23 Jun 2022 01:59:11 +0000 (13:59 +1200)]
CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust
We ensure that the KDC does not reject a TGS-REQ with our short-lived
TGT over an incoming trust.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Joseph Sutton [Fri, 10 Jun 2022 07:18:53 +0000 (19:18 +1200)]
CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
If TGTs can be used as kpasswd tickets, the two-minute lifetime of a
authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets
are not supposed to be cached, but using this flaw, a stolen credentials
cache containing a TGT may be used to change that account's password,
and thus is made more valuable to an attacker.
Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and
service tickets without it, we assert the absence of this buffer to
ensure we're not accepting a TGT.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Fixed knownfail conflicts]
[jsutton@samba.org Fixed knownfail conflicts]
Joseph Sutton [Fri, 10 Jun 2022 07:18:35 +0000 (19:18 +1200)]
CVE-2022-2031 s4:auth: Use PAC to determine whether ticket is a TGT
We use the presence or absence of a REQUESTER_SID PAC buffer to
determine whether the ticket is a TGT. We will later use this to reject
TGTs where a service ticket is expected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Fri, 10 Jun 2022 07:18:07 +0000 (19:18 +1200)]
CVE-2022-2031 auth: Add ticket type field to auth_user_info_dc and auth_session_info
This field may be used to convey whether we were provided with a TGT or
a non-TGT. We ensure both structures are zeroed out to avoid incorrect
results being produced by an uninitialised field.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Fri, 10 Jun 2022 07:17:11 +0000 (19:17 +1200)]
CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
The kpasswd service should require a kpasswd service ticket, and
disallow TGTs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Fixed knownfail conflicts]
[jsutton@samba.org Fixed knownfail conflicts]
Joseph Sutton [Mon, 30 May 2022 07:16:02 +0000 (19:16 +1200)]
CVE-2022-32744 s4:kpasswd: Ensure we pass the kpasswd server principal into krb5_rd_req_ctx()
To ensure that, when decrypting the kpasswd ticket, we look up the
correct principal and don't trust the sname from the ticket, we should
pass the principal name of the kpasswd service into krb5_rd_req_ctx().
However, gensec_krb5_update_internal() will pass in NULL unless the
principal in our credentials is CRED_SPECIFIED.
At present, our principal will be considered obtained as CRED_SMB_CONF
(from the cli_credentials_set_conf() a few lines up), so we explicitly
set the realm again, but this time as CRED_SPECIFIED. Now the value of
server_in_keytab that we provide to smb_krb5_rd_req_decoded() will not
be NULL.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Removed knownfail as KDC no longer panics]
Joseph Sutton [Thu, 26 May 2022 04:39:20 +0000 (16:39 +1200)]
CVE-2022-32744 s4:kdc: Modify HDB plugin to only look up kpasswd principal
This plugin is now only used by the kpasswd service. Thus, ensuring we
only look up the kadmin/changepw principal means we can't be fooled into
accepting tickets for other service principals. We make sure not to
specify a specific kvno, to ensure that we do not accept RODC-issued
tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Fixed knownfail conflicts]
[jsutton@samba.org Renamed entry to entry_ex; fixed knownfail conflicts;
retained knownfail for test_kpasswd_from_rodc which now causes the KDC
to panic]
Joseph Sutton [Wed, 8 Jun 2022 01:53:29 +0000 (13:53 +1200)]
s4:kdc: Remove kadmin mode from HDB plugin
It appears we no longer require it.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Thu, 26 May 2022 04:36:30 +0000 (16:36 +1200)]
CVE-2022-32744 s4:kdc: Rename keytab_name -> kpasswd_keytab_name
This makes explicitly clear the purpose of this keytab.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Fixed conflicts due to lacking HDBGET support]
Joseph Sutton [Wed, 25 May 2022 08:00:55 +0000 (20:00 +1200)]
CVE-2022-2031 s4:kdc: Don't use strncmp to compare principal components
We would only compare the first 'n' characters, where 'n' is the length
of the principal component string, so 'k@REALM' would erroneously be
considered equal to 'krbtgt@REALM'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 14 Jun 2022 03:23:55 +0000 (15:23 +1200)]
CVE-2022-2031 tests/krb5: Test truncated forms of server principals
We should not be able to use krb@REALM instead of krbtgt@REALM.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Fixed conflicts due to having older version of
_run_as_req_enc_timestamp()]