Replmetadata sort minimal #1

abartlet · 2015-08-18T03:27:23Z

These patches allow us to fix unsorted replPropertyMetaData values in dbcheck

This will fail once our python bindings correctly check value ranges Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11429

In particular, it is critical that we use unsigned integers of sufficient size in python for unsigned C integers, and it is critical that we check for overflow at both the python and C level. Otherwise, we may both represent and sort these incorrectly, in particular when sorting attributeID values from DRSUAPI which are represented as an signed enum in C and a uint32_t in IDL, but which often has the high bit set (in schema extensions). Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11429

The high bit may be set in these integers, so we need an unsigned int to store it in Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11429

Unknown attributeID values would cause an exception previously, and unsorted attributes cause a failure to replicate with Samba 4.2. In commit 61b9788 we started to sort these values correctly, but previous versions of Samba did not sort them correctly (we sorted high-bit-set values as negative), and then after 9c9df40 we stoped accepting these. To ensure we are allowed to make this unusual change to the replPropertyMetaData, a new OID is allocated and checked for in repl_meta_data.c Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973

Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

… searching in the db Profiling on dbcheck have shown that we spend 10% of the time looking for wellknown objects. Change-Id: I13ed58e8062d1b7b6179d17b0e7e56f943572c6c Signed-off-by: Matthieu Patou <mat@matws.net>

We do not write network services in Python, so this is not a security issue, but would cause a crash or other odd behaviour if the length was changed Signed-off-by: Andrew Bartlett <abartlet@samba.org> https://bugzilla.samba.org/show_bug.cgi?id=11430

This also documents an issue with our python bindings and lists, as changes to integers in a list of integers are not preserved Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11429

This allows us to know that the previous patches are correct. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973 Signed-off-by: Andrew Bartlett <abartlet@samba.org>

This may assist if this needs to be changed again Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973

… sort order This ensures that the dbcheck rule fixes the sort order (and only fixes the sort order). Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

This was reported by Pavel Březina <pbrezina@redhat.com>: We found a crash in SSSD when a tevent signal is freed in its handler, tevent than crashes when it access siginfo. sig_info is freed in signal destructor: > #ifdef SA_SIGINFO > if (se->sa_flags & SA_SIGINFO) { > if (sig_state->sig_info[se->signum]) { > talloc_free(sig_state->sig_info[se->signum]); > sig_state->sig_info[se->signum] = NULL; > } > } > #endif (gdb) bt #0 0x00007f5d4d86cc74 in tevent_signal_destructor (se=0x7f5d5370f920) at ../tevent_signal.c:213 samba-team#1 0x00007f5d4d65f233 in _talloc_free_internal () from /lib64/libtalloc.so.2 samba-team#2 0x00007f5d4d6593a3 in _talloc_free () from /lib64/libtalloc.so.2 samba-team#3 0x00007f5d4342f3d4 in proxy_child_init_done (subreq=0x7f5d5370f600) at src/providers/proxy/proxy_auth.c:436 samba-team#4 0x00007f5d4d86b0c2 in _tevent_req_error (req=req@entry=0x7f5d5370f600, error=error@entry=5, location=location@entry=0x7f5d43433010 "src/providers/proxy/proxy_auth.c:356") at ../tevent_req.c:167 samba-team#5 0x00007f5d4342ef5e in pc_init_sig_handler (ev=<optimized out>, sige=<optimized out>, signum=<optimized out>, count=<optimized out>, __siginfo=<optimized out>, pvt=<optimized out>) at src/providers/proxy/proxy_auth.c:356 samba-team#6 0x00007f5d4d86d48c in tevent_common_check_signal (ev=0x7f5d536de670) at ../tevent_signal.c:428 samba-team#7 0x00007f5d4d86f28c in epoll_event_loop (tvalp=0x7fff7b568490, epoll_ev=0x7f5d536de8b0) at ../tevent_epoll.c:647 samba-team#8 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:926 samba-team#9 0x00007f5d4d86d7d7 in std_event_loop_once (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent_standard.c:114 samba-team#10 0x00007f5d4d869fbd in _tevent_loop_once (ev=ev@entry=0x7f5d536de670, location=location@entry=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent.c:530 samba-team#11 0x00007f5d4d86a15b in tevent_common_loop_wait (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent.c:634 samba-team#12 0x00007f5d4d86d777 in std_event_loop_wait (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent_standard.c:140 samba-team#13 0x00007f5d50f96863 in server_loop (main_ctx=0x7f5d536dfac0) at src/util/server.c:668 samba-team#14 0x00007f5d5180aa42 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:2909 But then it is accessed again in tevent_common_check_signal: > #ifdef SA_SIGINFO > if (clear_processed_siginfo) { > uint32_t j; > for (j=0;j<count;j++) { > uint32_t ofs = (counter.seen + j) > % TEVENT_SA_INFO_QUEUE_COUNT; > memset((void*)&sig_state->sig_info[i][ofs], > '\0', > sizeof(siginfo_t)); > } > } > #endif (gdb) bt #0 0x00007fd7ba400505 in memset (__len=<optimized out>, __ch=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string3.h:84 samba-team#1 tevent_common_check_signal (ev=0x7fd7bfddf670) at ../tevent_signal.c:459 samba-team#2 0x00007fd7ba40228c in epoll_event_loop (tvalp=0x7fff85536430, epoll_ev=0x7fd7bfddf8b0) at ../tevent_epoll.c:647 samba-team#3 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:926 samba-team#4 0x00007fd7ba4007d7 in std_event_loop_once (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent_standard.c:114 samba-team#5 0x00007fd7ba3fcfbd in _tevent_loop_once (ev=ev@entry=0x7fd7bfddf670, location=location@entry=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent.c:530 samba-team#6 0x00007fd7ba3fd15b in tevent_common_loop_wait (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent.c:634 samba-team#7 0x00007fd7ba400777 in std_event_loop_wait (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent_standard.c:140 samba-team#8 0x00007fd7bdb29343 in server_loop (main_ctx=0x7fd7bfde0ac0) at src/util/server.c:668 samba-team#9 0x00007fd7be39ca42 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:2909 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11308 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Jun 2 21:02:11 CEST 2015 on sn-devel-104

The following warning/error is reported: [1891/4034] Compiling source4/dsdb/samdb/ldb_modules/dsdb_notification.c cc1: warnings being treated as errors ../source4/dsdb/samdb/ldb_modules/dsdb_notification.c: In function 'dsdb_notification_filter_search': ../source4/dsdb/samdb/ldb_modules/dsdb_notification.c:192: error: value computed is not used Waf: Leaving directory `/memdisk/autobuild/fl/b300949/samba/bin' Build failed: -> task failed (err #1): {task: cc dsdb_notification.c -> dsdb_notification_84.o} Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>

Valgrind reports the following: ==26599== Syscall param ioctl(SIOCETHTOOL) points to uninitialised byte(s) ==26599== at 0x7014707: ioctl (in /usr/lib64/libc-2.22.so) ==26599== by 0x79D1585: query_iface_speed_from_name (interfaces.c:152) ==26599== by 0x79D1BBA: _get_interfaces (interfaces.c:277) ==26599== by 0x79D1E80: get_interfaces (interfaces.c:368) ==26599== by 0x508A7E3: load_interfaces (interface.c:612) ==26599== by 0x150B30: main (net.c:963) ==26599== Address 0xffefff0d8 is on thread 1's stack ==26599== in frame #1, created by query_iface_speed_from_name (interfaces.c:130) ==26599== ==26599== Syscall param ioctl(SIOCETHTOOL) points to uninitialised byte(s) ==26599== at 0x7014707: ioctl (in /usr/lib64/libc-2.22.so) ==26599== by 0x79D15CC: query_iface_speed_from_name (interfaces.c:164) ==26599== by 0x79D1BBA: _get_interfaces (interfaces.c:277) ==26599== by 0x79D1E80: get_interfaces (interfaces.c:368) ==26599== by 0x508A7E3: load_interfaces (interface.c:612) ==26599== by 0x150B30: main (net.c:963) ==26599== Address 0xffefff0d8 is on thread 1's stack ==26599== in frame #1, created by query_iface_speed_from_name (interfaces.c:130) Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>

Valgrind reports the following: ==26599== Syscall param ioctl(SIOCETHTOOL) points to uninitialised byte(s) ==26599== at 0x7014707: ioctl (in /usr/lib64/libc-2.22.so) ==26599== by 0x79D1585: query_iface_speed_from_name (interfaces.c:152) ==26599== by 0x79D1BBA: _get_interfaces (interfaces.c:277) ==26599== by 0x79D1E80: get_interfaces (interfaces.c:368) ==26599== by 0x508A7E3: load_interfaces (interface.c:612) ==26599== by 0x150B30: main (net.c:963) ==26599== Address 0xffefff0d8 is on thread 1's stack ==26599== in frame #1, created by query_iface_speed_from_name (interfaces.c:130) ==26599== ==26599== Syscall param ioctl(SIOCETHTOOL) points to uninitialised byte(s) ==26599== at 0x7014707: ioctl (in /usr/lib64/libc-2.22.so) ==26599== by 0x79D15CC: query_iface_speed_from_name (interfaces.c:164) ==26599== by 0x79D1BBA: _get_interfaces (interfaces.c:277) ==26599== by 0x79D1E80: get_interfaces (interfaces.c:368) ==26599== by 0x508A7E3: load_interfaces (interface.c:612) ==26599== by 0x150B30: main (net.c:963) ==26599== Address 0xffefff0d8 is on thread 1's stack ==26599== in frame #1, created by query_iface_speed_from_name (interfaces.c:130) Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 2e2f811) BUG: https://bugzilla.samba.org/show_bug.cgi?id=11802 lib/socket/interfaces: fix valgrind warning Autobuild-User(v4-4-test): Karolin Seeger <kseeger@samba.org> Autobuild-Date(v4-4-test): Mon Mar 21 20:01:47 CET 2016 on sn-devel-144

This was reported by Pavel Březina <pbrezina@redhat.com>: We found a crash in SSSD when a tevent signal is freed in its handler, tevent than crashes when it access siginfo. sig_info is freed in signal destructor: > #ifdef SA_SIGINFO > if (se->sa_flags & SA_SIGINFO) { > if (sig_state->sig_info[se->signum]) { > talloc_free(sig_state->sig_info[se->signum]); > sig_state->sig_info[se->signum] = NULL; > } > } > #endif (gdb) bt #0 0x00007f5d4d86cc74 in tevent_signal_destructor (se=0x7f5d5370f920) at ../tevent_signal.c:213 samba-team#1 0x00007f5d4d65f233 in _talloc_free_internal () from /lib64/libtalloc.so.2 samba-team#2 0x00007f5d4d6593a3 in _talloc_free () from /lib64/libtalloc.so.2 samba-team#3 0x00007f5d4342f3d4 in proxy_child_init_done (subreq=0x7f5d5370f600) at src/providers/proxy/proxy_auth.c:436 samba-team#4 0x00007f5d4d86b0c2 in _tevent_req_error (req=req@entry=0x7f5d5370f600, error=error@entry=5, location=location@entry=0x7f5d43433010 "src/providers/proxy/proxy_auth.c:356") at ../tevent_req.c:167 samba-team#5 0x00007f5d4342ef5e in pc_init_sig_handler (ev=<optimized out>, sige=<optimized out>, signum=<optimized out>, count=<optimized out>, __siginfo=<optimized out>, pvt=<optimized out>) at src/providers/proxy/proxy_auth.c:356 samba-team#6 0x00007f5d4d86d48c in tevent_common_check_signal (ev=0x7f5d536de670) at ../tevent_signal.c:428 samba-team#7 0x00007f5d4d86f28c in epoll_event_loop (tvalp=0x7fff7b568490, epoll_ev=0x7f5d536de8b0) at ../tevent_epoll.c:647 samba-team#8 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:926 samba-team#9 0x00007f5d4d86d7d7 in std_event_loop_once (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent_standard.c:114 samba-team#10 0x00007f5d4d869fbd in _tevent_loop_once (ev=ev@entry=0x7f5d536de670, location=location@entry=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent.c:530 samba-team#11 0x00007f5d4d86a15b in tevent_common_loop_wait (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent.c:634 samba-team#12 0x00007f5d4d86d777 in std_event_loop_wait (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent_standard.c:140 samba-team#13 0x00007f5d50f96863 in server_loop (main_ctx=0x7f5d536dfac0) at src/util/server.c:668 samba-team#14 0x00007f5d5180aa42 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:2909 But then it is accessed again in tevent_common_check_signal: > #ifdef SA_SIGINFO > if (clear_processed_siginfo) { > uint32_t j; > for (j=0;j<count;j++) { > uint32_t ofs = (counter.seen + j) > % TEVENT_SA_INFO_QUEUE_COUNT; > memset((void*)&sig_state->sig_info[i][ofs], > '\0', > sizeof(siginfo_t)); > } > } > #endif (gdb) bt #0 0x00007fd7ba400505 in memset (__len=<optimized out>, __ch=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string3.h:84 samba-team#1 tevent_common_check_signal (ev=0x7fd7bfddf670) at ../tevent_signal.c:459 samba-team#2 0x00007fd7ba40228c in epoll_event_loop (tvalp=0x7fff85536430, epoll_ev=0x7fd7bfddf8b0) at ../tevent_epoll.c:647 samba-team#3 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:926 samba-team#4 0x00007fd7ba4007d7 in std_event_loop_once (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent_standard.c:114 samba-team#5 0x00007fd7ba3fcfbd in _tevent_loop_once (ev=ev@entry=0x7fd7bfddf670, location=location@entry=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent.c:530 samba-team#6 0x00007fd7ba3fd15b in tevent_common_loop_wait (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent.c:634 samba-team#7 0x00007fd7ba400777 in std_event_loop_wait (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent_standard.c:140 samba-team#8 0x00007fd7bdb29343 in server_loop (main_ctx=0x7fd7bfde0ac0) at src/util/server.c:668 samba-team#9 0x00007fd7be39ca42 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:2909 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11308 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Jun 2 21:02:11 CEST 2015 on sn-devel-104 (cherry picked from commit 9d797ff)

GCC on a Ubuntu 16.04 instance said: [3174/4240] Compiling source3/modules/vfs_cap.c In file included from ../source3/include/includes.h:301:0, from ../source3/modules/vfs_fruit.c:20: ../source3/modules/vfs_fruit.c: In function ‘fruit_disk_free’: ../source3/../lib/util/debug.h:217:7: error: ‘bandsize’ may be used uninitialized in this function [-Werror=maybe-uninitialized] && (dbgtext body) ) ^ ../source3/modules/vfs_fruit.c:6302:9: note: ‘bandsize’ was declared here size_t bandsize; ^ [3175/4240] Compiling source3/modules/vfs_expand_msdfs.c [3176/4240] Compiling source3/modules/vfs_shadow_copy.c [3177/4240] Compiling source3/modules/vfs_shadow_copy2.c cc1: all warnings being treated as errors Waf: Leaving directory /home/ubuntu/autobuild/b17854/samba-o3/bin' Build failed: -> task failed (err #1): {task: cc vfs_fruit.c -> vfs_fruit_25.o} make: *** [all] Error 1 As far as I can tell, it is wrong, and the bandsize variable never gets passed uninititalised to DEBUG. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Ralph Boehme <slow@samba.org>

The change for https://bugzilla.samba.org/show_bug.cgi?id=7587 ("talloc_autofree_context() in shared libraries and plugins is a bad idea on FreeBSD") (ommit 41b6810) causes the following for sssd on Linux: Stack trace of thread 19667: #0 0x00007f2cab91ff6b __GI_raise (libc.so.6) #1 0x00007f2cab90a5c1 __GI_abort (libc.so.6) #2 0x00007f2cab90a491 __assert_fail_base (libc.so.6) #3 0x00007f2cab9186e2 __GI___assert_fail (libc.so.6) #4 0x00007f2cb10aaca5 k5_mutex_lock (libkrb5.so.3) #5 0x00007f2cb10ab790 k5_mutex_lock (libkrb5.so.3) #6 0x00007f2cb10ab8f5 profile_free_file (libkrb5.so.3) #7 0x00007f2cb10ab983 profile_close_file (libkrb5.so.3) #8 0x00007f2cb10af249 profile_release (libkrb5.so.3) #9 0x00007f2cb10a06c7 k5_os_free_context (libkrb5.so.3) #10 0x00007f2cb1075a9a krb5_free_context (libkrb5.so.3) #11 0x000055cea7cb2dd1 kcm_data_destructor (sssd_kcm) #12 0x00007f2cac153e96 _tc_free_internal (libtalloc.so.2) #13 0x00007f2cac1537b0 _tc_free_internal (libtalloc.so.2) #14 0x00007f2cac1537b0 _tc_free_internal (libtalloc.so.2) #15 0x00007f2cac1537b0 _tc_free_internal (libtalloc.so.2) #16 0x00007f2cac1537b0 _tc_free_internal (libtalloc.so.2) #17 0x00007f2cac14e648 _talloc_free (libtalloc.so.2) #18 0x00007f2cac14c480 talloc_lib_fini (libtalloc.so.2) #19 0x00007f2cb151da96 _dl_fini (ld-linux-x86-64.so.2) #20 0x00007f2cab9226bc __run_exit_handlers (libc.so.6) #21 0x00007f2cab9227ec __GI_exit (libc.so.6) #22 0x00007f2cb030dc61 orderly_shutdown (libsss_util.so) #23 0x00007f2cac365a46 tevent_common_check_signal (libtevent.so.0) #24 0x00007f2cac367975 epoll_event_loop_once (libtevent.so.0) #25 0x00007f2cac365dab std_event_loop_once (libtevent.so.0) #26 0x00007f2cac362098 _tevent_loop_once (libtevent.so.0) #27 0x00007f2cac3622eb tevent_common_loop_wait (libtevent.so.0) #28 0x00007f2cac365d3b std_event_loop_wait (libtevent.so.0) #29 0x00007f2cb030eb37 server_loop (libsss_util.so) #30 0x000055cea7cb29f4 main (sssd_kcm) #31 0x00007f2cab90c1eb __libc_start_main (libc.so.6) #32 0x000055cea7cb2c7a _start (sssd_kcm) We still only register one atexit handler instead of multiple ones like in talloc 2.1.11, but avoids using a library destructor. Bug #7587 seems to be fixed by not using talloc_autofree_context() within samba. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13366 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>

…debian/dvm6 * commit '599330c189084237da68ae1d3df8b8a8a85514cd': REL-5004: Updating for +svt3 build REL-5004: Updating for +svt2 build REL-5004: Setting up 4.4.0rc4+svt1 REL-5004: Setting up patch queue for dvm6 REL-5004: Importing DVM6 patch queue REL-5004: Importing 4.4.0rc4 Imported Upstream version 4.4.0rc4 Cleaning out debian branch before import of 4.4.0rc4 upstream Imported Upstream version 4.3.6+dfsg

We create machine accounts for 2 different purposes: 1). For traffic generation, i.e. testing realistic network packets. 2). For generating a realistic large DB. Unfortunately, we want to use different userAccountControl flags for the 2 different cases. Commit 3338a3e changed the flags used for case #2, but this breaks case #1. The problem is generate_users_and_groups() is called in both cases, so we want the 'traffic account' flag passed into that function. This ensures that the machine accounts get created with the appropriate userAccountControl flags for the particular case you want to test. Signed-off-by: Tim Beale <timbeale@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>

This exhibited itself as a problem with OFD locks reported as: BUG: https://bugzilla.samba.org/show_bug.cgi?id=13770 However, due to underlying bugs in the vfs_fruit code the file locks were not being properly applied. There are two problems in fruit_check_access(). Problem #1: Inside fruit_check_access() we have: flags = fcntl(fsp->fh->fd, F_GETFL); .. if (flags & (O_RDONLY|O_RDWR)) { We shouldn't be calling fcntl(fsp->fh->fd, ..) directly. fsp->fh->fd may be a made up number from an underlying VFS module that has no meaning to a system call. Secondly, in all POSIX systems - O_RDONLY is defined as *zero*. O_RDWR = 2. Which means flags & (O_RDONLY|O_RDWR) becomes (flags & 2), not what we actually thought. Problem #2: deny_mode is *not* a bitmask, it's a set of discrete values. Inside fruit_check_access() we have: if (deny_mode & DENY_READ) and also (deny_mode & DENY_WRITE) However, deny modes are defined as: /* deny modes */ define DENY_DOS 0 define DENY_ALL 1 define DENY_WRITE 2 define DENY_READ 3 define DENY_NONE 4 define DENY_FCB 7 so if deny_mode = DENY_WRITE, or if deny_mode = DENY_READ then it's going to trigger both the if (deny_mode & DENY_READ) *and* the (deny_mode & DENY_WRITE) conditions. These problems allowed the original test test_netatalk_lock code to pass (which was added for BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584 to demonstrate the lock order violation). This patch refactors the fruit_check_access() code to be much simpler (IMHO) to understand. Firstly, pass in the SMB1/2 share mode, not old DOS deny modes. Secondly, read all the possible NetAtalk locks into local variables: netatalk_already_open_for_reading netatalk_already_open_with_deny_read netatalk_already_open_for_writing netatalk_already_open_with_deny_write Then do the share mode/access mode checks with the requested values against any stored netatalk modes/access modes. Finally add in NetATalk compatible locks that represent our share modes/access modes into the file, with an early return if we don't have FILE_READ_DATA (in which case we can't write locks anyway). The patch is easier to understand by looking at the completed patched fruit_check_access() function, rather than trying to look at the diff. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org>

This exhibited itself as a problem with OFD locks reported as: BUG: https://bugzilla.samba.org/show_bug.cgi?id=13770 However, due to underlying bugs in the vfs_fruit code the file locks were not being properly applied. There are two problems in fruit_check_access(). Problem #1: Inside fruit_check_access() we have: flags = fcntl(fsp->fh->fd, F_GETFL); .. if (flags & (O_RDONLY|O_RDWR)) { We shouldn't be calling fcntl(fsp->fh->fd, ..) directly. fsp->fh->fd may be a made up number from an underlying VFS module that has no meaning to a system call. Secondly, in all POSIX systems - O_RDONLY is defined as *zero*. O_RDWR = 2. Which means flags & (O_RDONLY|O_RDWR) becomes (flags & 2), not what we actually thought. Problem #2: deny_mode is *not* a bitmask, it's a set of discrete values. Inside fruit_check_access() we have: if (deny_mode & DENY_READ) and also (deny_mode & DENY_WRITE) However, deny modes are defined as: /* deny modes */ define DENY_DOS 0 define DENY_ALL 1 define DENY_WRITE 2 define DENY_READ 3 define DENY_NONE 4 define DENY_FCB 7 so if deny_mode = DENY_WRITE, or if deny_mode = DENY_READ then it's going to trigger both the if (deny_mode & DENY_READ) *and* the (deny_mode & DENY_WRITE) conditions. These problems allowed the original test test_netatalk_lock code to pass (which was added for BUG: https://bugzilla.samba.org/show_bug.cgi?id=13584 to demonstrate the lock order violation). This patch refactors the fruit_check_access() code to be much simpler (IMHO) to understand. Firstly, pass in the SMB1/2 share mode, not old DOS deny modes. Secondly, read all the possible NetAtalk locks into local variables: netatalk_already_open_for_reading netatalk_already_open_with_deny_read netatalk_already_open_for_writing netatalk_already_open_with_deny_write Then do the share mode/access mode checks with the requested values against any stored netatalk modes/access modes. Finally add in NetATalk compatible locks that represent our share modes/access modes into the file, with an early return if we don't have FILE_READ_DATA (in which case we can't write locks anyway). The patch is easier to understand by looking at the completed patched fruit_check_access() function, rather than trying to look at the diff. Signed-off-by: Jeremy Allison <jra@samba.org> Reviewed-by: Ralph Böhme <slow@samba.org> (cherry picked from commit 3204dc6)

Because we just wrote the intermediate representation to have no zero distances, we can be sure it doesn't, but Coverity doesn't know. If distance is zero, `bitlen_nonzero_16(distance)` would be bad. CID 1517278 (#1 of 1): Bad bit shift operation (BAD_SHIFT)41. large_shift: In expression 1 << code_dist, left shifting by more than 31 bits has undefined behavior. The shift amount, code_dist, is 65535. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org>

We shouldn't get a node with a zero code, and there's probably nothing to do but stop. CID 1517261 (#1-2 of 2): Bad bit shift operation (BAD_SHIFT)11. negative_shift: In expression j >> offset - k, shifting by a negative amount has undefined behavior. The shift amount, offset - k, is -3. Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Mon Dec 19 23:29:04 UTC 2022 on sn-devel-184

…level() ==12122==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fff494dd900 at pc 0x7fdaebea71e3 bp 0x7fff494dd430 sp 0x7fff494dd428 READ of size 4 at 0x7fff494dd900 thread T0 #0 0x7fdaebea71e2 in ndr_push_spoolss_SetPrinterInfo8 librpc/gen_ndr/ndr_spoolss.c:8618 #1 0x7fdaebea71e2 in ndr_push_spoolss_SetPrinterInfo librpc/gen_ndr/ndr_spoolss.c:8796 #2 0x7fdaebea7482 in ndr_push_spoolss_SetPrinterInfoCtr librpc/gen_ndr/ndr_spoolss.c:9163 #3 0x7fdaebea7580 in ndr_push_spoolss_SetPrinter librpc/gen_ndr/ndr_spoolss.c:27000 #4 0x7fdaee3e1b30 in dcerpc_binding_handle_call_send ../../librpc/rpc/binding_handle.c:416 #5 0x7fdaee3e2132 in dcerpc_binding_handle_call ../../librpc/rpc/binding_handle.c:553 #6 0x7fdaecb103fd in dcerpc_spoolss_SetPrinter_r librpc/gen_ndr/ndr_spoolss_c.c:1722 #7 0x559a7294c2f1 in test_SetPrinter ../../source4/torture/rpc/spoolss.c:1293 #8 0x559a7297b4d4 in test_devmode_set_level ../../source4/torture/rpc/spoolss.c:2126 #9 0x559a7299cfa1 in test_PrinterInfo_DevModes ../../source4/torture/rpc/spoolss.c:2344 #10 0x559a7299cfa1 in test_PrinterInfo_DevMode ../../source4/torture/rpc/spoolss.c:2489 #11 0x559a7299cfa1 in test_printer_dm ../../source4/torture/rpc/spoolss.c:9083 #12 0x7fdaeda9867d in wrap_test_with_simple_test ../../lib/torture/torture.c:808 #13 0x7fdaeda9a40b in internal_torture_run_test ../../lib/torture/torture.c:516 #14 0x7fdaeda9a87c in torture_run_tcase_restricted ../../lib/torture/torture.c:581 #15 0x7fdaeda9aeb2 in torture_run_suite_restricted ../../lib/torture/torture.c:435 #16 0x559a72b51668 in run_matching ../../source4/torture/smbtorture.c:95 #17 0x559a72b516ef in run_matching ../../source4/torture/smbtorture.c:105 #18 0x559a72b516ef in run_matching ../../source4/torture/smbtorture.c:105 #19 0x559a72b523ef in torture_run_named_tests ../../source4/torture/smbtorture.c:172 #20 0x559a72b563eb in main ../../source4/torture/smbtorture.c:750 #21 0x7fdaea42c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #22 0x7fdaea42c678 in __libc_start_main_impl ../csu/libc-start.c:381 #23 0x559a72755824 in _start ../sysdeps/x86_64/start.S:115 Address 0x7fff494dd900 is located in stack of thread T0 at offset 32 in frame #0 0x559a7297b111 in test_devmode_set_level ../../source4/torture/rpc/spoolss.c:2090 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>

…ull() ==17828==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffc37790230 at pc 0x7fc37e2a3a11 bp 0x7ffc3778fec0 sp 0x7ffc3778feb8 READ of size 16 at 0x7ffc37790230 thread T0 #0 0x7fc37e2a3a10 in ndr_push_spoolss_GetPrinter librpc/gen_ndr/ndr_spoolss.c:27123 #1 0x7fc380629b30 in dcerpc_binding_handle_call_send ../../librpc/rpc/binding_handle.c:416 #2 0x7fc38062a132 in dcerpc_binding_handle_call ../../librpc/rpc/binding_handle.c:553 #3 0x7fc37ed113c9 in dcerpc_spoolss_GetPrinter_r librpc/gen_ndr/ndr_spoolss_c.c:1947 #4 0x5570ba6c4d03 in test_devicemode_full ../../source4/torture/rpc/spoolss.c:2249 #5 0x5570ba6e61ea in test_PrinterInfo_DevModes ../../source4/torture/rpc/spoolss.c:2384 #6 0x5570ba6e61ea in test_PrinterInfo_DevMode ../../source4/torture/rpc/spoolss.c:2488 #7 0x5570ba6e61ea in test_printer_dm ../../source4/torture/rpc/spoolss.c:9082 #8 0x7fc37fc7b67d in wrap_test_with_simple_test ../../lib/torture/torture.c:808 #9 0x7fc37fc7d40b in internal_torture_run_test ../../lib/torture/torture.c:516 #10 0x7fc37fc7d87c in torture_run_tcase_restricted ../../lib/torture/torture.c:581 #11 0x7fc37fc7deb2 in torture_run_suite_restricted ../../lib/torture/torture.c:435 #12 0x5570ba89a65d in run_matching ../../source4/torture/smbtorture.c:95 #13 0x5570ba89a6e4 in run_matching ../../source4/torture/smbtorture.c:105 #14 0x5570ba89a6e4 in run_matching ../../source4/torture/smbtorture.c:105 #15 0x5570ba89b3e4 in torture_run_named_tests ../../source4/torture/smbtorture.c:172 #16 0x5570ba89f3e0 in main ../../source4/torture/smbtorture.c:750 #17 0x7fc37c62c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #18 0x7fc37c62c678 in __libc_start_main_impl ../csu/libc-start.c:381 #19 0x5570ba49e824 in _start ../sysdeps/x86_64/start.S:115 Address 0x7ffc37790230 is located in stack of thread T0 at offset 160 in frame #0 0x5570ba6c4562 in test_devicemode_full ../../source4/torture/rpc/spoolss.c:2186 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Dec 20 06:55:45 UTC 2022 on sn-devel-184

Found by ASAN: $ bin/stress-nss-libwbclient ... ==1639426==ERROR: AddressSanitizer: unknown-crash on address 0x7f3907d85000 at pc 0x7f3907d649fb bp 0x7ffc6545f5b0 sp 0x7ffc6545f5a8 READ of size 4 at 0x7f3907d85000 thread T0 #0 0x7f3907d649fa in winbind_close_sock ../../nsswitch/wb_common.c:220 #1 0x7f3907d65866 in winbind_destructor ../../nsswitch/wb_common.c:246 #2 0x7f3907da5d3d in _dl_fini /usr/src/debug/glibc-2.35-20.fc36.x86_64/elf/dl-fini.c:142 #3 0x7f3907241044 in __run_exit_handlers (/lib64/libc.so.6+0x41044) #4 0x7f39072411bf in exit (/lib64/libc.so.6+0x411bf) #5 0x7f3907229516 in __libc_start_call_main (/lib64/libc.so.6+0x29516) #6 0x7f39072295c8 in __libc_start_main_impl (/lib64/libc.so.6+0x295c8) #7 0x56236a2042b4 in _start (/data/git/samba/scratch3/bin/default/nsswitch/stress-nss-libwbclient+0x22b4) Address 0x7f3907d85000 is a wild pointer inside of access range of size 0x000000000004. SUMMARY: AddressSanitizer: unknown-crash ../../nsswitch/wb_common.c:220 in winbind_close_sock The pthread key in wb_global_ctx.key is only initialized if wb_thread_ctx_initialize() is called via get_wb_global_ctx() -> get_wb_thread_ctx(). Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Jan 6 15:04:46 UTC 2023 on sn-devel-184

This function already exists in bind9 but takes different arguments, so when the DLZ is loaded and this function is called bind crashes: named[1523]: samba_dlz: allowing update of signer=DESKTOP-8BUKMBK\$\@AFOREST.AD name=118.101.168.192.in-addr.arpa tcpaddr=192.168.101.118 type=PTR key=1264-ms-7.1-2ac9.9ef238e1-9747-11ed-9f95-525400dc6981/159/0 named[1523]: samba_dlz: allowing update of signer=DESKTOP-8BUKMBK\$\@AFOREST.AD name=118.101.168.192.in-addr.arpa tcpaddr=192.168.101.118 type=PTR key=1264-ms-7.1-2ac9.9ef238e1-9747-11ed-9f95-525400dc6981/159/0 named[1523]: client @0x7f26caa90f68 192.168.101.118#58223/key DESKTOP-8BUKMBK\$\@AFOREST.AD: updating zone '101.168.192.in-addr.arpa/NONE': deleting rrset at '118.101.168.192.in-addr.ar named[1523]: name.c:664: REQUIRE(((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))) failed, back trace Backtrace: #0 0x00007f2716c957ec in __pthread_kill_implementation () from /lib64/libc.so.6 #1 0x00007f2716c42816 in raise () from /lib64/libc.so.6 #2 0x00007f2716c2b81c in abort () from /lib64/libc.so.6 #3 0x000055d4de847995 in assertion_failed (file=<optimized out>, line=<optimized out>, type=<optimized out>, cond=<optimized out>) at /usr/src/debug/bind-9.18.10/bin/named/main.c:237 #4 0x00007f27176388fc in isc_assertion_failed (file=file@entry=0x7f27173b0df6 "name.c", line=line@entry=664, type=type@entry=isc_assertiontype_require, cond=cond@entry=0x7f27173b0268 "((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))") at /usr/src/debug/bind-9.18.10/lib/isc/assertions.c:48 #5 0x00007f27172946f9 in dns_name_equal (name1=<optimized out>, name2=<optimized out>) at /usr/src/debug/bind-9.18.10/lib/dns/name.c:664 **** Here bind's dns_name_equal() is called instead of samba's dns_name_equal() **** #6 0x00007f27077ad6f2 in dns_record_match (rec1=0x7f26f8042d70, rec2=0x7f26f8044d10) at ../../source4/dns_server/dnsserver_common.c:1346 #7 0x00007f271404732c in b9_record_match (rec1=0x7f26f8042d70, rec2=0x7f26f8044d10) at ../../source4/dns_server/dlz_bind9.c:1830 #8 0x00007f2714047daa in dlz_subrdataset (name=0x7f2706ff82f0 "118.101.168.192.in-addr.arpa", rdatastr=0x7f26c9c10000 "118.101.168.192.in-addr.arpa.\t1200\tIN\tPTR\tDESKTOP-8BUKMBK.aforest.ad.", dbdata=0x7f271003d300, version=0x7f26f8044b20) at ../../source4/dns_server/dlz_bind9.c:2077 #9 0x000055d4de84afb4 in dlopen_dlz_subrdataset (name=0x7f2706ff82f0 "118.101.168.192.in-addr.arpa", rdatastr=<optimized out>, driverarg=<optimized out>, dbdata=0x7f270430f680, version=<optimized out>) at /usr/src/debug/bind-9.18.10/bin/named/dlz_dlopen_driver.c:483 #10 0x00007f271738e734 in modrdataset.constprop.0 (db=0x7f2704291740, node=0x7f26c9c006e0, version=0x7f26f8044b20, rdataset=0x7f2706ff8830, mod_function=0x55d4de84af80 <dlopen_dlz_subrdataset>, options=<optimized out>) at /usr/src/debug/bind-9.18.10/lib/dns/sdlz.c:1107 #11 0x00007f2717251855 in diff_apply (diff=diff@entry=0x7f2706ff8df0, db=db@entry=0x7f2704291740, ver=ver@entry=0x7f26f8044b20, warn=warn@entry=true) at /usr/src/debug/bind-9.18.10/lib/dns/diff.c:370 #12 0x00007f2717251c8a in dns_diff_apply (diff=diff@entry=0x7f2706ff8df0, db=db@entry=0x7f2704291740, ver=ver@entry=0x7f26f8044b20) at /usr/src/debug/bind-9.18.10/lib/dns/diff.c:465 #13 0x00007f2717d105aa in do_one_tuple (tuple=tuple@entry=0x7f2706ff8e50, db=db@entry=0x7f2704291740, ver=ver@entry=0x7f26f8044b20, diff=diff@entry=0x7f2706ff9400) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:454 #14 0x00007f2717d10fff in update_one_rr (rdata=0x7f2706ff8ee8, ttl=<optimized out>, name=<optimized out>, op=DNS_DIFFOP_DEL, diff=0x7f2706ff9400, ver=0x7f26f8044b20, db=0x7f2704291740) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:505 #15 delete_if_action (data=<optimized out>, rr=0x7f2706ff8ee0) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:1427 #16 0x00007f2717d10ccd in foreach_rr (db=0x7f2704291740, ver=<optimized out>, name=0x7f26caa61d00, type=<optimized out>, covers=<optimized out>, rr_action=rr_action@entry=0x7f2717d10f60 <delete_if_action>, rr_action_data=0x7f2706ff9280) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:736 #17 0x00007f2717d10e76 in delete_if (predicate=predicate@entry=0x7f2717d0fb10 <true_p>, db=<optimized out>, ver=<optimized out>, name=<optimized out>, type=<optimized out>, covers=<optimized out>, update_rr=0x7f2706ff94b0, diff=0x7f2706ff9400) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:1454 #18 0x00007f2717d1bccd in update_action (task=<optimized out>, event=<optimized out>) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:3299 #19 0x00007f271765eb4c in task_run (task=0x7f27155ccf00) at /usr/src/debug/bind-9.18.10/lib/isc/task.c:823 #20 isc_task_run (task=0x7f27155ccf00) at /usr/src/debug/bind-9.18.10/lib/isc/task.c:904 #21 0x00007f271762cb12 in isc__nm_async_task (worker=0x7f2716236560, ev0=0x7f26caa07000) at netmgr/netmgr.c:840 #22 process_netievent (worker=worker@entry=0x7f2716236560, ievent=0x7f26caa07000) at netmgr/netmgr.c:918 #23 0x00007f271762d197 in process_queue (worker=worker@entry=0x7f2716236560, type=type@entry=NETIEVENT_TASK) at netmgr/netmgr.c:1011 #24 0x00007f271762d3b3 in process_all_queues (worker=0x7f2716236560) at netmgr/netmgr.c:765 #25 async_cb (handle=0x7f27162368c0) at netmgr/netmgr.c:794 #26 0x00007f2717c4cb0d in uv__async_io (loop=0x7f2716236570, w=<optimized out>, events=<optimized out>) at src/unix/async.c:163 #27 0x00007f2717c6825d in uv__io_poll (loop=0x7f2716236570, timeout=<optimized out>) at src/unix/epoll.c:374 #28 0x00007f2717c5247a in uv__io_poll (timeout=<optimized out>, loop=0x7f2716236570) at src/unix/udp.c:122 #29 uv_run (loop=loop@entry=0x7f2716236570, mode=mode@entry=UV_RUN_DEFAULT) at src/unix/core.c:406 #30 0x00007f271762d834 in nm_thread (worker0=0x7f2716236560) at netmgr/netmgr.c:696 #31 0x00007f27176627f5 in isc__trampoline_run (arg=0x55d4dfe3ad70) at /usr/src/debug/bind-9.18.10/lib/isc/trampoline.c:189 #32 0x00007f2716c9398d in start_thread () from /lib64/libc.so.6 #33 0x00007f2716d19344 in clone () from /lib64/libc.so.6 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14030 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Samuel Cabrero <scabrero@samba.org> Autobuild-Date(master): Thu Jan 19 10:20:27 UTC 2023 on atb-devel-224

In macOS Ventura marshalling of kMDScopeArray in the "openQueryWithParams" request has changed from string: kMDScopeArray sl_array_t(#1): { string: /foo/bar } to: string: kMDScopeArray sl_array_t(#1): { sl_array_t(#1): { string: /foo/bar } } With this patch we check both encodings. Bug fixed according to user feedback. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15299 RN: Spotlight doesn't work with latest macOS Ventura Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>

In macOS Ventura marshalling of kMDScopeArray in the "openQueryWithParams" request has changed from string: kMDScopeArray sl_array_t(#1): { string: /foo/bar } to: string: kMDScopeArray sl_array_t(#1): { sl_array_t(#1): { string: /foo/bar } } With this patch we check both encodings. Bug fixed according to user feedback. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15299 RN: Spotlight doesn't work with latest macOS Ventura Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 1dd0cd2)

In macOS Ventura marshalling of kMDScopeArray in the "openQueryWithParams" request has changed from string: kMDScopeArray sl_array_t(#1): { string: /foo/bar } to: string: kMDScopeArray sl_array_t(#1): { sl_array_t(#1): { string: /foo/bar } } With this patch we check both encodings. Bug fixed according to user feedback. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15299 RN: Spotlight doesn't work with latest macOS Ventura Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 1dd0cd2) Autobuild-User(v4-17-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-17-test): Fri Feb 10 10:43:35 UTC 2023 on sn-devel-184

In macOS Ventura marshalling of kMDScopeArray in the "openQueryWithParams" request has changed from string: kMDScopeArray sl_array_t(#1): { string: /foo/bar } to: string: kMDScopeArray sl_array_t(#1): { sl_array_t(#1): { string: /foo/bar } } With this patch we check both encodings. Bug fixed according to user feedback. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15299 RN: Spotlight doesn't work with latest macOS Ventura Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit 1dd0cd2) Autobuild-User(v4-16-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-16-test): Fri Feb 10 12:15:02 UTC 2023 on sn-devel-184

==7109==ERROR: AddressSanitizer: odr-violation (0x7f7d682b4f00): [1] size=88 'ndr_table_secrets' source3/librpc/gen_ndr/ndr_secrets.c:1002:34 [2] size=88 'ndr_table_secrets' source3/librpc/gen_ndr/ndr_secrets.c:1002:34 These globals were registered at these points: [1]: #0 0x7f7d6843eda8 (/lib64/libasan.so.8+0x3eda8) #1 0x7f7d682970ed in _sub_I_00099_1 (bin/shared/private/libsecrets3-samba4.so+0x1a0ed) #2 0x7f7d68af72fd in call_init /usr/src/debug/glibc-2.37/elf/dl-init.c:70 #3 0x7f7d68af72fd in call_init /usr/src/debug/glibc-2.37/elf/dl-init.c:26 [2]: #0 0x7f7d6843eda8 (/lib64/libasan.so.8+0x3eda8) #1 0x7f7d65d423fb in _sub_I_00099_1 (bin/shared/private/libndr-samba4.so+0x3423fb) #2 0x7f7d68af72fd in call_init /usr/src/debug/glibc-2.37/elf/dl-init.c:70 #3 0x7f7d68af72fd in call_init /usr/src/debug/glibc-2.37/elf/dl-init.c:26 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>

The short version is: Running LOCAL-IDMAP-TDB-COMMON test_getnewid1: PASSED! test_setmap1: PASSED! test_unixid2sid1: PASSED! test_sid2unixid1: could not create uid map! TEST LOCAL-IDMAP-TDB-COMMON FAILED! LOCAL-IDMAP-TDB-COMMON took 0.029819 secs Freed frame ../../source3/torture/torture.c:15748, expected ../../source3/torture/test_idmap_tdb_common.c:986. =============================================================== INTERNAL ERROR: Frame not freed in order. in pid 3692106 (4.19.0pre1-DEVELOPERBUILD) If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting =============================================================== PANIC (pid 3692106): Frame not freed in order. in 4.19.0pre1-DEVELOPERBUILD BACKTRACE: 11 stack frames: #0 bin/shared/private/libgenrand-samba4.so(log_stack_trace+0x32) [0x7f2f39b430ba] #1 bin/shared/private/libgenrand-samba4.so(smb_panic_log+0x1dd) [0x7f2f39b43037] #2 bin/shared/private/libgenrand-samba4.so(smb_panic+0x1c) [0x7f2f39b43056] #3 bin/shared/libsamba-util.so.0(+0x75309) [0x7f2f3a659309] #4 bin/shared/private/libtalloc-samba4.so(+0x5cc6) [0x7f2f3a758cc6] #5 bin/shared/private/libtalloc-samba4.so(+0x6173) [0x7f2f3a759173] #6 bin/shared/private/libtalloc-samba4.so(_talloc_free+0x10c) [0x7f2f3a75a54b] #7 /data/samba/samba-review/bin/smbtorture3(main+0xa97) [0x55cb3dc8cedc] #8 /lib/x86_64-linux-gnu/libc.so.6(+0x29d90) [0x7f2f396d4d90] #9 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x80) [0x7f2f396d4e40] #10 /data/samba/samba-review/bin/smbtorture3(_start+0x25) [0x55cb3dc59895] smb_panic(): calling panic action [/data/samba/samba-review/selftest/gdb_backtrace 3692106] Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Fix the following error observed running samba.test.registry compiled with clang-17 and UBsan: lib/ldb/common/ldb_ldif.c:881:9: runtime error: applying non-zero offset 137438953440 to null pointer #0 0x7faa0eb3932f in ldb_ldif_read lib/ldb/common/ldb_ldif.c:881 #1 0x7faa0eb3aec6 in ldb_ldif_read_string lib/ldb/common/ldb_ldif.c:1004 #2 0x7faa077ed759 in dsdb_set_schema_from_ldif source4/dsdb/schema/schema_set.c:1113 #3 0x7faa068fcbbf in py_dsdb_set_schema_from_ldif source4/dsdb/pydsdb.c:929 #4 0x7faa1d1d4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507) [... a lot of Python calls skipped...] I.e. number of elements should be checked against zero before making an attempt to access an element by index. Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Strictly speaking, this is not a bug because parsing loop will just skip an empty ({NULL}, 0) blob. But it's better to avoid this case because UBSan (as of clang-17 at least) may complain on such a parsing attempt: source4/ntvfs/posix/posix_eadb.c:56:62: runtime error: applying zero offset to null pointer #0 0x7f9d71ce7b2a in posix_eadb_add_list source4/ntvfs/posix/posix_eadb.c:56 #1 0x7f9d71ce7b2a in push_xattr_blob_tdb_raw source4/ntvfs/posix/posix_eadb.c:178 #2 0x7f9d71cec1f5 in py_wrap_setxattr source4/ntvfs/posix/python/pyposix_eadb.c:64 #3 0x7f9d88bd4507 in cfunction_call (/lib64/libpython3.11.so.1.0+0x1d4507) [... a lot of Python calls skipped...] Signed-off-by: Dmitry Antipov <dantipov@cloudlinux.com> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>

This function already exists in bind9 but takes different arguments, so when the DLZ is loaded and this function is called bind crashes: named[1523]: samba_dlz: allowing update of signer=DESKTOP-8BUKMBK\$\@AFOREST.AD name=118.101.168.192.in-addr.arpa tcpaddr=192.168.101.118 type=PTR key=1264-ms-7.1-2ac9.9ef238e1-9747-11ed-9f95-525400dc6981/159/0 named[1523]: samba_dlz: allowing update of signer=DESKTOP-8BUKMBK\$\@AFOREST.AD name=118.101.168.192.in-addr.arpa tcpaddr=192.168.101.118 type=PTR key=1264-ms-7.1-2ac9.9ef238e1-9747-11ed-9f95-525400dc6981/159/0 named[1523]: client @0x7f26caa90f68 192.168.101.118#58223/key DESKTOP-8BUKMBK\$\@AFOREST.AD: updating zone '101.168.192.in-addr.arpa/NONE': deleting rrset at '118.101.168.192.in-addr.ar named[1523]: name.c:664: REQUIRE(((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))) failed, back trace Backtrace: #0 0x00007f2716c957ec in __pthread_kill_implementation () from /lib64/libc.so.6 #1 0x00007f2716c42816 in raise () from /lib64/libc.so.6 #2 0x00007f2716c2b81c in abort () from /lib64/libc.so.6 #3 0x000055d4de847995 in assertion_failed (file=<optimized out>, line=<optimized out>, type=<optimized out>, cond=<optimized out>) at /usr/src/debug/bind-9.18.10/bin/named/main.c:237 #4 0x00007f27176388fc in isc_assertion_failed (file=file@entry=0x7f27173b0df6 "name.c", line=line@entry=664, type=type@entry=isc_assertiontype_require, cond=cond@entry=0x7f27173b0268 "((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))") at /usr/src/debug/bind-9.18.10/lib/isc/assertions.c:48 #5 0x00007f27172946f9 in dns_name_equal (name1=<optimized out>, name2=<optimized out>) at /usr/src/debug/bind-9.18.10/lib/dns/name.c:664 **** Here bind's dns_name_equal() is called instead of samba's dns_name_equal() **** #6 0x00007f27077ad6f2 in dns_record_match (rec1=0x7f26f8042d70, rec2=0x7f26f8044d10) at ../../source4/dns_server/dnsserver_common.c:1346 #7 0x00007f271404732c in b9_record_match (rec1=0x7f26f8042d70, rec2=0x7f26f8044d10) at ../../source4/dns_server/dlz_bind9.c:1830 #8 0x00007f2714047daa in dlz_subrdataset (name=0x7f2706ff82f0 "118.101.168.192.in-addr.arpa", rdatastr=0x7f26c9c10000 "118.101.168.192.in-addr.arpa.\t1200\tIN\tPTR\tDESKTOP-8BUKMBK.aforest.ad.", dbdata=0x7f271003d300, version=0x7f26f8044b20) at ../../source4/dns_server/dlz_bind9.c:2077 #9 0x000055d4de84afb4 in dlopen_dlz_subrdataset (name=0x7f2706ff82f0 "118.101.168.192.in-addr.arpa", rdatastr=<optimized out>, driverarg=<optimized out>, dbdata=0x7f270430f680, version=<optimized out>) at /usr/src/debug/bind-9.18.10/bin/named/dlz_dlopen_driver.c:483 #10 0x00007f271738e734 in modrdataset.constprop.0 (db=0x7f2704291740, node=0x7f26c9c006e0, version=0x7f26f8044b20, rdataset=0x7f2706ff8830, mod_function=0x55d4de84af80 <dlopen_dlz_subrdataset>, options=<optimized out>) at /usr/src/debug/bind-9.18.10/lib/dns/sdlz.c:1107 #11 0x00007f2717251855 in diff_apply (diff=diff@entry=0x7f2706ff8df0, db=db@entry=0x7f2704291740, ver=ver@entry=0x7f26f8044b20, warn=warn@entry=true) at /usr/src/debug/bind-9.18.10/lib/dns/diff.c:370 #12 0x00007f2717251c8a in dns_diff_apply (diff=diff@entry=0x7f2706ff8df0, db=db@entry=0x7f2704291740, ver=ver@entry=0x7f26f8044b20) at /usr/src/debug/bind-9.18.10/lib/dns/diff.c:465 #13 0x00007f2717d105aa in do_one_tuple (tuple=tuple@entry=0x7f2706ff8e50, db=db@entry=0x7f2704291740, ver=ver@entry=0x7f26f8044b20, diff=diff@entry=0x7f2706ff9400) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:454 #14 0x00007f2717d10fff in update_one_rr (rdata=0x7f2706ff8ee8, ttl=<optimized out>, name=<optimized out>, op=DNS_DIFFOP_DEL, diff=0x7f2706ff9400, ver=0x7f26f8044b20, db=0x7f2704291740) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:505 #15 delete_if_action (data=<optimized out>, rr=0x7f2706ff8ee0) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:1427 #16 0x00007f2717d10ccd in foreach_rr (db=0x7f2704291740, ver=<optimized out>, name=0x7f26caa61d00, type=<optimized out>, covers=<optimized out>, rr_action=rr_action@entry=0x7f2717d10f60 <delete_if_action>, rr_action_data=0x7f2706ff9280) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:736 #17 0x00007f2717d10e76 in delete_if (predicate=predicate@entry=0x7f2717d0fb10 <true_p>, db=<optimized out>, ver=<optimized out>, name=<optimized out>, type=<optimized out>, covers=<optimized out>, update_rr=0x7f2706ff94b0, diff=0x7f2706ff9400) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:1454 #18 0x00007f2717d1bccd in update_action (task=<optimized out>, event=<optimized out>) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:3299 #19 0x00007f271765eb4c in task_run (task=0x7f27155ccf00) at /usr/src/debug/bind-9.18.10/lib/isc/task.c:823 #20 isc_task_run (task=0x7f27155ccf00) at /usr/src/debug/bind-9.18.10/lib/isc/task.c:904 #21 0x00007f271762cb12 in isc__nm_async_task (worker=0x7f2716236560, ev0=0x7f26caa07000) at netmgr/netmgr.c:840 #22 process_netievent (worker=worker@entry=0x7f2716236560, ievent=0x7f26caa07000) at netmgr/netmgr.c:918 #23 0x00007f271762d197 in process_queue (worker=worker@entry=0x7f2716236560, type=type@entry=NETIEVENT_TASK) at netmgr/netmgr.c:1011 #24 0x00007f271762d3b3 in process_all_queues (worker=0x7f2716236560) at netmgr/netmgr.c:765 #25 async_cb (handle=0x7f27162368c0) at netmgr/netmgr.c:794 #26 0x00007f2717c4cb0d in uv__async_io (loop=0x7f2716236570, w=<optimized out>, events=<optimized out>) at src/unix/async.c:163 #27 0x00007f2717c6825d in uv__io_poll (loop=0x7f2716236570, timeout=<optimized out>) at src/unix/epoll.c:374 #28 0x00007f2717c5247a in uv__io_poll (timeout=<optimized out>, loop=0x7f2716236570) at src/unix/udp.c:122 #29 uv_run (loop=loop@entry=0x7f2716236570, mode=mode@entry=UV_RUN_DEFAULT) at src/unix/core.c:406 #30 0x00007f271762d834 in nm_thread (worker0=0x7f2716236560) at netmgr/netmgr.c:696 #31 0x00007f27176627f5 in isc__trampoline_run (arg=0x55d4dfe3ad70) at /usr/src/debug/bind-9.18.10/lib/isc/trampoline.c:189 #32 0x00007f2716c9398d in start_thread () from /lib64/libc.so.6 #33 0x00007f2716d19344 in clone () from /lib64/libc.so.6 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14030 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Samuel Cabrero <scabrero@samba.org> Autobuild-Date(master): Thu Jan 19 10:20:27 UTC 2023 on atb-devel-224 (cherry picked from commit fcecdfa)

[2023/06/16 16:30:18.677249, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/cmdline/cmdline.c:56(_samba_cmdline_talloc_log) Bad talloc magic value - unknown value [2023/06/16 16:30:18.677374, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:173(smb_panic_log) =============================================================== [2023/06/16 16:30:18.677388, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:177(smb_panic_log) INTERNAL ERROR: Bad talloc magic value - unknown value in pid 28112 (4.18.3) [2023/06/16 16:30:18.677398, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:182(smb_panic_log) If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting [2023/06/16 16:30:18.677408, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:183(smb_panic_log) =============================================================== [2023/06/16 16:30:18.677420, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:185(smb_panic_log) PANIC (pid 28112): Bad talloc magic value - unknown value in 4.18.3 [2023/06/16 16:30:18.677698, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:293(log_stack_trace) BACKTRACE: 22 stack frames: #0 /usr/lib64/samba/libgenrand-samba4.so(log_stack_trace+0x34) [0x7fcc04ad35d4] #1 /usr/lib64/samba/libgenrand-samba4.so(smb_panic+0xd) [0x7fcc04ad382d] #2 /lib64/libtalloc.so.2(+0x3121) [0x7fcc04650121] #3 /usr/sbin/winbindd(_wbint_InitConnection+0xe8) [0x55aa1fd79028] #4 /usr/sbin/winbindd(+0x59488) [0x55aa1fd7e488] #5 /lib64/libdcerpc-server-core.so.0(dcesrv_call_dispatch_local+0x69) [0x7fcc05890469] #6 /usr/sbin/winbindd(winbindd_dual_ndrcmd+0x3c5) [0x55aa1fd762d5] #7 /usr/sbin/winbindd(+0x4d664) [0x55aa1fd72664] #8 /lib64/libtevent.so.0(tevent_common_invoke_fd_handler+0x97) [0x7fcc03d2e707] #9 /lib64/libtevent.so.0(+0xef4f) [0x7fcc03d34f4f] #10 /lib64/libtevent.so.0(+0xcf5b) [0x7fcc03d32f5b] #11 /lib64/libtevent.so.0(_tevent_loop_once+0x95) [0x7fcc03d2d9b5] #12 /usr/sbin/winbindd(+0x4fd14) [0x55aa1fd74d14] #13 /usr/sbin/winbindd(+0x505cd) [0x55aa1fd755cd] #14 /lib64/libtevent.so.0(tevent_common_invoke_immediate_handler+0x182) [0x7fcc03d2ec72] #15 /lib64/libtevent.so.0(tevent_common_loop_immediate+0x27) [0x7fcc03d2eca7] #16 /lib64/libtevent.so.0(+0xed2f) [0x7fcc03d34d2f] #17 /lib64/libtevent.so.0(+0xcf5b) [0x7fcc03d32f5b] #18 /lib64/libtevent.so.0(_tevent_loop_once+0x95) [0x7fcc03d2d9b5] #19 /usr/sbin/winbindd(main+0xd34) [0x55aa1fd402f4] #20 /lib64/libc.so.6(__libc_start_main+0xe5) [0x7fcc0339dd85] #21 /usr/sbin/winbindd(_start+0x2e) [0x55aa1fd40e8e] [2023/06/16 16:30:18.677828, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../source3/lib/dumpcore.c:318(dump_core) coredump is handled by helper binary specified at /proc/sys/kernel/core_pattern BUG: https://bugzilla.samba.org/show_bug.cgi?id=15398 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Jun 20 11:07:45 UTC 2023 on atb-devel-224

[2023/06/16 16:30:18.677249, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/cmdline/cmdline.c:56(_samba_cmdline_talloc_log) Bad talloc magic value - unknown value [2023/06/16 16:30:18.677374, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:173(smb_panic_log) =============================================================== [2023/06/16 16:30:18.677388, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:177(smb_panic_log) INTERNAL ERROR: Bad talloc magic value - unknown value in pid 28112 (4.18.3) [2023/06/16 16:30:18.677398, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:182(smb_panic_log) If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting [2023/06/16 16:30:18.677408, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:183(smb_panic_log) =============================================================== [2023/06/16 16:30:18.677420, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:185(smb_panic_log) PANIC (pid 28112): Bad talloc magic value - unknown value in 4.18.3 [2023/06/16 16:30:18.677698, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:293(log_stack_trace) BACKTRACE: 22 stack frames: #0 /usr/lib64/samba/libgenrand-samba4.so(log_stack_trace+0x34) [0x7fcc04ad35d4] #1 /usr/lib64/samba/libgenrand-samba4.so(smb_panic+0xd) [0x7fcc04ad382d] #2 /lib64/libtalloc.so.2(+0x3121) [0x7fcc04650121] #3 /usr/sbin/winbindd(_wbint_InitConnection+0xe8) [0x55aa1fd79028] #4 /usr/sbin/winbindd(+0x59488) [0x55aa1fd7e488] #5 /lib64/libdcerpc-server-core.so.0(dcesrv_call_dispatch_local+0x69) [0x7fcc05890469] #6 /usr/sbin/winbindd(winbindd_dual_ndrcmd+0x3c5) [0x55aa1fd762d5] #7 /usr/sbin/winbindd(+0x4d664) [0x55aa1fd72664] #8 /lib64/libtevent.so.0(tevent_common_invoke_fd_handler+0x97) [0x7fcc03d2e707] #9 /lib64/libtevent.so.0(+0xef4f) [0x7fcc03d34f4f] #10 /lib64/libtevent.so.0(+0xcf5b) [0x7fcc03d32f5b] #11 /lib64/libtevent.so.0(_tevent_loop_once+0x95) [0x7fcc03d2d9b5] #12 /usr/sbin/winbindd(+0x4fd14) [0x55aa1fd74d14] #13 /usr/sbin/winbindd(+0x505cd) [0x55aa1fd755cd] #14 /lib64/libtevent.so.0(tevent_common_invoke_immediate_handler+0x182) [0x7fcc03d2ec72] #15 /lib64/libtevent.so.0(tevent_common_loop_immediate+0x27) [0x7fcc03d2eca7] #16 /lib64/libtevent.so.0(+0xed2f) [0x7fcc03d34d2f] #17 /lib64/libtevent.so.0(+0xcf5b) [0x7fcc03d32f5b] #18 /lib64/libtevent.so.0(_tevent_loop_once+0x95) [0x7fcc03d2d9b5] #19 /usr/sbin/winbindd(main+0xd34) [0x55aa1fd402f4] #20 /lib64/libc.so.6(__libc_start_main+0xe5) [0x7fcc0339dd85] #21 /usr/sbin/winbindd(_start+0x2e) [0x55aa1fd40e8e] [2023/06/16 16:30:18.677828, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../source3/lib/dumpcore.c:318(dump_core) coredump is handled by helper binary specified at /proc/sys/kernel/core_pattern BUG: https://bugzilla.samba.org/show_bug.cgi?id=15398 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit d34ff44) Autobuild-User(v4-18-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-18-test): Fri Jun 23 13:01:17 UTC 2023 on atb-devel-224

==395==ERROR: LeakSanitizer: detected memory leaks Direct leak of 96 byte(s) in 1 object(s) allocated from: #0 0x7f4c5dedc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: b10bafa0ba3304197db35cc24e0024cb0492168a) #1 0x7f4c5d252b3e in __talloc_with_prefix ../../lib/talloc/talloc.c:783 #2 0x7f4c5d2543cc in __talloc ../../lib/talloc/talloc.c:825 #3 0x7f4c5d2543cc in _talloc_named_const ../../lib/talloc/talloc.c:982 #4 0x7f4c5d2543cc in talloc_named_const ../../lib/talloc/talloc.c:1751 #5 0x7f4c504acc53 in partition_metadata_get_uint64 ../../source4/dsdb/samdb/ldb_modules/partition_metadata.c:50 #6 0x7f4c504add29 in partition_metadata_sequence_number_increment ../../source4/dsdb/samdb/ldb_modules/partition_metadata.c:398 #7 0x7f4c504a66aa in partition_sequence_number ../../source4/dsdb/samdb/ldb_modules/partition.c:1401 #8 0x7f4c504a66aa in partition_extended ../../source4/dsdb/samdb/ldb_modules/partition.c:1680 #9 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #10 0x7f4c503980c8 in replmd_extended ../../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:8455 #11 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #12 0x7f4c502fae5c in samldb_extended ../../source4/dsdb/samdb/ldb_modules/samldb.c:5718 #13 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #14 0x7f4c52f0b94c in acl_extended ../../source4/dsdb/samdb/ldb_modules/acl.c:2854 #15 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #16 0x7f4c52eb019c in descriptor_extended ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1450 #17 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #18 0x7f4c52ed8687 in log_extended ../../source4/dsdb/samdb/ldb_modules/audit_log.c:1824 #19 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #20 0x7f4c505aa337 in unlazy_op ../../source4/dsdb/samdb/ldb_modules/lazy_commit.c:40 #21 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #22 0x7f4c502d0f82 in schema_load_extended ../../source4/dsdb/samdb/ldb_modules/schema_load.c:593 #23 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #24 0x7f4c5035a010 in rootdse_extended ../../source4/dsdb/samdb/ldb_modules/rootdse.c:1780 #25 0x7f4c5c4914ef in ldb_request ../../lib/ldb/common/ldb.c:1244 #26 0x7f4c5c492a2d in ldb_extended ../../lib/ldb/common/ldb.c:1714 #27 0x7f4c5c492bdf in ldb_sequence_number ../../lib/ldb/common/ldb.c:1943 #28 0x7f4c503a9abd in replmd_add ../../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1316 #29 0x7f4c5c4989f4 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:543 #30 0x7f4c50458783 in rdn_name_add ../../lib/ldb/modules/rdn_name.c:206 #31 0x7f4c5c4989f4 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:543 #32 0x7f4c504f4852 in attr_handler ../../source4/dsdb/samdb/ldb_modules/objectclass_attrs.c:334 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>

Indirect leak of 496 byte(s) in 1 object(s) allocated from: #0 0x7ffb062dc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0) #1 0x7ffb06025b3e in __talloc_with_prefix ../../lib/talloc/talloc.c:783 #2 0x7ffb06027512 in __talloc ../../lib/talloc/talloc.c:825 #3 0x7ffb06027512 in _talloc_named_const ../../lib/talloc/talloc.c:982 #4 0x7ffb06027512 in _talloc_zero ../../lib/talloc/talloc.c:2421 #5 0x7ffb05a0332c in samu_new ../../source3/passdb/passdb.c:63 #6 0x7ffb05a2031f in pdb_getsampwnam ../../source3/passdb/pdb_interface.c:351 #7 0x7ffb05a0540b in local_password_change ../../source3/passdb/passdb.c:752 #8 0x56291ddd4b8b in password_change ../../source3/utils/smbpasswd.c:273 #9 0x56291ddd5b59 in process_root ../../source3/utils/smbpasswd.c:478 #10 0x56291ddd5b59 in main ../../source3/utils/smbpasswd.c:661 #11 0x7ffb024281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Commit e07f890 broke handling of NT4 domains which lack a DNS domain names. As the dns_name is NULL, talloc_steal(dns_name) returns NULL, which causes _wbint_ListTrustedDomains to return NT_STATUS_NO_MEMORY. To make things worse, at that point the new struct netr_DomainTrust is not yet initialized correctly and the "out->count = n + 1" already increased the array counter at the start of the loop without initializing it. Later when NDR-pushing the result in dcesrv_call_dispatch_local(), the ndr_push() can crash when accesssing the ununitialized values: 2023-12-08T14:07:42.759691+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: =============================================================== 2023-12-08T14:07:42.759702+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: INTERNAL ERROR: Signal 11: Segmentation fault in winbindd (wb[ADDOMAIN]) (domain child [ADDOMAIN]) pid 157227 (4.20.0pre1-DEVELOPERBUILD) 2023-12-08T14:07:42.759712+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting 2023-12-08T14:07:42.759723+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: =============================================================== 2023-12-08T14:07:42.759730+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: PANIC (pid 157227): Signal 11: Segmentation fault in 4.20.0pre1-DEVELOPERBUILD 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: BACKTRACE: 36 stack frames: 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #0 bin/shared/private/libgenrand-samba4.so(log_stack_trace+0x1f) [0x7f1396acd441] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #1 bin/shared/private/libgenrand-samba4.so(smb_panic_log+0x20f) [0x7f1396acd3d5] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #2 bin/shared/private/libgenrand-samba4.so(smb_panic+0x18) [0x7f1396acd3f0] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #3 bin/shared/private/libgenrand-samba4.so(+0x2eb5) [0x7f1396acceb5] 92023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #4 bin/shared/private/libgenrand-samba4.so(+0x2eca) [0x7f1396acceca] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #5 /lib64/libc.so.6(+0x3dbb0) [0x7f139687abb0] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #6 bin/shared/private/libsamba-security-samba4.so(ndr_push_dom_sid2+0x2a) [0x7f13977e5437] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #7 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrust+0x4ad) [0x7f1396deb64c] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #8 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrustList+0x204) [0x7f1396dec7a9] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #9 bin/shared/private/libndr-samba4.so(+0x239bf9) [0x7f1397639bf9] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #10 winbindd: domain child [ADDOMAIN](winbind__op_ndr_push+0x5a) [0x55741e6857a8] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #11 bin/shared/libdcerpc-server-core.so.0(dcesrv_call_dispatch_local+0x49b) [0x7f1397be6219] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #12 winbindd: domain child [ADDOMAIN](winbindd_dual_ndrcmd+0x375) [0x55741e67a204] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #13 winbindd: domain child [ADDOMAIN](+0x9cf0d) [0x55741e674f0d] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #14 winbindd: domain child [ADDOMAIN](+0x9f792) [0x55741e677792] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #15 bin/shared/private/libtevent-samba4.so(tevent_common_invoke_fd_handler+0x121) [0x7f139802f816] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #16 bin/shared/private/libtevent-samba4.so(+0x19cef) [0x7f139803bcef] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #17 bin/shared/private/libtevent-samba4.so(+0x1a3dc) [0x7f139803c3dc] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #18 bin/shared/private/libtevent-samba4.so(+0x15b52) [0x7f1398037b52] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #19 bin/shared/private/libtevent-samba4.so(_tevent_loop_once+0x113) [0x7f139802e1db] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #20 winbindd: domain child [ADDOMAIN](+0xa03ca) [0x55741e6783ca] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #21 winbindd: domain child [ADDOMAIN](+0x9ba9c) [0x55741e673a9c] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #22 bin/shared/private/libtevent-samba4.so(_tevent_req_notify_callback+0xba) [0x7f139803194a] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #23 bin/shared/private/libtevent-samba4.so(+0xfadb) [0x7f1398031adb] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #24 bin/shared/private/libtevent-samba4.so(_tevent_req_done+0x25) [0x7f1398031b07] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #25 bin/shared/private/libtevent-samba4.so(+0xf125) [0x7f1398031125] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #26 bin/shared/private/libtevent-samba4.so(+0xe9cf) [0x7f13980309cf] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #27 bin/shared/private/libtevent-samba4.so(tevent_common_invoke_immediate_handler+0x207) [0x7f1398030343] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #28 bin/shared/private/libtevent-samba4.so(tevent_common_loop_immediate+0x37) [0x7f13980304b5] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #29 bin/shared/private/libtevent-samba4.so(+0x1a332) [0x7f139803c332] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #30 bin/shared/private/libtevent-samba4.so(+0x15b52) [0x7f1398037b52] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #31 bin/shared/private/libtevent-samba4.so(_tevent_loop_once+0x113) [0x7f139802e1db] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #32 winbindd: domain child [ADDOMAIN](main+0x1689) [0x55741e6b210a] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #33 /lib64/libc.so.6(+0x27b8a) [0x7f1396864b8a] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #34 /lib64/libc.so.6(__libc_start_main+0x8b) [0x7f1396864c4b] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #35 winbindd: domain child [ADDOMAIN](_start+0x25) [0x55741e63a045] 2023-12-08T14:07:42.760685+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: smb_panic(): calling panic action [cd /data/git/samba/scratch3 && /data/git/samba/scratch3/selftest/gdb_backtrace 157227 ./bin/winbindd] Deferring assignment of r->out.domains->array and r->out.domains->count to the end of the function ensures we don't return inconsistent state in case of an error. Also, r->out.domains is already set by the NDR layer, no need to create and assign a struct netr_DomainTrustList object. Using talloc_move() ensures we don't leave dangling pointers. Better to crash reliably on accessing NULL, then accessing some unknown memory via a wild pointer. As talloc_move() can't fail, there's no need to check the return value. And using a struct initializer ensures all members are properly initialized. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Sat Jan 20 14:23:51 UTC 2024 on atb-devel-224

==19938==ERROR: LeakSanitizer: detected memory leaks Direct leak of 77 byte(s) in 1 object(s) allocated from: #0 0x7f7d482841f8 in strdup (/lib64/libasan.so.8+0x841f8) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0) #1 0x7f7d47204846 (bin/shared/libsamba-util.so.0+0x4c846) (BuildId: 43b084eb9013442ac68eb1fc17649f142cbb0f94) #2 0x7f7d40b1d97a in pdb_init_tdbsam ../../source3/passdb/pdb_tdb.c:1361 #3 0x7f7d4715f266 (bin/shared/libsamba-passdb.so.0+0x76266) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733) #4 0x7f7d4715f57a (bin/shared/libsamba-passdb.so.0+0x7657a) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733) #5 0x7f7d47163700 (bin/shared/libsamba-passdb.so.0+0x7a700) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733) #6 0x55a9177d3853 in main ../../source3/smbd/server.c:1928 #7 0x7f7d434281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>

Indirect leak of 291 byte(s) in 2 object(s) allocated from: #0 0x7fd77b6dc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0) #1 0x7fd77b094bc2 in __talloc_with_prefix ../../lib/talloc/talloc.c:783 #2 0x7fd77b096034 in __talloc ../../lib/talloc/talloc.c:825 #3 0x7fd77b096034 in __talloc_strlendup ../../lib/talloc/talloc.c:2454 #4 0x7fd77b096034 in talloc_strdup ../../lib/talloc/talloc.c:2470 #5 0x7fd779996633 in add_string_to_array ../../lib/util/util_strlist.c:504 #6 0x7fd77b10c754 in ads_create_machine_acct ../../source3/libads/ldap.c:2662 #7 0x7fd77b46705f in libnet_join_precreate_machine_acct ../../source3/libnet/libnet_join.c:390 #8 0x7fd77b46705f in libnet_DomainJoin ../../source3/libnet/libnet_join.c:2852 #9 0x7fd77b46705f in libnet_Join ../../source3/libnet/libnet_join.c:3036 #10 0x55fb9788d91a in net_ads_join ../../source3/utils/net_ads.c:1853 #11 0x55fb9793ab86 in net_join ../../source3/utils/net_join.c:45 #12 0x55fb9793084f in net_run_function ../../source3/utils/net_util.c:454 #13 0x55fb97889859 in main ../../source3/utils/net.c:1372 #14 0x7fd7768281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>

Direct leak of 68 byte(s) in 1 object(s) allocated from: #0 0x7f4f39cdc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0) #1 0x7f4f36fbe427 in malloc_ ../../source3/lib/util_malloc.c:38 #2 0x7f4f394b5e19 in pdb_generate_sam_sid ../../source3/passdb/machine_sid.c:90 #3 0x7f4f394b5e19 in get_global_sam_sid ../../source3/passdb/machine_sid.c:211 #4 0x7f4f394af366 in secrets_store_domain_sid ../../source3/passdb/machine_account_secrets.c:143 #5 0x7f4f394b5eb5 in pdb_generate_sam_sid ../../source3/passdb/machine_sid.c:110 #6 0x7f4f394b5eb5 in get_global_sam_sid ../../source3/passdb/machine_sid.c:211 #7 0x7f4f394af366 in secrets_store_domain_sid ../../source3/passdb/machine_account_secrets.c:143 #8 0x557a1f11d62c in net_setlocalsid ../../source3/utils/net.c:416 #9 0x557a1f1c9972 in net_run_function ../../source3/utils/net_util.c:464 #10 0x557a1f121129 in main ../../source3/utils/net.c:1372 #11 0x7f4f34c281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Jan 23 14:30:58 UTC 2024 on atb-devel-224

Program received signal SIGSEGV, Segmentation fault. ndr_push_security_descriptor (ndr=ndr@entry=0x555555bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713 713 NDR_CHECK(ndr_push_security_descriptor_revision(ndr, NDR_SCALARS, r->revision)); Thread 1 (Thread 0x7ffff7ece740 (LWP 21460) "python3"): #0 ndr_push_security_descriptor (ndr=ndr@entry=0x555555bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713 _flags_save_STRUCT = 0 _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> __FUNCTION__ = "ndr_push_security_descriptor" #1 0x00007ffff617237f in ndr_push_struct_blob (blob=blob@entry=0x7fffffffdb20, mem_ctx=0x555555aa3bd0, p=0x0, fn=0x7ffff6074ad0 <ndr_push_security_descriptor>, fn@entry=0x7ffff60706c8 <ndr_push_security_descriptor@plt>) at ../../librpc/ndr/ndr.c:1438 _status = <optimized out> ndr = 0x555555bf41b0 #2 0x00007ffff607cccf in marshall_sec_desc (mem_ctx=<optimized out>, secdesc=<optimized out>, data=data@entry=0x7fffffffdb80, len=len@entry=0x7fffffffdb78) at ../../libcli/security/secdesc.c:241 blob = {data = 0x7fffffffdb40 "`\333\377\377\377\177", length = 140737352374299} ndr_err = <optimized out> __FUNCTION__ = "marshall_sec_desc" #3 0x00007ffff29edd94 in GPO_marshall_get_sec_desc_buf (self=<optimized out>, args=<optimized out>, kwds=<optimized out>) at ../../libgpo/pygpo.c:119 gpo_ptr = <optimized out> status = <optimized out> data = 0x0 len = 0 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15599 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: David Mulder <dmulder@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Wed Mar 6 15:44:19 UTC 2024 on atb-devel-224

Program received signal SIGSEGV, Segmentation fault. ndr_push_security_descriptor (ndr=ndr@entry=0x555555bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713 713 NDR_CHECK(ndr_push_security_descriptor_revision(ndr, NDR_SCALARS, r->revision)); Thread 1 (Thread 0x7ffff7ece740 (LWP 21460) "python3"): #0 ndr_push_security_descriptor (ndr=ndr@entry=0x555555bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713 _flags_save_STRUCT = 0 _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> __FUNCTION__ = "ndr_push_security_descriptor" #1 0x00007ffff617237f in ndr_push_struct_blob (blob=blob@entry=0x7fffffffdb20, mem_ctx=0x555555aa3bd0, p=0x0, fn=0x7ffff6074ad0 <ndr_push_security_descriptor>, fn@entry=0x7ffff60706c8 <ndr_push_security_descriptor@plt>) at ../../librpc/ndr/ndr.c:1438 _status = <optimized out> ndr = 0x555555bf41b0 #2 0x00007ffff607cccf in marshall_sec_desc (mem_ctx=<optimized out>, secdesc=<optimized out>, data=data@entry=0x7fffffffdb80, len=len@entry=0x7fffffffdb78) at ../../libcli/security/secdesc.c:241 blob = {data = 0x7fffffffdb40 "`\333\377\377\377\177", length = 140737352374299} ndr_err = <optimized out> __FUNCTION__ = "marshall_sec_desc" #3 0x00007ffff29edd94 in GPO_marshall_get_sec_desc_buf (self=<optimized out>, args=<optimized out>, kwds=<optimized out>) at ../../libgpo/pygpo.c:119 gpo_ptr = <optimized out> status = <optimized out> data = 0x0 len = 0 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15599 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: David Mulder <dmulder@samba.org> (cherry picked from commit b13d435) Autobuild-User(v4-19-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-19-test): Fri Mar 15 11:20:39 UTC 2024 on atb-devel-224

Program received signal SIGSEGV, Segmentation fault. ndr_push_security_descriptor (ndr=ndr@entry=0x555555bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713 713 NDR_CHECK(ndr_push_security_descriptor_revision(ndr, NDR_SCALARS, r->revision)); Thread 1 (Thread 0x7ffff7ece740 (LWP 21460) "python3"): #0 ndr_push_security_descriptor (ndr=ndr@entry=0x555555bf41b0, ndr_flags=ndr_flags@entry=768, r=r@entry=0x0) at librpc/gen_ndr/ndr_security.c:713 _flags_save_STRUCT = 0 _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> _status = <optimized out> __FUNCTION__ = "ndr_push_security_descriptor" #1 0x00007ffff617237f in ndr_push_struct_blob (blob=blob@entry=0x7fffffffdb20, mem_ctx=0x555555aa3bd0, p=0x0, fn=0x7ffff6074ad0 <ndr_push_security_descriptor>, fn@entry=0x7ffff60706c8 <ndr_push_security_descriptor@plt>) at ../../librpc/ndr/ndr.c:1438 _status = <optimized out> ndr = 0x555555bf41b0 #2 0x00007ffff607cccf in marshall_sec_desc (mem_ctx=<optimized out>, secdesc=<optimized out>, data=data@entry=0x7fffffffdb80, len=len@entry=0x7fffffffdb78) at ../../libcli/security/secdesc.c:241 blob = {data = 0x7fffffffdb40 "`\333\377\377\377\177", length = 140737352374299} ndr_err = <optimized out> __FUNCTION__ = "marshall_sec_desc" #3 0x00007ffff29edd94 in GPO_marshall_get_sec_desc_buf (self=<optimized out>, args=<optimized out>, kwds=<optimized out>) at ../../libgpo/pygpo.c:119 gpo_ptr = <optimized out> status = <optimized out> data = 0x0 len = 0 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15599 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: David Mulder <dmulder@samba.org> (cherry picked from commit b13d435) Autobuild-User(v4-20-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-20-test): Fri Mar 15 10:29:54 UTC 2024 on atb-devel-224

Direct leak of 885 byte(s) in 1 object(s) allocated from: #0 0x7f261b8dc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0) #1 0x7f261b2c2bc2 in __talloc_with_prefix ../../lib/talloc/talloc.c:783 #2 0x7f261b2c543c in _talloc_pool ../../lib/talloc/talloc.c:838 #3 0x7f261b2c543c in _talloc_pooled_object ../../lib/talloc/talloc.c:906 #4 0x7f261a69cac9 in __tevent_req_create ../../lib/tevent/tevent_req.c:98 #5 0x7f261a75bf55 in cli_full_connection_creds_send ../../source3/libsmb/cliconnect.c:3455 #6 0x7f261a75c4b7 in cli_full_connection_creds ../../source3/libsmb/cliconnect.c:3818 #7 0x7f261b70d39f in libnet_join_connect_dc_ipc ../../source3/libnet/libnet_join.c:1146 #8 0x7f261b715794 in libnet_join_lookup_dc_rpc ../../source3/libnet/libnet_join.c:1188 #9 0x7f261b715794 in libnet_DomainJoin ../../source3/libnet/libnet_join.c:2812 #10 0x7f261b715794 in libnet_Join ../../source3/libnet/libnet_join.c:3040 #11 0x555bd93671ea in net_ads_join ../../source3/utils/net_ads.c:1855 #12 0x555bd9415ca9 in net_join ../../source3/utils/net_join.c:45 #13 0x555bd940b972 in net_run_function ../../source3/utils/net_util.c:464 #14 0x555bd9363129 in main ../../source3/utils/net.c:1372 #15 0x7f2616a281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>

Indirect leak of 792 byte(s) in 1 object(s) allocated from: #0 0x7f261b8dc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0) #1 0x7f261b2c2bc2 in __talloc_with_prefix ../../lib/talloc/talloc.c:783 #2 0x7f261b2c473d in __talloc ../../lib/talloc/talloc.c:825 #3 0x7f261b2c473d in _talloc_named_const ../../lib/talloc/talloc.c:982 #4 0x7f261b2c473d in _talloc_zero ../../lib/talloc/talloc.c:2421 #5 0x7f2618cb42bc in smbXcli_conn_create ../../libcli/smb/smbXcli_base.c:350 #6 0x7f261a74acd3 in cli_state_create ../../source3/libsmb/clientgen.c:196 #7 0x7f261a751f0d in cli_connect_nb_done ../../source3/libsmb/cliconnect.c:2715 #8 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #9 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #10 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #11 0x7f261a752dde in cli_connect_sock_done ../../source3/libsmb/cliconnect.c:2624 #12 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #13 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #14 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #15 0x7f261a7ba2c4 in smbsock_any_connect_connected ../../source3/libsmb/smbsock_connect.c:788 #16 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #17 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #18 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #19 0x7f261a7b75ad in smbsock_connect_connected ../../source3/libsmb/smbsock_connect.c:524 #20 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #21 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #22 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #23 0x7f261b4b400a in open_socket_out_connected ../../source3/lib/util_sock.c:484 #24 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #25 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #26 0x7f261a69be3e in tevent_req_trigger ../../lib/tevent/tevent_req.c:291 #27 0x7f261a699df4 in tevent_common_invoke_immediate_handler ../../lib/tevent/tevent_immediate.c:190 #28 0x7f261a699e31 in tevent_common_loop_immediate ../../lib/tevent/tevent_immediate.c:236 #29 0x7f261a6ad3ec in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:905 #30 0x7f261a6a679e in std_event_loop_once ../../lib/tevent/tevent_standard.c:110 #31 0x7f261a696538 in _tevent_loop_once ../../lib/tevent/tevent.c:820 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Mon Apr 29 09:48:47 UTC 2024 on atb-devel-224

==20978==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f4f91ff51a0 at pc 0x7f4f94cf93d6 bp 0x7ffdb90fc510 sp 0x7ffdb90fbcd0 READ of size 64 at 0x7f4f91ff51a0 thread T0 #0 0x7f4f94cf93d5 in memcpy ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115 #1 0x7f4f933bdb67 in ldb_val_dup ../../lib/ldb/common/ldb_msg.c:325 #2 0x7f4f933c11d1 in ldb_msg_copy ../../lib/ldb/common/ldb_msg.c:1182 #3 0x7f4f933c13d2 in ldb_msg_normalize ../../lib/ldb/common/ldb_msg.c:1235 #4 0x7f4f933ab556 in ldb_request ../../lib/ldb/common/ldb.c:1196 #5 0x7f4f8e82b1d4 in dsdb_autotransaction_request ../../source4/dsdb/common/util.c:1220 #6 0x7f4f8e831c8a in dsdb_add ../../source4/dsdb/common/util.c:5354 #7 0x7f4f8e853a01 in gkdi_create_root_key ../../source4/dsdb/gmsa/gkdi.c:493 #8 0x7f4f8e853a01 in gkdi_new_root_key ../../source4/dsdb/gmsa/gkdi.c:551 #9 0x7f4f8cd4ca52 in py_dsdb_create_gkdi_root_key ../../source4/dsdb/pydsdb.c:1388 #10 0x7f4f947ce01c (/lib64/libpython3.11.so.1.0+0x1ce01c) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #11 0x7f4f947de4c0 in _PyObject_Call (/lib64/libpython3.11.so.1.0+0x1de4c0) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #12 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #13 0x7f4f947b6e79 (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #14 0x7f4f947de5d8 (/lib64/libpython3.11.so.1.0+0x1de5d8) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #15 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #16 0x7f4f947b6e79 (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #17 0x7f4f947edabb (/lib64/libpython3.11.so.1.0+0x1edabb) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #18 0x7f4f947de5d8 (/lib64/libpython3.11.so.1.0+0x1de5d8) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #19 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #20 0x7f4f947b6e79 (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #21 0x7f4f947ed9fb (/lib64/libpython3.11.so.1.0+0x1ed9fb) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #22 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #23 0x7f4f947b6e79 (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #24 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #25 0x7f4f947b6e79 (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #26 0x7f4f94839997 in PyEval_EvalCode (/lib64/libpython3.11.so.1.0+0x239997) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #27 0x7f4f94856862 (/lib64/libpython3.11.so.1.0+0x256862) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #28 0x7f4f94852e59 (/lib64/libpython3.11.so.1.0+0x252e59) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #29 0x7f4f94868fb1 (/lib64/libpython3.11.so.1.0+0x268fb1) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #30 0x7f4f948687a3 in _PyRun_SimpleFileObject (/lib64/libpython3.11.so.1.0+0x2687a3) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #31 0x7f4f94868453 in _PyRun_AnyFileObject (/lib64/libpython3.11.so.1.0+0x268453) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #32 0x7f4f94861c53 in Py_RunMain (/lib64/libpython3.11.so.1.0+0x261c53) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #33 0x7f4f94829996 in Py_BytesMain (/lib64/libpython3.11.so.1.0+0x229996) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #34 0x7f4f9422a1ef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #35 0x7f4f9422a2b8 in __libc_start_main_impl ../csu/libc-start.c:360 #36 0x5604497e3084 in _start (/usr/bin/python3.11+0x1084) (BuildId: f5d6e3bdbf9098a6ddde0b7f2e07ffc9ad1b1dc3) Address 0x7f4f91ff51a0 is located in stack of thread T0 at offset 416 in frame #0 0x7f4f8e852b37 in gkdi_new_root_key ../../source4/dsdb/gmsa/gkdi.c:537 This frame has 12 object(s): [32, 40) 'root_key_dn' (line 539) [64, 72) 'res' (line 540) [96, 104) 'server_config_res' (line 118) [128, 136) 'kdf_algorithm' (line 128) [160, 168) 'domain_dn' (line 388) [192, 208) 'kdf_parameters_blob' (line 129) [224, 240) 'root_key_data_blob' (line 353) [256, 272) 'guid_blob' (line 467) [288, 312) 'kdf_parameters' (line 226) [352, 368) 'root_key_id' (line 116) [384, 400) 'guid_buf' (line 466) [416, 480) 'root_key_data' (line 352) <== Memory access at offset 416 is inside this variable Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Joseph Sutton <jsutton@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Fri May 3 12:20:55 UTC 2024 on atb-devel-224

abartlet and others added 14 commits August 18, 2015 15:29

python: Use an unsigned integer for buf_size, not -1

62b12a4

This will fail once our python bindings correctly check value ranges Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11429

pydsdb: Allow the full range of uint32_t values for attributeID

335e3d5

The high bit may be set in these integers, so we need an unsigned int to store it in Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11429

dbcheck: Add additional tests for the attributeID list

2ccdb35

Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973

dbcheck: Try to avoid duplicate searches

0935c49

Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973

dbcheck: Use set() operations to make dbcheck more efficient

c59eaf7

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Update release-4-1-0rc3 to include data using schema modifications

535024c

This allows us to know that the previous patches are correct. BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973 Signed-off-by: Andrew Bartlett <abartlet@samba.org>

selftest: Add in steps to re-create this database

03bf120

This may assist if this needs to be changed again Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973

selftest: Add assertion that we actually fix the replPropertyMetaData…

a506c87

… sort order This ensures that the dbcheck rule fixes the sort order (and only fixes the sort order). Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=10973

dnsserver: Remove incorrect and not required include of ldb_private.h

4c46e2d

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

abartlet force-pushed the replmetadata-sort-minimal branch from b64d0c6 to 4c46e2d Compare August 18, 2015 03:31

abartlet closed this Sep 15, 2015

ghost mentioned this pull request Dec 4, 2016

vfs_fruit: Add capability to advertise FULLSYNC #64

Closed

lioupayphone pushed a commit to lioupayphone/samba that referenced this pull request Jan 22, 2017

samba: samba-team#1 apply redhat hot fix for samba-4.2.10

d6fa148

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Replmetadata sort minimal #1

Replmetadata sort minimal #1

abartlet commented Aug 18, 2015

Replmetadata sort minimal #1

Replmetadata sort minimal #1

Conversation

abartlet commented Aug 18, 2015