lib/ldb: Use tdb_parse_record and a callback rather than tdb_fetch() … #6

abartlet · 2015-09-04T08:40:07Z

…in indexing

This avoids allocation at the tdb layer when we just want to read the
pointer to our in-memory structures.

Andrew Bartlett

samba-team-bot · 2015-09-04T08:57:42Z

AUTOGENERATED MESSAGE by pull-request-mailer
This pull request has been converted to an email thread on samba-technical@lists.samba.org. Discussion continues there.

Please do not post comments to this pull request. The email thread will not get notified.

samba-team-bot · 2015-09-04T09:06:26Z

AUTOGENERATED MESSAGE by pull-request-mailer
This pull request has been converted to an email thread on samba-technical@lists.samba.org. Discussion continues there.

Please do not post comments to this pull request. The email thread will not get notified.

…in indexing This avoids allocation at the tdb layer when we just want to read the pointer to our in-memory structures. Andrew Bartlett

samba-team-bot · 2015-09-07T00:06:59Z

AUTOGENERATED MESSAGE by pull-request-mailer
This pull request has been converted to an email thread on samba-technical@lists.samba.org. Discussion continues there.

Please do not post comments to this pull request. The email thread will not get notified.

This was reported by Pavel Březina <pbrezina@redhat.com>: We found a crash in SSSD when a tevent signal is freed in its handler, tevent than crashes when it access siginfo. sig_info is freed in signal destructor: > #ifdef SA_SIGINFO > if (se->sa_flags & SA_SIGINFO) { > if (sig_state->sig_info[se->signum]) { > talloc_free(sig_state->sig_info[se->signum]); > sig_state->sig_info[se->signum] = NULL; > } > } > #endif (gdb) bt #0 0x00007f5d4d86cc74 in tevent_signal_destructor (se=0x7f5d5370f920) at ../tevent_signal.c:213 samba-team#1 0x00007f5d4d65f233 in _talloc_free_internal () from /lib64/libtalloc.so.2 samba-team#2 0x00007f5d4d6593a3 in _talloc_free () from /lib64/libtalloc.so.2 samba-team#3 0x00007f5d4342f3d4 in proxy_child_init_done (subreq=0x7f5d5370f600) at src/providers/proxy/proxy_auth.c:436 samba-team#4 0x00007f5d4d86b0c2 in _tevent_req_error (req=req@entry=0x7f5d5370f600, error=error@entry=5, location=location@entry=0x7f5d43433010 "src/providers/proxy/proxy_auth.c:356") at ../tevent_req.c:167 samba-team#5 0x00007f5d4342ef5e in pc_init_sig_handler (ev=<optimized out>, sige=<optimized out>, signum=<optimized out>, count=<optimized out>, __siginfo=<optimized out>, pvt=<optimized out>) at src/providers/proxy/proxy_auth.c:356 samba-team#6 0x00007f5d4d86d48c in tevent_common_check_signal (ev=0x7f5d536de670) at ../tevent_signal.c:428 samba-team#7 0x00007f5d4d86f28c in epoll_event_loop (tvalp=0x7fff7b568490, epoll_ev=0x7f5d536de8b0) at ../tevent_epoll.c:647 samba-team#8 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:926 samba-team#9 0x00007f5d4d86d7d7 in std_event_loop_once (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent_standard.c:114 samba-team#10 0x00007f5d4d869fbd in _tevent_loop_once (ev=ev@entry=0x7f5d536de670, location=location@entry=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent.c:530 samba-team#11 0x00007f5d4d86a15b in tevent_common_loop_wait (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent.c:634 samba-team#12 0x00007f5d4d86d777 in std_event_loop_wait (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent_standard.c:140 samba-team#13 0x00007f5d50f96863 in server_loop (main_ctx=0x7f5d536dfac0) at src/util/server.c:668 samba-team#14 0x00007f5d5180aa42 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:2909 But then it is accessed again in tevent_common_check_signal: > #ifdef SA_SIGINFO > if (clear_processed_siginfo) { > uint32_t j; > for (j=0;j<count;j++) { > uint32_t ofs = (counter.seen + j) > % TEVENT_SA_INFO_QUEUE_COUNT; > memset((void*)&sig_state->sig_info[i][ofs], > '\0', > sizeof(siginfo_t)); > } > } > #endif (gdb) bt #0 0x00007fd7ba400505 in memset (__len=<optimized out>, __ch=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string3.h:84 samba-team#1 tevent_common_check_signal (ev=0x7fd7bfddf670) at ../tevent_signal.c:459 samba-team#2 0x00007fd7ba40228c in epoll_event_loop (tvalp=0x7fff85536430, epoll_ev=0x7fd7bfddf8b0) at ../tevent_epoll.c:647 samba-team#3 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:926 samba-team#4 0x00007fd7ba4007d7 in std_event_loop_once (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent_standard.c:114 samba-team#5 0x00007fd7ba3fcfbd in _tevent_loop_once (ev=ev@entry=0x7fd7bfddf670, location=location@entry=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent.c:530 samba-team#6 0x00007fd7ba3fd15b in tevent_common_loop_wait (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent.c:634 samba-team#7 0x00007fd7ba400777 in std_event_loop_wait (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent_standard.c:140 samba-team#8 0x00007fd7bdb29343 in server_loop (main_ctx=0x7fd7bfde0ac0) at src/util/server.c:668 samba-team#9 0x00007fd7be39ca42 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:2909 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11308 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Jun 2 21:02:11 CEST 2015 on sn-devel-104

This was reported by Pavel Březina <pbrezina@redhat.com>: We found a crash in SSSD when a tevent signal is freed in its handler, tevent than crashes when it access siginfo. sig_info is freed in signal destructor: > #ifdef SA_SIGINFO > if (se->sa_flags & SA_SIGINFO) { > if (sig_state->sig_info[se->signum]) { > talloc_free(sig_state->sig_info[se->signum]); > sig_state->sig_info[se->signum] = NULL; > } > } > #endif (gdb) bt #0 0x00007f5d4d86cc74 in tevent_signal_destructor (se=0x7f5d5370f920) at ../tevent_signal.c:213 samba-team#1 0x00007f5d4d65f233 in _talloc_free_internal () from /lib64/libtalloc.so.2 samba-team#2 0x00007f5d4d6593a3 in _talloc_free () from /lib64/libtalloc.so.2 samba-team#3 0x00007f5d4342f3d4 in proxy_child_init_done (subreq=0x7f5d5370f600) at src/providers/proxy/proxy_auth.c:436 samba-team#4 0x00007f5d4d86b0c2 in _tevent_req_error (req=req@entry=0x7f5d5370f600, error=error@entry=5, location=location@entry=0x7f5d43433010 "src/providers/proxy/proxy_auth.c:356") at ../tevent_req.c:167 samba-team#5 0x00007f5d4342ef5e in pc_init_sig_handler (ev=<optimized out>, sige=<optimized out>, signum=<optimized out>, count=<optimized out>, __siginfo=<optimized out>, pvt=<optimized out>) at src/providers/proxy/proxy_auth.c:356 samba-team#6 0x00007f5d4d86d48c in tevent_common_check_signal (ev=0x7f5d536de670) at ../tevent_signal.c:428 samba-team#7 0x00007f5d4d86f28c in epoll_event_loop (tvalp=0x7fff7b568490, epoll_ev=0x7f5d536de8b0) at ../tevent_epoll.c:647 samba-team#8 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:926 samba-team#9 0x00007f5d4d86d7d7 in std_event_loop_once (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent_standard.c:114 samba-team#10 0x00007f5d4d869fbd in _tevent_loop_once (ev=ev@entry=0x7f5d536de670, location=location@entry=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent.c:530 samba-team#11 0x00007f5d4d86a15b in tevent_common_loop_wait (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent.c:634 samba-team#12 0x00007f5d4d86d777 in std_event_loop_wait (ev=0x7f5d536de670, location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent_standard.c:140 samba-team#13 0x00007f5d50f96863 in server_loop (main_ctx=0x7f5d536dfac0) at src/util/server.c:668 samba-team#14 0x00007f5d5180aa42 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:2909 But then it is accessed again in tevent_common_check_signal: > #ifdef SA_SIGINFO > if (clear_processed_siginfo) { > uint32_t j; > for (j=0;j<count;j++) { > uint32_t ofs = (counter.seen + j) > % TEVENT_SA_INFO_QUEUE_COUNT; > memset((void*)&sig_state->sig_info[i][ofs], > '\0', > sizeof(siginfo_t)); > } > } > #endif (gdb) bt #0 0x00007fd7ba400505 in memset (__len=<optimized out>, __ch=<optimized out>, __dest=<optimized out>) at /usr/include/bits/string3.h:84 samba-team#1 tevent_common_check_signal (ev=0x7fd7bfddf670) at ../tevent_signal.c:459 samba-team#2 0x00007fd7ba40228c in epoll_event_loop (tvalp=0x7fff85536430, epoll_ev=0x7fd7bfddf8b0) at ../tevent_epoll.c:647 samba-team#3 epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at ../tevent_epoll.c:926 samba-team#4 0x00007fd7ba4007d7 in std_event_loop_once (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent_standard.c:114 samba-team#5 0x00007fd7ba3fcfbd in _tevent_loop_once (ev=ev@entry=0x7fd7bfddf670, location=location@entry=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent.c:530 samba-team#6 0x00007fd7ba3fd15b in tevent_common_loop_wait (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent.c:634 samba-team#7 0x00007fd7ba400777 in std_event_loop_wait (ev=0x7fd7bfddf670, location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent_standard.c:140 samba-team#8 0x00007fd7bdb29343 in server_loop (main_ctx=0x7fd7bfde0ac0) at src/util/server.c:668 samba-team#9 0x00007fd7be39ca42 in main (argc=8, argv=<optimized out>) at src/providers/data_provider_be.c:2909 BUG: https://bugzilla.samba.org/show_bug.cgi?id=11308 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Jun 2 21:02:11 CEST 2015 on sn-devel-104 (cherry picked from commit 9d797ff)

samba-issue5-v1: add feature of configuration files sync based on ctdb fix issue samba-team#5

This should the following segfault with SMB1: #6 sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94 #7 <signal handler called> #8 smbXsrv_session_create (conn=conn@entry=0x5654d3512af0, now=now@entry=131594481900356690, _session=_session@entry=0x7ffc93a778e8) at ../source3/smbd/smbXsrv_session.c:1212 #9 0x00007f7618aa21ef in reply_sesssetup_and_X (req=req@entry=0x5654d35174b0) at ../source3/smbd/sesssetup.c:961 #10 0x00007f7618ae17b0 in switch_message (type=<optimized out>, req=req@entry=0x5654d35174b0) at ../source3/smbd/process.c:1726 #11 0x00007f7618ae3550 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=140, inbuf=0x0, xconn=0x5654d35146d0) at ../source3/smbd/process.c:1762 #12 process_smb (xconn=xconn@entry=0x5654d3512af0, inbuf=<optimized out>, nread=140, unread_bytes=0, seqnum=0, encrypted=<optimized out>, deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2008 #13 0x00007f7618ae4c41 in smbd_server_connection_read_handler (xconn=0x5654d3512af0, fd=40) at ../source3/smbd/process.c:2608 #14 0x00007f761587eedb in epoll_event_loop_once () from /lib64/libtevent.so.0 Inspection the core shows that: conn->client-session_table is NULL conn->protocol is PROTOCOL_NONE BUG: https://bugzilla.samba.org/show_bug.cgi?id=13315 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>

This should the following segfault with SMB1: #6 sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94 #7 <signal handler called> #8 smbXsrv_session_create (conn=conn@entry=0x5654d3512af0, now=now@entry=131594481900356690, _session=_session@entry=0x7ffc93a778e8) at ../source3/smbd/smbXsrv_session.c:1212 #9 0x00007f7618aa21ef in reply_sesssetup_and_X (req=req@entry=0x5654d35174b0) at ../source3/smbd/sesssetup.c:961 #10 0x00007f7618ae17b0 in switch_message (type=<optimized out>, req=req@entry=0x5654d35174b0) at ../source3/smbd/process.c:1726 #11 0x00007f7618ae3550 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=140, inbuf=0x0, xconn=0x5654d35146d0) at ../source3/smbd/process.c:1762 #12 process_smb (xconn=xconn@entry=0x5654d3512af0, inbuf=<optimized out>, nread=140, unread_bytes=0, seqnum=0, encrypted=<optimized out>, deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2008 #13 0x00007f7618ae4c41 in smbd_server_connection_read_handler (xconn=0x5654d3512af0, fd=40) at ../source3/smbd/process.c:2608 #14 0x00007f761587eedb in epoll_event_loop_once () from /lib64/libtevent.so.0 Inspection the core shows that: conn->client-session_table is NULL conn->protocol is PROTOCOL_NONE BUG: https://bugzilla.samba.org/show_bug.cgi?id=13315 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit a89a714)

This should the following segfault with SMB1: #6 sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94 #7 <signal handler called> #8 smbXsrv_session_create (conn=conn@entry=0x5654d3512af0, now=now@entry=131594481900356690, _session=_session@entry=0x7ffc93a778e8) at ../source3/smbd/smbXsrv_session.c:1212 #9 0x00007f7618aa21ef in reply_sesssetup_and_X (req=req@entry=0x5654d35174b0) at ../source3/smbd/sesssetup.c:961 #10 0x00007f7618ae17b0 in switch_message (type=<optimized out>, req=req@entry=0x5654d35174b0) at ../source3/smbd/process.c:1726 #11 0x00007f7618ae3550 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=140, inbuf=0x0, xconn=0x5654d35146d0) at ../source3/smbd/process.c:1762 #12 process_smb (xconn=xconn@entry=0x5654d3512af0, inbuf=<optimized out>, nread=140, unread_bytes=0, seqnum=0, encrypted=<optimized out>, deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2008 #13 0x00007f7618ae4c41 in smbd_server_connection_read_handler (xconn=0x5654d3512af0, fd=40) at ../source3/smbd/process.c:2608 #14 0x00007f761587eedb in epoll_event_loop_once () from /lib64/libtevent.so.0 Inspection the core shows that: conn->client-session_table is NULL conn->protocol is PROTOCOL_NONE BUG: https://bugzilla.samba.org/show_bug.cgi?id=13315 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit a89a714) Autobuild-User(v4-7-test): Stefan Metzmacher <metze@samba.org> Autobuild-Date(v4-7-test): Thu Mar 8 17:53:27 CET 2018 on sn-devel-144

This should the following segfault with SMB1: #6 sig_fault (sig=<optimized out>) at ../lib/util/fault.c:94 #7 <signal handler called> #8 smbXsrv_session_create (conn=conn@entry=0x5654d3512af0, now=now@entry=131594481900356690, _session=_session@entry=0x7ffc93a778e8) at ../source3/smbd/smbXsrv_session.c:1212 #9 0x00007f7618aa21ef in reply_sesssetup_and_X (req=req@entry=0x5654d35174b0) at ../source3/smbd/sesssetup.c:961 #10 0x00007f7618ae17b0 in switch_message (type=<optimized out>, req=req@entry=0x5654d35174b0) at ../source3/smbd/process.c:1726 #11 0x00007f7618ae3550 in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=0, unread_bytes=0, size=140, inbuf=0x0, xconn=0x5654d35146d0) at ../source3/smbd/process.c:1762 #12 process_smb (xconn=xconn@entry=0x5654d3512af0, inbuf=<optimized out>, nread=140, unread_bytes=0, seqnum=0, encrypted=<optimized out>, deferred_pcd=deferred_pcd@entry=0x0) at ../source3/smbd/process.c:2008 #13 0x00007f7618ae4c41 in smbd_server_connection_read_handler (xconn=0x5654d3512af0, fd=40) at ../source3/smbd/process.c:2608 #14 0x00007f761587eedb in epoll_event_loop_once () from /lib64/libtevent.so.0 Inspection the core shows that: conn->client-session_table is NULL conn->protocol is PROTOCOL_NONE BUG: https://bugzilla.samba.org/show_bug.cgi?id=13315 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit a89a714) Autobuild-User(v4-6-test): Stefan Metzmacher <metze@samba.org> Autobuild-Date(v4-6-test): Fri Mar 9 01:47:40 CET 2018 on sn-devel-144

The change for https://bugzilla.samba.org/show_bug.cgi?id=7587 ("talloc_autofree_context() in shared libraries and plugins is a bad idea on FreeBSD") (ommit 41b6810) causes the following for sssd on Linux: Stack trace of thread 19667: #0 0x00007f2cab91ff6b __GI_raise (libc.so.6) #1 0x00007f2cab90a5c1 __GI_abort (libc.so.6) #2 0x00007f2cab90a491 __assert_fail_base (libc.so.6) #3 0x00007f2cab9186e2 __GI___assert_fail (libc.so.6) #4 0x00007f2cb10aaca5 k5_mutex_lock (libkrb5.so.3) #5 0x00007f2cb10ab790 k5_mutex_lock (libkrb5.so.3) #6 0x00007f2cb10ab8f5 profile_free_file (libkrb5.so.3) #7 0x00007f2cb10ab983 profile_close_file (libkrb5.so.3) #8 0x00007f2cb10af249 profile_release (libkrb5.so.3) #9 0x00007f2cb10a06c7 k5_os_free_context (libkrb5.so.3) #10 0x00007f2cb1075a9a krb5_free_context (libkrb5.so.3) #11 0x000055cea7cb2dd1 kcm_data_destructor (sssd_kcm) #12 0x00007f2cac153e96 _tc_free_internal (libtalloc.so.2) #13 0x00007f2cac1537b0 _tc_free_internal (libtalloc.so.2) #14 0x00007f2cac1537b0 _tc_free_internal (libtalloc.so.2) #15 0x00007f2cac1537b0 _tc_free_internal (libtalloc.so.2) #16 0x00007f2cac1537b0 _tc_free_internal (libtalloc.so.2) #17 0x00007f2cac14e648 _talloc_free (libtalloc.so.2) #18 0x00007f2cac14c480 talloc_lib_fini (libtalloc.so.2) #19 0x00007f2cb151da96 _dl_fini (ld-linux-x86-64.so.2) #20 0x00007f2cab9226bc __run_exit_handlers (libc.so.6) #21 0x00007f2cab9227ec __GI_exit (libc.so.6) #22 0x00007f2cb030dc61 orderly_shutdown (libsss_util.so) #23 0x00007f2cac365a46 tevent_common_check_signal (libtevent.so.0) #24 0x00007f2cac367975 epoll_event_loop_once (libtevent.so.0) #25 0x00007f2cac365dab std_event_loop_once (libtevent.so.0) #26 0x00007f2cac362098 _tevent_loop_once (libtevent.so.0) #27 0x00007f2cac3622eb tevent_common_loop_wait (libtevent.so.0) #28 0x00007f2cac365d3b std_event_loop_wait (libtevent.so.0) #29 0x00007f2cb030eb37 server_loop (libsss_util.so) #30 0x000055cea7cb29f4 main (sssd_kcm) #31 0x00007f2cab90c1eb __libc_start_main (libc.so.6) #32 0x000055cea7cb2c7a _start (sssd_kcm) We still only register one atexit handler instead of multiple ones like in talloc 2.1.11, but avoids using a library destructor. Bug #7587 seems to be fixed by not using talloc_autofree_context() within samba. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13366 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>

Fixes Asan error: ==1924==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffe63f873d0 at pc 0x7fb99dae1733 bp 0x7ffe63f86a00 sp 0x7ffe63f861a8 READ of size 24 at 0x7ffe63f873d0 thread T0 #0 0x7fb99dae1732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) #1 0x7fb99cfe5549 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34 #2 0x7fb99cfe5549 in ndr_push_bytes ../../librpc/ndr/ndr_basic.c:729 #3 0x7fb99cfe5646 in ndr_push_array_uint8 ../../librpc/ndr/ndr_basic.c:754 #4 0x7fb99a69dd1b in ndr_push_netr_ChallengeResponse librpc/gen_ndr/ndr_netlogon.c:462 #5 0x7fb99a6c5fab in ndr_push_netr_NetworkInfo librpc/gen_ndr/ndr_netlogon.c:556 #6 0x7fb99a6c749d in ndr_push_netr_LogonLevel librpc/gen_ndr/ndr_netlogon.c:783 #7 0x7fb99a7222de in ndr_push_netr_LogonSamLogonEx librpc/gen_ndr/ndr_netlogon.c:16547 #8 0x7fb99c982c97 in dcerpc_binding_handle_call_send ../../librpc/rpc/binding_handle.c:416 Bug: https://bugzilla.samba.org/show_bug.cgi?id=13936 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri May 10 10:02:21 UTC 2019 on sn-devel-184

Fixes Asan error: ==1924==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffe63f873d0 at pc 0x7fb99dae1733 bp 0x7ffe63f86a00 sp 0x7ffe63f861a8 READ of size 24 at 0x7ffe63f873d0 thread T0 #0 0x7fb99dae1732 (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) #1 0x7fb99cfe5549 in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34 #2 0x7fb99cfe5549 in ndr_push_bytes ../../librpc/ndr/ndr_basic.c:729 #3 0x7fb99cfe5646 in ndr_push_array_uint8 ../../librpc/ndr/ndr_basic.c:754 #4 0x7fb99a69dd1b in ndr_push_netr_ChallengeResponse librpc/gen_ndr/ndr_netlogon.c:462 #5 0x7fb99a6c5fab in ndr_push_netr_NetworkInfo librpc/gen_ndr/ndr_netlogon.c:556 #6 0x7fb99a6c749d in ndr_push_netr_LogonLevel librpc/gen_ndr/ndr_netlogon.c:783 #7 0x7fb99a7222de in ndr_push_netr_LogonSamLogonEx librpc/gen_ndr/ndr_netlogon.c:16547 #8 0x7fb99c982c97 in dcerpc_binding_handle_call_send ../../librpc/rpc/binding_handle.c:416 Bug: https://bugzilla.samba.org/show_bug.cgi?id=13936 Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Fri May 10 10:02:21 UTC 2019 on sn-devel-184 (cherry picked from commit a5d1df4)

==14507==ERROR: LeakSanitizer: detected memory leaks Direct leak of 112 byte(s) in 1 object(s) allocated from: #0 0x7f3c76fe5c08 in __interceptor_malloc (/lib64/libasan.so.5+0xefc08) #1 0x7f3c7680df33 in __talloc_with_prefix ../../lib/talloc/talloc.c:782 #2 0x7f3c7680df33 in __talloc ../../lib/talloc/talloc.c:824 #3 0x7f3c7680df33 in _talloc_named_const ../../lib/talloc/talloc.c:981 #4 0x7f3c7680df33 in _talloc_zero ../../lib/talloc/talloc.c:2422 #5 0x7f3c7680e2a5 in _talloc_zero_array ../../lib/talloc/talloc.c:2775 #6 0x557a50d4a09f in torture_bench_treeconnect ../../source4/torture/raw/tconrate.c:165 #7 0x7f3c730e4772 in wrap_simple_test ../../lib/torture/torture.c:633 #8 0x7f3c730e875e in internal_torture_run_test ../../lib/torture/torture.c:442 #9 0x7f3c730e9543 in torture_run_tcase_restricted ../../lib/torture/torture.c:507 #10 0x7f3c730e9dd5 in torture_run_suite_restricted ../../lib/torture/torture.c:357 #11 0x7f3c730ea434 in torture_run_suite ../../lib/torture/torture.c:339 #12 0x557a50c1b54a in run_matching ../../source4/torture/smbtorture.c:93 #13 0x557a50c1cf56 in torture_run_named_tests ../../source4/torture/smbtorture.c:143 #14 0x557a50c2099d in main ../../source4/torture/smbtorture.c:691 #15 0x7f3c6b406412 in __libc_start_main (/lib64/libc.so.6+0x24412) Signed-off-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Direct leak of 96 byte(s) in 1 object(s) allocated from: #0 0x7f63e6938c08 in __interceptor_malloc (/lib64/libasan.so.5+0xefc08) #1 0x7f63e615fa5c in __talloc_with_prefix ../../lib/talloc/talloc.c:782 #2 0x7f63e615fa5c in __talloc ../../lib/talloc/talloc.c:824 #3 0x7f63e615fa5c in _talloc_named_const ../../lib/talloc/talloc.c:981 #4 0x7f63e615fa5c in talloc_named_const ../../lib/talloc/talloc.c:1748 #5 0x55609e7530cf in torture_smb2_scan ../../source4/torture/smb2/scan.c:203 #6 0x7f63e2a37772 in wrap_simple_test ../../lib/torture/torture.c:633 #7 0x7f63e2a3b75e in internal_torture_run_test ../../lib/torture/torture.c:442 #8 0x7f63e2a3c543 in torture_run_tcase_restricted ../../lib/torture/torture.c:507 #9 0x7f63e2a3cdd5 in torture_run_suite_restricted ../../lib/torture/torture.c:357 #10 0x7f63e2a3cf25 in torture_run_suite_restricted ../../lib/torture/torture.c:362 #11 0x7f63e2a3d434 in torture_run_suite ../../lib/torture/torture.c:339 #12 0x55609e3a154a in run_matching ../../source4/torture/smbtorture.c:93 #13 0x55609e3a2f56 in torture_run_named_tests ../../source4/torture/smbtorture.c:143 #14 0x55609e3a699d in main ../../source4/torture/smbtorture.c:691 #15 0x7f63dad59412 in __libc_start_main (/lib64/libc.so.6+0x24412) Signed-off-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>

==24948==ERROR: LeakSanitizer: detected memory leaks Indirect leak of 232 byte(s) in 1 object(s) allocated from: #0 0x7fc44b971c08 in __interceptor_malloc (/lib64/libasan.so.5+0xefc08) #1 0x7fc44a2fe7b0 in __talloc_with_prefix ../../lib/talloc/talloc.c:782 #2 0x7fc44a2fe7b0 in __talloc ../../lib/talloc/talloc.c:824 #3 0x7fc44a2fe7b0 in _talloc_named_const ../../lib/talloc/talloc.c:981 #4 0x7fc44a2fe7b0 in _talloc_array ../../lib/talloc/talloc.c:2764 #5 0x7fc44a1239bc in str_list_make_v3 ../../lib/util/util_strlist_v3.c:58 #6 0x7fc44a123e3b in str_list_make_v3_const ../../lib/util/util_strlist_v3.c:127 #7 0x7fc44b14cc1a in init_globals ../../source3/param/loadparm.c:547 #8 0x7fc44b14deef in lp_load_ex ../../source3/param/loadparm.c:3876 #9 0x7fc44b14f97c in lp_load_initial_only ../../source3/param/loadparm.c:4025 #10 0x7fc44b479235 in cmdline_messaging_context ../../source3/lib/cmdline_contexts.c:34 #11 0x557cf59d642c in process_options ../../source3/utils/smbpasswd.c:200 #12 0x557cf59d642c in main ../../source3/utils/smbpasswd.c:633 #13 0x7fc4419f5412 in __libc_start_main (/lib64/libc.so.6+0x24412) Signed-off-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Sat Aug 10 20:42:39 UTC 2019 on sn-devel-184

Direct leak of 96 byte(s) in 1 object(s) allocated from: #0 0x7fd52c00dc08 in __interceptor_malloc (/lib64/libasan.so.5+0xefc08) #1 0x7fd52befec45 in __talloc_with_prefix ../../talloc.c:782 #2 0x7fd52befec45 in __talloc ../../talloc.c:824 #3 0x7fd52befec45 in _talloc_named_const ../../talloc.c:981 #4 0x7fd52befec45 in talloc_named_const ../../talloc.c:1748 #5 0x4099bd in test_realloc_on_destructor_parent ../../testsuite.c:1000 #6 0x4099bd in torture_local_talloc ../../testsuite.c:2129 #7 0x402603 in main ../../testsuite_main.c:32 #8 0x7fd52bcb8412 in __libc_start_main (/lib64/libc.so.6+0x24412) Signed-off-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org>

Indirect leak of 104 byte(s) in 1 object(s) allocated from: #0 0x7f06393dfc08 in __interceptor_malloc (/lib64/libasan.so.5+0xefc08) #1 0x7f06392d0c45 in __talloc_with_prefix ../../talloc.c:782 #2 0x7f06392d0c45 in __talloc ../../talloc.c:824 #3 0x7f06392d0c45 in _talloc_named_const ../../talloc.c:981 #4 0x7f06392d0c45 in talloc_named_const ../../talloc.c:1748 #5 0x409edd in test_talloc_free_in_destructor ../../testsuite.c:1256 #6 0x409edd in torture_local_talloc ../../testsuite.c:2138 #7 0x402603 in main ../../testsuite_main.c:32 #8 0x7f063908a412 in __libc_start_main (/lib64/libc.so.6+0x24412) Signed-off-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org>

Direct leak of 96 byte(s) in 1 object(s) allocated from: #0 0x7f06393dfc08 in __interceptor_malloc (/lib64/libasan.so.5+0xefc08) #1 0x7f06392d0c45 in __talloc_with_prefix ../../talloc.c:782 #2 0x7f06392d0c45 in __talloc ../../talloc.c:824 #3 0x7f06392d0c45 in _talloc_named_const ../../talloc.c:981 #4 0x7f06392d0c45 in talloc_named_const ../../talloc.c:1748 #5 0x40901e in test_pool_nest ../../testsuite.c:1451 #6 0x40901e in torture_local_talloc ../../testsuite.c:2096 #7 0x402603 in main ../../testsuite_main.c:32 #8 0x7f063908a412 in __libc_start_main (/lib64/libc.so.6+0x24412) Signed-off-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org>

Direct leak of 100 byte(s) in 1 object(s) allocated from: #0 0x7f06393dfc08 in __interceptor_malloc (/lib64/libasan.so.5+0xefc08) #1 0x7f06392d1af3 in __talloc_with_prefix ../../talloc.c:782 #2 0x7f06392d1af3 in __talloc ../../talloc.c:824 #3 0x7f06392d1af3 in __talloc_strlendup ../../talloc.c:2455 #4 0x7f06392d1af3 in talloc_strdup ../../talloc.c:2471 #5 0x40b4f0 in test_rusty ../../testsuite.c:1543 #6 0x40b4f0 in torture_local_talloc ../../testsuite.c:2146 #7 0x402603 in main ../../testsuite_main.c:32 #8 0x7f063908a412 in __libc_start_main (/lib64/libc.so.6+0x24412) Signed-off-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org>

Direct leak of 1152 byte(s) in 1 object(s) allocated from: #0 0x7f06393dfc08 in __interceptor_malloc (/lib64/libasan.so.5+0xefc08) #1 0x7f06392cfd59 in __talloc_with_prefix ../../talloc.c:782 #2 0x7f06392cfd59 in _talloc_pool ../../talloc.c:837 #3 0x7f06392cfd59 in talloc_pool ../../talloc.c:859 #4 0x40b83c in test_magic_protection ../../testsuite.c:1960 #5 0x40b83c in torture_local_talloc ../../testsuite.c:2164 #6 0x402603 in main ../../testsuite_main.c:32 #7 0x7f063908a412 in __libc_start_main (/lib64/libc.so.6+0x24412) Signed-off-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Matthias Dieter Wallnöfer <mdw@samba.org>

Direct leak of 96 byte(s) in 1 object(s) allocated from: #0 0x7f0b16624c08 in __interceptor_malloc (/lib64/libasan.so.5+0xefc08) #1 0x7f0b15e4ba5c in __talloc_with_prefix ../../lib/talloc/talloc.c:782 #2 0x7f0b15e4ba5c in __talloc ../../lib/talloc/talloc.c:824 #3 0x7f0b15e4ba5c in _talloc_named_const ../../lib/talloc/talloc.c:981 #4 0x7f0b15e4ba5c in talloc_named_const ../../lib/talloc/talloc.c:1748 #5 0x55ffdd30d591 in torture_smb2_connect ../../source4/torture/smb2/connect.c:199 #6 0x7f0b12723772 in wrap_simple_test ../../lib/torture/torture.c:633 #7 0x7f0b1272775e in internal_torture_run_test ../../lib/torture/torture.c:442 #8 0x7f0b12728543 in torture_run_tcase_restricted ../../lib/torture/torture.c:507 #9 0x7f0b12728dd5 in torture_run_suite_restricted ../../lib/torture/torture.c:357 #10 0x7f0b12729434 in torture_run_suite ../../lib/torture/torture.c:339 #11 0x55ffdd10c54a in run_matching ../../source4/torture/smbtorture.c:93 #12 0x55ffdd10df56 in torture_run_named_tests ../../source4/torture/smbtorture.c:143 #13 0x55ffdd11199d in main ../../source4/torture/smbtorture.c:691 #14 0x7f0b0aa45412 in __libc_start_main (/lib64/libc.so.6+0x24412) Signed-off-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Wed Aug 21 15:42:43 UTC 2019 on sn-devel-184

Direct leak of 256 byte(s) in 8 object(s) allocated from: #0 0x7f11b90d9c08 in __interceptor_malloc (/lib64/libasan.so.5+0xefc08) #1 0x7f11b8f395df in tdb_alloc_read ../../../lib/tdb/common/io.c:696 #2 0x7f11b8f290ee in _tdb_fetch ../../../lib/tdb/common/tdb.c:274 #3 0x7f11b8f29379 in tdb_fetch ../../../lib/tdb/common/tdb.c:283 #4 0x473ecc in ltdb_fetch ../../tests/src/fake_ctdbd.c:904 #5 0x478b40 in ltdb_transaction_update ../../tests/src/fake_ctdbd.c:993 #6 0x41fef2 in ctdb_rec_buffer_traverse ../../protocol/protocol_types.c:1656 #7 0x48108b in ltdb_transaction ../../tests/src/fake_ctdbd.c:1026 #8 0x48108b in control_trans3_commit ../../tests/src/fake_ctdbd.c:2878 #9 0x48108b in client_process_control ../../tests/src/fake_ctdbd.c:4147 #10 0x48108b in client_process_packet ../../tests/src/fake_ctdbd.c:3839 #11 0x4847f5 in client_read_handler ../../tests/src/fake_ctdbd.c:3806 #12 0x44f620 in comm_read_done ../../common/comm.c:208 #13 0x7f11b8f94fe8 in _tevent_req_notify_callback ../../../lib/tevent/tevent_req.c:141 #14 0x7f11b8f951fd in tevent_req_finish ../../../lib/tevent/tevent_req.c:193 #15 0x7f11b8f95265 in _tevent_req_done ../../../lib/tevent/tevent_req.c:199 #16 0x44e876 in pkt_read_handler ../../common/pkt_read.c:133 #17 0x44f315 in comm_fd_handler ../../common/comm.c:412 #18 0x7f11b8f92896 in tevent_common_invoke_fd_handler ../../../lib/tevent/tevent_fd.c:138 #19 0x7f11b8fa6937 in epoll_event_loop ../../../lib/tevent/tevent_epoll.c:736 #20 0x7f11b8fa6937 in epoll_event_loop_once ../../../lib/tevent/tevent_epoll.c:937 #21 0x7f11b8f9f53e in std_event_loop_once ../../../lib/tevent/tevent_standard.c:110 #22 0x7f11b8f90f34 in _tevent_loop_once ../../../lib/tevent/tevent.c:772 #23 0x7f11b8f955f1 in tevent_req_poll ../../../lib/tevent/tevent_req.c:300 #24 0x485a04 in start_server ../../tests/src/fake_ctdbd.c:4450 #25 0x485a04 in main ../../tests/src/fake_ctdbd.c:4544 #26 0x7f11b8c60412 in __libc_start_main (/lib64/libc.so.6+0x24412) Signed-off-by: Swen Schillig <swen@linux.ibm.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Martin Schwenke <martin@meltin.net> Autobuild-User(master): Martin Schwenke <martins@samba.org> Autobuild-Date(master): Mon Aug 26 10:19:30 UTC 2019 on sn-devel-184

Following backtrace is observed on executing `smbstatus` with at least one SMB client connection established: PANIC: assert failed at ../../lib/dbwrap/dbwrap.c(82): rec->value_valid PANIC (pid 350270): assert failed: rec->value_valid BACKTRACE: 15 stack frames: #0 /usr/local/lib/libsamba-util.so.0(log_stack_trace+0x1f) [0x7fbbd9b32047] #1 /usr/local/lib/libsmbconf.so.0(smb_panic_s3+0x74) [0x7fbbd9c1e6ff] #2 /usr/local/lib/libsamba-util.so.0(smb_panic+0x28) [0x7fbbd9b32012] #3 /usr/local/lib/samba/libdbwrap- samba4.so(dbwrap_record_get_value+0x86) [0x7fbbd95800ac] #4 /usr/local/lib/samba/libsmbd-base-samba4.so(+0x28f563) [0x7fbbd999e563] #5 /usr/local/lib/samba/libsamba-cluster-support-samba4.so(+0x7851) [0x7fbbd92c7851] #6 /usr/local/lib/samba/libsamba-cluster-support- samba4.so(ctdbd_traverse+0x4ca) [0x7fbbd92cc641] #7 /usr/local/lib/samba/libsamba-cluster-support-samba4.so(+0x73eb) [0x7fbbd92c73eb] #8 /usr/local/lib/samba/libsamba-cluster-support-samba4.so(+0x7a52) [0x7fbbd92c7a52] #9 /usr/local/lib/samba/libdbwrap-samba4.so(dbwrap_traverse_read+0x35) [0x7fbbd9580de5] #10 /usr/local/lib/samba/libsmbd-base- samba4.so(smbXsrv_tcon_global_traverse+0xc5) [0x7fbbd999e7d9] #11 smbstatus(connections_forall_read+0x114) [0x55d17872b8ee] #12 smbstatus(main+0x7b2) [0x55d17872a2f3] #13 /lib64/libc.so.6(__libc_start_main+0xf3) [0x7fbbd93a21a3] #14 smbstatus(_start+0x2e) [0x55d17872894e] Can not dump core: corepath not set up Assertion on rec->value_valid fails as it is uninitialized in the following functions: traverse_read_callback traverse_persistent_callback_read Signed-off-by: Anoop C S <anoopcs@redhat.com> Reviewed-by: Volker Lendecke <vl@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Wed Jan 8 23:24:58 UTC 2020 on sn-devel-184

…ecord Fixes: PANIC: assert failed at ../../lib/dbwrap/dbwrap.c(82): rec->value_valid PANIC (pid 902392): assert failed: rec->value_valid BACKTRACE: 16 stack frames: #0 bin/shared/libsamba-util.so.0(log_stack_trace+0x30) [0x7fb161f69cb0] #1 bin/shared/libsmbconf.so.0(smb_panic_s3+0x23) [0x7fb1619f4863] #2 bin/shared/libsamba-util.so.0(smb_panic+0x2f) [0x7fb161f69daf] #3 bin/shared/private/libdbwrap-samba4.so(dbwrap_record_get_value+0x27) [0x7fb160a04c57] #4 bin/shared/libsamba-passdb.so.0(+0x2d27c) [0x7fb1618e627c] #5 bin/shared/libsamba-passdb.so.0(pdb_add_aliasmem+0x33) [0x7fb1618db663] #6 bin/shared/libsamba-passdb.so.0(+0x1edbb) [0x7fb1618d7dbb] #7 bin/shared/libsamba-passdb.so.0(create_builtin_administrators+0x167) [0x7fb1618d8217] #8 bin/shared/private/libauth-samba4.so(finalize_local_nt_token+0x39d) [0x7fb16194bd5d] #9 bin/shared/private/libauth-samba4.so(create_local_nt_token_from_info3+0x304) [0x7fb16194c3f4] #10 bin/shared/private/libauth-samba4.so(create_local_token+0x3d6) [0x7fb161945106] #11 bin/shared/private/libauth-samba4.so(+0x154b4) [0x7fb1619474b4] #12 bin/shared/private/libauth-samba4.so(init_guest_session_info+0x58) [0x7fb161947798] #13 ./bin/smbd(main+0x80f) [0x55944ef8f91f] #14 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb) [0x7fb161076bbb] #15 ./bin/smbd(_start+0x2a) [0x55944ef90f8a] This is a similar, additional fix to commit 36ea1e1. Signed-off-by: Martin Schwenke <martin@meltin.net> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Mon Jan 20 04:25:57 UTC 2020 on sn-devel-184

This was causing samba.tests.net_join_no_spnego(ad_dc) to core dumps sometimes on tumbleweed with python3.8 with... =============================================================== INTERNAL ERROR: Signal 11 in pid 1781 (4.12.0) If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting =============================================================== smb_panic_default: PANIC (pid 1781): internal error BACKTRACE: 64 stack frames: 7128 #0 bin/shared/libsamba-util.so.0(log_stack_trace+0x1f) [0x7fa541c5b220] 7129 #1 bin/shared/libsamba-util.so.0(+0x1efc8) [0x7fa541c5afc8] 7130 #2 bin/shared/libsamba-util.so.0(log_stack_trace+0) [0x7fa541c5b201] 7131 #3 bin/shared/libsamba-util.so.0(+0x1eed9) [0x7fa541c5aed9] 7132 #4 bin/shared/libsamba-util.so.0(+0x1eeee) [0x7fa541c5aeee] 7133 #5 /lib64/libc.so.6(+0x3bf20) [0x7fa542631f20] 7134 #6 /usr/lib64/libpython3.8.so.1.0(PyObject_GC_UnTrack+0xd) [0x7fa542386c1d] 7135 #7 /usr/lib64/libpython3.8.so.1.0(+0x12d599) [0x7fa542387599] 7136 #8 /usr/lib64/libpython3.8.so.1.0(_PyEval_EvalFrameDefault+0x4d6d) [0x7fa5424269ed] 7137 #9 /usr/lib64/libpython3.8.so.1.0(_PyEval_EvalCodeWithName+0x30c) [0x7fa5423eaf5c] 7138 #10 /usr/lib64/libpython3.8.so.1.0(_PyFunction_Vectorcall+0x18e) [0x7fa5423ebcbe] 7139 #11 /usr/lib64/libpython3.8.so.1.0(_PyEval_EvalFrameDefault+0x4a3a) [0x7fa5424266ba] etc.... Signed-off-by: Noel Power <noel.power@suse.com> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Mar 19 22:23:52 UTC 2020 on sn-devel-184

…do_locked() As reported on samba-technical by Rouven WEILER <Rouven_Weiler@gmx.net>: https://lists.samba.org/archive/samba-technical/2020-April/135116.html Following backtrace was observed with vfs_fruit for time machine backup: [2020/04/10 08:00:38.107917, 0] ../../lib/dbwrap/dbwrap.c:82(dbwrap_record_get_value) PANIC: assert failed at ../../lib/dbwrap/dbwrap.c(82): rec->value_valid [2020/04/10 08:00:38.108499, 0] ../../source3/lib/util.c:830(smb_panic_s3) PANIC (pid 3427): assert failed: rec->value_valid [2020/04/10 08:00:38.109541, 0] ../../lib/util/fault.c:265(log_stack_trace) BACKTRACE: 37 stack frames: #0 /usr/lib/samba/amd64/libsamba-util.so.0.0.1'log_stack_trace+0x26 [0xfffffd7fee51de66] #1 /usr/lib/samba/amd64/libsmbconf.so.0'smb_panic_s3+0x26 [0xfffffd7fedf5a596] #2 /usr/lib/samba/amd64/libsamba-util.so.0.0.1'smb_panic+0x1f [0xfffffd7fee51df3f] #3 /usr/lib/samba/private/amd64/libdbwrap-samba4.so'dbwrap_record_get_value+0x2a [0xfffffd7feccb627a] #4 /usr/lib/samba/private/amd64/libsmbd-base-samba4.so'get_share_mode_lock+0x109 [0xfffffd7fee7195c9] #5 /usr/lib/samba/private/amd64/libsmbd-base-samba4.so'smbd_contend_level2_oplocks_begin+0xa1 [0xfffffd7fee7f7761] #6 /usr/lib/samba/private/amd64/libsmbd-base-samba4.so'brl_lock+0x635 [0xfffffd7fee710f45] #7 /usr/lib/samba/private/amd64/libsmbd-base-samba4.so'do_lock_fn+0xa4 [0xfffffd7fee70d534] #8 /usr/lib/samba/private/amd64/libsmbd-base-samba4.so'share_mode_do_locked_fn+0x86 [0xfffffd7fee7174b6] #9 /usr/lib/samba/amd64/libsmbconf.so.0'dbwrap_watched_do_locked_fn+0xfa [0xfffffd7fedf622ca] #10 /usr/lib/samba/private/amd64/libdbwrap-samba4.so'db_tdb_do_locked+0x12f [0xfffffd7feccb95cf] #11 /usr/lib/samba/private/amd64/libdbwrap-samba4.so'dbwrap_do_locked+0x48 [0xfffffd7feccb69a8] #12 /usr/lib/samba/amd64/libsmbconf.so.0'dbwrap_watched_do_locked+0x6f [0xfffffd7fedf60d7f] #13 /usr/lib/samba/private/amd64/libdbwrap-samba4.so'dbwrap_do_locked+0x48 [0xfffffd7feccb69a8] #14 /usr/lib/samba/private/amd64/libsmbd-base-samba4.so'share_mode_do_locked+0xd2 [0xfffffd7fee719b82] #15 /usr/lib/samba/private/amd64/libsmbd-base-samba4.so'do_lock+0xf0 [0xfffffd7fee70dfe0] #16 /usr/lib/samba/amd64/vfs/fruit.so'fruit_create_file+0x7ba [0xfffffd7fe88855aa] #17 /usr/lib/samba/private/amd64/libsmbd-base-samba4.so'smbd_smb2_request_process_create+0xa07 [0xfffffd7fee7d3237] #18 /usr/lib/samba/private/amd64/libsmbd-base-samba4.so'smbd_smb2_request_dispatch+0xc8f [0xfffffd7fee7c985f] #19 /usr/lib/samba/private/amd64/libsmbd-base-samba4.so'smbd_smb2_connection_handler+0x621 [0xfffffd7fee7ca7e1] #20 /usr/lib/samba/private/amd64/libtevent.so.0.10.2'tevent_common_invoke_fd_handler+0x80 [0xfffffd7fecd3a580] #21 /usr/lib/samba/private/amd64/libtevent.so.0.10.2'epoll_event_loop_once+0x22c [0xfffffd7fecd4180c] #22 /usr/lib/samba/private/amd64/libtevent.so.0.10.2'std_event_loop_once+0x40 [0xfffffd7fecd3f8f0] #23 /usr/lib/samba/private/amd64/libtevent.so.0.10.2'_tevent_loop_once+0x95 [0xfffffd7fecd39bd5] #24 /usr/lib/samba/private/amd64/libtevent.so.0.10.2'tevent_common_loop_wait+0x23 [0xfffffd7fecd39e43] #25 /usr/lib/samba/private/amd64/libtevent.so.0.10.2'std_event_loop_wait+0x40 [0xfffffd7fecd3f870] #26 /usr/lib/samba/private/amd64/libsmbd-base-samba4.so'smbd_process+0x777 [0xfffffd7fee7b8677] #27 /usr/lib/samba/sbin/amd64/smbd'smbd_accept_connection+0x189 [0x40d5b9] #28 /usr/lib/samba/private/amd64/libtevent.so.0.10.2'tevent_common_invoke_fd_handler+0x80 [0xfffffd7fecd3a580] #29 /usr/lib/samba/private/amd64/libtevent.so.0.10.2'epoll_event_loop_once+0x22c [0xfffffd7fecd4180c] #30 /usr/lib/samba/private/amd64/libtevent.so.0.10.2'std_event_loop_once+0x40 [0xfffffd7fecd3f8f0] #31 /usr/lib/samba/private/amd64/libtevent.so.0.10.2'_tevent_loop_once+0x95 [0xfffffd7fecd39bd5] #32 /usr/lib/samba/private/amd64/libtevent.so.0.10.2'tevent_common_loop_wait+0x23 [0xfffffd7fecd39e43] #33 /usr/lib/samba/private/amd64/libtevent.so.0.10.2'std_event_loop_wait+0x40 [0xfffffd7fecd3f870] #34 /usr/lib/samba/sbin/amd64/smbd'main+0x1a0f [0x40f9ff] #35 /usr/lib/samba/sbin/amd64/smbd'_start_crt+0x83 [0x408e73] #36 /usr/lib/samba/sbin/amd64/smbd'_start+0x18 [0x408dd8] In this particular nested share_mode_do_locked() invocation, callback comes through dbwrap_watched_do_locked_fn() where it fails to update rec->value_valid which further gets assigned to static_share_mode_record within share_mode_do_locked_fn(). BUG: https://bugzilla.samba.org/show_bug.cgi?id=14352 Signed-off-by: Anoop C S <anoopcs@redhat.com> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Ralph Böhme <slow@samba.org> Autobuild-Date(master): Tue Apr 21 17:37:43 UTC 2020 on sn-devel-184

It is much harder to determine why we get messages like Step samba-team#6: Error occured while running fuzz_reg_parse: Step samba-team#6: /workspace/out/coverage/fuzz_reg_parse: error while loading shared libraries: libavahi-common.so.3: cannot open shared object file: No such file or directory instead this detects the failure to use RPATH (which is strictly required instead of the modern RUNPATH) otherwise. We do this by creating a new build_samba.sh after renaming build_samba.sh to do_build.sh because this is what oss-fuzz runs, meaning we don't need to coordinate a MR there as well. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Replace probed_ifaces[i] with ifs. In SDC 2020 SMB3 Virtual IO Lab, run Windows Protocol Test Suite to test FileServer multichannel test cases. Samba server has 2 virtual interfaces for VPN connection: > name=tun2001, ip/mask=192.168.144.9/22 > name=tun2002, ip/mask=192.168.144.10/22 test suite client can ping these 2 ip addresses and browse shares. Then client try to use IOCTL FSCTL_QUERY_NETWORK_INTERFACE_INFO to get the virtual ip addresses of samba server, but samba server responded it without the virtual ip addresses. My VPN setup is point-to-point and the virtual interfaces 'tun2001' & 'tun2002' are without flag IFF_BROADCAST. So edit smb.conf and add "interfaces = ${virtual_ip}/${mask_length};if_index=${id}", like this: > interfaces = eth4 eth8 eth11 eth10 qvs0 "192.168.144.9/22;if_index=50" "192.168.144.10/22;if_index=51" then samba server IOCTL response could return the virtual ip addresses, but found a issue: the interface index of virtual ip addresses is always 4294967295 (0xFFFFFFFF, -1). Quote Metze: https://gitlab.com/samba-team/devel/samba/-/commit/6cadb55d975a6348a417caed8b3258f5be2acba4#note_419181789 This looks good, I think that also explains the possible memory corruption/crash I mentioned in the bug report. As 'i' is most likely the same as 'total_probed' and probed_ifaces[i] is not valid, so we overwrite unrelated memory. Later I see 'realloc(): invalid pointer' and this backtrace: BACKTRACE: #0 log_stack_trace + 0x29 [ip=0x7f2f1b6fffa9] [sp=0x7ffcd0ab53e0] #1 smb_panic + 0x11 [ip=0x7f2f1b700301] [sp=0x7ffcd0ab5d10] #2 sig_fault + 0x54 [ip=0x7f2f1b7004f4] [sp=0x7ffcd0ab5e20] #3 funlockfile + 0x50 [ip=0x7f2f17ce6dd0] [sp=0x7ffcd0ab5ec0] #4 gsignal + 0x10f [ip=0x7f2f1794970f] [sp=0x7ffcd0ab6b90] #5 abort + 0x127 [ip=0x7f2f17933b25] [sp=0x7ffcd0ab6cb0] #6 __libc_message + 0x297 [ip=0x7f2f1798c897] [sp=0x7ffcd0ab6de0] #7 malloc_printerr + 0x1c [ip=0x7f2f17992fdc] [sp=0x7ffcd0ab6ef0] #8 realloc + 0x23a [ip=0x7f2f17997f6a] [sp=0x7ffcd0ab6f00] #9 _talloc_realloc + 0xee [ip=0x7f2f1a365d2e] [sp=0x7ffcd0ab6f50] #10 messaging_filtered_read_send + 0x18c [ip=0x7f2f1a10f54c] [sp=0x7ffcd0ab6fb0] #11 messaging_read_send + 0x55 [ip=0x7f2f1a10f705] [sp=0x7ffcd0ab7000] #12 smb2srv_session_table_init + 0x83 [ip=0x7f2f1b3a6cd3] [sp=0x7ffcd0ab7040] #13 smbXsrv_connection_init_tables + 0x2d [ip=0x7f2f1b373f4d] [sp=0x7ffcd0ab7060] #14 smbd_smb2_request_process_negprot + 0x827 [ip=0x7f2f1b38cb47] [sp=0x7ffcd0ab7080] #15 smbd_smb2_request_dispatch + 0x19db [ip=0x7f2f1b38921b] [sp=0x7ffcd0ab71d0] #16 smbd_smb2_process_negprot + 0x298 [ip=0x7f2f1b38bb38] [sp=0x7ffcd0ab7260] #17 process_smb + 0x2ca [ip=0x7f2f1b37537a] [sp=0x7ffcd0ab72b0] #18 smbd_server_connection_read_handler + 0xd0 [ip=0x7f2f1b376420] [sp=0x7ffcd0ab7350] BUG: https://bugzilla.samba.org/show_bug.cgi?id=14514 Signed-off-by: Jones Syue <jonessyue@qnap.com> Reviewed-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit b78ff57)

…] share #0 0x00007fb264e75bea in __GI___wait4 (pid=21966, stat_loc=stat_loc@entry=0x7ffdf83a9bc8, options=options@entry=0, usage=usage@entry=0x0) at ../sysdeps/unix/sysv/linux/wait4.c:30 sc_ret = -512 sc_ret = <optimized out> #1 0x00007fb264e75bab in __GI___waitpid (pid=<optimized out>, stat_loc=stat_loc@entry=0x7ffdf83a9bc8, options=options@entry=0) at waitpid.c:38 No locals. #2 0x00007fb264df33a3 in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:172 __result = <optimized out> _buffer = { __routine = 0x7fb264df35d0 <cancel_handler>, __arg = 0x7ffdf83a9bd0, __canceltype = 0, __prev = 0x0 } _avail = 1 cancel_args = { quit = 0x7fb264f6f200 <quit>, intr = 0x7fb264f6f2a0 <intr>, pid = 21966 } status = -1 ret = 0 pid = 21966 sa = { __sigaction_handler = { sa_handler = 0x1, sa_sigaction = 0x1 }, sa_mask = { __val = {[0] = 65536, [1] = 94088581545700, [2] = 0, [3] = 0, [4] = 0, [5] = 0, [6] = 0, [7] = 1703897678, [8] = 140404174928432, [9] = 140404179009536, [10] = 0, [11] = 140728768044480, [12] = 140404185491504, [13] = 18446744073709551615, [14] = 100, [15] = 140404180125856} }, sa_flags = 0, sa_restorer = 0x7ffdf83a9df0 } omask = { __val = {[0] = 7296, [1] = 140404179695051, [2] = 94088578316976, [3] = 140404180018176, [4] = 140404180017664, [5] = 140404185449449, [6] = 140728768044176, [7] = 140404185448599, [8] = 140404185458050, [9] = 100, [10] = 140404180125856, [11] = 7322926704, [12] = 140728768044432, [13] = 140404185491192, [14] = 112, [15] = 100} } reset = { __val = {[0] = 6, [1] = 5372865792, [2] = 94088581545600, [3] = 140728768044624, [4] = 100, [5] = 100, [6] = 101, [7] = 94088581545600, [8] = 140728768044288, [9] = 140404173470464, [10] = 140406703357952, [11] = 94088581545600, [12] = 94088581545600, [13] = 94088581545600, [14] = 94088581545600, [15] = 94088581545700} } spawn_attr = { __flags = 12, __pgrp = 0, __sd = { __val = {[0] = 6, [1] = 5372865792, [2] = 94088581545600, [3] = 140728768044624, [4] = 100, [5] = 100, [6] = 101, [7] = 94088581545600, [8] = 140728768044288, [9] = 140404173470464, [10] = 140406703357952, [11] = 94088581545600, [12] = 94088581545600, [13] = 94088581545600, [14] = 94088581545600, [15] = 94088581545700} }, __ss = { __val = {[0] = 7296, [1] = 140404179695051, [2] = 94088578316976, [3] = 140404180018176, [4] = 140404180017664, [5] = 140404185449449, [6] = 140728768044176, [7] = 140404185448599, [8] = 140404185458050, [9] = 100, [10] = 140404180125856, [11] = 7322926704, [12] = 140728768044432, [13] = 140404185491192, [14] = 112, [15] = 100} }, __sp = { sched_priority = 0 }, __policy = 0, __pad = {[0] = 0 <repeats 16 times>} } #3 0x00007fb2654289f6 in smb_panic_s3 (why=0x7ffdf83a9fd0 "Signal 11: Segmentation fault") at ../../source3/lib/util.c:839 lp_sub = 0x7fb265461a60 <s3_global_substitution> cmd = 0x5592b47afe30 "/home/asn/workspace/projects/samba/selftest/gdb_backtrace 21964" result = 32690 __FUNCTION__ = "smb_panic_s3" #4 0x00007fb2658f6f09 in smb_panic (why=0x7ffdf83a9fd0 "Signal 11: Segmentation fault") at ../../lib/util/fault.c:197 No locals. #5 0x00007fb2658f6a39 in fault_report (sig=11) at ../../lib/util/fault.c:81 counter = 1 signal_string = "Signal 11: Segmentation fault\000\000\000\000\240:\370\375\177\000\000\000m?@/\214؊\377\245:\370\375\177\000\000\000m?@/\214؊\000\242:\370\375\177", '\000' <repeats 11 times>, "\242:\370\375\177\000\000\351C\231e\262\177\000\000`\240:\370\375\177\000\000\002:\231e\262\177\000\000Р:\370\375\177\000\000\a\000\000\000\061\000\000" #6 0x00007fb2658f6a4e in sig_fault (sig=11) at ../../lib/util/fault.c:92 No locals. #7 <signal handler called> No locals. #8 0x00007fb2653762b4 in copy_service (pserviceDest=0x5592b4657940, pserviceSource=0x0, pcopymapDest=0x0) at ../../lib/param/loadparm.c:896 src_ptr = 0x1 dest_ptr = 0x5592b4657941 i = 1 bcopyall = true data = 0x5592b44a9020 #9 0x00007fb2653e1e16 in add_a_service (pservice=0x0, name=0x5592b4476130 "laserjet1102w") at ../../source3/param/loadparm.c:1486 i = 13 tsp = 0x5592b44a9020 __FUNCTION__ = "add_a_service" #10 0x00007fb2653e2846 in lp_add_printer (pszPrintername=0x5592b4476130 "laserjet1102w", iDefaultService=-1) at ../../source3/param/loadparm.c:1666 comment = 0x7fb2654339ec "From Printcap" i = 21906 __FUNCTION__ = "lp_add_printer" #11 0x00007fb2653e59b8 in lp_add_one_printer (name=0x5592b4476130 "laserjet1102w", comment=0x5592b512d5a0 "HP LaserJet Professional p 1102w, hpcups 3.19.6, requires proprietary plugin", location=0x5592b4476200 "", pdata=0x0) at ../../source3/param/loadparm.c:2988 printers = -1 i = 1700139171 #12 0x00007fb26556112f in printer_list_exec_fn (rec=0x7ffdf83aa7e0, private_data=0x7ffdf83aa9f0) at ../../source3/printing/printer_list.c:446 state = 0x7ffdf83aa9f0 time_h = 0 time_l = 17286 name = 0x5592b4476130 "laserjet1102w" comment = 0x5592b512d5a0 "HP LaserJet Professional p 1102w, hpcups 3.19.6, requires proprietary plugin" location = 0x5592b4476200 "" ret = 100 key = { dptr = 0x5592b456fdd0 "PRINTERLIST/PRN/LASERJET1102W", dsize = 30 } value = { dptr = 0x5592b456fdee "", dsize = 100 } __FUNCTION__ = "printer_list_exec_fn" #13 0x00007fb2646fc747 in db_tdb_traverse_read_func (tdb=0x5592b5377090, kbuf=..., dbuf=..., private_data=0x7ffdf83aa920) at ../../lib/dbwrap/dbwrap_tdb.c:399 ctx = 0x7ffdf83aa920 rec = { db = 0x5592b4957500, key = { dptr = 0x5592b456fdd0 "PRINTERLIST/PRN/LASERJET1102W", dsize = 30 }, value = { dptr = 0x5592b456fdee "", dsize = 100 }, value_valid = true, storev = 0x7fb2646fc672 <db_tdb_storev_deny>, delete_rec = 0x7fb2646fc68b <db_tdb_delete_deny>, private_data = 0x5592b5249b50 } #14 0x00007fb26372c08d in ?? () from /usr/lib64/libtdb.so.1 No symbol table info available. #15 0x00007fb26372c21d in tdb_traverse_read () from /usr/lib64/libtdb.so.1 No symbol table info available. #16 0x00007fb2646fc7b7 in db_tdb_traverse_read (db=0x5592b4957500, f=0x7fb265561001 <printer_list_exec_fn>, private_data=0x7ffdf83aa9f0) at ../../lib/dbwrap/dbwrap_tdb.c:413 db_ctx = 0x5592b5249b50 ctx = { db = 0x5592b4957500, f = 0x7fb265561001 <printer_list_exec_fn>, private_data = 0x7ffdf83aa9f0 } #17 0x00007fb2646f83ad in dbwrap_traverse_read (db=0x5592b4957500, f=0x7fb265561001 <printer_list_exec_fn>, private_data=0x7ffdf83aa9f0, count=0x0) at ../../lib/dbwrap/dbwrap.c:412 ret = 0 #18 0x00007fb265560d9b in printer_list_traverse (fn=0x7fb265561001 <printer_list_exec_fn>, private_data=0x7ffdf83aa9f0, read_only=true) at ../../source3/printing/printer_list.c:328 db = 0x5592b4957500 status = { v = 0 } #19 0x00007fb2655611cc in printer_list_read_run_fn (fn=0x7fb2653e5970 <lp_add_one_printer>, private_data=0x0) at ../../source3/printing/printer_list.c:464 state = { fn = 0x7fb2653e5970 <lp_add_one_printer>, private_data = 0x0, status = { v = 0 } } status = { v = 0 } #20 0x00007fb26555c9e6 in load_printers () at ../../source3/printing/load.c:86 status = { v = 0 } __func__ = "load_printers" #21 0x00007fb265599457 in delete_and_reload_printers () at ../../source3/smbd/server_reload.c:80 n_services = -130372992 pnum = 12 snum = 12 pname = 0x5592b55626f0 "\340=\277\264\222U" ok = true pcap_last_update = 17286 frame = 0x5592b4797d70 lp_sub = 0x7fb265461a60 <s3_global_substitution> __FUNCTION__ = "delete_and_reload_printers" #22 0x00007fb2655404d7 in delete_and_reload_printers_full (ev=0x5592b44a6940, msg_ctx=0x5592b44a92c0) at ../../source3/printing/queue_process.c:131 session_info = 0x5592b55626f0 pinfo2 = 0x0 lp_sub = 0x7fb265461a60 <s3_global_substitution> n_services = 13 pnum = -1 snum = 13 pname = 0x5592b45003d0 "\240\247F\264\222U" sname = 0x7ffdf83aab00 "\200\253:\370\375\177" status = { v = 0 } __FUNCTION__ = "delete_and_reload_printers_full" #23 0x00007fb265540523 in reload_pcap_change_notify (ev=0x5592b44a6940, msg_ctx=0x5592b44a92c0) at ../../source3/printing/queue_process.c:150 No locals. #24 0x00007fb265555855 in cups_async_callback (event_ctx=0x5592b44a6940, event=0x5592b5562570, flags=1, p=0x5592b4a9b160) at ../../source3/printing/print_cups.c:571 frame = 0x5592b4e26960 cb_args = 0x5592b4a9b160 tmp_pcap_cache = 0x5592b45003d0 ret_ok = true pcap_data = { status = { v = 0 }, count = 1, printers = 0x5592b5393800 } pcap_blob = { data = 0x5592b47a48e0 "\001", length = 157 } ndr_ret = NDR_ERR_SUCCESS i = 1 __FUNCTION__ = "cups_async_callback" #25 0x00007fb26548b88c in tevent_common_invoke_fd_handler (fde=0x5592b5562570, flags=1, removed=0x0) at ../../lib/tevent/tevent_fd.c:138 handler_ev = 0x5592b44a6940 #26 0x00007fb265496148 in epoll_event_loop (epoll_ev=0x5592b4a30eb0, tvalp=0x7ffdf83aac50) at ../../lib/tevent/tevent_epoll.c:736 fde = 0x5592b5562570 flags = 1 mpx_fde = 0x0 ret = 1 i = 0 events = {[0] = { events = 17, data = { ptr = 0x5592b5562570, fd = -1252645520, u32 = 3042321776, u64 = 94088595907952 } }} timeout = 750000 wait_errno = 0 #27 0x00007fb26549678f in epoll_event_loop_once (ev=0x5592b44a6940, location=0x7fb2657c54e0 "../../source3/printing/queue_process.c:424") at ../../lib/tevent/tevent_epoll.c:937 epoll_ev = 0x5592b4a30eb0 tval = { tv_sec = 749, tv_usec = 999054 } panic_triggered = false #28 0x00007fb2654930fa in std_event_loop_once (ev=0x5592b44a6940, location=0x7fb2657c54e0 "../../source3/printing/queue_process.c:424") at ../../lib/tevent/tevent_standard.c:110 glue_ptr = 0x5592b44aa700 glue = 0x5592b44aa700 ret = 21906 #29 0x00007fb26548aaf7 in _tevent_loop_once (ev=0x5592b44a6940, location=0x7fb2657c54e0 "../../source3/printing/queue_process.c:424") at ../../lib/tevent/tevent.c:772 ret = 21906 nesting_stack_ptr = 0x0 #30 0x00007fb26548ae1e in tevent_common_loop_wait (ev=0x5592b44a6940, location=0x7fb2657c54e0 "../../source3/printing/queue_process.c:424") at ../../lib/tevent/tevent.c:895 ret = 32690 #31 0x00007fb26549319c in std_event_loop_wait (ev=0x5592b44a6940, location=0x7fb2657c54e0 "../../source3/printing/queue_process.c:424") at ../../lib/tevent/tevent_standard.c:141 glue_ptr = 0x5592b44aa700 glue = 0x5592b44aa700 ret = 32690 #32 0x00007fb26548aec1 in _tevent_loop_wait (ev=0x5592b44a6940, location=0x7fb2657c54e0 "../../source3/printing/queue_process.c:424") at ../../lib/tevent/tevent.c:914 No locals. #33 0x00007fb265541028 in start_background_queue (ev=0x5592b44a6940, msg_ctx=0x5592b44a92c0, logfile=0x0) at ../../source3/printing/queue_process.c:424 fde = 0x5592b53bcee0 ret = 21906 status = { v = 0 } pid = 0 state = 0x5592b4bf3d50 pause_pipe = {[0] = -1, [1] = 48} __FUNCTION__ = "start_background_queue" #34 0x00007fb265541154 in printing_subsystem_init (ev_ctx=0x5592b44a6940, msg_ctx=0x5592b44a92c0, dce_ctx=0x5592b44ae3e0, start_daemons=true, background_queue=true) at ../../source3/printing/queue_process.c:457 pid = -1 #35 0x00005592b436b820 in main (argc=5, argv=0x7ffdf83ab2e8) at ../../source3/smbd/server.c:2131 bgq = true ok = false is_daemon = true interactive = false Fork = false no_process_group = false log_stdout = true ports = 0x0 profile_level = 0x0 opt = -1 pc = 0x5592b4496df0 print_build_options = false main_server_id = { pid = 21931, task_id = 0, vnn = 4294967295, unique_id = 7715839874465799134 } OPT_DAEMON = OPT_DAEMON OPT_INTERACTIVE = OPT_INTERACTIVE OPT_FORK = OPT_FORK OPT_NO_PROCESS_GROUP = OPT_NO_PROCESS_GROUP OPT_LOG_STDOUT = OPT_LOG_STDOUT long_options = {[0] = { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fb2650d9400 <poptHelpOptions>, val = 0, descrip = 0x5592b43732e1 "Help options:", argDescrip = 0x0 }, [1] = { longName = 0x5592b43732ef "daemon", shortName = 68 'D', argInfo = 0, arg = 0x0, val = 1000, descrip = 0x5592b43732f6 "Become a daemon (default)", argDescrip = 0x0 }, [2] = { longName = 0x5592b4373310 "interactive", shortName = 105 'i', argInfo = 0, arg = 0x0, val = 1001, descrip = 0x5592b4373320 "Run interactive (not a daemon) and log to stdout", argDescrip = 0x0 }, [3] = { longName = 0x5592b4373351 "foreground", shortName = 70 'F', argInfo = 0, arg = 0x0, val = 1002, descrip = 0x5592b4373360 "Run daemon in foreground (for daemontools, etc.)", argDescrip = 0x0 }, [4] = { longName = 0x5592b4373391 "no-process-group", shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 1003, descrip = 0x5592b43733a8 "Don't create a new process group", argDescrip = 0x0 }, [5] = { longName = 0x5592b43733c9 "log-stdout", shortName = 83 'S', argInfo = 0, arg = 0x0, val = 1004, descrip = 0x5592b43733d4 "Log to stdout", argDescrip = 0x0 }, [6] = { longName = 0x5592b43733e2 "build-options", shortName = 98 'b', argInfo = 0, arg = 0x0, val = 98, descrip = 0x5592b43733f0 "Print build options", argDescrip = 0x0 }, [7] = { longName = 0x5592b4373404 "port", shortName = 112 'p', argInfo = 1, arg = 0x7ffdf83ab158, val = 0, descrip = 0x5592b4373409 "Listen on the specified ports", argDescrip = 0x0 }, [8] = { longName = 0x5592b4373427 "profiling-level", shortName = 80 'P', argInfo = 1, arg = 0x7ffdf83ab150, val = 0, descrip = 0x5592b4373437 "Set profiling level", argDescrip = 0x5592b437344b "PROFILE_LEVEL" }, [9] = { longName = 0x0, shortName = 0 '\000', argInfo = 4, arg = 0x7fb2654a8140 <popt_common_samba>, val = 0, descrip = 0x5592b4373459 "Common samba options:", argDescrip = 0x0 }, [10] = { longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0, argDescrip = 0x0 }} parent = 0x5592b44addf0 frame = 0x5592b448d6b0 status = { v = 0 } ev_ctx = 0x5592b44a6940 msg_ctx = 0x5592b44a92c0 dce_ctx = 0x5592b44ae3e0 server_id = { pid = 21931, task_id = 0, vnn = 4294967295, unique_id = 5659117256920205400 } se = 0x5592b44c0f90 profiling_level = 0 np_dir = 0x5592b4f2bdc0 "/home/asn/workspace/projects/samba/st/fl2003dc/ncalrpc/np" lp_sub = 0x7fb265461a60 <s3_global_substitution> smbd_shim_fns = { send_stat_cache_delete_message = 0x7fb26563ba6e <smbd_send_stat_cache_delete_message>, change_to_root_user = 0x7fb265613e99 <smbd_change_to_root_user>, become_authenticated_pipe_user = 0x7fb265613f4b <smbd_become_authenticated_pipe_user>, unbecome_authenticated_pipe_user = 0x7fb265614067 <smbd_unbecome_authenticated_pipe_user>, contend_level2_oplocks_begin = 0x7fb2656bb8df <smbd_contend_level2_oplocks_begin>, contend_level2_oplocks_end = 0x7fb2656bb902 <smbd_contend_level2_oplocks_end>, become_root = 0x7fb2656142cc <smbd_become_root>, unbecome_root = 0x7fb2656142f5 <smbd_unbecome_root>, exit_server = 0x7fb2656add55 <smbd_exit_server>, exit_server_cleanly = 0x7fb2656add72 <smbd_exit_server_cleanly> } __FUNCTION__ = "main" __func__ = "main" Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri Mar 19 18:56:33 UTC 2021 on sn-devel-184

The LMDB change "ITS#9278 fix robust mutex cleanup for FreeBSD" released in version 0.9.26 makes samba-tool domain backup offline to fail with the following error: Failed to connect to 'mdb:///tmp/foo/private/sam.ldb.d/CN=CONFIGURATION,DC=FOO,DC=EXAMPLE,DC=COM.ldb' with backend 'mdb': Unable to load ltdb cache records for backend 'ldb_mdb backend' module samba_dsdb initialization failed : Operations error Unable to load modules for /tmp/foo/private/sam.ldb.bak-offline: Unable to load ltdb cache records for backend 'ldb_mdb backend' ERROR(ldb): uncaught exception - Unable to load ltdb cache records for backend 'ldb_mdb backend' File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/__init__.py", line 186, in _run return self.run(*args, **kwargs) File "/usr/local/samba/lib64/python3.6/site-packages/samba/netcmd/domain_backup.py", line 1147, in run session_info=system_session(), lp=lp) File "/usr/local/samba/lib64/python3.6/site-packages/samba/samdb.py", line 72, in __init__ options=options) File "/usr/local/samba/lib64/python3.6/site-packages/samba/__init__.py", line 114, in __init__ self.connect(url, flags, options) File "/usr/local/samba/lib64/python3.6/site-packages/samba/samdb.py", line 87, in connect options=options) The error occurs opening the backed ldb to write the backup date and the next SID, a call to pthread_mutex_lock in mdb_txn_renew0 (frame 8) returns EINVAL: #0 0x00007ff63c2f1bea in wait4 () from /lib64/libc.so.6 #1 0x00007ff63c26f3a3 in do_system () from /lib64/libc.so.6 #2 0x00007ff63bc71e94 in smb_panic_default (why=0x7ffed481b7d0 "Signal 6: Aborted") at ../../lib/util/fault.c:153 #3 0x00007ff63bc72168 in smb_panic (why=0x7ffed481b7d0 "Signal 6: Aborted") at ../../lib/util/fault.c:200 #4 0x00007ff63bc71c82 in fault_report (sig=6) at ../../lib/util/fault.c:81 #5 0x00007ff63bc71c97 in sig_fault (sig=6) at ../../lib/util/fault.c:92 #6 <signal handler called> #7 0x00007ff63c2178b5 in raise () from /lib64/libpthread.so.0 #8 0x00007ff637602e65 in mdb_txn_renew0 (txn=txn@entry=0x55d6f97fb800) at mdb.c:2710 #9 0x00007ff637603ae8 in mdb_txn_begin (env=0x55d6f85dfa80, parent=0x0, flags=131072, ret=0x55d6f89c0928) at mdb.c:2912 #10 0x00007ff6376236cc in lmdb_lock_read (module=0x55d6f8c5f4b0) at ../../lib/ldb/ldb_mdb/ldb_mdb.c:585 #11 0x00007ff637641de6 in ldb_kv_cache_load (module=0x55d6f8c5f4b0) at ../../lib/ldb/ldb_key_value/ldb_kv_cache.c:450 #12 0x00007ff637638792 in ldb_kv_init_store (ldb_kv=0x55d6f8af2a80, name=0x7ff637625675 "ldb_mdb backend", ldb=0x55d6f8cd22b0, options=0x0, _module=0x7ffed481c248) at ../../lib/ldb/ldb_key_value/ldb_kv.c:2166 #13 0x00007ff6376247ba in lmdb_connect (ldb=0x55d6f8cd22b0, url=0x55d6f85d41f0 "mdb:///tmp/foo/private/sam.ldb.d/CN=CONFIGURATION,DC=FOO,DC=EXAMPLE,DC=COM.ldb", flags=64, options=0x0, _module=0x7ffed481c248) at ../../lib/ldb/ldb_mdb/ldb_mdb.c:1143 #14 0x00007ff63bd94d2f in ldb_module_connect_backend (ldb=0x55d6f8cd22b0, url=0x55d6f85d41f0 "mdb:///tmp/foo/private/sam.ldb.d/CN=CONFIGURATION,DC=FOO,DC=EXAMPLE,DC=COM.ldb", options=0x0, backend_module=0x7ffed481c248) at ../../lib/ldb/common/ldb_modules.c:221 #15 0x00007ff6375a4baf in new_partition_from_dn (ldb=0x55d6f8cd22b0, data=0x55d6f858bed0, mem_ctx=0x55d6f8a03cd0, dn=0x55d6f9865450, filename=0x55d6f860b6da "sam.ldb.d/CN=CONFIGURATION,DC=FOO,DC=EXAMPLE,DC=COM.ldb", backend_db_store=0x55d6f9d378e0 "mdb", partition=0x7ffed481c308) at ../../source4/dsdb/samdb/ldb_modules/partition_init.c:257 #16 0x00007ff6375a57b9 in partition_reload_if_required (module=0x55d6f8972d10, data=0x55d6f858bed0, parent=0x0) at ../../source4/dsdb/samdb/ldb_modules/partition_init.c:513 #17 0x00007ff6375a3b04 in partition_read_lock (module=0x55d6f8972d10) at ../../source4/dsdb/samdb/ldb_modules/partition.c:1492 #18 0x00007ff63bd9631e in ldb_next_read_lock (module=0x55d6f8972d10) at ../../lib/ldb/common/ldb_modules.c:662 #19 0x00007ff637484857 in schema_read_lock (module=0x55d6f9377e40) at ../../source4/dsdb/samdb/ldb_modules/schema_load.c:614 #20 0x00007ff63bd9631e in ldb_next_read_lock (module=0x55d6f9377e40) at ../../lib/ldb/common/ldb_modules.c:662 #21 0x00007ff6374b5402 in samba_dsdb_init (module=0x55d6f91c3cd0) at ../../source4/dsdb/samdb/ldb_modules/samba_dsdb.c:483 #22 0x00007ff63bd95283 in ldb_module_init_chain (ldb=0x55d6f8cd22b0, module=0x55d6f91c3cd0) at ../../lib/ldb/common/ldb_modules.c:363 #23 0x00007ff63bd95645 in ldb_load_modules (ldb=0x55d6f8cd22b0, options=0x0) at ../../lib/ldb/common/ldb_modules.c:445 #24 0x00007ff63bd90663 in ldb_connect (ldb=0x55d6f8cd22b0, url=0x7ff6377d98f8 "/tmp/foo/private/sam.ldb.bak-offline", flags=64, options=0x0) at ../../lib/ldb/common/ldb.c:274 #25 0x00007ff63bddb32f in py_ldb_connect (self=0x7ff63778afc0, args=(), Python Exception <class 'gdb.error'> There is no member named ma_keys.: kwargs=) at ../../lib/ldb/pyldb.c:1235 Deleting the previous samdb instance by setting it to None before opening the backed ldb workaround the problem until we find the real problem here. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>

The current test uses the dig tool from bind9 but this tool has been rewritten in 9.17.7 to use bind's netmgr functions instead of isc_socket (commit 94b7988efb0f9b96415dd2966e6070450d960263). The problem is that these 'netmgr' functions use libuv internally, and, on systems supporting it, they end up using the sendmmsg() syscall which is not catched by socket wrapper so the test fails. This commit converts the test to python and uses the dnspython module instead of the dig tool. Backtraces follow as reference. Backtrace from dig v9.16.28 (working): #0 0x00007ffff778edee in sendmsg () from /lib64/libc.so.6 #1 0x00000000005e5dee in cmsgsend (s=s@entry=12, level=level@entry=0, type=type@entry=1, res=<optimized out>) at net.c:515 #2 0x00000000005e616c in try_dscp_v4 () at net.c:623 #3 try_dscp () at net.c:696 #4 0x00007ffff7708ad7 in __pthread_once_slow () from /lib64/libc.so.6 #5 0x00000000005e66d7 in initialize_dscp () at net.c:702 #6 isc_net_probedscp () at net.c:707 #7 0x00000000005e8460 in socket_create (manager=0x6b49c0, pf=2, type=<optimized out>, socketp=0x7ffff0012b00, dup_socket=0x0) at socket.c:2454 #8 0x000000000043cfcd in send_udp (query=0x7ffff00129a8) at dighost.c:2897 #9 0x000000000043f9c7 in onrun_callback (task=<optimized out>, event=<optimized out>) at dighost.c:4271 #10 0x00000000005dfefe in task_run (task=0x6b5c70) at task.c:851 #11 isc_task_run (task=0x6b5c70) at task.c:944 #12 0x00000000005ca0ce in isc__nm_async_task (worker=0x6b8970, ev0=0x716250) at netmgr.c:873 #13 process_netievent (worker=worker@entry=0x6b8970, ievent=0x716250) at netmgr.c:952 #14 0x00000000005ca2ba in process_queue (worker=worker@entry=0x6b8970, type=type@entry=NETIEVENT_TASK) at netmgr.c:1021 #15 0x00000000005caa43 in process_all_queues (worker=0x6b8970) at netmgr.c:792 #16 async_cb (handle=0x6b8cd0) at netmgr.c:821 #17 0x00007ffff7898a4d in ?? () from /lib64/libuv.so.1 #18 0x00007ffff78b4217 in ?? () from /lib64/libuv.so.1 #19 0x00007ffff789e40a in uv_run () from /lib64/libuv.so.1 #20 0x00000000005ca31e in nm_thread (worker0=0x6b8970) at netmgr.c:727 #21 0x00000000005e2315 in isc__trampoline_run (arg=0x6b7c40) at trampoline.c:198 #22 0x00007ffff7703767 in start_thread () from /lib64/libc.so.6 #23 0x00007ffff778dc10 in clone3 () from /lib64/libc.so.6 Backtrace from dig v9.17.7 (not working): #0 0x00007ffff7684480 in syscall () from /lib64/libc.so.6 #1 0x00007ffff754aed0 in uv__sendmmsg (vlen=0, mmsg=0x0, fd=10) at src/unix/linux-syscalls.c:163 #2 uv__udp_mmsg_init () at src/unix/udp.c:74 #3 0x00007ffff7606ad7 in __pthread_once_slow () from /lib64/libc.so.6 #4 0x00007ffff7541bd9 in uv_once (guard=<optimized out>, callback=<optimized out>) at src/unix/thread.c:440 #5 0x00007ffff7539e9b in uv__udp_sendmsg (handle=0x7ffff50535b8) at src/unix/udp.c:415 #6 uv__udp_send (send_cb=0x7ffff7a41db0 <udp_send_cb>, addrlen=<optimized out>, addr=<optimized out>, nbufs=1, bufs=0x7ffff506c720, handle=0x7ffff50535b8, req=0x7ffff506c878) at src/unix/udp.c:773 #7 uv_udp_send (req=req@entry=0x7ffff506c878, handle=handle@entry=0x7ffff50535b8, bufs=bufs@entry=0x7ffff506c720, nbufs=nbufs@entry=1, addr=<optimized out>, send_cb=send_cb@entry=0x7ffff7a41db0 <udp_send_cb>) at src/uv-common.c:464 #8 0x00007ffff7a42308 in udp_send_direct (peer=0x7ffff5dfa988, req=0x7ffff506c700, sock=0x7ffff5053000) at netmgr/udp.c:839 #9 isc__nm_async_udpsend (worker=<optimized out>, ev0=0x7ffff5dfa950) at netmgr/udp.c:780 #10 0x00007ffff7a47de7 in isc__nm_udp_send (handle=<optimized out>, region=0x7ffff5dfaa90, cb=0x555555566250 <send_done>, cbarg=<optimized out>) at netmgr/udp.c:749 #11 0x0000555555562ac2 in send_udp (query=0x7ffff502a000) at /usr/src/debug/bind-9.18.2-1.1.x86_64/bin/dig/dighost.c:2899 #12 udp_ready (handle=0x7ffff5026180, eresult=ISC_R_SUCCESS, arg=<optimized out>) at /usr/src/debug/bind-9.18.2-1.1.x86_64/bin/dig/dighost.c:2974 #13 0x00007ffff7a37d34 in isc__nm_async_connectcb (worker=worker@entry=0x7ffff622f000, ev0=ev0@entry=0x7ffff5026480) at netmgr/netmgr.c:2704 #14 0x00007ffff7a3ca20 in process_netievent (worker=worker@entry=0x7ffff622f000, ievent=0x7ffff5026480) at netmgr/netmgr.c:940 #15 0x00007ffff7a3d027 in process_queue (worker=worker@entry=0x7ffff622f000, type=type@entry=NETIEVENT_NORMAL) at netmgr/netmgr.c:977 #16 0x00007ffff7a3d203 in process_all_queues (worker=0x7ffff622f000) at netmgr/netmgr.c:733 #17 async_cb (handle=0x7ffff622f360) at netmgr/netmgr.c:762 #18 0x00007ffff7531a4d in uv__async_io (loop=0x7ffff622f010, w=<optimized out>, events=<optimized out>) at src/unix/async.c:163 #19 0x00007ffff754d217 in uv__io_poll (loop=0x7ffff622f010, timeout=<optimized out>) at src/unix/epoll.c:374 #20 0x00007ffff753740a in uv__io_poll (timeout=<optimized out>, loop=0x7ffff622f010) at src/unix/udp.c:122 #21 uv_run (loop=loop@entry=0x7ffff622f010, mode=mode@entry=UV_RUN_DEFAULT) at src/unix/core.c:391 #22 0x00007ffff7a3d624 in nm_thread (worker0=0x7ffff622f000) at netmgr/netmgr.c:664 #23 0x00007ffff7a6c915 in isc__trampoline_run (arg=0x555555599210) at /usr/src/debug/bind-9.18.2-1.1.x86_64/lib/isc/trampoline.c:187 #24 0x00007ffff7601767 in start_thread () from /lib64/libc.so.6 #25 0x00007ffff768bc10 in clone3 () from /lib64/libc.so.6 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Sat Jun 4 00:27:29 UTC 2022 on sn-devel-184

Cast from 'uint32_t *' (aka 'unsigned int *') to 'size_t *' (aka 'unsigned long *') increases required alignment from 4 to 8 ==10343==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc6784fc0 at pc 0x7f339f1ea500 bp 0x7ffdc6784ed0 sp 0x7ffdc6784ec8 WRITE of size 8 at 0x7ffdc6784fc0 thread T0 #0 0x7f339f1ea4ff in fd_load ../../lib/util/util_file.c:220 #1 0x7f339f1ea5a4 in file_load ../../lib/util/util_file.c:245 #2 0x56363209a596 in net_offlinejoin_requestodj ../../source3/utils/net_offlinejoin.c:267 #3 0x56363209a9d0 in net_offlinejoin ../../source3/utils/net_offlinejoin.c:74 #4 0x56363208f61c in net_run_function ../../source3/utils/net_util.c:453 #5 0x563631fe8a9f in main ../../source3/utils/net.c:1358 #6 0x7f339b22c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #7 0x7f339b22c678 in __libc_start_main_impl ../csu/libc-start.c:381 #8 0x563631faf374 in _start ../sysdeps/x86_64/start.S:115 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15257 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Mon Dec 5 12:05:24 UTC 2022 on sn-devel-184

Cast from 'uint32_t *' (aka 'unsigned int *') to 'size_t *' (aka 'unsigned long *') increases required alignment from 4 to 8 ==10343==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc6784fc0 at pc 0x7f339f1ea500 bp 0x7ffdc6784ed0 sp 0x7ffdc6784ec8 WRITE of size 8 at 0x7ffdc6784fc0 thread T0 #0 0x7f339f1ea4ff in fd_load ../../lib/util/util_file.c:220 #1 0x7f339f1ea5a4 in file_load ../../lib/util/util_file.c:245 #2 0x56363209a596 in net_offlinejoin_requestodj ../../source3/utils/net_offlinejoin.c:267 #3 0x56363209a9d0 in net_offlinejoin ../../source3/utils/net_offlinejoin.c:74 #4 0x56363208f61c in net_run_function ../../source3/utils/net_util.c:453 #5 0x563631fe8a9f in main ../../source3/utils/net.c:1358 #6 0x7f339b22c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #7 0x7f339b22c678 in __libc_start_main_impl ../csu/libc-start.c:381 #8 0x563631faf374 in _start ../sysdeps/x86_64/start.S:115 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15257 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> (cherry picked from commit ef8c8ac) Autobuild-User(v4-17-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-17-test): Tue Dec 6 12:39:53 UTC 2022 on sn-devel-184

Cast from 'uint32_t *' (aka 'unsigned int *') to 'size_t *' (aka 'unsigned long *') increases required alignment from 4 to 8 ==10343==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffdc6784fc0 at pc 0x7f339f1ea500 bp 0x7ffdc6784ed0 sp 0x7ffdc6784ec8 WRITE of size 8 at 0x7ffdc6784fc0 thread T0 #0 0x7f339f1ea4ff in fd_load ../../lib/util/util_file.c:220 #1 0x7f339f1ea5a4 in file_load ../../lib/util/util_file.c:245 #2 0x56363209a596 in net_offlinejoin_requestodj ../../source3/utils/net_offlinejoin.c:267 #3 0x56363209a9d0 in net_offlinejoin ../../source3/utils/net_offlinejoin.c:74 #4 0x56363208f61c in net_run_function ../../source3/utils/net_util.c:453 #5 0x563631fe8a9f in main ../../source3/utils/net.c:1358 #6 0x7f339b22c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #7 0x7f339b22c678 in __libc_start_main_impl ../csu/libc-start.c:381 #8 0x563631faf374 in _start ../sysdeps/x86_64/start.S:115 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15257 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> (cherry picked from commit ef8c8ac) Autobuild-User(v4-16-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-16-test): Tue Dec 6 12:02:00 UTC 2022 on sn-devel-184

…level() ==12122==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fff494dd900 at pc 0x7fdaebea71e3 bp 0x7fff494dd430 sp 0x7fff494dd428 READ of size 4 at 0x7fff494dd900 thread T0 #0 0x7fdaebea71e2 in ndr_push_spoolss_SetPrinterInfo8 librpc/gen_ndr/ndr_spoolss.c:8618 #1 0x7fdaebea71e2 in ndr_push_spoolss_SetPrinterInfo librpc/gen_ndr/ndr_spoolss.c:8796 #2 0x7fdaebea7482 in ndr_push_spoolss_SetPrinterInfoCtr librpc/gen_ndr/ndr_spoolss.c:9163 #3 0x7fdaebea7580 in ndr_push_spoolss_SetPrinter librpc/gen_ndr/ndr_spoolss.c:27000 #4 0x7fdaee3e1b30 in dcerpc_binding_handle_call_send ../../librpc/rpc/binding_handle.c:416 #5 0x7fdaee3e2132 in dcerpc_binding_handle_call ../../librpc/rpc/binding_handle.c:553 #6 0x7fdaecb103fd in dcerpc_spoolss_SetPrinter_r librpc/gen_ndr/ndr_spoolss_c.c:1722 #7 0x559a7294c2f1 in test_SetPrinter ../../source4/torture/rpc/spoolss.c:1293 #8 0x559a7297b4d4 in test_devmode_set_level ../../source4/torture/rpc/spoolss.c:2126 #9 0x559a7299cfa1 in test_PrinterInfo_DevModes ../../source4/torture/rpc/spoolss.c:2344 #10 0x559a7299cfa1 in test_PrinterInfo_DevMode ../../source4/torture/rpc/spoolss.c:2489 #11 0x559a7299cfa1 in test_printer_dm ../../source4/torture/rpc/spoolss.c:9083 #12 0x7fdaeda9867d in wrap_test_with_simple_test ../../lib/torture/torture.c:808 #13 0x7fdaeda9a40b in internal_torture_run_test ../../lib/torture/torture.c:516 #14 0x7fdaeda9a87c in torture_run_tcase_restricted ../../lib/torture/torture.c:581 #15 0x7fdaeda9aeb2 in torture_run_suite_restricted ../../lib/torture/torture.c:435 #16 0x559a72b51668 in run_matching ../../source4/torture/smbtorture.c:95 #17 0x559a72b516ef in run_matching ../../source4/torture/smbtorture.c:105 #18 0x559a72b516ef in run_matching ../../source4/torture/smbtorture.c:105 #19 0x559a72b523ef in torture_run_named_tests ../../source4/torture/smbtorture.c:172 #20 0x559a72b563eb in main ../../source4/torture/smbtorture.c:750 #21 0x7fdaea42c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #22 0x7fdaea42c678 in __libc_start_main_impl ../csu/libc-start.c:381 #23 0x559a72755824 in _start ../sysdeps/x86_64/start.S:115 Address 0x7fff494dd900 is located in stack of thread T0 at offset 32 in frame #0 0x559a7297b111 in test_devmode_set_level ../../source4/torture/rpc/spoolss.c:2090 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org>

…ull() ==17828==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffc37790230 at pc 0x7fc37e2a3a11 bp 0x7ffc3778fec0 sp 0x7ffc3778feb8 READ of size 16 at 0x7ffc37790230 thread T0 #0 0x7fc37e2a3a10 in ndr_push_spoolss_GetPrinter librpc/gen_ndr/ndr_spoolss.c:27123 #1 0x7fc380629b30 in dcerpc_binding_handle_call_send ../../librpc/rpc/binding_handle.c:416 #2 0x7fc38062a132 in dcerpc_binding_handle_call ../../librpc/rpc/binding_handle.c:553 #3 0x7fc37ed113c9 in dcerpc_spoolss_GetPrinter_r librpc/gen_ndr/ndr_spoolss_c.c:1947 #4 0x5570ba6c4d03 in test_devicemode_full ../../source4/torture/rpc/spoolss.c:2249 #5 0x5570ba6e61ea in test_PrinterInfo_DevModes ../../source4/torture/rpc/spoolss.c:2384 #6 0x5570ba6e61ea in test_PrinterInfo_DevMode ../../source4/torture/rpc/spoolss.c:2488 #7 0x5570ba6e61ea in test_printer_dm ../../source4/torture/rpc/spoolss.c:9082 #8 0x7fc37fc7b67d in wrap_test_with_simple_test ../../lib/torture/torture.c:808 #9 0x7fc37fc7d40b in internal_torture_run_test ../../lib/torture/torture.c:516 #10 0x7fc37fc7d87c in torture_run_tcase_restricted ../../lib/torture/torture.c:581 #11 0x7fc37fc7deb2 in torture_run_suite_restricted ../../lib/torture/torture.c:435 #12 0x5570ba89a65d in run_matching ../../source4/torture/smbtorture.c:95 #13 0x5570ba89a6e4 in run_matching ../../source4/torture/smbtorture.c:105 #14 0x5570ba89a6e4 in run_matching ../../source4/torture/smbtorture.c:105 #15 0x5570ba89b3e4 in torture_run_named_tests ../../source4/torture/smbtorture.c:172 #16 0x5570ba89f3e0 in main ../../source4/torture/smbtorture.c:750 #17 0x7fc37c62c5af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #18 0x7fc37c62c678 in __libc_start_main_impl ../csu/libc-start.c:381 #19 0x5570ba49e824 in _start ../sysdeps/x86_64/start.S:115 Address 0x7ffc37790230 is located in stack of thread T0 at offset 160 in frame #0 0x5570ba6c4562 in test_devicemode_full ../../source4/torture/rpc/spoolss.c:2186 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Tue Dec 20 06:55:45 UTC 2022 on sn-devel-184

Found by ASAN: $ bin/stress-nss-libwbclient ... ==1639426==ERROR: AddressSanitizer: unknown-crash on address 0x7f3907d85000 at pc 0x7f3907d649fb bp 0x7ffc6545f5b0 sp 0x7ffc6545f5a8 READ of size 4 at 0x7f3907d85000 thread T0 #0 0x7f3907d649fa in winbind_close_sock ../../nsswitch/wb_common.c:220 #1 0x7f3907d65866 in winbind_destructor ../../nsswitch/wb_common.c:246 #2 0x7f3907da5d3d in _dl_fini /usr/src/debug/glibc-2.35-20.fc36.x86_64/elf/dl-fini.c:142 #3 0x7f3907241044 in __run_exit_handlers (/lib64/libc.so.6+0x41044) #4 0x7f39072411bf in exit (/lib64/libc.so.6+0x411bf) #5 0x7f3907229516 in __libc_start_call_main (/lib64/libc.so.6+0x29516) #6 0x7f39072295c8 in __libc_start_main_impl (/lib64/libc.so.6+0x295c8) #7 0x56236a2042b4 in _start (/data/git/samba/scratch3/bin/default/nsswitch/stress-nss-libwbclient+0x22b4) Address 0x7f3907d85000 is a wild pointer inside of access range of size 0x000000000004. SUMMARY: AddressSanitizer: unknown-crash ../../nsswitch/wb_common.c:220 in winbind_close_sock The pthread key in wb_global_ctx.key is only initialized if wb_thread_ctx_initialize() is called via get_wb_global_ctx() -> get_wb_thread_ctx(). Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Fri Jan 6 15:04:46 UTC 2023 on sn-devel-184

This function already exists in bind9 but takes different arguments, so when the DLZ is loaded and this function is called bind crashes: named[1523]: samba_dlz: allowing update of signer=DESKTOP-8BUKMBK\$\@AFOREST.AD name=118.101.168.192.in-addr.arpa tcpaddr=192.168.101.118 type=PTR key=1264-ms-7.1-2ac9.9ef238e1-9747-11ed-9f95-525400dc6981/159/0 named[1523]: samba_dlz: allowing update of signer=DESKTOP-8BUKMBK\$\@AFOREST.AD name=118.101.168.192.in-addr.arpa tcpaddr=192.168.101.118 type=PTR key=1264-ms-7.1-2ac9.9ef238e1-9747-11ed-9f95-525400dc6981/159/0 named[1523]: client @0x7f26caa90f68 192.168.101.118#58223/key DESKTOP-8BUKMBK\$\@AFOREST.AD: updating zone '101.168.192.in-addr.arpa/NONE': deleting rrset at '118.101.168.192.in-addr.ar named[1523]: name.c:664: REQUIRE(((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))) failed, back trace Backtrace: #0 0x00007f2716c957ec in __pthread_kill_implementation () from /lib64/libc.so.6 #1 0x00007f2716c42816 in raise () from /lib64/libc.so.6 #2 0x00007f2716c2b81c in abort () from /lib64/libc.so.6 #3 0x000055d4de847995 in assertion_failed (file=<optimized out>, line=<optimized out>, type=<optimized out>, cond=<optimized out>) at /usr/src/debug/bind-9.18.10/bin/named/main.c:237 #4 0x00007f27176388fc in isc_assertion_failed (file=file@entry=0x7f27173b0df6 "name.c", line=line@entry=664, type=type@entry=isc_assertiontype_require, cond=cond@entry=0x7f27173b0268 "((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))") at /usr/src/debug/bind-9.18.10/lib/isc/assertions.c:48 #5 0x00007f27172946f9 in dns_name_equal (name1=<optimized out>, name2=<optimized out>) at /usr/src/debug/bind-9.18.10/lib/dns/name.c:664 **** Here bind's dns_name_equal() is called instead of samba's dns_name_equal() **** #6 0x00007f27077ad6f2 in dns_record_match (rec1=0x7f26f8042d70, rec2=0x7f26f8044d10) at ../../source4/dns_server/dnsserver_common.c:1346 #7 0x00007f271404732c in b9_record_match (rec1=0x7f26f8042d70, rec2=0x7f26f8044d10) at ../../source4/dns_server/dlz_bind9.c:1830 #8 0x00007f2714047daa in dlz_subrdataset (name=0x7f2706ff82f0 "118.101.168.192.in-addr.arpa", rdatastr=0x7f26c9c10000 "118.101.168.192.in-addr.arpa.\t1200\tIN\tPTR\tDESKTOP-8BUKMBK.aforest.ad.", dbdata=0x7f271003d300, version=0x7f26f8044b20) at ../../source4/dns_server/dlz_bind9.c:2077 #9 0x000055d4de84afb4 in dlopen_dlz_subrdataset (name=0x7f2706ff82f0 "118.101.168.192.in-addr.arpa", rdatastr=<optimized out>, driverarg=<optimized out>, dbdata=0x7f270430f680, version=<optimized out>) at /usr/src/debug/bind-9.18.10/bin/named/dlz_dlopen_driver.c:483 #10 0x00007f271738e734 in modrdataset.constprop.0 (db=0x7f2704291740, node=0x7f26c9c006e0, version=0x7f26f8044b20, rdataset=0x7f2706ff8830, mod_function=0x55d4de84af80 <dlopen_dlz_subrdataset>, options=<optimized out>) at /usr/src/debug/bind-9.18.10/lib/dns/sdlz.c:1107 #11 0x00007f2717251855 in diff_apply (diff=diff@entry=0x7f2706ff8df0, db=db@entry=0x7f2704291740, ver=ver@entry=0x7f26f8044b20, warn=warn@entry=true) at /usr/src/debug/bind-9.18.10/lib/dns/diff.c:370 #12 0x00007f2717251c8a in dns_diff_apply (diff=diff@entry=0x7f2706ff8df0, db=db@entry=0x7f2704291740, ver=ver@entry=0x7f26f8044b20) at /usr/src/debug/bind-9.18.10/lib/dns/diff.c:465 #13 0x00007f2717d105aa in do_one_tuple (tuple=tuple@entry=0x7f2706ff8e50, db=db@entry=0x7f2704291740, ver=ver@entry=0x7f26f8044b20, diff=diff@entry=0x7f2706ff9400) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:454 #14 0x00007f2717d10fff in update_one_rr (rdata=0x7f2706ff8ee8, ttl=<optimized out>, name=<optimized out>, op=DNS_DIFFOP_DEL, diff=0x7f2706ff9400, ver=0x7f26f8044b20, db=0x7f2704291740) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:505 #15 delete_if_action (data=<optimized out>, rr=0x7f2706ff8ee0) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:1427 #16 0x00007f2717d10ccd in foreach_rr (db=0x7f2704291740, ver=<optimized out>, name=0x7f26caa61d00, type=<optimized out>, covers=<optimized out>, rr_action=rr_action@entry=0x7f2717d10f60 <delete_if_action>, rr_action_data=0x7f2706ff9280) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:736 #17 0x00007f2717d10e76 in delete_if (predicate=predicate@entry=0x7f2717d0fb10 <true_p>, db=<optimized out>, ver=<optimized out>, name=<optimized out>, type=<optimized out>, covers=<optimized out>, update_rr=0x7f2706ff94b0, diff=0x7f2706ff9400) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:1454 #18 0x00007f2717d1bccd in update_action (task=<optimized out>, event=<optimized out>) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:3299 #19 0x00007f271765eb4c in task_run (task=0x7f27155ccf00) at /usr/src/debug/bind-9.18.10/lib/isc/task.c:823 #20 isc_task_run (task=0x7f27155ccf00) at /usr/src/debug/bind-9.18.10/lib/isc/task.c:904 #21 0x00007f271762cb12 in isc__nm_async_task (worker=0x7f2716236560, ev0=0x7f26caa07000) at netmgr/netmgr.c:840 #22 process_netievent (worker=worker@entry=0x7f2716236560, ievent=0x7f26caa07000) at netmgr/netmgr.c:918 #23 0x00007f271762d197 in process_queue (worker=worker@entry=0x7f2716236560, type=type@entry=NETIEVENT_TASK) at netmgr/netmgr.c:1011 #24 0x00007f271762d3b3 in process_all_queues (worker=0x7f2716236560) at netmgr/netmgr.c:765 #25 async_cb (handle=0x7f27162368c0) at netmgr/netmgr.c:794 #26 0x00007f2717c4cb0d in uv__async_io (loop=0x7f2716236570, w=<optimized out>, events=<optimized out>) at src/unix/async.c:163 #27 0x00007f2717c6825d in uv__io_poll (loop=0x7f2716236570, timeout=<optimized out>) at src/unix/epoll.c:374 #28 0x00007f2717c5247a in uv__io_poll (timeout=<optimized out>, loop=0x7f2716236570) at src/unix/udp.c:122 #29 uv_run (loop=loop@entry=0x7f2716236570, mode=mode@entry=UV_RUN_DEFAULT) at src/unix/core.c:406 #30 0x00007f271762d834 in nm_thread (worker0=0x7f2716236560) at netmgr/netmgr.c:696 #31 0x00007f27176627f5 in isc__trampoline_run (arg=0x55d4dfe3ad70) at /usr/src/debug/bind-9.18.10/lib/isc/trampoline.c:189 #32 0x00007f2716c9398d in start_thread () from /lib64/libc.so.6 #33 0x00007f2716d19344 in clone () from /lib64/libc.so.6 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14030 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Samuel Cabrero <scabrero@samba.org> Autobuild-Date(master): Thu Jan 19 10:20:27 UTC 2023 on atb-devel-224

Otherwise the posix_pending_close_db is NULL and we crash when trying to close a file descriptor: #4 /usr/lib64/samba/libdbwrap-samba4.so(dbwrap_parse_record+0xe) [0x7fbc5d05c8ae] #5 /usr/lib64/samba/libdbwrap-samba4.so(dbwrap_fetch_int32+0x38) [0x7fbc5d05d438] #6 /usr/lib64/samba/libsmbd-base-samba4.so(fd_close_posix+0x7b) [0x7fbc5e276f8b] #7 /usr/lib64/samba/libsmbd-base-samba4.so(+0x57900) [0x7fbc5e28a900] #8 /usr/lib64/samba/libsmbd-base-samba4.so(fd_close+0x68) [0x7fbc5e2b7ea8] #9 /usr/lib64/samba/libsmbd-base-samba4.so(+0x62608) [0x7fbc5e295608] #10 /usr/lib64/samba/libtalloc-samba4.so(_talloc_free+0x51b) [0x7fbc5d9f439b] #11 /usr/lib64/samba/vfs/fruit.so(+0xcac2) [0x7fbc45fcdac2] #12 /usr/lib64/samba/vfs/fruit.so(+0xcbdd) [0x7fbc45fcdbdd] #13 /usr/lib64/samba/vfs/fruit.so(+0xf603) [0x7fbc45fd0603] #14 /usr/lib64/samba/libsmbd-base-samba4.so(+0x56375) [0x7fbc5e289375] #15 /usr/lib64/samba/vfs/nothingtoseeherereally.so(+0x196c) [0x7fbc467f996c] #16 /usr/lib64/samba/vfs/streams_xattr.so(+0x51fc) [0x7fbc461e71fc] #17 /usr/lib64/samba/libsmbd-base-samba4.so(+0xade3a) [0x7fbc5e2e0e3a] #18 /usr/lib64/samba/libsmbd-base-samba4.so(create_conn_struct_cwd+0x44) [0x7fbc5e2e1cf4] #19 /usr/libexec/samba/rpcd_mdssvc(mds_init_ctx+0x2c3) [0x563fdac08f03] #20 /usr/libexec/samba/rpcd_mdssvc(_mdssvc_open+0x141) [0x563fdac0b4d1] The corresponding open is done as part of initializing a connection_struct object, where we chdir() and stat() the root path of the share. The stat() in vfs_fruit causes an expensive metadata request on the path which triggers an internal open of a pathref handle. Note that this only affects servers that have fruit:metadata = netatalk set, which is the default unfortunately. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15354 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri Apr 7 21:12:21 UTC 2023 on atb-devel-224

Otherwise the posix_pending_close_db is NULL and we crash when trying to close a file descriptor: #4 /usr/lib64/samba/libdbwrap-samba4.so(dbwrap_parse_record+0xe) [0x7fbc5d05c8ae] #5 /usr/lib64/samba/libdbwrap-samba4.so(dbwrap_fetch_int32+0x38) [0x7fbc5d05d438] #6 /usr/lib64/samba/libsmbd-base-samba4.so(fd_close_posix+0x7b) [0x7fbc5e276f8b] #7 /usr/lib64/samba/libsmbd-base-samba4.so(+0x57900) [0x7fbc5e28a900] #8 /usr/lib64/samba/libsmbd-base-samba4.so(fd_close+0x68) [0x7fbc5e2b7ea8] #9 /usr/lib64/samba/libsmbd-base-samba4.so(+0x62608) [0x7fbc5e295608] #10 /usr/lib64/samba/libtalloc-samba4.so(_talloc_free+0x51b) [0x7fbc5d9f439b] #11 /usr/lib64/samba/vfs/fruit.so(+0xcac2) [0x7fbc45fcdac2] #12 /usr/lib64/samba/vfs/fruit.so(+0xcbdd) [0x7fbc45fcdbdd] #13 /usr/lib64/samba/vfs/fruit.so(+0xf603) [0x7fbc45fd0603] #14 /usr/lib64/samba/libsmbd-base-samba4.so(+0x56375) [0x7fbc5e289375] #15 /usr/lib64/samba/vfs/nothingtoseeherereally.so(+0x196c) [0x7fbc467f996c] #16 /usr/lib64/samba/vfs/streams_xattr.so(+0x51fc) [0x7fbc461e71fc] #17 /usr/lib64/samba/libsmbd-base-samba4.so(+0xade3a) [0x7fbc5e2e0e3a] #18 /usr/lib64/samba/libsmbd-base-samba4.so(create_conn_struct_cwd+0x44) [0x7fbc5e2e1cf4] #19 /usr/libexec/samba/rpcd_mdssvc(mds_init_ctx+0x2c3) [0x563fdac08f03] #20 /usr/libexec/samba/rpcd_mdssvc(_mdssvc_open+0x141) [0x563fdac0b4d1] The corresponding open is done as part of initializing a connection_struct object, where we chdir() and stat() the root path of the share. The stat() in vfs_fruit causes an expensive metadata request on the path which triggers an internal open of a pathref handle. Note that this only affects servers that have fruit:metadata = netatalk set, which is the default unfortunately. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15354 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri Apr 7 21:12:21 UTC 2023 on atb-devel-224 (cherry picked from commit 3633027) Autobuild-User(v4-17-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-17-test): Fri Apr 14 13:30:54 UTC 2023 on sn-devel-184

Otherwise the posix_pending_close_db is NULL and we crash when trying to close a file descriptor: #4 /usr/lib64/samba/libdbwrap-samba4.so(dbwrap_parse_record+0xe) [0x7fbc5d05c8ae] #5 /usr/lib64/samba/libdbwrap-samba4.so(dbwrap_fetch_int32+0x38) [0x7fbc5d05d438] #6 /usr/lib64/samba/libsmbd-base-samba4.so(fd_close_posix+0x7b) [0x7fbc5e276f8b] #7 /usr/lib64/samba/libsmbd-base-samba4.so(+0x57900) [0x7fbc5e28a900] #8 /usr/lib64/samba/libsmbd-base-samba4.so(fd_close+0x68) [0x7fbc5e2b7ea8] #9 /usr/lib64/samba/libsmbd-base-samba4.so(+0x62608) [0x7fbc5e295608] #10 /usr/lib64/samba/libtalloc-samba4.so(_talloc_free+0x51b) [0x7fbc5d9f439b] #11 /usr/lib64/samba/vfs/fruit.so(+0xcac2) [0x7fbc45fcdac2] #12 /usr/lib64/samba/vfs/fruit.so(+0xcbdd) [0x7fbc45fcdbdd] #13 /usr/lib64/samba/vfs/fruit.so(+0xf603) [0x7fbc45fd0603] #14 /usr/lib64/samba/libsmbd-base-samba4.so(+0x56375) [0x7fbc5e289375] #15 /usr/lib64/samba/vfs/nothingtoseeherereally.so(+0x196c) [0x7fbc467f996c] #16 /usr/lib64/samba/vfs/streams_xattr.so(+0x51fc) [0x7fbc461e71fc] #17 /usr/lib64/samba/libsmbd-base-samba4.so(+0xade3a) [0x7fbc5e2e0e3a] #18 /usr/lib64/samba/libsmbd-base-samba4.so(create_conn_struct_cwd+0x44) [0x7fbc5e2e1cf4] #19 /usr/libexec/samba/rpcd_mdssvc(mds_init_ctx+0x2c3) [0x563fdac08f03] #20 /usr/libexec/samba/rpcd_mdssvc(_mdssvc_open+0x141) [0x563fdac0b4d1] The corresponding open is done as part of initializing a connection_struct object, where we chdir() and stat() the root path of the share. The stat() in vfs_fruit causes an expensive metadata request on the path which triggers an internal open of a pathref handle. Note that this only affects servers that have fruit:metadata = netatalk set, which is the default unfortunately. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15354 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri Apr 7 21:12:21 UTC 2023 on atb-devel-224 (cherry picked from commit 3633027) Autobuild-User(v4-18-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-18-test): Sun Apr 16 16:39:24 UTC 2023 on atb-devel-224

The short version is: Running LOCAL-IDMAP-TDB-COMMON test_getnewid1: PASSED! test_setmap1: PASSED! test_unixid2sid1: PASSED! test_sid2unixid1: could not create uid map! TEST LOCAL-IDMAP-TDB-COMMON FAILED! LOCAL-IDMAP-TDB-COMMON took 0.029819 secs Freed frame ../../source3/torture/torture.c:15748, expected ../../source3/torture/test_idmap_tdb_common.c:986. =============================================================== INTERNAL ERROR: Frame not freed in order. in pid 3692106 (4.19.0pre1-DEVELOPERBUILD) If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting =============================================================== PANIC (pid 3692106): Frame not freed in order. in 4.19.0pre1-DEVELOPERBUILD BACKTRACE: 11 stack frames: #0 bin/shared/private/libgenrand-samba4.so(log_stack_trace+0x32) [0x7f2f39b430ba] #1 bin/shared/private/libgenrand-samba4.so(smb_panic_log+0x1dd) [0x7f2f39b43037] #2 bin/shared/private/libgenrand-samba4.so(smb_panic+0x1c) [0x7f2f39b43056] #3 bin/shared/libsamba-util.so.0(+0x75309) [0x7f2f3a659309] #4 bin/shared/private/libtalloc-samba4.so(+0x5cc6) [0x7f2f3a758cc6] #5 bin/shared/private/libtalloc-samba4.so(+0x6173) [0x7f2f3a759173] #6 bin/shared/private/libtalloc-samba4.so(_talloc_free+0x10c) [0x7f2f3a75a54b] #7 /data/samba/samba-review/bin/smbtorture3(main+0xa97) [0x55cb3dc8cedc] #8 /lib/x86_64-linux-gnu/libc.so.6(+0x29d90) [0x7f2f396d4d90] #9 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x80) [0x7f2f396d4e40] #10 /data/samba/samba-review/bin/smbtorture3(_start+0x25) [0x55cb3dc59895] smb_panic(): calling panic action [/data/samba/samba-review/selftest/gdb_backtrace 3692106] Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>

This function already exists in bind9 but takes different arguments, so when the DLZ is loaded and this function is called bind crashes: named[1523]: samba_dlz: allowing update of signer=DESKTOP-8BUKMBK\$\@AFOREST.AD name=118.101.168.192.in-addr.arpa tcpaddr=192.168.101.118 type=PTR key=1264-ms-7.1-2ac9.9ef238e1-9747-11ed-9f95-525400dc6981/159/0 named[1523]: samba_dlz: allowing update of signer=DESKTOP-8BUKMBK\$\@AFOREST.AD name=118.101.168.192.in-addr.arpa tcpaddr=192.168.101.118 type=PTR key=1264-ms-7.1-2ac9.9ef238e1-9747-11ed-9f95-525400dc6981/159/0 named[1523]: client @0x7f26caa90f68 192.168.101.118#58223/key DESKTOP-8BUKMBK\$\@AFOREST.AD: updating zone '101.168.192.in-addr.arpa/NONE': deleting rrset at '118.101.168.192.in-addr.ar named[1523]: name.c:664: REQUIRE(((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))) failed, back trace Backtrace: #0 0x00007f2716c957ec in __pthread_kill_implementation () from /lib64/libc.so.6 #1 0x00007f2716c42816 in raise () from /lib64/libc.so.6 #2 0x00007f2716c2b81c in abort () from /lib64/libc.so.6 #3 0x000055d4de847995 in assertion_failed (file=<optimized out>, line=<optimized out>, type=<optimized out>, cond=<optimized out>) at /usr/src/debug/bind-9.18.10/bin/named/main.c:237 #4 0x00007f27176388fc in isc_assertion_failed (file=file@entry=0x7f27173b0df6 "name.c", line=line@entry=664, type=type@entry=isc_assertiontype_require, cond=cond@entry=0x7f27173b0268 "((name1) != ((void *)0) && ((const isc__magic_t *)(name1))->magic == ((('D') << 24 | ('N') << 16 | ('S') << 8 | ('n'))))") at /usr/src/debug/bind-9.18.10/lib/isc/assertions.c:48 #5 0x00007f27172946f9 in dns_name_equal (name1=<optimized out>, name2=<optimized out>) at /usr/src/debug/bind-9.18.10/lib/dns/name.c:664 **** Here bind's dns_name_equal() is called instead of samba's dns_name_equal() **** #6 0x00007f27077ad6f2 in dns_record_match (rec1=0x7f26f8042d70, rec2=0x7f26f8044d10) at ../../source4/dns_server/dnsserver_common.c:1346 #7 0x00007f271404732c in b9_record_match (rec1=0x7f26f8042d70, rec2=0x7f26f8044d10) at ../../source4/dns_server/dlz_bind9.c:1830 #8 0x00007f2714047daa in dlz_subrdataset (name=0x7f2706ff82f0 "118.101.168.192.in-addr.arpa", rdatastr=0x7f26c9c10000 "118.101.168.192.in-addr.arpa.\t1200\tIN\tPTR\tDESKTOP-8BUKMBK.aforest.ad.", dbdata=0x7f271003d300, version=0x7f26f8044b20) at ../../source4/dns_server/dlz_bind9.c:2077 #9 0x000055d4de84afb4 in dlopen_dlz_subrdataset (name=0x7f2706ff82f0 "118.101.168.192.in-addr.arpa", rdatastr=<optimized out>, driverarg=<optimized out>, dbdata=0x7f270430f680, version=<optimized out>) at /usr/src/debug/bind-9.18.10/bin/named/dlz_dlopen_driver.c:483 #10 0x00007f271738e734 in modrdataset.constprop.0 (db=0x7f2704291740, node=0x7f26c9c006e0, version=0x7f26f8044b20, rdataset=0x7f2706ff8830, mod_function=0x55d4de84af80 <dlopen_dlz_subrdataset>, options=<optimized out>) at /usr/src/debug/bind-9.18.10/lib/dns/sdlz.c:1107 #11 0x00007f2717251855 in diff_apply (diff=diff@entry=0x7f2706ff8df0, db=db@entry=0x7f2704291740, ver=ver@entry=0x7f26f8044b20, warn=warn@entry=true) at /usr/src/debug/bind-9.18.10/lib/dns/diff.c:370 #12 0x00007f2717251c8a in dns_diff_apply (diff=diff@entry=0x7f2706ff8df0, db=db@entry=0x7f2704291740, ver=ver@entry=0x7f26f8044b20) at /usr/src/debug/bind-9.18.10/lib/dns/diff.c:465 #13 0x00007f2717d105aa in do_one_tuple (tuple=tuple@entry=0x7f2706ff8e50, db=db@entry=0x7f2704291740, ver=ver@entry=0x7f26f8044b20, diff=diff@entry=0x7f2706ff9400) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:454 #14 0x00007f2717d10fff in update_one_rr (rdata=0x7f2706ff8ee8, ttl=<optimized out>, name=<optimized out>, op=DNS_DIFFOP_DEL, diff=0x7f2706ff9400, ver=0x7f26f8044b20, db=0x7f2704291740) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:505 #15 delete_if_action (data=<optimized out>, rr=0x7f2706ff8ee0) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:1427 #16 0x00007f2717d10ccd in foreach_rr (db=0x7f2704291740, ver=<optimized out>, name=0x7f26caa61d00, type=<optimized out>, covers=<optimized out>, rr_action=rr_action@entry=0x7f2717d10f60 <delete_if_action>, rr_action_data=0x7f2706ff9280) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:736 #17 0x00007f2717d10e76 in delete_if (predicate=predicate@entry=0x7f2717d0fb10 <true_p>, db=<optimized out>, ver=<optimized out>, name=<optimized out>, type=<optimized out>, covers=<optimized out>, update_rr=0x7f2706ff94b0, diff=0x7f2706ff9400) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:1454 #18 0x00007f2717d1bccd in update_action (task=<optimized out>, event=<optimized out>) at /usr/src/debug/bind-9.18.10/lib/ns/update.c:3299 #19 0x00007f271765eb4c in task_run (task=0x7f27155ccf00) at /usr/src/debug/bind-9.18.10/lib/isc/task.c:823 #20 isc_task_run (task=0x7f27155ccf00) at /usr/src/debug/bind-9.18.10/lib/isc/task.c:904 #21 0x00007f271762cb12 in isc__nm_async_task (worker=0x7f2716236560, ev0=0x7f26caa07000) at netmgr/netmgr.c:840 #22 process_netievent (worker=worker@entry=0x7f2716236560, ievent=0x7f26caa07000) at netmgr/netmgr.c:918 #23 0x00007f271762d197 in process_queue (worker=worker@entry=0x7f2716236560, type=type@entry=NETIEVENT_TASK) at netmgr/netmgr.c:1011 #24 0x00007f271762d3b3 in process_all_queues (worker=0x7f2716236560) at netmgr/netmgr.c:765 #25 async_cb (handle=0x7f27162368c0) at netmgr/netmgr.c:794 #26 0x00007f2717c4cb0d in uv__async_io (loop=0x7f2716236570, w=<optimized out>, events=<optimized out>) at src/unix/async.c:163 #27 0x00007f2717c6825d in uv__io_poll (loop=0x7f2716236570, timeout=<optimized out>) at src/unix/epoll.c:374 #28 0x00007f2717c5247a in uv__io_poll (timeout=<optimized out>, loop=0x7f2716236570) at src/unix/udp.c:122 #29 uv_run (loop=loop@entry=0x7f2716236570, mode=mode@entry=UV_RUN_DEFAULT) at src/unix/core.c:406 #30 0x00007f271762d834 in nm_thread (worker0=0x7f2716236560) at netmgr/netmgr.c:696 #31 0x00007f27176627f5 in isc__trampoline_run (arg=0x55d4dfe3ad70) at /usr/src/debug/bind-9.18.10/lib/isc/trampoline.c:189 #32 0x00007f2716c9398d in start_thread () from /lib64/libc.so.6 #33 0x00007f2716d19344 in clone () from /lib64/libc.so.6 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14030 Signed-off-by: Samuel Cabrero <scabrero@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Autobuild-User(master): Samuel Cabrero <scabrero@samba.org> Autobuild-Date(master): Thu Jan 19 10:20:27 UTC 2023 on atb-devel-224 (cherry picked from commit fcecdfa)

[2023/06/16 16:30:18.677249, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/cmdline/cmdline.c:56(_samba_cmdline_talloc_log) Bad talloc magic value - unknown value [2023/06/16 16:30:18.677374, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:173(smb_panic_log) =============================================================== [2023/06/16 16:30:18.677388, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:177(smb_panic_log) INTERNAL ERROR: Bad talloc magic value - unknown value in pid 28112 (4.18.3) [2023/06/16 16:30:18.677398, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:182(smb_panic_log) If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting [2023/06/16 16:30:18.677408, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:183(smb_panic_log) =============================================================== [2023/06/16 16:30:18.677420, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:185(smb_panic_log) PANIC (pid 28112): Bad talloc magic value - unknown value in 4.18.3 [2023/06/16 16:30:18.677698, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:293(log_stack_trace) BACKTRACE: 22 stack frames: #0 /usr/lib64/samba/libgenrand-samba4.so(log_stack_trace+0x34) [0x7fcc04ad35d4] #1 /usr/lib64/samba/libgenrand-samba4.so(smb_panic+0xd) [0x7fcc04ad382d] #2 /lib64/libtalloc.so.2(+0x3121) [0x7fcc04650121] #3 /usr/sbin/winbindd(_wbint_InitConnection+0xe8) [0x55aa1fd79028] #4 /usr/sbin/winbindd(+0x59488) [0x55aa1fd7e488] #5 /lib64/libdcerpc-server-core.so.0(dcesrv_call_dispatch_local+0x69) [0x7fcc05890469] #6 /usr/sbin/winbindd(winbindd_dual_ndrcmd+0x3c5) [0x55aa1fd762d5] #7 /usr/sbin/winbindd(+0x4d664) [0x55aa1fd72664] #8 /lib64/libtevent.so.0(tevent_common_invoke_fd_handler+0x97) [0x7fcc03d2e707] #9 /lib64/libtevent.so.0(+0xef4f) [0x7fcc03d34f4f] #10 /lib64/libtevent.so.0(+0xcf5b) [0x7fcc03d32f5b] #11 /lib64/libtevent.so.0(_tevent_loop_once+0x95) [0x7fcc03d2d9b5] #12 /usr/sbin/winbindd(+0x4fd14) [0x55aa1fd74d14] #13 /usr/sbin/winbindd(+0x505cd) [0x55aa1fd755cd] #14 /lib64/libtevent.so.0(tevent_common_invoke_immediate_handler+0x182) [0x7fcc03d2ec72] #15 /lib64/libtevent.so.0(tevent_common_loop_immediate+0x27) [0x7fcc03d2eca7] #16 /lib64/libtevent.so.0(+0xed2f) [0x7fcc03d34d2f] #17 /lib64/libtevent.so.0(+0xcf5b) [0x7fcc03d32f5b] #18 /lib64/libtevent.so.0(_tevent_loop_once+0x95) [0x7fcc03d2d9b5] #19 /usr/sbin/winbindd(main+0xd34) [0x55aa1fd402f4] #20 /lib64/libc.so.6(__libc_start_main+0xe5) [0x7fcc0339dd85] #21 /usr/sbin/winbindd(_start+0x2e) [0x55aa1fd40e8e] [2023/06/16 16:30:18.677828, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../source3/lib/dumpcore.c:318(dump_core) coredump is handled by helper binary specified at /proc/sys/kernel/core_pattern BUG: https://bugzilla.samba.org/show_bug.cgi?id=15398 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Jun 20 11:07:45 UTC 2023 on atb-devel-224

[2023/06/16 16:30:18.677249, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/cmdline/cmdline.c:56(_samba_cmdline_talloc_log) Bad talloc magic value - unknown value [2023/06/16 16:30:18.677374, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:173(smb_panic_log) =============================================================== [2023/06/16 16:30:18.677388, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:177(smb_panic_log) INTERNAL ERROR: Bad talloc magic value - unknown value in pid 28112 (4.18.3) [2023/06/16 16:30:18.677398, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:182(smb_panic_log) If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting [2023/06/16 16:30:18.677408, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:183(smb_panic_log) =============================================================== [2023/06/16 16:30:18.677420, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:185(smb_panic_log) PANIC (pid 28112): Bad talloc magic value - unknown value in 4.18.3 [2023/06/16 16:30:18.677698, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../lib/util/fault.c:293(log_stack_trace) BACKTRACE: 22 stack frames: #0 /usr/lib64/samba/libgenrand-samba4.so(log_stack_trace+0x34) [0x7fcc04ad35d4] #1 /usr/lib64/samba/libgenrand-samba4.so(smb_panic+0xd) [0x7fcc04ad382d] #2 /lib64/libtalloc.so.2(+0x3121) [0x7fcc04650121] #3 /usr/sbin/winbindd(_wbint_InitConnection+0xe8) [0x55aa1fd79028] #4 /usr/sbin/winbindd(+0x59488) [0x55aa1fd7e488] #5 /lib64/libdcerpc-server-core.so.0(dcesrv_call_dispatch_local+0x69) [0x7fcc05890469] #6 /usr/sbin/winbindd(winbindd_dual_ndrcmd+0x3c5) [0x55aa1fd762d5] #7 /usr/sbin/winbindd(+0x4d664) [0x55aa1fd72664] #8 /lib64/libtevent.so.0(tevent_common_invoke_fd_handler+0x97) [0x7fcc03d2e707] #9 /lib64/libtevent.so.0(+0xef4f) [0x7fcc03d34f4f] #10 /lib64/libtevent.so.0(+0xcf5b) [0x7fcc03d32f5b] #11 /lib64/libtevent.so.0(_tevent_loop_once+0x95) [0x7fcc03d2d9b5] #12 /usr/sbin/winbindd(+0x4fd14) [0x55aa1fd74d14] #13 /usr/sbin/winbindd(+0x505cd) [0x55aa1fd755cd] #14 /lib64/libtevent.so.0(tevent_common_invoke_immediate_handler+0x182) [0x7fcc03d2ec72] #15 /lib64/libtevent.so.0(tevent_common_loop_immediate+0x27) [0x7fcc03d2eca7] #16 /lib64/libtevent.so.0(+0xed2f) [0x7fcc03d34d2f] #17 /lib64/libtevent.so.0(+0xcf5b) [0x7fcc03d32f5b] #18 /lib64/libtevent.so.0(_tevent_loop_once+0x95) [0x7fcc03d2d9b5] #19 /usr/sbin/winbindd(main+0xd34) [0x55aa1fd402f4] #20 /lib64/libc.so.6(__libc_start_main+0xe5) [0x7fcc0339dd85] #21 /usr/sbin/winbindd(_start+0x2e) [0x55aa1fd40e8e] [2023/06/16 16:30:18.677828, 0, pid=28112, effective(0, 0), real(0, 0), traceid=35] ../../source3/lib/dumpcore.c:318(dump_core) coredump is handled by helper binary specified at /proc/sys/kernel/core_pattern BUG: https://bugzilla.samba.org/show_bug.cgi?id=15398 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> (cherry picked from commit d34ff44) Autobuild-User(v4-18-test): Jule Anger <janger@samba.org> Autobuild-Date(v4-18-test): Fri Jun 23 13:01:17 UTC 2023 on atb-devel-224

==395==ERROR: LeakSanitizer: detected memory leaks Direct leak of 96 byte(s) in 1 object(s) allocated from: #0 0x7f4c5dedc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: b10bafa0ba3304197db35cc24e0024cb0492168a) #1 0x7f4c5d252b3e in __talloc_with_prefix ../../lib/talloc/talloc.c:783 #2 0x7f4c5d2543cc in __talloc ../../lib/talloc/talloc.c:825 #3 0x7f4c5d2543cc in _talloc_named_const ../../lib/talloc/talloc.c:982 #4 0x7f4c5d2543cc in talloc_named_const ../../lib/talloc/talloc.c:1751 #5 0x7f4c504acc53 in partition_metadata_get_uint64 ../../source4/dsdb/samdb/ldb_modules/partition_metadata.c:50 #6 0x7f4c504add29 in partition_metadata_sequence_number_increment ../../source4/dsdb/samdb/ldb_modules/partition_metadata.c:398 #7 0x7f4c504a66aa in partition_sequence_number ../../source4/dsdb/samdb/ldb_modules/partition.c:1401 #8 0x7f4c504a66aa in partition_extended ../../source4/dsdb/samdb/ldb_modules/partition.c:1680 #9 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #10 0x7f4c503980c8 in replmd_extended ../../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:8455 #11 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #12 0x7f4c502fae5c in samldb_extended ../../source4/dsdb/samdb/ldb_modules/samldb.c:5718 #13 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #14 0x7f4c52f0b94c in acl_extended ../../source4/dsdb/samdb/ldb_modules/acl.c:2854 #15 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #16 0x7f4c52eb019c in descriptor_extended ../../source4/dsdb/samdb/ldb_modules/descriptor.c:1450 #17 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #18 0x7f4c52ed8687 in log_extended ../../source4/dsdb/samdb/ldb_modules/audit_log.c:1824 #19 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #20 0x7f4c505aa337 in unlazy_op ../../source4/dsdb/samdb/ldb_modules/lazy_commit.c:40 #21 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #22 0x7f4c502d0f82 in schema_load_extended ../../source4/dsdb/samdb/ldb_modules/schema_load.c:593 #23 0x7f4c5c498c44 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:559 #24 0x7f4c5035a010 in rootdse_extended ../../source4/dsdb/samdb/ldb_modules/rootdse.c:1780 #25 0x7f4c5c4914ef in ldb_request ../../lib/ldb/common/ldb.c:1244 #26 0x7f4c5c492a2d in ldb_extended ../../lib/ldb/common/ldb.c:1714 #27 0x7f4c5c492bdf in ldb_sequence_number ../../lib/ldb/common/ldb.c:1943 #28 0x7f4c503a9abd in replmd_add ../../source4/dsdb/samdb/ldb_modules/repl_meta_data.c:1316 #29 0x7f4c5c4989f4 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:543 #30 0x7f4c50458783 in rdn_name_add ../../lib/ldb/modules/rdn_name.c:206 #31 0x7f4c5c4989f4 in ldb_next_request ../../lib/ldb/common/ldb_modules.c:543 #32 0x7f4c504f4852 in attr_handler ../../source4/dsdb/samdb/ldb_modules/objectclass_attrs.c:334 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org>

Indirect leak of 496 byte(s) in 1 object(s) allocated from: #0 0x7ffb062dc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0) #1 0x7ffb06025b3e in __talloc_with_prefix ../../lib/talloc/talloc.c:783 #2 0x7ffb06027512 in __talloc ../../lib/talloc/talloc.c:825 #3 0x7ffb06027512 in _talloc_named_const ../../lib/talloc/talloc.c:982 #4 0x7ffb06027512 in _talloc_zero ../../lib/talloc/talloc.c:2421 #5 0x7ffb05a0332c in samu_new ../../source3/passdb/passdb.c:63 #6 0x7ffb05a2031f in pdb_getsampwnam ../../source3/passdb/pdb_interface.c:351 #7 0x7ffb05a0540b in local_password_change ../../source3/passdb/passdb.c:752 #8 0x56291ddd4b8b in password_change ../../source3/utils/smbpasswd.c:273 #9 0x56291ddd5b59 in process_root ../../source3/utils/smbpasswd.c:478 #10 0x56291ddd5b59 in main ../../source3/utils/smbpasswd.c:661 #11 0x7ffb024281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Commit e07f890 broke handling of NT4 domains which lack a DNS domain names. As the dns_name is NULL, talloc_steal(dns_name) returns NULL, which causes _wbint_ListTrustedDomains to return NT_STATUS_NO_MEMORY. To make things worse, at that point the new struct netr_DomainTrust is not yet initialized correctly and the "out->count = n + 1" already increased the array counter at the start of the loop without initializing it. Later when NDR-pushing the result in dcesrv_call_dispatch_local(), the ndr_push() can crash when accesssing the ununitialized values: 2023-12-08T14:07:42.759691+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: =============================================================== 2023-12-08T14:07:42.759702+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: INTERNAL ERROR: Signal 11: Segmentation fault in winbindd (wb[ADDOMAIN]) (domain child [ADDOMAIN]) pid 157227 (4.20.0pre1-DEVELOPERBUILD) 2023-12-08T14:07:42.759712+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting 2023-12-08T14:07:42.759723+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: =============================================================== 2023-12-08T14:07:42.759730+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: PANIC (pid 157227): Signal 11: Segmentation fault in 4.20.0pre1-DEVELOPERBUILD 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: BACKTRACE: 36 stack frames: 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #0 bin/shared/private/libgenrand-samba4.so(log_stack_trace+0x1f) [0x7f1396acd441] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #1 bin/shared/private/libgenrand-samba4.so(smb_panic_log+0x20f) [0x7f1396acd3d5] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #2 bin/shared/private/libgenrand-samba4.so(smb_panic+0x18) [0x7f1396acd3f0] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #3 bin/shared/private/libgenrand-samba4.so(+0x2eb5) [0x7f1396acceb5] 92023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #4 bin/shared/private/libgenrand-samba4.so(+0x2eca) [0x7f1396acceca] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #5 /lib64/libc.so.6(+0x3dbb0) [0x7f139687abb0] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #6 bin/shared/private/libsamba-security-samba4.so(ndr_push_dom_sid2+0x2a) [0x7f13977e5437] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #7 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrust+0x4ad) [0x7f1396deb64c] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #8 bin/shared/libndr-standard.so.0(ndr_push_netr_DomainTrustList+0x204) [0x7f1396dec7a9] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #9 bin/shared/private/libndr-samba4.so(+0x239bf9) [0x7f1397639bf9] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #10 winbindd: domain child [ADDOMAIN](winbind__op_ndr_push+0x5a) [0x55741e6857a8] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #11 bin/shared/libdcerpc-server-core.so.0(dcesrv_call_dispatch_local+0x49b) [0x7f1397be6219] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #12 winbindd: domain child [ADDOMAIN](winbindd_dual_ndrcmd+0x375) [0x55741e67a204] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #13 winbindd: domain child [ADDOMAIN](+0x9cf0d) [0x55741e674f0d] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #14 winbindd: domain child [ADDOMAIN](+0x9f792) [0x55741e677792] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #15 bin/shared/private/libtevent-samba4.so(tevent_common_invoke_fd_handler+0x121) [0x7f139802f816] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #16 bin/shared/private/libtevent-samba4.so(+0x19cef) [0x7f139803bcef] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #17 bin/shared/private/libtevent-samba4.so(+0x1a3dc) [0x7f139803c3dc] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #18 bin/shared/private/libtevent-samba4.so(+0x15b52) [0x7f1398037b52] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #19 bin/shared/private/libtevent-samba4.so(_tevent_loop_once+0x113) [0x7f139802e1db] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #20 winbindd: domain child [ADDOMAIN](+0xa03ca) [0x55741e6783ca] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #21 winbindd: domain child [ADDOMAIN](+0x9ba9c) [0x55741e673a9c] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #22 bin/shared/private/libtevent-samba4.so(_tevent_req_notify_callback+0xba) [0x7f139803194a] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #23 bin/shared/private/libtevent-samba4.so(+0xfadb) [0x7f1398031adb] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #24 bin/shared/private/libtevent-samba4.so(_tevent_req_done+0x25) [0x7f1398031b07] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #25 bin/shared/private/libtevent-samba4.so(+0xf125) [0x7f1398031125] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #26 bin/shared/private/libtevent-samba4.so(+0xe9cf) [0x7f13980309cf] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #27 bin/shared/private/libtevent-samba4.so(tevent_common_invoke_immediate_handler+0x207) [0x7f1398030343] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #28 bin/shared/private/libtevent-samba4.so(tevent_common_loop_immediate+0x37) [0x7f13980304b5] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #29 bin/shared/private/libtevent-samba4.so(+0x1a332) [0x7f139803c332] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #30 bin/shared/private/libtevent-samba4.so(+0x15b52) [0x7f1398037b52] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #31 bin/shared/private/libtevent-samba4.so(_tevent_loop_once+0x113) [0x7f139802e1db] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #32 winbindd: domain child [ADDOMAIN](main+0x1689) [0x55741e6b210a] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #33 /lib64/libc.so.6(+0x27b8a) [0x7f1396864b8a] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #34 /lib64/libc.so.6(__libc_start_main+0x8b) [0x7f1396864c4b] 2023-12-08T14:07:42.760443+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: #35 winbindd: domain child [ADDOMAIN](_start+0x25) [0x55741e63a045] 2023-12-08T14:07:42.760685+00:00 localadmember.addom.samba.example.com log.winbindd[157227]: smb_panic(): calling panic action [cd /data/git/samba/scratch3 && /data/git/samba/scratch3/selftest/gdb_backtrace 157227 ./bin/winbindd] Deferring assignment of r->out.domains->array and r->out.domains->count to the end of the function ensures we don't return inconsistent state in case of an error. Also, r->out.domains is already set by the NDR layer, no need to create and assign a struct netr_DomainTrustList object. Using talloc_move() ensures we don't leave dangling pointers. Better to crash reliably on accessing NULL, then accessing some unknown memory via a wild pointer. As talloc_move() can't fail, there's no need to check the return value. And using a struct initializer ensures all members are properly initialized. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15533 Signed-off-by: Ralph Boehme <slow@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Sat Jan 20 14:23:51 UTC 2024 on atb-devel-224

==19938==ERROR: LeakSanitizer: detected memory leaks Direct leak of 77 byte(s) in 1 object(s) allocated from: #0 0x7f7d482841f8 in strdup (/lib64/libasan.so.8+0x841f8) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0) #1 0x7f7d47204846 (bin/shared/libsamba-util.so.0+0x4c846) (BuildId: 43b084eb9013442ac68eb1fc17649f142cbb0f94) #2 0x7f7d40b1d97a in pdb_init_tdbsam ../../source3/passdb/pdb_tdb.c:1361 #3 0x7f7d4715f266 (bin/shared/libsamba-passdb.so.0+0x76266) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733) #4 0x7f7d4715f57a (bin/shared/libsamba-passdb.so.0+0x7657a) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733) #5 0x7f7d47163700 (bin/shared/libsamba-passdb.so.0+0x7a700) (BuildId: 13d2858e2217592a22a4ee9203fef759d52df733) #6 0x55a9177d3853 in main ../../source3/smbd/server.c:1928 #7 0x7f7d434281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>

Indirect leak of 291 byte(s) in 2 object(s) allocated from: #0 0x7fd77b6dc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0) #1 0x7fd77b094bc2 in __talloc_with_prefix ../../lib/talloc/talloc.c:783 #2 0x7fd77b096034 in __talloc ../../lib/talloc/talloc.c:825 #3 0x7fd77b096034 in __talloc_strlendup ../../lib/talloc/talloc.c:2454 #4 0x7fd77b096034 in talloc_strdup ../../lib/talloc/talloc.c:2470 #5 0x7fd779996633 in add_string_to_array ../../lib/util/util_strlist.c:504 #6 0x7fd77b10c754 in ads_create_machine_acct ../../source3/libads/ldap.c:2662 #7 0x7fd77b46705f in libnet_join_precreate_machine_acct ../../source3/libnet/libnet_join.c:390 #8 0x7fd77b46705f in libnet_DomainJoin ../../source3/libnet/libnet_join.c:2852 #9 0x7fd77b46705f in libnet_Join ../../source3/libnet/libnet_join.c:3036 #10 0x55fb9788d91a in net_ads_join ../../source3/utils/net_ads.c:1853 #11 0x55fb9793ab86 in net_join ../../source3/utils/net_join.c:45 #12 0x55fb9793084f in net_run_function ../../source3/utils/net_util.c:454 #13 0x55fb97889859 in main ../../source3/utils/net.c:1372 #14 0x7fd7768281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>

Direct leak of 68 byte(s) in 1 object(s) allocated from: #0 0x7f4f39cdc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0) #1 0x7f4f36fbe427 in malloc_ ../../source3/lib/util_malloc.c:38 #2 0x7f4f394b5e19 in pdb_generate_sam_sid ../../source3/passdb/machine_sid.c:90 #3 0x7f4f394b5e19 in get_global_sam_sid ../../source3/passdb/machine_sid.c:211 #4 0x7f4f394af366 in secrets_store_domain_sid ../../source3/passdb/machine_account_secrets.c:143 #5 0x7f4f394b5eb5 in pdb_generate_sam_sid ../../source3/passdb/machine_sid.c:110 #6 0x7f4f394b5eb5 in get_global_sam_sid ../../source3/passdb/machine_sid.c:211 #7 0x7f4f394af366 in secrets_store_domain_sid ../../source3/passdb/machine_account_secrets.c:143 #8 0x557a1f11d62c in net_setlocalsid ../../source3/utils/net.c:416 #9 0x557a1f1c9972 in net_run_function ../../source3/utils/net_util.c:464 #10 0x557a1f121129 in main ../../source3/utils/net.c:1372 #11 0x7f4f34c281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Jan 23 14:30:58 UTC 2024 on atb-devel-224

Direct leak of 885 byte(s) in 1 object(s) allocated from: #0 0x7f261b8dc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0) #1 0x7f261b2c2bc2 in __talloc_with_prefix ../../lib/talloc/talloc.c:783 #2 0x7f261b2c543c in _talloc_pool ../../lib/talloc/talloc.c:838 #3 0x7f261b2c543c in _talloc_pooled_object ../../lib/talloc/talloc.c:906 #4 0x7f261a69cac9 in __tevent_req_create ../../lib/tevent/tevent_req.c:98 #5 0x7f261a75bf55 in cli_full_connection_creds_send ../../source3/libsmb/cliconnect.c:3455 #6 0x7f261a75c4b7 in cli_full_connection_creds ../../source3/libsmb/cliconnect.c:3818 #7 0x7f261b70d39f in libnet_join_connect_dc_ipc ../../source3/libnet/libnet_join.c:1146 #8 0x7f261b715794 in libnet_join_lookup_dc_rpc ../../source3/libnet/libnet_join.c:1188 #9 0x7f261b715794 in libnet_DomainJoin ../../source3/libnet/libnet_join.c:2812 #10 0x7f261b715794 in libnet_Join ../../source3/libnet/libnet_join.c:3040 #11 0x555bd93671ea in net_ads_join ../../source3/utils/net_ads.c:1855 #12 0x555bd9415ca9 in net_join ../../source3/utils/net_join.c:45 #13 0x555bd940b972 in net_run_function ../../source3/utils/net_util.c:464 #14 0x555bd9363129 in main ../../source3/utils/net.c:1372 #15 0x7f2616a281af in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org>

Indirect leak of 792 byte(s) in 1 object(s) allocated from: #0 0x7f261b8dc03f in malloc (/lib64/libasan.so.8+0xdc03f) (BuildId: 3e1694ad218c99a8b1b69231666a27df63cf19d0) #1 0x7f261b2c2bc2 in __talloc_with_prefix ../../lib/talloc/talloc.c:783 #2 0x7f261b2c473d in __talloc ../../lib/talloc/talloc.c:825 #3 0x7f261b2c473d in _talloc_named_const ../../lib/talloc/talloc.c:982 #4 0x7f261b2c473d in _talloc_zero ../../lib/talloc/talloc.c:2421 #5 0x7f2618cb42bc in smbXcli_conn_create ../../libcli/smb/smbXcli_base.c:350 #6 0x7f261a74acd3 in cli_state_create ../../source3/libsmb/clientgen.c:196 #7 0x7f261a751f0d in cli_connect_nb_done ../../source3/libsmb/cliconnect.c:2715 #8 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #9 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #10 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #11 0x7f261a752dde in cli_connect_sock_done ../../source3/libsmb/cliconnect.c:2624 #12 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #13 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #14 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #15 0x7f261a7ba2c4 in smbsock_any_connect_connected ../../source3/libsmb/smbsock_connect.c:788 #16 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #17 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #18 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #19 0x7f261a7b75ad in smbsock_connect_connected ../../source3/libsmb/smbsock_connect.c:524 #20 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #21 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #22 0x7f261a69bd6e in _tevent_req_done ../../lib/tevent/tevent_req.c:240 #23 0x7f261b4b400a in open_socket_out_connected ../../source3/lib/util_sock.c:484 #24 0x7f261a69bacf in _tevent_req_notify_callback ../../lib/tevent/tevent_req.c:177 #25 0x7f261a69bd06 in tevent_req_finish ../../lib/tevent/tevent_req.c:234 #26 0x7f261a69be3e in tevent_req_trigger ../../lib/tevent/tevent_req.c:291 #27 0x7f261a699df4 in tevent_common_invoke_immediate_handler ../../lib/tevent/tevent_immediate.c:190 #28 0x7f261a699e31 in tevent_common_loop_immediate ../../lib/tevent/tevent_immediate.c:236 #29 0x7f261a6ad3ec in epoll_event_loop_once ../../lib/tevent/tevent_epoll.c:905 #30 0x7f261a6a679e in std_event_loop_once ../../lib/tevent/tevent_standard.c:110 #31 0x7f261a696538 in _tevent_loop_once ../../lib/tevent/tevent.c:820 Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> Autobuild-User(master): Volker Lendecke <vl@samba.org> Autobuild-Date(master): Mon Apr 29 09:48:47 UTC 2024 on atb-devel-224

==20978==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f4f91ff51a0 at pc 0x7f4f94cf93d6 bp 0x7ffdb90fc510 sp 0x7ffdb90fbcd0 READ of size 64 at 0x7f4f91ff51a0 thread T0 #0 0x7f4f94cf93d5 in memcpy ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors_memintrinsics.inc:115 #1 0x7f4f933bdb67 in ldb_val_dup ../../lib/ldb/common/ldb_msg.c:325 #2 0x7f4f933c11d1 in ldb_msg_copy ../../lib/ldb/common/ldb_msg.c:1182 #3 0x7f4f933c13d2 in ldb_msg_normalize ../../lib/ldb/common/ldb_msg.c:1235 #4 0x7f4f933ab556 in ldb_request ../../lib/ldb/common/ldb.c:1196 #5 0x7f4f8e82b1d4 in dsdb_autotransaction_request ../../source4/dsdb/common/util.c:1220 #6 0x7f4f8e831c8a in dsdb_add ../../source4/dsdb/common/util.c:5354 #7 0x7f4f8e853a01 in gkdi_create_root_key ../../source4/dsdb/gmsa/gkdi.c:493 #8 0x7f4f8e853a01 in gkdi_new_root_key ../../source4/dsdb/gmsa/gkdi.c:551 #9 0x7f4f8cd4ca52 in py_dsdb_create_gkdi_root_key ../../source4/dsdb/pydsdb.c:1388 #10 0x7f4f947ce01c (/lib64/libpython3.11.so.1.0+0x1ce01c) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #11 0x7f4f947de4c0 in _PyObject_Call (/lib64/libpython3.11.so.1.0+0x1de4c0) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #12 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #13 0x7f4f947b6e79 (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #14 0x7f4f947de5d8 (/lib64/libpython3.11.so.1.0+0x1de5d8) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #15 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #16 0x7f4f947b6e79 (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #17 0x7f4f947edabb (/lib64/libpython3.11.so.1.0+0x1edabb) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #18 0x7f4f947de5d8 (/lib64/libpython3.11.so.1.0+0x1de5d8) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #19 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #20 0x7f4f947b6e79 (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #21 0x7f4f947ed9fb (/lib64/libpython3.11.so.1.0+0x1ed9fb) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #22 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #23 0x7f4f947b6e79 (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #24 0x7f4f947be6ca in _PyEval_EvalFrameDefault (/lib64/libpython3.11.so.1.0+0x1be6ca) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #25 0x7f4f947b6e79 (/lib64/libpython3.11.so.1.0+0x1b6e79) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #26 0x7f4f94839997 in PyEval_EvalCode (/lib64/libpython3.11.so.1.0+0x239997) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #27 0x7f4f94856862 (/lib64/libpython3.11.so.1.0+0x256862) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #28 0x7f4f94852e59 (/lib64/libpython3.11.so.1.0+0x252e59) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #29 0x7f4f94868fb1 (/lib64/libpython3.11.so.1.0+0x268fb1) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #30 0x7f4f948687a3 in _PyRun_SimpleFileObject (/lib64/libpython3.11.so.1.0+0x2687a3) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #31 0x7f4f94868453 in _PyRun_AnyFileObject (/lib64/libpython3.11.so.1.0+0x268453) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #32 0x7f4f94861c53 in Py_RunMain (/lib64/libpython3.11.so.1.0+0x261c53) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #33 0x7f4f94829996 in Py_BytesMain (/lib64/libpython3.11.so.1.0+0x229996) (BuildId: 170cbf941d17f6c2ac4f784129b31ebaa10c44a7) #34 0x7f4f9422a1ef in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 #35 0x7f4f9422a2b8 in __libc_start_main_impl ../csu/libc-start.c:360 #36 0x5604497e3084 in _start (/usr/bin/python3.11+0x1084) (BuildId: f5d6e3bdbf9098a6ddde0b7f2e07ffc9ad1b1dc3) Address 0x7f4f91ff51a0 is located in stack of thread T0 at offset 416 in frame #0 0x7f4f8e852b37 in gkdi_new_root_key ../../source4/dsdb/gmsa/gkdi.c:537 This frame has 12 object(s): [32, 40) 'root_key_dn' (line 539) [64, 72) 'res' (line 540) [96, 104) 'server_config_res' (line 118) [128, 136) 'kdf_algorithm' (line 128) [160, 168) 'domain_dn' (line 388) [192, 208) 'kdf_parameters_blob' (line 129) [224, 240) 'root_key_data_blob' (line 353) [256, 272) 'guid_blob' (line 467) [288, 312) 'kdf_parameters' (line 226) [352, 368) 'root_key_id' (line 116) [384, 400) 'guid_buf' (line 466) [416, 480) 'root_key_data' (line 352) <== Memory access at offset 416 is inside this variable Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Joseph Sutton <jsutton@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Fri May 3 12:20:55 UTC 2024 on atb-devel-224

lib/ldb: Use tdb_parse_record and a callback rather than tdb_fetch() …

117dbc5

…in indexing This avoids allocation at the tdb layer when we just want to read the pointer to our in-memory structures. Andrew Bartlett

abartlet force-pushed the less-malloc-index branch from b6c7f93 to 117dbc5 Compare September 7, 2015 00:06

abartlet closed this Sep 15, 2015

lioupayphone pushed a commit to lioupayphone/samba that referenced this pull request Jan 22, 2017

Merge pull request samba-team#6 from dl566/fix-issue2-configuration-sync

8c7d8c9

samba-issue5-v1: add feature of configuration files sync based on ctdb fix issue samba-team#5

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

lib/ldb: Use tdb_parse_record and a callback rather than tdb_fetch() … #6

lib/ldb: Use tdb_parse_record and a callback rather than tdb_fetch() … #6

abartlet commented Sep 4, 2015

samba-team-bot commented Sep 4, 2015

samba-team-bot commented Sep 4, 2015

samba-team-bot commented Sep 7, 2015

lib/ldb: Use tdb_parse_record and a callback rather than tdb_fetch() … #6

lib/ldb: Use tdb_parse_record and a callback rather than tdb_fetch() … #6

Conversation

abartlet commented Sep 4, 2015

samba-team-bot commented Sep 4, 2015

samba-team-bot commented Sep 4, 2015

samba-team-bot commented Sep 7, 2015