[Pkg-samba-maint] [Git][samba-team/samba][master] 2 commits: poptGetArg-misuse-fixes-1022826.diff: fix poptGetArg() misuse (#1022826)
Michael Tokarev (@mjt)
gitlab at salsa.debian.org
Wed Oct 26 18:12:12 BST 2022
Michael Tokarev pushed to branch master at Debian Samba Team / samba
Commits:
53c8b81c by Michael Tokarev at 2022-10-26T19:42:11+03:00
poptGetArg-misuse-fixes-1022826.diff: fix poptGetArg() misuse (#1022826)
This has become an issue with popt-1.9, https://bugzilla.samba.org/show_bug.cgi?id=15205
These patches are included in 4.17 already.
- - - - -
2bd73416 by Michael Tokarev at 2022-10-26T20:10:49+03:00
update changelog; upload 4.16.6+dfsg-4 to unstable
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/poptGetArg-misuse-fixes-1022826.diff
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+samba (2:4.16.6+dfsg-4) unstable; urgency=medium
+
+ * poptGetArg-misuse-fixes-1022826.diff: fix poptGetArg() misuse
+ for popt-1.9 (Closes: #1022826)
+
+ -- Michael Tokarev <mjt at tls.msk.ru> Wed, 26 Oct 2022 19:45:38 +0300
+
samba (2:4.16.6+dfsg-3) unstable; urgency=medium
* d/rules: stop dh_installpam from installing samba.pam
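Review bot: the changelog entry `+ for popt-1.9 (Closes: #1022826)` names popt-1.9, while the patch file introduced by the same upload describes the problem as appearing with popt 1.19 (`popt1.19 fixes a leak that exposes a use as free`); the version in the changelog line should read popt 1.19 so the entry points readers at the release that actually changed the poptFreeContext behaviour.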
=====================================
debian/patches/poptGetArg-misuse-fixes-1022826.diff
=====================================
@@ -0,0 +1,914 @@
+Subject: a collection of patches from upstream branch
+ v4.16-test to fix popt misue (#1022826)
+Bug-Debian: https://bugs.debian.org/1022826
+
+commit 0503e0df3b6b0b02c54c50f25e77b39de90ca575
+Author: Noel Power <noel.power at suse.com>
+Date: Fri Oct 14 10:03:17 2022 +0100
+
+ s3/rpcclient: Duplicate string returned from poptGetArg
+
+ popt1.19 fixes a leak that exposes a use as free,
+ make sure we duplicate return of poptGetArg if
+ poptFreeContext is called before we use it.
+
+ ==4407== Invalid read of size 1
+ ==4407== at 0x146263: main (rpcclient.c:1262)
+ ==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
+ ==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x146227: main (rpcclient.c:1251)
+ ==4407== Block was alloc'd at
+ ==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x1461BC: main (rpcclient.c:1219)
+ ==4407==
+ ==4407== Invalid read of size 1
+ ==4407== at 0x14627D: main (rpcclient.c:1263)
+ ==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
+ ==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x146227: main (rpcclient.c:1251)
+ ==4407== Block was alloc'd at
+ ==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x1461BC: main (rpcclient.c:1219)
+ ==4407==
+ ==4407== Invalid read of size 1
+ ==4407== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x4980E1C: talloc_strdup (talloc.c:2470)
+ ==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320)
+ ==4407== by 0x1462B1: main (rpcclient.c:1267)
+ ==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
+ ==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x146227: main (rpcclient.c:1251)
+ ==4407== Block was alloc'd at
+ ==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x1461BC: main (rpcclient.c:1219)
+ ==4407==
+ ==4407== Invalid read of size 1
+ ==4407== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x4980E1C: talloc_strdup (talloc.c:2470)
+ ==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320)
+ ==4407== by 0x1462B1: main (rpcclient.c:1267)
+ ==4407== Address 0x7b67cd1 is 1 bytes inside a block of size 10 free'd
+ ==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x146227: main (rpcclient.c:1251)
+ ==4407== Block was alloc'd at
+ ==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x1461BC: main (rpcclient.c:1219)
+ ==4407==
+ ==4407== Invalid read of size 8
+ ==4407== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x4980DC2: __talloc_strlendup (talloc.c:2457)
+ ==4407== by 0x4980E32: talloc_strdup (talloc.c:2470)
+ ==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320)
+ ==4407== by 0x1462B1: main (rpcclient.c:1267)
+ ==4407== Address 0x7b67cd0 is 0 bytes inside a block of size 10 free'd
+ ==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x146227: main (rpcclient.c:1251)
+ ==4407== Block was alloc'd at
+ ==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x1461BC: main (rpcclient.c:1219)
+ ==4407==
+ ==4407== Invalid read of size 1
+ ==4407== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x4980DC2: __talloc_strlendup (talloc.c:2457)
+ ==4407== by 0x4980E32: talloc_strdup (talloc.c:2470)
+ ==4407== by 0x488CD96: dcerpc_parse_binding (binding.c:320)
+ ==4407== by 0x1462B1: main (rpcclient.c:1267)
+ ==4407== Address 0x7b67cd8 is 8 bytes inside a block of size 10 free'd
+ ==4407== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x5B2E8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x5B2F5D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x146227: main (rpcclient.c:1251)
+ ==4407== Block was alloc'd at
+ ==4407== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==4407== by 0x5B302EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==4407== by 0x1461BC: main (rpcclient.c:1219)
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+
+ Signed-off-by: Noel Power <noel.power at suse.com>
+ Reviewed-by: Ralph Boehme <slow at samba.org>
+ (cherry picked from commit d26d3d9bff61f796c9c9ab54990ea078f575ab1e)
+
+diff --git a/source3/rpcclient/rpcclient.c b/source3/rpcclient/rpcclient.c
+index 4042d0d60be..27fe5d705c6 100644
+--- a/source3/rpcclient/rpcclient.c
++++ b/source3/rpcclient/rpcclient.c
+@@ -1238,7 +1238,7 @@ out_free:
+ /* Get server as remaining unparsed argument. Print usage if more
+ than one unparsed argument is present. */
+
+- server = poptGetArg(pc);
++ server = talloc_strdup(frame, poptGetArg(pc));
+
+ if (!server || poptGetArg(pc)) {
+ poptPrintHelp(pc, stderr, 0);
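Review bot: with `server = talloc_strdup(frame, poptGetArg(pc));` the check `if (!server || poptGetArg(pc))` can no longer tell a missing server argument from an allocation failure, because talloc_strdup returns NULL both for a NULL input and when out of memory, so an OOM would print the usage text instead of an error. Consider keeping the raw `poptGetArg(pc)` result in a local, testing it for NULL together with the extra-argument test as before, and then duplicating it onto `frame` with its own NULL check. The duplication itself is the right fix: the valgrind trace shows the block allocated in poptGetNextOpt (rpcclient.c:1219) and freed by poptFreeContext at rpcclient.c:1251 before the reads at 1262 and 1267, so the string has to outlive the popt context.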
+
+commit da11c48d9b69b394e2d01b3405aba24b17e671e0
+Author: Noel Power <noel.power at suse.com>
+Date: Fri Oct 14 11:23:37 2022 +0100
+
+ s3/param: Fix use after free with popt-1.19
+
+ popt1.19 fixes a leak that exposes a use as free,
+ make sure we duplicate return of poptGetArg if
+ poptFreeContext is called before we use it.
+
+ ==5325== Invalid read of size 1
+ ==5325== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470)
+ ==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
+ ==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
+ ==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==5325== by 0x10ABD7: main (test_lp_load.c:98)
+ ==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
+ ==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB8E: main (test_lp_load.c:90)
+ ==5325== Block was alloc'd at
+ ==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB49: main (test_lp_load.c:74)
+ ==5325==
+ ==5325== Invalid read of size 1
+ ==5325== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470)
+ ==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
+ ==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
+ ==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==5325== by 0x10ABD7: main (test_lp_load.c:98)
+ ==5325== Address 0x72da8b1 is 1 bytes inside a block of size 20 free'd
+ ==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB8E: main (test_lp_load.c:90)
+ ==5325== Block was alloc'd at
+ ==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB49: main (test_lp_load.c:74)
+ ==5325==
+ ==5325== Invalid read of size 8
+ ==5325== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
+ ==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
+ ==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
+ ==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
+ ==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==5325== by 0x10ABD7: main (test_lp_load.c:98)
+ ==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
+ ==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB8E: main (test_lp_load.c:90)
+ ==5325== Block was alloc'd at
+ ==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB49: main (test_lp_load.c:74)
+ ==5325==
+ ==5325== Invalid read of size 2
+ ==5325== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
+ ==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
+ ==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
+ ==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
+ ==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==5325== by 0x10ABD7: main (test_lp_load.c:98)
+ ==5325== Address 0x72da8c0 is 16 bytes inside a block of size 20 free'd
+ ==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB8E: main (test_lp_load.c:90)
+ ==5325== Block was alloc'd at
+ ==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB49: main (test_lp_load.c:74)
+ ==5325==
+ ==5325== Invalid read of size 1
+ ==5325== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
+ ==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
+ ==5325== by 0x48C0D37: talloc_sub_basic (substitute.c:303)
+ ==5325== by 0x4894B98: lp_load_ex (loadparm.c:4004)
+ ==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==5325== by 0x10ABD7: main (test_lp_load.c:98)
+ ==5325== Address 0x72da8c2 is 18 bytes inside a block of size 20 free'd
+ ==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB8E: main (test_lp_load.c:90)
+ ==5325== Block was alloc'd at
+ ==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB49: main (test_lp_load.c:74)
+ ==5325==
+ ==5325== Invalid read of size 1
+ ==5325== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470)
+ ==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
+ ==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
+ ==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==5325== by 0x10ABD7: main (test_lp_load.c:98)
+ ==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
+ ==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB8E: main (test_lp_load.c:90)
+ ==5325== Block was alloc'd at
+ ==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB49: main (test_lp_load.c:74)
+ ==5325==
+ ==5325== Invalid read of size 1
+ ==5325== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4859E1C: talloc_strdup (talloc.c:2470)
+ ==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
+ ==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
+ ==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==5325== by 0x10ABD7: main (test_lp_load.c:98)
+ ==5325== Address 0x72da8b1 is 1 bytes inside a block of size 20 free'd
+ ==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB8E: main (test_lp_load.c:90)
+ ==5325== Block was alloc'd at
+ ==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB49: main (test_lp_load.c:74)
+ ==5325==
+ ==5325== Invalid read of size 8
+ ==5325== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
+ ==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
+ ==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
+ ==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
+ ==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==5325== by 0x10ABD7: main (test_lp_load.c:98)
+ ==5325== Address 0x72da8b0 is 0 bytes inside a block of size 20 free'd
+ ==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB8E: main (test_lp_load.c:90)
+ ==5325== Block was alloc'd at
+ ==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB49: main (test_lp_load.c:74)
+ ==5325==
+ ==5325== Invalid read of size 2
+ ==5325== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
+ ==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
+ ==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
+ ==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
+ ==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==5325== by 0x10ABD7: main (test_lp_load.c:98)
+ ==5325== Address 0x72da8c0 is 16 bytes inside a block of size 20 free'd
+ ==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB8E: main (test_lp_load.c:90)
+ ==5325== Block was alloc'd at
+ ==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB49: main (test_lp_load.c:74)
+ ==5325==
+ ==5325== Invalid read of size 1
+ ==5325== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4859DC2: __talloc_strlendup (talloc.c:2457)
+ ==5325== by 0x4859E32: talloc_strdup (talloc.c:2470)
+ ==5325== by 0x4B3B74B: add_to_file_list (loadparm.c:1023)
+ ==5325== by 0x4894BD4: lp_load_ex (loadparm.c:4011)
+ ==5325== by 0x489529E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==5325== by 0x10ABD7: main (test_lp_load.c:98)
+ ==5325== Address 0x72da8c2 is 18 bytes inside a block of size 20 free'd
+ ==5325== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B8F8B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x4B905D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB8E: main (test_lp_load.c:90)
+ ==5325== Block was alloc'd at
+ ==5325== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5325== by 0x4B912EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==5325== by 0x10AB49: main (test_lp_load.c:74)
+ ==5325==
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+
+ Signed-off-by: Noel Power <noel.power at suse.com>
+ Reviewed-by: Ralph Boehme <slow at samba.org>
+ (cherry picked from commit ff003fc87b8164610dfd6572347c05308c4b2fd7)
+
+diff --git a/source3/param/test_lp_load.c b/source3/param/test_lp_load.c
+index 2c6a5c8891b..03be4118efd 100644
+--- a/source3/param/test_lp_load.c
++++ b/source3/param/test_lp_load.c
+@@ -82,7 +82,7 @@ int main(int argc, const char **argv)
+ }
+
+ if (poptPeekArg(pc)) {
+- config_file = poptGetArg(pc);
++ config_file = talloc_strdup(frame, poptGetArg(pc));
+ } else {
+ config_file = get_dyn_CONFIGFILE();
+ }
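Review bot: `config_file = talloc_strdup(frame, poptGetArg(pc));` has no NULL check on the duplicated string. Inside the `if (poptPeekArg(pc))` branch the source is known to be non-NULL, so a NULL result here can only mean allocation failure, and whatever consumes config_file afterwards (the trace shows lp_load_with_registry_shares at test_lp_load.c:98) would receive NULL rather than either the fallback from get_dyn_CONFIGFILE() or a clean abort; add an `if (config_file == NULL)` error exit after the strdup. The else branch needs no change, since get_dyn_CONFIGFILE() is not owned by the popt context.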
+
+commit 1efcc10c9d4f4f35ea22322e427989112a3bae51
+Author: Noel Power <noel.power at suse.com>
+Date: Fri Oct 14 11:26:24 2022 +0100
+
+ s3/utils: Add missing poptFreeContext
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+
+ Signed-off-by: Noel Power <noel.power at suse.com>
+ Reviewed-by: Ralph Boehme <slow at samba.org>
+ (cherry picked from commit 31d3d10b260f05080ca0a3cf9434aa4704d60739)
+
+diff --git a/source3/utils/mdsearch.c b/source3/utils/mdsearch.c
+index ac0b75fca51..ab48e366a0a 100644
+--- a/source3/utils/mdsearch.c
++++ b/source3/utils/mdsearch.c
+@@ -242,6 +242,7 @@ int main(int argc, char **argv)
+ return 0;
+
+ fail:
++ poptFreeContext(pc);
+ TALLOC_FREE(frame);
+ return 1;
+ }
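Review bot: adding `poptFreeContext(pc);` on the fail path assumes `pc` has been assigned before every `goto fail` in main; if any jump to `fail:` can precede poptGetContext, `pc` must be initialised to NULL at its declaration (poptFreeContext returns early on a NULL context) or the call guarded. The hunk also shows only the error exit: the `return 0;` success path just above is untouched, so confirm it already frees the context, otherwise the leak this commit targets remains on the normal exit. Placing poptFreeContext before `TALLOC_FREE(frame)` is the correct order given the sibling commits in this series, which duplicate popt-owned strings onto `frame`.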
+
+commit 4b35fa3f85e6ce8811a47e3d42049fecc0045d2f
+Author: Noel Power <noel.power at suse.com>
+Date: Fri Oct 14 11:35:51 2022 +0100
+
+ s3/utils: Fix use after free with popt 1.19
+
+ popt1.19 fixes a leak that exposes a use as free,
+ make sure we duplicate return of poptGetArg if
+ poptFreeContext is called before we use it.
+
+ ==5914== Invalid read of size 1
+ ==5914== at 0x4FDF740: strlcpy (in /usr/lib64/libbsd.so.0.11.6)
+ ==5914== by 0x49E09A9: tdbsam_getsampwnam (pdb_tdb.c:583)
+ ==5914== by 0x49D94E5: pdb_getsampwnam (pdb_interface.c:340)
+ ==5914== by 0x10DED1: print_user_info (pdbedit.c:372)
+ ==5914== by 0x111413: main (pdbedit.c:1324)
+ ==5914== Address 0x73b6750 is 0 bytes inside a block of size 7 free'd
+ ==5914== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5914== by 0x4C508B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5914== by 0x4C515D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==5914== by 0x1113E6: main (pdbedit.c:1323)
+ ==5914== Block was alloc'd at
+ ==5914== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==5914== by 0x4C522EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==5914== by 0x110AE5: main (pdbedit.c:1137)
+ ==5914==
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+
+ Signed-off-by: Noel Power <noel.power at suse.com>
+ Reviewed-by: Ralph Boehme <slow at samba.org>
+ (cherry picked from commit e82699fcca3716d9ed0450263fd83f948de8ffbe)
+
+diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
+index 4fdcc3ee428..eb4f3072df8 100644
+--- a/source3/utils/pdbedit.c
++++ b/source3/utils/pdbedit.c
+@@ -1150,7 +1150,7 @@ int main(int argc, const char **argv)
+ poptGetArg(pc); /* Drop argv[0], the program name */
+
+ if (user_name == NULL)
+- user_name = poptGetArg(pc);
++ user_name = talloc_strdup(frame, poptGetArg(pc));
+
+ setparms = (backend ? BIT_BACKEND : 0) +
+ (verbose ? BIT_VERBOSE : 0) +
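Review bot: `user_name = talloc_strdup(frame, poptGetArg(pc));` keeps the old behaviour when no positional user is supplied (talloc_strdup of a NULL pointer returns NULL, so later `user_name == NULL` checks still hold), but it only covers the positional path. The guard `if (user_name == NULL)` implies user_name may already have been set by an option earlier in main; if that value is a pointer owned by the popt context (the trace shows the freed block was allocated in poptGetNextOpt at pdbedit.c:1137, before this hunk), the same read after `poptFreeContext` at pdbedit.c:1323 will recur when the user is passed as an option instead of positionally. Either duplicate user_name onto `frame` unconditionally after the `if`, or move poptFreeContext past the last use at pdbedit.c:1324.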
+
+commit 5383d625cbb3a2c10b4fa18d21e738dabad5d6be
+Author: Noel Power <noel.power at suse.com>
+Date: Fri Oct 14 11:45:13 2022 +0100
+
+ s3/utils: Fix use after free with popt 1.19
+
+ popt1.19 fixes a leak that exposes a use as free,
+ make sure we duplicate return of poptGetArg if
+ poptFreeContext is called before we use it.
+
+ ==6055== Command: ./bin/testparm /etc/samba/smb.conf
+ ==6055==
+ ==6055== Invalid read of size 1
+ ==6055== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
+ ==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
+ ==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
+ ==6055== by 0x10EBFA: main (testparm.c:862)
+ ==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
+ ==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EBAC: main (testparm.c:854)
+ ==6055== Block was alloc'd at
+ ==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EB2E: main (testparm.c:830)
+ ==6055==
+ ==6055== Invalid read of size 1
+ ==6055== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4C1E50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
+ ==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
+ ==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
+ ==6055== by 0x10EBFA: main (testparm.c:862)
+ ==6055== Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
+ ==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EBAC: main (testparm.c:854)
+ ==6055== Block was alloc'd at
+ ==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EB2E: main (testparm.c:830)
+ ==6055==
+ ==6055== Invalid read of size 1
+ ==6055== at 0x4C44DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
+ ==6055== by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
+ ==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
+ ==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
+ ==6055== by 0x10EBFA: main (testparm.c:862)
+ ==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
+ ==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EBAC: main (testparm.c:854)
+ ==6055== Block was alloc'd at
+ ==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EB2E: main (testparm.c:830)
+ ==6055==
+ ==6055== Invalid read of size 1
+ ==6055== at 0x4C44DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
+ ==6055== by 0x4C1E39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
+ ==6055== by 0x4C1EB74: buffered_vfprintf (in /usr/lib64/libc.so.6)
+ ==6055== by 0x4C119E9: fprintf (in /usr/lib64/libc.so.6)
+ ==6055== by 0x10EBFA: main (testparm.c:862)
+ ==6055== Address 0x72dab72 is 2 bytes inside a block of size 20 free'd
+ ==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EBAC: main (testparm.c:854)
+ ==6055== Block was alloc'd at
+ ==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EB2E: main (testparm.c:830)
+ ==6055==
+ Load smb config files from /etc/samba/smb.conf
+ ==6055== Invalid read of size 1
+ ==6055== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470)
+ ==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
+ ==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
+ ==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==6055== by 0x10EC06: main (testparm.c:864)
+ ==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
+ ==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EBAC: main (testparm.c:854)
+ ==6055== Block was alloc'd at
+ ==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EB2E: main (testparm.c:830)
+ ==6055==
+ ==6055== Invalid read of size 1
+ ==6055== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470)
+ ==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
+ ==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
+ ==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==6055== by 0x10EC06: main (testparm.c:864)
+ ==6055== Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
+ ==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EBAC: main (testparm.c:854)
+ ==6055== Block was alloc'd at
+ ==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EB2E: main (testparm.c:830)
+ ==6055==
+ ==6055== Invalid read of size 8
+ ==6055== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
+ ==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
+ ==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
+ ==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
+ ==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==6055== by 0x10EC06: main (testparm.c:864)
+ ==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
+ ==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EBAC: main (testparm.c:854)
+ ==6055== Block was alloc'd at
+ ==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EB2E: main (testparm.c:830)
+ ==6055==
+ ==6055== Invalid read of size 2
+ ==6055== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
+ ==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
+ ==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
+ ==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
+ ==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==6055== by 0x10EC06: main (testparm.c:864)
+ ==6055== Address 0x72dab80 is 16 bytes inside a block of size 20 free'd
+ ==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EBAC: main (testparm.c:854)
+ ==6055== Block was alloc'd at
+ ==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EB2E: main (testparm.c:830)
+ ==6055==
+ ==6055== Invalid read of size 1
+ ==6055== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
+ ==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
+ ==6055== by 0x48B5D37: talloc_sub_basic (substitute.c:303)
+ ==6055== by 0x4889B98: lp_load_ex (loadparm.c:4004)
+ ==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==6055== by 0x10EC06: main (testparm.c:864)
+ ==6055== Address 0x72dab82 is 18 bytes inside a block of size 20 free'd
+ ==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EBAC: main (testparm.c:854)
+ ==6055== Block was alloc'd at
+ ==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EB2E: main (testparm.c:830)
+ ==6055==
+ ==6055== Invalid read of size 1
+ ==6055== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470)
+ ==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
+ ==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
+ ==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==6055== by 0x10EC06: main (testparm.c:864)
+ ==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
+ ==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EBAC: main (testparm.c:854)
+ ==6055== Block was alloc'd at
+ ==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EB2E: main (testparm.c:830)
+ ==6055==
+ ==6055== Invalid read of size 1
+ ==6055== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4927E1C: talloc_strdup (talloc.c:2470)
+ ==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
+ ==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
+ ==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==6055== by 0x10EC06: main (testparm.c:864)
+ ==6055== Address 0x72dab71 is 1 bytes inside a block of size 20 free'd
+ ==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EBAC: main (testparm.c:854)
+ ==6055== Block was alloc'd at
+ ==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EB2E: main (testparm.c:830)
+ ==6055==
+ ==6055== Invalid read of size 8
+ ==6055== at 0x484D3AE: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
+ ==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
+ ==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
+ ==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
+ ==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==6055== by 0x10EC06: main (testparm.c:864)
+ ==6055== Address 0x72dab70 is 0 bytes inside a block of size 20 free'd
+ ==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EBAC: main (testparm.c:854)
+ ==6055== Block was alloc'd at
+ ==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EB2E: main (testparm.c:830)
+ ==6055==
+ ==6055== Invalid read of size 2
+ ==6055== at 0x484D400: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
+ ==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
+ ==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
+ ==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
+ ==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==6055== by 0x10EC06: main (testparm.c:864)
+ ==6055== Address 0x72dab80 is 16 bytes inside a block of size 20 free'd
+ ==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EBAC: main (testparm.c:854)
+ ==6055== Block was alloc'd at
+ ==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EB2E: main (testparm.c:830)
+ ==6055==
+ ==6055== Invalid read of size 1
+ ==6055== at 0x484D430: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4927DC2: __talloc_strlendup (talloc.c:2457)
+ ==6055== by 0x4927E32: talloc_strdup (talloc.c:2470)
+ ==6055== by 0x4B5974B: add_to_file_list (loadparm.c:1023)
+ ==6055== by 0x4889BD4: lp_load_ex (loadparm.c:4011)
+ ==6055== by 0x488A29E: lp_load_with_registry_shares (loadparm.c:4237)
+ ==6055== by 0x10EC06: main (testparm.c:864)
+ ==6055== Address 0x72dab82 is 18 bytes inside a block of size 20 free'd
+ ==6055== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB28B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x4BB35D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EBAC: main (testparm.c:854)
+ ==6055== Block was alloc'd at
+ ==6055== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6055== by 0x4BB42EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6055== by 0x10EB2E: main (testparm.c:830)
+ ==6055==
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+
+ Signed-off-by: Noel Power <noel.power at suse.com>
+ Reviewed-by: Ralph Boehme <slow at samba.org>
+ (cherry picked from commit 4b15d8c2a5c8547b84e7926fed9890b5676b8bc3)
+
+diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
+index 71bc4c2694e..bb9cb6db563 100644
+--- a/source3/utils/testparm.c
++++ b/source3/utils/testparm.c
+@@ -844,13 +844,13 @@ static void do_per_share_checks(int s)
+ }
+
+ if (poptPeekArg(pc)) {
+- config_file = poptGetArg(pc);
++ config_file = talloc_strdup(frame, poptGetArg(pc));
+ } else {
+ config_file = get_dyn_CONFIGFILE();
+ }
+
+- cname = poptGetArg(pc);
+- caddr = poptGetArg(pc);
++ cname = talloc_strdup(frame, poptGetArg(pc));
++ caddr = talloc_strdup(frame, poptGetArg(pc));
+
+ poptFreeContext(pc);
+
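Review bot: none of the three talloc_strdup() results in this hunk is NULL-checked before poptFreeContext(pc), so on allocation failure config_file is NULL when the later lp_load call (the testparm.c:864 frame in the trace above) uses it. Suggest `if (config_file == NULL) { DBG_ERR("out of memory\n"); TALLOC_FREE(frame); exit(1); }` directly after the copy. cname and caddr are optional and talloc_strdup(frame, NULL) returns NULL anyway, so for those a failed copy is indistinguishable from "argument not given" unless each is guarded with poptPeekArg(pc) before duplicating.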
+
+commit 7480f9c01d6449e071784b04ea1f8e2a18906d75
+Author: Noel Power <noel.power at suse.com>
+Date: Fri Oct 14 11:53:53 2022 +0100
+
+ s4/lib/registry: Fix use after free with popt 1.19
+
+ popt 1.19 fixes a leak that exposes a use after free;
+ make sure we duplicate the return of poptGetArg if
+ poptFreeContext is called before we use it.
+
+ ==6357== Command: ./bin/regpatch file
+ ==6357==
+ Can't load /home/npower/samba-back/INSTALL_DIR/etc/smb.conf - run testparm to debug it
+ ==6357== Syscall param openat(filename) points to unaddressable byte(s)
+ ==6357== at 0x4BFE535: open (in /usr/lib64/libc.so.6)
+ ==6357== by 0x4861432: reg_diff_load (patchfile.c:345)
+ ==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
+ ==6357== by 0x10ADF9: main (regpatch.c:114)
+ ==6357== Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
+ ==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x10ADCF: main (regpatch.c:111)
+ ==6357== Block was alloc'd at
+ ==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x10ACBD: main (regpatch.c:79)
+ ==6357==
+ ==6357== Invalid read of size 1
+ ==6357== at 0x4849782: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6357== by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
+ ==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
+ ==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904)
+ ==6357== by 0x4AD33F2: dbgtext (debug.c:1925)
+ ==6357== by 0x4861515: reg_diff_load (patchfile.c:353)
+ ==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
+ ==6357== by 0x10ADF9: main (regpatch.c:114)
+ ==6357== Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
+ ==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x10ADCF: main (regpatch.c:111)
+ ==6357== Block was alloc'd at
+ ==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x10ACBD: main (regpatch.c:79)
+ ==6357==
+ ==6357== Invalid read of size 1
+ ==6357== at 0x4849794: strlen (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6357== by 0x4B5D50F: __vfprintf_internal (in /usr/lib64/libc.so.6)
+ ==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
+ ==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904)
+ ==6357== by 0x4AD33F2: dbgtext (debug.c:1925)
+ ==6357== by 0x4861515: reg_diff_load (patchfile.c:353)
+ ==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
+ ==6357== by 0x10ADF9: main (regpatch.c:114)
+ ==6357== Address 0x70f79d1 is 1 bytes inside a block of size 5 free'd
+ ==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x10ADCF: main (regpatch.c:111)
+ ==6357== Block was alloc'd at
+ ==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x10ACBD: main (regpatch.c:79)
+ ==6357==
+ ==6357== Invalid read of size 1
+ ==6357== at 0x4B83DD0: _IO_default_xsputn (in /usr/lib64/libc.so.6)
+ ==6357== by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
+ ==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
+ ==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904)
+ ==6357== by 0x4AD33F2: dbgtext (debug.c:1925)
+ ==6357== by 0x4861515: reg_diff_load (patchfile.c:353)
+ ==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
+ ==6357== by 0x10ADF9: main (regpatch.c:114)
+ ==6357== Address 0x70f79d0 is 0 bytes inside a block of size 5 free'd
+ ==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x10ADCF: main (regpatch.c:111)
+ ==6357== Block was alloc'd at
+ ==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x10ACBD: main (regpatch.c:79)
+ ==6357==
+ ==6357== Invalid read of size 1
+ ==6357== at 0x4B83DDF: _IO_default_xsputn (in /usr/lib64/libc.so.6)
+ ==6357== by 0x4B5D39E: __vfprintf_internal (in /usr/lib64/libc.so.6)
+ ==6357== by 0x4B7E719: __vasprintf_internal (in /usr/lib64/libc.so.6)
+ ==6357== by 0x4AD32F0: __dbgtext_va (debug.c:1904)
+ ==6357== by 0x4AD33F2: dbgtext (debug.c:1925)
+ ==6357== by 0x4861515: reg_diff_load (patchfile.c:353)
+ ==6357== by 0x4861CD3: reg_diff_apply (patchfile.c:542)
+ ==6357== by 0x10ADF9: main (regpatch.c:114)
+ ==6357== Address 0x70f79d2 is 2 bytes inside a block of size 5 free'd
+ ==6357== at 0x484617B: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6357== by 0x4AF38B8: poptResetContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x4AF45D4: poptFreeContext (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x10ADCF: main (regpatch.c:111)
+ ==6357== Block was alloc'd at
+ ==6357== at 0x48437B4: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
+ ==6357== by 0x4AF52EE: poptGetNextOpt (in /usr/lib64/libpopt.so.0.0.2)
+ ==6357== by 0x10ACBD: main (regpatch.c:79)
+ ==6357==
+ Error reading registry patch file `file'
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+
+ Signed-off-by: Noel Power <noel.power at suse.com>
+ Reviewed-by: Ralph Boehme <slow at samba.org>
+
+ Autobuild-User(master): Ralph Böhme <slow at samba.org>
+ Autobuild-Date(master): Fri Oct 14 13:38:55 UTC 2022 on sn-devel-184
+
+ (cherry picked from commit 7e0e3f47cd67e4cadc101691cd14837f45d9506a)
+
+diff --git a/source4/lib/registry/tools/regpatch.c b/source4/lib/registry/tools/regpatch.c
+index 2be78d143ef..eafaff6cf99 100644
+--- a/source4/lib/registry/tools/regpatch.c
++++ b/source4/lib/registry/tools/regpatch.c
+@@ -101,7 +101,7 @@ int main(int argc, char **argv)
+ return 1;
+ }
+
+- patch = poptGetArg(pc);
++ patch = talloc_strdup(mem_ctx, poptGetArg(pc));
+ if (patch == NULL) {
+ poptPrintUsage(pc, stderr, 0);
+ TALLOC_FREE(mem_ctx);
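Review bot: the `if (patch == NULL)` check that follows now covers two different conditions: no positional argument (talloc_strdup(mem_ctx, NULL) returns NULL, so that case still works) and an allocation failure, which gets reported as a usage error. Suggest testing `poptPeekArg(pc) == NULL` first for the usage path and then treating a NULL from talloc_strdup() as out of memory, as the pdbedit follow-up later in this series does.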
+
+commit e69d2b3f9d2c8f38a4d93413d563ad5241d35383
+Author: Noel Power <noel.power at suse.com>
+Date: Mon Oct 17 10:17:34 2022 +0100
+
+ s3/param: Check return of talloc_strdup
+
+ follow-up to commit ff003fc87b8164610dfd6572347c05308c4b2fd7
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+
+ Signed-off-by: Noel Power <noel.power at suse.com>
+ Reviewed-by: Jeremy Allison <jra at samba.org>
+ (cherry picked from commit 19eb88bc53e481327bbd437b0c145d5765c6dcec)
+
+diff --git a/source3/param/test_lp_load.c b/source3/param/test_lp_load.c
+index 03be4118efd..9f3d5516805 100644
+--- a/source3/param/test_lp_load.c
++++ b/source3/param/test_lp_load.c
+@@ -83,6 +83,11 @@ int main(int argc, const char **argv)
+
+ if (poptPeekArg(pc)) {
+ config_file = talloc_strdup(frame, poptGetArg(pc));
++ if (config_file == NULL) {
++ DBG_ERR("out of memory\n");
++ TALLOC_FREE(frame);
++ exit(1);
++ }
+ } else {
+ config_file = get_dyn_CONFIGFILE();
+ }
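Review bot: the failure is reported through DBG_ERR() here but through fprintf(stderr, ...) in the equivalent pdbedit.c hunk of this same series; both work, but the follow-up checks would be easier to audit with one form. Since config_file is non-NULL whenever poptPeekArg(pc) succeeded and the copy worked, the check is correctly placed inside the branch and the get_dyn_CONFIGFILE() default is untouched.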
+
+commit 9a18da112c47055fb32291dfcde42f2ccca7aad7
+Author: Noel Power <noel.power at suse.com>
+Date: Mon Oct 17 10:25:00 2022 +0100
+
+ s3/utils: Check return of talloc_strdup
+
+ follow-up to e82699fcca3716d9ed0450263fd83f948de8ffbe
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+
+ Signed-off-by: Noel Power <noel.power at suse.com>
+ Reviewed-by: Jeremy Allison <jra at samba.org>
+ (cherry picked from commit 972127daddc7a32d23fb84d97102557035b06f5b)
+
+diff --git a/source3/utils/pdbedit.c b/source3/utils/pdbedit.c
+index eb4f3072df8..ede467108bb 100644
+--- a/source3/utils/pdbedit.c
++++ b/source3/utils/pdbedit.c
+@@ -1149,8 +1149,16 @@ int main(int argc, const char **argv)
+
+ poptGetArg(pc); /* Drop argv[0], the program name */
+
+- if (user_name == NULL)
+- user_name = talloc_strdup(frame, poptGetArg(pc));
++ if (user_name == NULL) {
++ if (poptPeekArg(pc)) {
++ user_name = talloc_strdup(frame, poptGetArg(pc));
++ if (user_name == NULL) {
++ fprintf(stderr, "out of memory\n");
++ TALLOC_FREE(frame);
++ exit(1);
++ }
++ }
++ }
+
+ setparms = (backend ? BIT_BACKEND : 0) +
+ (verbose ? BIT_VERBOSE : 0) +
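Review bot: the three nested ifs can be flattened to `if (user_name == NULL && poptPeekArg(pc) != NULL) {` followed by the copy and its check, with no change in behaviour and one level less indentation. The poptPeekArg() guard itself is the important part: user_name stays NULL when no positional argument is given, exactly as talloc_strdup(frame, NULL) returned before, while a NULL from talloc_strdup() with an argument present is now reported as out of memory instead of being read as "no user name".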
+
+commit 4d7e31b98162a33702162b00cf40811dfeabe671
+Author: Noel Power <noel.power at suse.com>
+Date: Mon Oct 17 10:27:31 2022 +0100
+
+ s3/utils: check result of talloc_strdup
+
+ follow-up to commit 4b15d8c2a5c8547b84e7926fed9890b5676b8bc3
+
+ BUG: https://bugzilla.samba.org/show_bug.cgi?id=15205
+
+ Signed-off-by: Noel Power <noel.power at suse.com>
+ Reviewed-by: Jeremy Allison <jra at samba.org>
+
+ Autobuild-User(master): Jeremy Allison <jra at samba.org>
+ Autobuild-Date(master): Mon Oct 17 19:49:37 UTC 2022 on sn-devel-184
+
+ (cherry picked from commit 0326549a052c22e4929e3760fd5011c35e32fe33)
+
+diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
+index bb9cb6db563..27a8bc1fb8e 100644
+--- a/source3/utils/testparm.c
++++ b/source3/utils/testparm.c
+@@ -845,6 +845,11 @@ static void do_per_share_checks(int s)
+
+ if (poptPeekArg(pc)) {
+ config_file = talloc_strdup(frame, poptGetArg(pc));
++ if (config_file == NULL) {
++ DBG_ERR("out of memory\n");
++ TALLOC_FREE(frame);
++ exit(1);
++ }
+ } else {
+ config_file = get_dyn_CONFIGFILE();
+ }
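Review bot: this closes the gap for config_file only; cname and caddr, copied with the same `talloc_strdup(frame, poptGetArg(pc))` pattern a few lines further down in the earlier testparm.c hunk of this series, are still unchecked. Because talloc_strdup() returns NULL for a NULL input, a failed copy there cannot be told apart from the user passing no client name or address, and testparm would carry on as if none had been given. Suggest guarding each with poptPeekArg(pc) and checking the copy, as done here for config_file.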
=====================================
debian/patches/series
=====================================
@@ -20,3 +20,4 @@ move-msg.sock-from-var-lib-samba-to-run-samba.patch
testparm-do-not-fail-if-pid-dir-does-not-exist.patch
add-missing-libs-deps.diff
dont-ignore-errors-in-random-number-generation-CVE-2022-1615.patch
+poptGetArg-misuse-fixes-1022826.diff
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/ce709ba2b2104d04ebee954e94c514fc3bc7a36c...2bd73416bb1d5ba03d4c36d3b321aca1daa0e46e