[Pkg-samba-maint] [Git][samba-team/samba][upstream_4.19] 63 commits: VERSION: Bump version up to Samba 4.19.1...
Michael Tokarev (@mjt)
gitlab at salsa.debian.org
Mon Oct 16 16:29:26 BST 2023
Michael Tokarev pushed to branch upstream_4.19 at Debian Samba Team / samba
Commits:
a8c5fe34 by Jule Anger at 2023-09-04T14:36:48+02:00
VERSION: Bump version up to Samba 4.19.1...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
eadd7e5f by Ralph Boehme at 2023-09-05T09:33:16+00:00
mdssvc: better support for search with mdfind from Macs
When searching Samba via Spotlight from a Mac with mdfind, only 50 results are
returned.
It seems the changes for bug #15342 were one step in the right
direction. There, a status indicator meaning "search is still being processed"
was implemented, returning a special status indicator (0x23) in a response, when
the query was still running in the backend, eg Elasticsearch, and we haven't got
any result when the Mac already comes along asking for results of a query.
Turns out, we should also return 0x23, ie "search is still being processed" when
we have some initial search results from the backend. Otherwise mdfind will stop
querying for more results. It works in Finder, as the Finder by default employs
a "live" search where it just keeps polling for more results even after the
server returned an empty result set. The Finder just keeps on querying in some
interval, typically 4 seconds, and a Mac server Spotlight server might return
new results if new files were created that match the query, hence "live"
search.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15463
Signed-off-by: Ralph Boehme <slow at samba.org>
Reviewed-by: Noel Power <noel.power at suse.com>
Autobuild-User(master): Ralph Böhme <slow at samba.org>
Autobuild-Date(master): Wed Aug 30 10:51:40 UTC 2023 on atb-devel-224
(cherry picked from commit 3afa27a01ca0b81b0044d5d543a999936582e67a)
Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Tue Sep 5 09:33:17 UTC 2023 on atb-devel-224
- - - - -
340b7fd1 by Stefan Metzmacher at 2023-09-18T15:59:16+00:00
nsswitch: add test for pthread_key_delete misuse (bug 15464)
This is based on https://bugzilla.samba.org/attachment.cgi?id=18081
written by Krzysztof Piotr Oledzki <ole at ans.pl>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 62af25d44e542548d8cdecb061a6001e0071ee76)
- - - - -
61f6f46b by Stefan Metzmacher at 2023-09-18T15:59:16+00:00
nsswitch/wb_common.c: fix build without HAVE_PTHREAD
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 4faf806412c4408db25448b1f67c09359ec2f81f)
- - - - -
9c10f828 by Stefan Metzmacher at 2023-09-18T15:59:16+00:00
nsswitch/wb_common.c: winbind_destructor can always use get_wb_global_ctx()
The HAVE_PTHREAD logic inside of get_wb_global_ctx() will do all
required magic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 836823e5047d0eb18e66707386ba03b812adfaf8)
- - - - -
7d04c32e by Stefan Metzmacher at 2023-09-18T15:59:16+00:00
nsswitch/wb_common.c: don't operate on a stale wb_global_ctx.key
If nss_winbind is loaded into a process that uses fork multiple times
without any further calls into nss_winbind, wb_atfork_child handler
was using a wb_global_ctx.key that was no longer registered in the
pthread library, so we operated on a slot that was potentially
reused by other libraries or the main application. Which is likely
to cause memory corruption.
So we better don't call pthread_key_delete() in wb_atfork_child().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
Reported-by: Krzysztof Piotr Oledzki <ole at ans.pl>
Tested-by: Krzysztof Piotr Oledzki <ole at ans.pl>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 91b30a7261e6455d3a4f31728c23e4849e3945b9)
- - - - -
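The stale-key hazard described in the commit above, as an added illustration that is not Samba's nss_winbind code: a library owns one pthread key, its atfork child handler deletes that key but keeps the key number, and on the next fork it deletes whatever key another library has meanwhile been given in the same slot. The struct wb_ctx, the atfork_child_buggy and atfork_child_fixed handlers and the two demo functions are invented names; fork() is simulated by calling the handler directly, and the assumption that glibc reuses the lowest free key slot is noted in the code.

```c
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical per-process state, modelled on wb_global_ctx.key. */
struct wb_ctx {
    pthread_key_t key;
    int key_valid;
};

static int wb_ctx_init(struct wb_ctx *c)
{
    if (c->key_valid) {
        return 0;
    }
    if (pthread_key_create(&c->key, NULL) != 0) {
        return -1;
    }
    c->key_valid = 1;
    return 0;
}

/*
 * Old behaviour: the child handler deletes the key but the number stays
 * in the context, so a later fork deletes whoever owns that slot by then.
 * Real atfork handlers take no argument; the context parameter only keeps
 * this demo self-contained.
 */
static void atfork_child_buggy(struct wb_ctx *c)
{
    pthread_key_delete(c->key);
}

/* Fixed behaviour: keep the key registered, drop only the inherited value. */
static void atfork_child_fixed(struct wb_ctx *c)
{
    if (c->key_valid) {
        pthread_setspecific(c->key, NULL);
    }
}

/*
 * Two simulated forks with an unrelated library allocating a key in between.
 * Returns bit 0 set if the new key landed in the stale slot (glibc hands out
 * the lowest free slot, so this is the expected case) and bit 1 set if the
 * other library's value was destroyed by the second handler run.
 */
int stale_key_result(void)
{
    static int marker;
    struct wb_ctx c = { 0, 0 };
    pthread_key_t other_key;
    int same_slot, clobbered;

    if (wb_ctx_init(&c) != 0) {
        return -1;
    }
    pthread_setspecific(c.key, &marker);

    atfork_child_buggy(&c);                 /* first fork: key deleted, number kept */

    if (pthread_key_create(&other_key, NULL) != 0) {  /* "other library" */
        return -1;
    }
    same_slot = (other_key == c.key);
    pthread_setspecific(other_key, &marker);

    atfork_child_buggy(&c);                 /* second fork: deletes the other key */

    clobbered = (pthread_getspecific(other_key) == NULL);
    if (!same_slot) {
        pthread_key_delete(other_key);      /* tidy up when the slot was not reused */
    }
    return (clobbered << 1) | same_slot;
}

/* With the fixed handler the key stays usable across any number of forks. */
int demo_fixed_key(void)
{
    static int marker;
    struct wb_ctx c = { 0, 0 };
    int ok;

    if (wb_ctx_init(&c) != 0) {
        return 0;
    }
    pthread_setspecific(c.key, &marker);
    atfork_child_fixed(&c);
    ok = (pthread_getspecific(c.key) == NULL);   /* child starts without the value */
    atfork_child_fixed(&c);                      /* a second fork is harmless */
    ok = ok && pthread_setspecific(c.key, &marker) == 0;
    ok = ok && pthread_getspecific(c.key) == &marker;
    pthread_key_delete(c.key);
    return ok;
}

int main(void)
{
    printf("buggy handler result (3 = slot reused and other key lost): %d\n", stale_key_result());
    printf("fixed handler keeps key usable: %d\n", demo_fixed_key());
    return 0;
}
```

Build with cc -pthread. On glibc stale_key_result() returns 3: the slot is reused and the other library's key is gone, which is the situation the bug report saw as memory corruption once the slot belonged to the application itself.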
374ba0d2 by Stefan Metzmacher at 2023-09-18T16:55:30+00:00
nsswitch/wb_common.c: fix socket fd and memory leaks of global state
When we are called in wb_atfork_child() or winbind_destructor(),
wb_thread_ctx_destructor() is not called for the global state
of the current nor any other thread, which means we would
leak the related memory and socket fds.
Now we maintain a global list protected by a global mutex.
We traverse the list and close all socket fds, which are no
longer used (winbind_destructor) or no longer valid in the
current process (wb_atfork_child), in addition we 'autofree'
the ones, which are only visible internally as global (per thread)
context.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
Tested-by: Krzysztof Piotr Oledzki <ole at ans.pl>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Sep 14 18:53:07 UTC 2023 on atb-devel-224
(cherry picked from commit 4af3faace481d23869b64485b791bdd43d8972c5)
Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Mon Sep 18 16:55:30 UTC 2023 on atb-devel-224
- - - - -
d70374c3 by Jeremy Allison at 2023-09-20T16:23:32+00:00
s3: libsmb: Add a missing return statement in the timeout case.
Obvious fix (needs a malicious server to recreate).
Found by Robert Morris <rtm at lcs.mit.edu>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15426
Signed-off-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit d27c2f2a47dc488ee32dd28d01697bfc409dff77)
Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Wed Sep 20 16:23:32 UTC 2023 on atb-devel-224
- - - - -
3ac07573 by Jeremy Allison at 2023-09-22T19:34:15+00:00
s3: smbd: Add some DEVELOPER-only code to panic if the destructor for an aio_lnk is called and the associated fsp doesn't exist.
Make this DEVELOPER-only as it walks the entire open
file list on every file close (with associated aio).
This helps catch really subtle problems with orphaned
aio lnk structs.
Reproducer test case to follow.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 82e88f70f181300f6f98691f6680839a94470e13)
- - - - -
68b8a5c4 by Jeremy Allison at 2023-09-22T19:34:15+00:00
s3: smbd: named pipe reads are async. Use the same logic as for named pipe transacts to avoid crashes on shutdown.
Noticed by Metze.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 3f32bf887d4425655e81da0b2234cbca3b1d56e6)
- - - - -
f3d07e12 by Jeremy Allison at 2023-09-22T19:34:15+00:00
s3: smbd: named pipe writes are async. Use the same logic as for named pipe transacts to avoid crashes on shutdown.
Noticed by Metze.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit ea062c3b0d4dbb1f0682f808ac893bf36a6fb194)
- - - - -
09e00c0a by Jeremy Allison at 2023-09-22T19:34:15+00:00
s3: torture: Add a new SMB2 test: SMB2-PIPE-READ-ASYNC-DISCONNECT
Shows the server crashes if we open a named pipe, do an async read
and then disconnect.
Adds knownfail:
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 66398dd03c46633b474438dddb771caa2d245e64)
- - - - -
c30984f0 by Jeremy Allison at 2023-09-22T19:34:15+00:00
s3: smbd: Ensure we remove any pending aio values for named pipes on forced shutdown.
Matches file and directory closes.
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423
Signed-off-by: Jeremy Allison <jra at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Sep 20 02:43:18 UTC 2023 on atb-devel-224
(cherry picked from commit 11280f1705c0faa1729f5aeaa1b6a1f79ab5a199)
- - - - -
9ba1c94e by Joseph Sutton at 2023-09-22T19:34:15+00:00
s4:kdc: Add correct Asserted Identity SID in response to an S4U2Self request
I’m not sure exactly how this check was supposed to work. But in any
case, within fast_unwrap_request() the Heimdal KDC replaces the outer
padata with the padata from the inner FAST request. Hence, this check
does not accomplish anything useful: at no point should the KDC plugin
see the outer padata.
A couple of unwanted consequences resulted from this check. One was that
a client who sent empty FX‐FAST padata within the inner FAST request
would receive the *Authentication Authority* Asserted Identity SID
instead of the *Service* Asserted Identity SID. Another consequence was
that a client could in the same manner bypass the restriction on
performing S4U2Self with an RODC‐issued TGT.
Overall, samba_wdc_is_s4u2self_req() is somewhat of a hack. But the
Heimdal plugin API gives us nothing better to work with.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5c580dbdb3e6a70c8d2f5059e2b7293a7e780414)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477
- - - - -
ebc4bbbf by Volker Lendecke at 2023-09-22T19:34:15+00:00
tests: Add reproducer for BZ15481
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
(cherry picked from commit 56df75d44795582dcecb8676a0d80d6f4a46c7e9)
- - - - -
79101588 by Volker Lendecke at 2023-09-22T20:34:16+00:00
smbd: Fix BZ15481
Bug: https://bugzilla.samba.org/show_bug.cgi?id=15481
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed Sep 20 22:42:48 UTC 2023 on atb-devel-224
(cherry picked from commit 3481bbfede5127e3664bcf464a0ae3dec9247ab7)
Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Fri Sep 22 20:34:16 UTC 2023 on atb-devel-224
- - - - -
5dab2cfd by Jeremy Allison at 2023-10-08T22:05:34+02:00
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra at samba.org>
- - - - -
45d58453 by Jeremy Allison at 2023-10-08T22:05:34+02:00
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.
Add the knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra at samba.org>
- - - - -
f17abf9c by Jeremy Allison at 2023-10-08T22:05:34+02:00
CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra at samba.org>
- - - - -
2ff6cbcd by Ralph Boehme at 2023-10-08T22:05:54+02:00
CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow at samba.org>
- - - - -
6b6495c7 by Ralph Boehme at 2023-10-08T22:05:54+02:00
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow at samba.org>
- - - - -
05c370c4 by Andreas Schneider at 2023-10-08T22:06:12+02:00
CVE-2023-4154 s4:dsdb:tests: Fix code spelling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670)
- - - - -
937e50b1 by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.
We rename tests that would otherwise have duplicate names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c284a922 by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
This helps ensure this test is reliable even in spite of errors while
running.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
e46a30aa by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
Rather than fail, if the last run failed to reset things, just force
the DC into the required state.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
e9cbf161 by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
1eca806c by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f70bdb46 by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication. Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
56c13448 by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
72248a51 by Andrew Bartlett at 2023-10-08T22:06:12+02:00
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.
Having a second access control system within the LDAP stack is unsafe
and this layer is incomplete.
The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access. Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).
Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.
The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5eeba465 by Andrew Bartlett at 2023-10-08T22:06:35+02:00
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
88542d6d by Andrew Bartlett at 2023-10-08T22:06:35+02:00
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
The rpcecho server in source3 does have the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact. However equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
06a434bc by Andrew Bartlett at 2023-10-08T22:06:59+02:00
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.
Most critically of course this applies to netlogon, lsa and samr.
This avoids the supression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
3e6d7e10 by Andrew Bartlett at 2023-10-08T22:06:59+02:00
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.
This means that any duplicates will be noticed early not just
in a race condition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
cb9c3524 by Jule Anger at 2023-10-09T22:14:05+02:00
VERSION: Bump version up to Samba 4.19.1...
and re-enable GIT_SNAPSHOT.
Signed-off-by: Jule Anger <janger at samba.org>
(cherry picked from commit a8c5fe34b639f72c045bc0500d0c053842327556)
- - - - -
67c67785 by Jeremy Allison at 2023-10-09T22:14:05+02:00
CVE-2023-3961:s3:smbd: Catch any incoming pipe path that could exit socket_dir.
For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra at samba.org>
- - - - -
44d59c38 by Jeremy Allison at 2023-10-09T22:14:05+02:00
CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we allow bad pipenames with unix separators through to the UNIX domain socket code.
The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.
Add the knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra at samba.org>
- - - - -
456a758f by Jeremy Allison at 2023-10-09T22:14:05+02:00
CVE-2023-3961:s3: smbd: Remove the SMB_ASSERT() that crashes on bad pipenames.
We correctly handle this and just return ENOENT (NT_STATUS_OBJECT_NAME_NOT_FOUND).
Remove knownfail.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra at samba.org>
- - - - -
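One way to implement the pipe-name check that both sets of CVE-2023-3961 commits above (5dab2cfd/45d58453/f17abf9c and 67c67785/44d59c38/456a758f) describe, as an added example rather than the Samba patch itself: refuse any client-supplied pipe name that is not a single path component before it is joined to socket_dir, and have the caller map the refusal to NT_STATUS_OBJECT_NAME_NOT_FOUND, which the commit notes is what Windows 2022 returns. pipe_name_is_valid, np_path_for, the "<socket_dir>/np/<name>" layout and the sample directory /run/samba/ncalrpc are assumptions for the demo, as are the sample names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Accept only one plain path component (assumed policy, not Samba's code). */
bool pipe_name_is_valid(const char *name)
{
    size_t i, len;

    if (name == NULL) {
        return false;
    }
    len = strlen(name);
    if (len == 0 || len > 255) {            /* demo bound, not a Samba limit */
        return false;
    }
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* '/' lets the name leave socket_dir; '\\' is the SMB separator and
         * should never reach this layer; control bytes are never legitimate. */
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) {
            return false;
        }
    }
    /* "." and ".." carry no separator but still change directory. */
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        return false;
    }
    return true;
}

/*
 * Build "<socket_dir>/np/<name>" for the UNIX domain socket connect.
 * Returns 0 on success, -1 for an invalid name or an undersized buffer;
 * the caller maps -1 to NT_STATUS_OBJECT_NAME_NOT_FOUND.
 */
int np_path_for(const char *socket_dir, const char *name, char *out, size_t outlen)
{
    int n;

    if (!pipe_name_is_valid(name)) {
        return -1;
    }
    n = snprintf(out, outlen, "%s/np/%s", socket_dir, name);
    if (n < 0 || (size_t)n >= outlen) {
        return -1;
    }
    return 0;
}

/* Constructed sample inputs for the demo (not taken from the page). */
int count_accepted_legit_names(void)
{
    static const char *const names[] = { "lsarpc", "samr", "srvsvc", "netlogon", "spoolss" };
    size_t i;
    int n = 0;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        n += pipe_name_is_valid(names[i]) ? 1 : 0;
    }
    return n;
}

int count_rejected_hostile_names(void)
{
    static const char *const names[] = {
        "../../../../tmp/evil", "lsarpc/../../evil", "/tmp/evil",
        "..", "", "lsa\nrpc",
    };
    size_t i;
    int n = 0;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        n += pipe_name_is_valid(names[i]) ? 0 : 1;
    }
    return n;
}

/* Returns 1 if a good name builds the expected path and a bad one is refused. */
int demo_path_build(void)
{
    char buf[64];

    if (np_path_for("/run/samba/ncalrpc", "lsarpc", buf, sizeof(buf)) != 0) {
        return 0;
    }
    if (strcmp(buf, "/run/samba/ncalrpc/np/lsarpc") != 0) {
        return 0;
    }
    return np_path_for("/run/samba/ncalrpc", "../../etc/passwd", buf, sizeof(buf)) == -1;
}

int main(void)
{
    printf("legit accepted: %d, hostile rejected: %d, path demo: %d\n",
           count_accepted_legit_names(), count_rejected_hostile_names(), demo_path_build());
    return 0;
}
```

The check is deliberately an allow-list on the shape of the name rather than a search for ".." so that a separator in any position, not just a traversal sequence, is refused before a path is ever built.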
2761477b by Ralph Boehme at 2023-10-09T22:14:05+02:00
CVE-2023-4091: smbtorture: test overwrite dispositions on read-only file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow at samba.org>
- - - - -
9cd1ad18 by Ralph Boehme at 2023-10-09T22:14:05+02:00
CVE-2023-4091: smbd: use open_access_mask for access check in open_file()
If the client requested FILE_OVERWRITE[_IF], we're implicitly adding
FILE_WRITE_DATA to the open_access_mask in open_file_ntcreate(), but for the
access check we're using access_mask which doesn't contain the additional
right, which means we can end up truncating a file for which the user has
only read-only access via an SD.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow at samba.org>
- - - - -
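The access-check mismatch described in the two CVE-2023-4091 commits above (6b6495c7 and 9cd1ad18), reduced to an added example that is not Samba's open_file() code: the vulnerable check tests only the client's requested access_mask, the fixed one tests the open_access_mask that already carries the FILE_WRITE_DATA implied by FILE_OVERWRITE[_IF]. The access-mask bits and create dispositions are the public NT values; the granted-rights parameter stands in for the rights the evaluated security descriptor gives the caller, and the function names are invented.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Standard NT access-mask bits and SMB2 create dispositions (public values). */
#define FILE_READ_DATA    0x00000001u
#define FILE_WRITE_DATA   0x00000002u

#define FILE_OPEN          1u
#define FILE_OVERWRITE     4u
#define FILE_OVERWRITE_IF  5u

/* What the open will actually do to the file: an overwrite writes data. */
uint32_t effective_open_access_mask(uint32_t access_mask, uint32_t disposition)
{
    uint32_t open_access_mask = access_mask;

    if (disposition == FILE_OVERWRITE || disposition == FILE_OVERWRITE_IF) {
        open_access_mask |= FILE_WRITE_DATA;
    }
    return open_access_mask;
}

/*
 * Before the fix: only the rights the client asked for are compared with
 * what the security descriptor grants, so the implied write is never seen.
 */
bool check_open_vulnerable(uint32_t granted, uint32_t access_mask, uint32_t disposition)
{
    (void)disposition;
    return (access_mask & ~granted) == 0;
}

/* After the fix: the rights the open really needs are compared instead. */
bool check_open_fixed(uint32_t granted, uint32_t access_mask, uint32_t disposition)
{
    uint32_t needed = effective_open_access_mask(access_mask, disposition);

    return (needed & ~granted) == 0;
}

int main(void)
{
    /* Caller whose SD grants read only, opening with read access and
     * FILE_OVERWRITE_IF, i.e. asking the server to truncate the file. */
    uint32_t granted = FILE_READ_DATA;

    printf("vulnerable check lets read-only user truncate: %d\n",
           check_open_vulnerable(granted, FILE_READ_DATA, FILE_OVERWRITE_IF));
    printf("fixed check lets read-only user truncate: %d\n",
           check_open_fixed(granted, FILE_READ_DATA, FILE_OVERWRITE_IF));
    printf("fixed check still allows plain read open: %d\n",
           check_open_fixed(granted, FILE_READ_DATA, FILE_OPEN));
    return 0;
}
```

The same pattern applies to any server that derives extra operations from a request flag: whatever mask drives the operation must be the mask that is checked, otherwise the implied operation bypasses the ACL.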
52c633af by Andreas Schneider at 2023-10-09T22:14:05+02:00
CVE-2023-4154 s4:dsdb:tests: Fix code spelling
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
(cherry picked from commit b29793ffdee5d9b9c1c05830622e80f7faec7670)
- - - - -
c04ec1a2 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154 dsdb/tests: Do not run SimpleDirsyncTests twice
To re-use setup code, the super-class must have no test_*() methods
otherwise these will be run as well as the class-local tests.
We rename tests that would otherwise have duplicate names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b398d8af by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154 dsdb/tests: Use self.addCleanup() and delete_force()
This helps ensure this test is reliable even in spite of errors while
running.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
ad11a871 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154 dsdb/tests: Force the test attribute to be not-confidential at the start
Rather than fail, if the last run failed to reset things, just force
the DC into the required state.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
f7d30cf9 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154 dsdb/tests: Check that secret attributes are not visible with DirSync ever.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
93424793 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154 dsdb/tests: Speed up DirSync test by only checking positive matches once
When we (expect to) get back a result, do not waste time against a potentially
slow server confirming we also get back results for all the other attribute
combinations.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
c443a222 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154 dsdb/tests: Add test for SEARCH_FLAG_RODC_ATTRIBUTE behaviour
SEARCH_FLAG_RODC_ATTRIBUTE should be like SEARCH_FLAG_CONFIDENTIAL,
but for DirSync and DRS replication. Accounts with
GUID_DRS_GET_CHANGES rights should not be able to read this
attribute.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
b55e2c32 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154 dsdb/tests: Extend attribute read DirSync tests
The aim here is to document the expected (even if not implemented)
SEARCH_FLAG_RODC_ATTRIBUTE vs SEARCH_FLAG_CONFIDENTIAL, behaviour, so
that any change once CVE-2023-4154 is fixed can be noted.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
1b321f44 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-4154: Unimplement the original DirSync behaviour without LDAP_DIRSYNC_OBJECT_SECURITY
This makes LDAP_DIRSYNC_OBJECT_SECURITY the only behaviour provided by
Samba.
Having a second access control system within the LDAP stack is unsafe
and this layer is incomplete.
The current system gives all accounts that have been given the
GUID_DRS_GET_CHANGES extended right SYSTEM access. Currently in Samba
this equates to full access to passwords as well as "RODC Filtered
attributes" (often used with confidential attributes).
Rather than attempting to correctly filter for secrets (passwords) and
these filtered attributes, as well as preventing search expressions for
both, we leave this complexity to the acl_read module which has this
facility already well tested.
The implication is that callers will only see and filter by attribute
in DirSync that they could without DirSync.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15424
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
5609c68a by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-42669 s4-rpc_server: Disable rpcecho server by default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
2cb41dd7 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-42669 s3-rpc_server: Disable rpcecho for consistency with the AD DC
The rpcecho server in source3 does have the sleep() feature that
the s4 version has, but the task architecture is different, so there
is not the same impact. However equally this is not something that
should be enabled on production builds of Samba, so restrict to
selftest builds.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
338021c7 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC
Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.
Most critically of course this applies to netlogon, lsa and samr.
This avoids the suppression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
81b816c6 by Andrew Bartlett at 2023-10-09T22:14:05+02:00
CVE-2023-42670 s3-rpc_server: Remove cross-check with "samba" EPM lookup
We now have ensured that no conflicting services attempt to start
so we do not need the runtime lookup and so avoid the risk that
the lookup may fail.
This means that any duplicates will be noticed early not just
in a race condition.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
- - - - -
a4bdbfef by Jule Anger at 2023-10-10T11:04:03+02:00
WHATSNEW: Add release notes for Samba 4.19.1.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
d9e90993 by Jule Anger at 2023-10-10T11:04:49+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.19.1 release.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
6872b662 by Jule Anger at 2023-10-10T17:05:22+02:00
Merge tag 'samba-4.19.1' into v4-19-stable
samba: tag release samba-4.19.1
- - - - -
fe7adbfc by Jule Anger at 2023-10-10T17:46:38+02:00
Merge branch 'v4-19-stable' into v4-19-test
- - - - -
6d875c29 by Jule Anger at 2023-10-10T17:56:21+02:00
VERSION: Bump version up to Samba 4.19.2...
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
14705069 by Martin Schwenke at 2023-10-10T17:42:25+00:00
ctdb-daemon: Call setproctitle_init()
Commit 19c82c19c009eefe975ae95c8b709fc93f5f4c39 changed the behaviour
of prctl_set_comment() so it now calls setproctitle(3bsd) by default.
In some Linux distributions (e.g. Rocky Linux 8.8), this results in
messages like this spamming the logs:
ctdbd: setproctitle not initialized, please either call setproctitle_init() or link against libbsd-ctor.
Most Samba daemons seem to call setproctitle_init(), so do it here.
In the longer term CTDB should also switch to using lib/util's
process_set_title(), like the rest of Samba, for more flexible process
names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15479
Signed-off-by: Martin Schwenke <mschwenke at ddn.com>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Martin Schwenke <martins at samba.org>
Autobuild-Date(master): Thu Sep 21 00:46:50 UTC 2023 on atb-devel-224
(cherry picked from commit 8b9f464420b66cebaf00654cf8b19165b301b8b6)
Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Tue Oct 10 17:42:25 UTC 2023 on atb-devel-224
- - - - -
f0da8219 by Joseph Sutton at 2023-10-16T08:28:32+00:00
CVE-2023-5568 third_party/heimdal: Fix PKINIT freshness token memory handling (Import lorikeet-heimdal-202310092148 (commit 38aa80e35b6b1e16b081fa9c005c03b1e6994204))
The issue here is that only the size of the pointer, not the size
of the structure was allocated with calloc().
This means that the malloc() for the freshness token bytes would
have the memory address written beyond the end of the allocated memory.
Additionally, the allocation was not free()ed, resulting in a memory
leak. This means that a user could trigger ongoing memory allocation
in the server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15491
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3280893ae80507e36653a0c7da03c82b88ece30b)
Autobuild-User(v4-19-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-19-test): Mon Oct 16 08:28:32 UTC 2023 on atb-devel-224
- - - - -
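The allocation bug class behind CVE-2023-5568, as an added C illustration that is not Heimdal's pkinit.c (the struct layout is invented): calloc() sized by sizeof(pointer) instead of sizeof(*pointer), placed next to a parse routine that allocates the object correctly and a matching free routine so nothing leaks on the request path a client can drive. The names freshness_token, freshness_token_parse and freshness_token_free and the sample bytes are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Invented layout; only its size relative to a pointer matters here. */
struct freshness_token {
    size_t length;
    uint8_t *data;
    uint64_t received_at;
};

/* The bug: sizeof(tok) is the size of the pointer, 8 bytes on a 64-bit build. */
size_t wrong_alloc_size(void)
{
    struct freshness_token *tok = NULL;
    return sizeof(tok);
}

/* The fix: sizeof(*tok) is the size of the object the pointer refers to. */
size_t right_alloc_size(void)
{
    struct freshness_token *tok = NULL;
    return sizeof(*tok);
}

/*
 * Allocate the token object at its full size, copy the bytes, and hand the
 * caller a single owner. Returns 0 on success, -1 on bad input or ENOMEM.
 */
int freshness_token_parse(const uint8_t *buf, size_t len, struct freshness_token **out)
{
    struct freshness_token *tok;

    *out = NULL;
    if (buf == NULL || len == 0 || len > 4096) {   /* demo bound on token size */
        return -1;
    }
    tok = calloc(1, sizeof(*tok));
    if (tok == NULL) {
        return -1;
    }
    tok->data = malloc(len);
    if (tok->data == NULL) {
        free(tok);
        return -1;
    }
    memcpy(tok->data, buf, len);
    tok->length = len;
    *out = tok;
    return 0;
}

/* Release both allocations; safe on NULL so error paths can call it blindly. */
void freshness_token_free(struct freshness_token *tok)
{
    if (tok == NULL) {
        return;
    }
    free(tok->data);
    free(tok);
}

/* Round-trips constructed bytes (not a real token) and returns 1 on a match. */
int demo_roundtrip(void)
{
    static const uint8_t sample[] = { 0x30, 0x0a, 0x04, 0x08, 'f', 'r', 'e', 's', 'h', 'n', 'e', 's' };
    struct freshness_token *tok = NULL;
    int ok;

    if (freshness_token_parse(sample, sizeof(sample), &tok) != 0) {
        return 0;
    }
    ok = tok->length == sizeof(sample) && memcmp(tok->data, sample, sizeof(sample)) == 0;
    freshness_token_free(tok);
    return ok;
}

int main(void)
{
    return demo_roundtrip() ? 0 : 1;
}
```

A build with -fsanitize=address reports the out-of-bounds write at once if the pointer-sized allocation is used in the parse routine; the example keeps the bad size only in wrong_alloc_size() so the difference is visible without triggering it. Pairing every parse with a free routine that the KDC calls on both success and error paths is what closes the leak half of the bug.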
7d9af74c by Jule Anger at 2023-10-16T15:41:13+02:00
WHATSNEW: Add release notes for Samba 4.19.2.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
5b54d9e2 by Jule Anger at 2023-10-16T15:41:42+02:00
VERSION: Disable GIT_SNAPSHOT for the 4.19.2 release.
Signed-off-by: Jule Anger <janger at samba.org>
- - - - -
7758b7d9 by Michael Tokarev at 2023-10-16T18:20:38+03:00
New upstream version 4.19.2+dfsg
- - - - -
22 changed files:
- VERSION
- WHATSNEW.txt
- ctdb/server/ctdbd.c
- + nsswitch/b15464-testcase.c
- nsswitch/wb_common.c
- nsswitch/wscript_build
- python/samba/tests/libsmb-basic.py
- source3/libsmb/clidfs.c
- source3/rpc_server/mdssvc/mdssvc.c
- + source3/script/tests/test_smbtorture_nocrash_s3.sh
- source3/selftest/tests.py
- source3/smbd/close.c
- source3/smbd/filename.c
- source3/smbd/smb2_aio.c
- source3/smbd/smb2_read.c
- source3/smbd/smb2_write.c
- source3/torture/proto.h
- source3/torture/test_smb2.c
- source3/torture/torture.c
- source4/kdc/wdc-samba4.c
- + testprogs/blackbox/b15464-testcase.sh
- third_party/heimdal/kdc/pkinit.c
Changes:
=====================================
VERSION
=====================================
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=19
-SAMBA_VERSION_RELEASE=1
+SAMBA_VERSION_RELEASE=2
########################################################
# If a official release has a serious bug #
=====================================
WHATSNEW.txt
=====================================
@@ -1,3 +1,65 @@
+ ==============================
+ Release Notes for Samba 4.19.2
+ October 16, 2023
+ ==============================
+
+
+This is the latest stable release of the Samba 4.19 release series.
+
+
+Changes since 4.19.1
+--------------------
+
+o Jeremy Allison <jra at samba.org>
+ * BUG 15423: Use-after-free in aio_del_req_from_fsp during smbd shutdown
+ after failed IPC FSCTL_PIPE_TRANSCEIVE.
+ * BUG 15426: clidfs.c do_connect() missing a "return" after a cli_shutdown()
+ call.
+
+o Ralph Boehme <slow at samba.org>
+ * BUG 15463: macOS mdfind returns only 50 results.
+
+o Volker Lendecke <vl at samba.org>
+ * BUG 15481: GETREALFILENAME_CACHE can modify incoming new filename with
+ previous cache entry value.
+
+o Stefan Metzmacher <metze at samba.org>
+ * BUG 15464: libnss_winbind causes memory corruption since samba-4.18,
+ impacts sendmail, zabbix, potentially more.
+
+o Martin Schwenke <mschwenke at ddn.com>
+ * BUG 15479: ctdbd: setproctitle not initialized messages flooding logs.
+
+o Joseph Sutton <josephsutton at catalyst.net.nz>
+ * BUG 15491: CVE-2023-5568 Heap buffer overflow with freshness tokens in the
+ Heimdal KDC in Samba 4.19
+ * BUG 15477: The heimdal KDC doesn't detect s4u2self correctly when fast is
+ in use.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical:matrix.org matrix room, or
+#samba-technical IRC channel on irc.libera.chat.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the Samba 4.1 and newer product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
==============================
Release Notes for Samba 4.19.1
October 10, 2023
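Review bot: style point in the BUG 15477 entry: "heimdal" and "fast" should read "Heimdal" and "FAST", matching "Heimdal KDC" in the BUG 15491 entry directly above, and the BUG 15491 entry is the only one without a trailing period. Suggest: "* BUG 15477: The Heimdal KDC doesn't detect S4U2Self correctly when FAST is in use."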
@@ -68,8 +130,7 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
==============================
Release Notes for Samba 4.19.0
September 04, 2023
=====================================
ctdb/server/ctdbd.c
=====================================
@@ -170,6 +170,8 @@ int main(int argc, const char *argv[])
const char *test_mode;
bool ok;
+ setproctitle_init(argc, discard_const(argv), environ);
+
/*
* Basic setup
*/
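Review bot: `environ` is passed to setproctitle_init() but nothing in the hunk declares it; `<unistd.h>` only declares `environ` under _GNU_SOURCE, so confirm ctdbd.c (or a header it includes) carries `extern char **environ;`, otherwise this fails to compile on stricter libcs. The call site itself is fine: it runs before the option parsing below consumes argv.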
=====================================
nsswitch/b15464-testcase.c
=====================================
@@ -0,0 +1,77 @@
+#include "replace.h"
+#include "system/wait.h"
+#include "system/threads.h"
+#include <assert.h>
+
+int main(int argc, const char *argv[])
+{
+ pid_t pid;
+ int wstatus;
+ pthread_key_t k1;
+ pthread_key_t k2;
+ pthread_key_t k3;
+ char *val = NULL;
+ const char *nss_winbind = (argc >= 2 ? argv[1] : "bin/plugins/libnss_winbind.so.2");
+ void *nss_winbind_handle = NULL;
+ union {
+ int (*fn)(void);
+ void *symbol;
+ } nss_winbind_endpwent = { .symbol = NULL, };
+
+ /*
+ * load and invoke something simple like
+ * _nss_winbind_endpwent in order to
+ * get the libnss_winbind internal going
+ */
+ nss_winbind_handle = dlopen(nss_winbind, RTLD_NOW);
+ printf("%d: nss_winbind[%s] nss_winbind_handle[%p]\n",
+ getpid(), nss_winbind, nss_winbind_handle);
+ assert(nss_winbind_handle != NULL);
+
+ nss_winbind_endpwent.symbol = dlsym(nss_winbind_handle,
+ "_nss_winbind_endpwent");
+ printf("%d: nss_winbind_handle[%p] _nss_winbind_endpwent[%p]\n",
+ getpid(), nss_winbind_handle, nss_winbind_endpwent.symbol);
+ assert(nss_winbind_endpwent.symbol != NULL);
+ (void)nss_winbind_endpwent.fn();
+
+ val = malloc(1);
+ assert(val != NULL);
+
+ pthread_key_create(&k1, NULL);
+ pthread_setspecific(k1, val);
+ printf("%d: k1=%d\n", getpid(), k1);
+
+ pid = fork();
+ if (pid) {
+ free(val);
+ wait(&wstatus);
+ return WEXITSTATUS(wstatus);
+ }
+
+ pthread_key_create(&k2, NULL);
+ pthread_setspecific(k2, val);
+
+ printf("%d: Hello after fork, k1=%d, k2=%d\n", getpid(), k1, k2);
+
+ pid = fork();
+
+ if (pid) {
+ free(val);
+ wait(&wstatus);
+ return WEXITSTATUS(wstatus);
+ }
+
+ pthread_key_create(&k3, NULL);
+ pthread_setspecific(k3, val);
+
+ printf("%d: Hello after fork2, k1=%d, k2=%d, k3=%d\n", getpid(), k1, k2, k3);
+
+ if (k1 == k2 || k2 == k3) {
+ printf("%d: FAIL inconsistent keys\n", getpid());
+ return 1;
+ }
+
+ printf("%d: OK consistent keys\n", getpid());
+ return 0;
+}
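Review bot: fork() failure is unhandled in both `if (pid)` checks: a return of -1 is treated as "parent", wait() then fails and the test returns WEXITSTATUS of an uninitialized wstatus; test `pid < 0` and fail explicitly. The pthread_key_create() and pthread_setspecific() return values are also ignored while dlopen()/dlsym() are asserted; assert them too, since the whole test is about key consistency. Minor: pthread_key_t is an unsigned int on glibc, so the `printf("%d: k1=%d\n", ...)` lines should use %u or a cast to avoid format warnings.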
=====================================
nsswitch/wb_common.c
=====================================
@@ -26,6 +26,7 @@
#include "replace.h"
#include "system/select.h"
#include "winbind_client.h"
+#include "lib/util/dlinklist.h"
#include <assert.h>
#ifdef HAVE_PTHREAD_H
@@ -37,74 +38,113 @@ static __thread char client_name[32];
/* Global context */
struct winbindd_context {
+ struct winbindd_context *prev, *next;
int winbindd_fd; /* winbind file descriptor */
bool is_privileged; /* using the privileged socket? */
pid_t our_pid; /* calling process pid */
+ bool autofree; /* this is a thread global context */
};
static struct wb_global_ctx {
- bool initialized;
#ifdef HAVE_PTHREAD
pthread_once_t control;
pthread_key_t key;
+ bool key_initialized;
+#ifdef PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP
+#define WB_GLOBAL_MUTEX_INITIALIZER PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP
#else
- bool dummy;
+#define WB_GLOBAL_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
#endif
+#define WB_GLOBAL_LIST_LOCK do { \
+ int __pret = pthread_mutex_lock(&wb_global_ctx.list_mutex); \
+ assert(__pret == 0); \
+} while(0)
+#define WB_GLOBAL_LIST_UNLOCK do { \
+ int __pret = pthread_mutex_unlock(&wb_global_ctx.list_mutex); \
+ assert(__pret == 0); \
+} while(0)
+ pthread_mutex_t list_mutex;
+#else /* => not HAVE_PTHREAD */
+#define WB_GLOBAL_LIST_LOCK do { } while(0)
+#define WB_GLOBAL_LIST_UNLOCK do { } while(0)
+#endif /* not HAVE_PTHREAD */
+ struct winbindd_context *list;
} wb_global_ctx = {
#ifdef HAVE_PTHREAD
.control = PTHREAD_ONCE_INIT,
+ .list_mutex = WB_GLOBAL_MUTEX_INITIALIZER,
#endif
+ .list = NULL,
};
static void winbind_close_sock(struct winbindd_context *ctx);
+static void winbind_ctx_free_locked(struct winbindd_context *ctx);
+static void winbind_cleanup_list(void);
#ifdef HAVE_PTHREAD
static void wb_thread_ctx_initialize(void);
-static void wb_atfork_child(void)
+static void wb_atfork_prepare(void)
{
- struct winbindd_context *ctx = NULL;
- int ret;
+ WB_GLOBAL_LIST_LOCK;
+}
- ctx = (struct winbindd_context *)pthread_getspecific(wb_global_ctx.key);
- if (ctx == NULL) {
- return;
- }
+static void wb_atfork_parent(void)
+{
+ WB_GLOBAL_LIST_UNLOCK;
+}
- ret = pthread_setspecific(wb_global_ctx.key, NULL);
- assert(ret == 0);
+static void wb_atfork_child(void)
+{
+ wb_global_ctx.list_mutex = (pthread_mutex_t)WB_GLOBAL_MUTEX_INITIALIZER;
- winbind_close_sock(ctx);
- free(ctx);
+ if (wb_global_ctx.key_initialized) {
+ int ret;
- ret = pthread_key_delete(wb_global_ctx.key);
- assert(ret == 0);
+ /*
+ * After a fork the child still believes
+ * it is the same thread as in the parent.
+ * So pthread_getspecific() would return the
+ * value of the thread that called fork().
+ *
+ * But we don't want that behavior, so
+ * we just clear the reference and let
+ * winbind_cleanup_list() below 'autofree'
+ * the parent threads global context.
+ */
+ ret = pthread_setspecific(wb_global_ctx.key, NULL);
+ assert(ret == 0);
+ }
- wb_global_ctx.control = (pthread_once_t)PTHREAD_ONCE_INIT;
+ /*
+ * But we need to close/cleanup the global state
+ * of the parents threads.
+ */
+ winbind_cleanup_list();
}
static void wb_thread_ctx_destructor(void *p)
{
struct winbindd_context *ctx = (struct winbindd_context *)p;
- winbind_close_sock(ctx);
- free(ctx);
+ winbindd_ctx_free(ctx);
}
static void wb_thread_ctx_initialize(void)
{
int ret;
- ret = pthread_atfork(NULL,
- NULL,
+ ret = pthread_atfork(wb_atfork_prepare,
+ wb_atfork_parent,
wb_atfork_child);
assert(ret == 0);
ret = pthread_key_create(&wb_global_ctx.key,
wb_thread_ctx_destructor);
assert(ret == 0);
+
+ wb_global_ctx.key_initialized = true;
}
-#endif
static struct winbindd_context *get_wb_thread_ctx(void)
{
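Review bot: `__pret` in WB_GLOBAL_LIST_LOCK/WB_GLOBAL_LIST_UNLOCK is in the reserved identifier namespace (leading double underscore); rename it (e.g. `pret_`). Defining those macros inside the body of `struct wb_global_ctx` is also hard to follow; move them next to the struct definition. The reinitialization of `list_mutex` in wb_atfork_child() via compound-literal assignment is the expected pattern for a child that inherits a mutex locked by wb_atfork_prepare(), but a one-line comment saying so (and that the key is deliberately kept rather than deleted, unlike the old code) would help the next reader.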
@@ -129,9 +169,14 @@ static struct winbindd_context *get_wb_thread_ctx(void)
*ctx = (struct winbindd_context) {
.winbindd_fd = -1,
.is_privileged = false,
- .our_pid = 0
+ .our_pid = 0,
+ .autofree = true,
};
+ WB_GLOBAL_LIST_LOCK;
+ DLIST_ADD_END(wb_global_ctx.list, ctx);
+ WB_GLOBAL_LIST_UNLOCK;
+
ret = pthread_setspecific(wb_global_ctx.key, ctx);
if (ret != 0) {
free(ctx);
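Review bot: use-after-free on the error path: ctx is linked into `wb_global_ctx.list` via DLIST_ADD_END before pthread_setspecific(), but when pthread_setspecific() fails the code does a bare `free(ctx)` and leaves the dangling pointer in the list, which winbind_cleanup_list() or winbind_destructor() will later walk. Replace the bare free with the locked removal, i.e. `WB_GLOBAL_LIST_LOCK; winbind_ctx_free_locked(ctx); WB_GLOBAL_LIST_UNLOCK;`.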
@@ -139,6 +184,7 @@ static struct winbindd_context *get_wb_thread_ctx(void)
}
return ctx;
}
+#endif /* HAVE_PTHREAD */
static struct winbindd_context *get_wb_global_ctx(void)
{
@@ -147,7 +193,8 @@ static struct winbindd_context *get_wb_global_ctx(void)
static struct winbindd_context _ctx = {
.winbindd_fd = -1,
.is_privileged = false,
- .our_pid = 0
+ .our_pid = 0,
+ .autofree = false,
};
#endif
@@ -155,9 +202,11 @@ static struct winbindd_context *get_wb_global_ctx(void)
ctx = get_wb_thread_ctx();
#else
ctx = &_ctx;
+ if (ctx->prev == NULL && ctx->next == NULL) {
+ DLIST_ADD_END(wb_global_ctx.list, ctx);
+ }
#endif
- wb_global_ctx.initialized = true;
return ctx;
}
@@ -231,6 +280,30 @@ static void winbind_close_sock(struct winbindd_context *ctx)
}
}
+static void winbind_ctx_free_locked(struct winbindd_context *ctx)
+{
+ winbind_close_sock(ctx);
+ DLIST_REMOVE(wb_global_ctx.list, ctx);
+ free(ctx);
+}
+
+static void winbind_cleanup_list(void)
+{
+ struct winbindd_context *ctx = NULL, *next = NULL;
+
+ WB_GLOBAL_LIST_LOCK;
+ for (ctx = wb_global_ctx.list; ctx != NULL; ctx = next) {
+ next = ctx->next;
+
+ if (ctx->autofree) {
+ winbind_ctx_free_locked(ctx);
+ } else {
+ winbind_close_sock(ctx);
+ }
+ }
+ WB_GLOBAL_LIST_UNLOCK;
+}
+
/* Destructor for global context to ensure fd is closed */
#ifdef HAVE_DESTRUCTOR_ATTRIBUTE
@@ -240,22 +313,18 @@ __attribute__((destructor))
#endif
static void winbind_destructor(void)
{
- struct winbindd_context *ctx;
-
- if (!wb_global_ctx.initialized) {
- return;
+#ifdef HAVE_PTHREAD
+ if (wb_global_ctx.key_initialized) {
+ int ret;
+ ret = pthread_key_delete(wb_global_ctx.key);
+ assert(ret == 0);
+ wb_global_ctx.key_initialized = false;
}
-#ifdef HAVE_PTHREAD_H
- ctx = (struct winbindd_context *)pthread_getspecific(wb_global_ctx.key);
- if (ctx == NULL) {
- return;
- }
-#else
- ctx = get_wb_global_ctx();
-#endif
+ wb_global_ctx.control = (pthread_once_t)PTHREAD_ONCE_INIT;
+#endif /* HAVE_PTHREAD */
- winbind_close_sock(ctx);
+ winbind_cleanup_list();
}
#define CONNECT_TIMEOUT 30
@@ -937,11 +1006,16 @@ struct winbindd_context *winbindd_ctx_create(void)
ctx->winbindd_fd = -1;
+ WB_GLOBAL_LIST_LOCK;
+ DLIST_ADD_END(wb_global_ctx.list, ctx);
+ WB_GLOBAL_LIST_UNLOCK;
+
return ctx;
}
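Review bot: the context created here is now linked into `wb_global_ctx.list`, but the hunk does not show `autofree` being set. If the allocation above is a plain malloc rather than a zeroing allocator, winbind_cleanup_list() in a forked child reads an indeterminate `autofree` and may free a caller-owned context. Set `ctx->autofree = false;` explicitly next to `ctx->winbindd_fd = -1;` so the intent does not depend on the allocator.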
void winbindd_ctx_free(struct winbindd_context *ctx)
{
- winbind_close_sock(ctx);
- free(ctx);
+ WB_GLOBAL_LIST_LOCK;
+ winbind_ctx_free_locked(ctx);
+ WB_GLOBAL_LIST_UNLOCK;
}
=====================================
nsswitch/wscript_build
=====================================
@@ -15,6 +15,11 @@ if bld.CONFIG_SET('HAVE_PTHREAD'):
deps='wbclient pthread',
for_selftest=True
)
+ bld.SAMBA_BINARY('b15464-testcase',
+ source='b15464-testcase.c',
+ deps='replace pthread dl',
+ for_selftest=True
+ )
# The nss_wrapper code relies strictly on the linux implementation and
# name, so compile but do not install a copy under this name.
=====================================
python/samba/tests/libsmb-basic.py
=====================================
@@ -215,6 +215,33 @@ class LibsmbTestCase(samba.tests.libsmb.LibsmbTests):
c1.unlink("x")
c1 = None
+ def test_gencache_pollution_bz15481(self):
+ c = libsmb.Conn(self.server_ip, "tmp", self.lp, self.creds)
+ fh = c.create("file",
+ DesiredAccess=security.SEC_STD_DELETE,
+ CreateDisposition=libsmb.FILE_CREATE)
+
+ # prime the gencache File->file
+ fh_upper = c.create("File",
+ DesiredAccess=security.SEC_FILE_READ_ATTRIBUTE,
+ CreateDisposition=libsmb.FILE_OPEN)
+ c.close(fh_upper)
+
+ c.delete_on_close(fh, 1)
+ c.close(fh)
+
+ fh = c.create("File",
+ DesiredAccess=security.SEC_STD_DELETE,
+ CreateDisposition=libsmb.FILE_CREATE)
+
+ directory = c.list("\\", "File")
+
+ c.delete_on_close(fh, 1)
+ c.close(fh)
+
+ # Without the bugfix for 15481 we get 'file' not 'File'
+ self.assertEqual(directory[0]['name'], 'File')
+
if __name__ == "__main__":
import unittest
unittest.main()
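Review bot: `directory[0]['name']` raises IndexError instead of a readable assertion if `c.list("\\", "File")` returns nothing (e.g. the earlier delete-on-close did not take effect); add `self.assertEqual(len(directory), 1)` before the name check. Consider also asserting the pre-fix behaviour is what the comment claims by checking the name is not 'file', so a future regression produces a message that names the bug.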
=====================================
source3/libsmb/clidfs.c
=====================================
@@ -202,6 +202,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
c->timeout,
smbXcli_conn_remote_name(c->conn));
cli_shutdown(c);
+ return status;
} else if (!NT_STATUS_IS_OK(status)) {
d_printf("Protocol negotiation to server %s (for a protocol between %s and %s) failed: %s\n",
smbXcli_conn_remote_name(c->conn),
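Review bot: the added `return status;` is needed because cli_shutdown(c) frees `c` and the `else if` branch below dereferences `c->conn`. The condition of this branch is outside the hunk, so confirm `status` is a failure code on this path; if it could be NT_STATUS_OK the caller would proceed with a freed connection.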
=====================================
source3/rpc_server/mdssvc/mdssvc.c
=====================================
@@ -313,11 +313,11 @@ static bool add_results(sl_array_t *array, struct sl_query *slq)
bool ok;
/*
- * Taken from a network trace against a macOS SMB Spotlight server. If
- * the first fetch-query-results has no results yet because the search
- * is still running, macOS returns 0x23, otherwise 0x0.
+ * Taken from network traces against a macOS SMB Spotlight server: if
+ * the search is not finished yet in the backend macOS returns 0x23,
+ * otherwise 0x0.
*/
- if (slq->state >= SLQ_STATE_RESULTS ) {
+ if (slq->state >= SLQ_STATE_DONE) {
status = 0;
} else {
status = 0x23;
=====================================
source3/script/tests/test_smbtorture_nocrash_s3.sh
=====================================
@@ -0,0 +1,38 @@
+#!/bin/sh
+
+. $(dirname $0)/../../../testprogs/blackbox/subunit.sh
+
+# this runs the file serving tests that are expected to pass with samba3
+
+if [ $# -lt 5 ]; then
+ cat <<EOF
+Usage: test_smbtorture_s3.sh TEST UNC USERNAME PASSWORD SMBTORTURE <smbtorture args>
+EOF
+ exit 1
+fi
+
+t="$1"
+unc="$2"
+username="$3"
+password="$4"
+SMBTORTURE="$5"
+shift 5
+ADDARGS="$*"
+
+incdir=$(dirname $0)/../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+panic_count_0=$(grep -c PANIC $SMBD_TEST_LOG)
+
+echo "$panic_count_0" >/tmp/look
+
+failed=0
+testit "smbtorture" $VALGRIND $SMBTORTURE $unc -U"$username"%"$password" $ADDARGS $t || failed=$(expr $failed + 1)
+
+panic_count_1=$(grep -c PANIC $SMBD_TEST_LOG)
+
+echo "$panic_count_1" >>/tmp/look
+
+testit "check_panic" test $panic_count_0 -eq $panic_count_1 || failed=$(expr $failed + 1)
+
+testok $0 $failed
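Review bot: `echo "$panic_count_0" >/tmp/look` and `echo "$panic_count_1" >>/tmp/look` look like leftover debugging; writing to a fixed name in world-writable /tmp is a symlink/clobber hazard on shared test hosts and leaks state between runs, so drop them. subunit.sh is sourced twice (once via the absolute `testprogs/blackbox` path, again via `$incdir`), the usage text names `test_smbtorture_s3.sh` instead of `test_smbtorture_nocrash_s3.sh`, and `$SMBD_TEST_LOG` should be quoted and checked for being set so the panic-count comparison does not degrade into a shell syntax error when it is missing.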
=====================================
source3/selftest/tests.py
=====================================
@@ -67,6 +67,8 @@ except KeyError:
samba4bindir = bindir()
config_h = os.path.join(samba4bindir, "default/include/config.h")
+bbdir = os.path.join(srcdir(), "testprogs/blackbox")
+
# check available features
config_hash = dict()
f = open(config_h, 'r')
@@ -493,6 +495,22 @@ plantestsuite("samba3.smbtorture_s3.plain.%s" % "SMB2-DEL-ON-CLOSE-NONWRITE-DELE
"",
"-l $LOCAL_PATH"])
+#
+# Test doing an async read + disconnect on a pipe doesn't crash the server.
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423
+#
+plantestsuite("samba3.smbtorture_s3.plain.%s" % "SMB2-PIPE-READ-ASYNC-DISCONNECT",
+ "fileserver",
+ [os.path.join(samba3srcdir,
+ "script/tests/test_smbtorture_nocrash_s3.sh"),
+ 'SMB2-PIPE-READ-ASYNC-DISCONNECT',
+ '//$SERVER_IP/tmp',
+ '$USERNAME',
+ '$PASSWORD',
+ smbtorture3,
+ "",
+ "-l $LOCAL_PATH"])
+
shares = [
"vfs_aio_pthread_async_dosmode_default1",
"vfs_aio_pthread_async_dosmode_default2"
@@ -972,6 +990,10 @@ if with_pthreadpool:
[os.path.join(samba3srcdir,
"script/tests/test_libwbclient_threads.sh"),
"$DOMAIN", "$DC_USERNAME"])
+ plantestsuite("b15464_testcase", "none",
+ [os.path.join(bbdir, "b15464-testcase.sh"),
+ binpath("b15464-testcase"),
+ binpath("plugins/libnss_winbind.so.2")])
plantestsuite("samba3.test_nfs4_acl", "none",
[os.path.join(bindir(), "test_nfs4_acls"),
=====================================
source3/smbd/close.c
=====================================
@@ -1630,6 +1630,14 @@ NTSTATUS close_file_smb(struct smb_request *req,
SMB_ASSERT(fsp->stream_fsp == NULL);
if (fsp->fake_file_handle != NULL) {
+ /*
+ * Named pipes are opened as fake files and
+ * can have pending aio requests. Ensure
+ * we clear out all pending aio on force
+ * shutdown of named pipes also.
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423
+ */
+ assert_no_pending_aio(fsp, close_type);
status = close_fake_file(req, fsp);
} else if (fsp->print_file != NULL) {
/* FIXME: return spool errors */
=====================================
source3/smbd/filename.c
=====================================
@@ -784,6 +784,7 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
if (lp_stat_cache()) {
char *base_name = smb_fname_rel->base_name;
+ char *original_relname = NULL;
DATA_BLOB value = { .data = NULL };
ok = get_real_filename_cache_key(
@@ -805,7 +806,13 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
}
DO_PROFILE_INC(statcache_hits);
- TALLOC_FREE(smb_fname_rel->base_name);
+ /*
+ * For the "new filename" case we need to preserve the
+ * capitalization the client sent us, see
+ * https://bugzilla.samba.org/show_bug.cgi?id=15481
+ */
+ original_relname = smb_fname_rel->base_name;
+
smb_fname_rel->base_name = talloc_memdup(
smb_fname_rel, value.data, value.length);
if (smb_fname_rel->base_name == NULL) {
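Review bot: ownership of the old `base_name` moves into `original_relname`, but the only restore shown is in the next hunk after memcache_delete(). The talloc_memdup() failure branch starting at the last line here leaves `smb_fname_rel->base_name` NULL; check that it either restores `smb_fname_rel->base_name = original_relname;` or frees `original_relname` before returning, otherwise the caller sees a NULL base_name on ENOMEM.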
@@ -823,10 +830,13 @@ static NTSTATUS openat_pathref_fsp_case_insensitive(
status = openat_pathref_fsp(dirfsp, smb_fname_rel);
if (NT_STATUS_IS_OK(status)) {
TALLOC_FREE(cache_key.data);
+ TALLOC_FREE(original_relname);
return NT_STATUS_OK;
}
memcache_delete(NULL, GETREALFILENAME_CACHE, cache_key);
+ TALLOC_FREE(smb_fname_rel->base_name);
+ smb_fname_rel->base_name = original_relname;
}
lookup:
=====================================
source3/smbd/smb2_aio.c
=====================================
@@ -64,6 +64,9 @@ struct aio_extra *create_aio_extra(TALLOC_CTX *mem_ctx,
}
struct aio_req_fsp_link {
+#ifdef DEVELOPER
+ struct smbd_server_connection *sconn;
+#endif
files_struct *fsp;
struct tevent_req *req;
};
@@ -74,6 +77,24 @@ static int aio_del_req_from_fsp(struct aio_req_fsp_link *lnk)
files_struct *fsp = lnk->fsp;
struct tevent_req *req = lnk->req;
+#ifdef DEVELOPER
+ struct files_struct *ifsp = NULL;
+ bool found = false;
+
+ /*
+ * When this is called, lnk->fsp must still exist
+ * on the files list for this connection. Panic if not.
+ */
+ for (ifsp = lnk->sconn->files; ifsp; ifsp = ifsp->next) {
+ if (ifsp == fsp) {
+ found = true;
+ }
+ }
+ if (!found) {
+ smb_panic("orphaned lnk on fsp aio list.\n");
+ }
+#endif
+
for (i=0; i<fsp->num_aio_requests; i++) {
if (fsp->aio_requests[i] == req) {
break;
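Review bot: the DEVELOPER consistency loop does not `break` after `found = true`, so every aio request release walks the entire `sconn->files` list; add a break. The `lnk->sconn` dereference is only safe because aio_add_req_to_fsp() sets it (later hunk); a short comment on the struct field noting it is DEVELOPER-only and always populated there would make that dependency explicit. Minor: smb_panic() messages elsewhere do not end in "\n".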
@@ -130,6 +151,9 @@ bool aio_add_req_to_fsp(files_struct *fsp, struct tevent_req *req)
lnk->fsp = fsp;
lnk->req = req;
+#ifdef DEVELOPER
+ lnk->sconn = fsp->conn->sconn;
+#endif
talloc_set_destructor(lnk, aio_del_req_from_fsp);
return true;
=====================================
source3/smbd/smb2_read.c
=====================================
@@ -494,6 +494,7 @@ static struct tevent_req *smbd_smb2_read_send(TALLOC_CTX *mem_ctx,
if (IS_IPC(smbreq->conn)) {
struct tevent_req *subreq = NULL;
+ bool ok;
state->out_data = data_blob_talloc(state, NULL, in_length);
if (in_length > 0 && tevent_req_nomem(state->out_data.data, req)) {
@@ -515,6 +516,18 @@ static struct tevent_req *smbd_smb2_read_send(TALLOC_CTX *mem_ctx,
tevent_req_set_callback(subreq,
smbd_smb2_read_pipe_done,
req);
+
+ /*
+ * Make sure we mark the fsp as having outstanding async
+ * activity so we don't crash on shutdown close.
+ */
+
+ ok = aio_add_req_to_fsp(fsp, req);
+ if (!ok) {
+ tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
+ return tevent_req_post(req, ev);
+ }
+
return req;
}
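Review bot: aio_add_req_to_fsp() runs after `subreq` has already been sent and its callback set, so on failure the function posts NT_STATUS_NO_MEMORY on `req` while the pipe read is still in flight. That is only safe if `subreq` is a talloc child of `req` (the allocation is outside the hunk), so either confirm that or move the aio_add_req_to_fsp() call before the `*_send` so no pipe request is issued when registration fails.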
=====================================
source3/smbd/smb2_write.c
=====================================
@@ -307,6 +307,7 @@ static struct tevent_req *smbd_smb2_write_send(TALLOC_CTX *mem_ctx,
if (IS_IPC(smbreq->conn)) {
struct tevent_req *subreq = NULL;
+ bool ok;
if (!fsp_is_np(fsp)) {
tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
@@ -323,6 +324,18 @@ static struct tevent_req *smbd_smb2_write_send(TALLOC_CTX *mem_ctx,
tevent_req_set_callback(subreq,
smbd_smb2_write_pipe_done,
req);
+
+ /*
+ * Make sure we mark the fsp as having outstanding async
+ * activity so we don't crash on shutdown close.
+ */
+
+ ok = aio_add_req_to_fsp(fsp, req);
+ if (!ok) {
+ tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
+ return tevent_req_post(req, ev);
+ }
+
return req;
}
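Review bot: same ordering concern as in smb2_read.c: aio_add_req_to_fsp() is called after `subreq` is already issued, so on failure the error is posted while the write is still outstanding; confirm `subreq` is parented on `req` or register with the fsp before sending.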
=====================================
source3/torture/proto.h
=====================================
@@ -124,6 +124,7 @@ bool run_smb2_dfs_paths(int dummy);
bool run_smb2_non_dfs_share(int dummy);
bool run_smb2_dfs_share_non_dfs_path(int dummy);
bool run_smb2_dfs_filename_leading_backslash(int dummy);
+bool run_smb2_pipe_read_async_disconnect(int dummy);
bool run_smb2_invalid_pipename(int dummy);
bool run_smb1_dfs_paths(int dummy);
bool run_smb1_dfs_search_paths(int dummy);
=====================================
source3/torture/test_smb2.c
=====================================
@@ -5137,6 +5137,123 @@ bool run_smb2_dfs_filename_leading_backslash(int dummy)
return retval;
}
+/*
+ * Ensure a named pipe async read followed by a disconnect
+ * doesn't crash the server (server crash checked for in
+ * containing test script:
+ * source3/script/tests/test_smbtorture_nocrash_s3.sh)
+ * BUG: https://bugzilla.samba.org/show_bug.cgi?id=15423
+ */
+
+bool run_smb2_pipe_read_async_disconnect(int dummy)
+{
+ struct cli_state *cli = NULL;
+ NTSTATUS status;
+ uint64_t fid_persistent = 0;
+ uint64_t fid_volatile = 0;
+ struct tevent_context *ev;
+ struct tevent_req *req;
+ bool retval = false;
+
+ printf("Starting SMB2-PIPE-READ-ASYNC-DISCONNECT\n");
+
+ if (!torture_init_connection(&cli)) {
+ return false;
+ }
+
+ status = smbXcli_negprot(cli->conn,
+ cli->timeout,
+ PROTOCOL_SMB2_02,
+ PROTOCOL_SMB3_11);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("smbXcli_negprot returned %s\n", nt_errstr(status));
+ return false;
+ }
+
+ status = cli_session_setup_creds(cli, torture_creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_session_setup returned %s\n", nt_errstr(status));
+ return false;
+ }
+
+ status = cli_tree_connect_creds(cli, "IPC$", "IPC", torture_creds);
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("cli_tree_connect to IPC$ returned %s\n",
+ nt_errstr(status));
+ return false;
+ }
+
+ /* Open the SAMR pipe. */
+ status = smb2cli_create(cli->conn,
+ cli->timeout,
+ cli->smb2.session,
+ cli->smb2.tcon,
+ "SAMR",
+ SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */
+ SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */
+ SEC_STD_SYNCHRONIZE|
+ SEC_FILE_READ_DATA|
+ SEC_FILE_WRITE_DATA, /* desired_access, */
+ FILE_ATTRIBUTE_NORMAL, /* file_attributes, */
+ FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */
+ FILE_OPEN, /* create_disposition, */
+ 0, /* create_options, */
+ NULL, /* smb2_create_blobs *blobs */
+ &fid_persistent,
+ &fid_volatile,
+ NULL, /* struct smb_create_returns * */
+ talloc_tos(), /* mem_ctx. */
+ NULL, /* struct smb2_create_blobs * */
+ NULL); /* psymlink */
+ if (!NT_STATUS_IS_OK(status)) {
+ printf("%s:%d smb2cli_create on SAMR returned %s\n",
+ __FILE__,
+ __LINE__,
+ nt_errstr(status));
+ goto err;
+ }
+
+ ev = samba_tevent_context_init(talloc_tos());
+ if (ev == NULL) {
+ goto err;
+ }
+
+ /* Start an async read. */
+ req = smb2cli_read_send(talloc_tos(),
+ ev,
+ cli->conn,
+ cli->timeout,
+ cli->smb2.session,
+ cli->smb2.tcon,
+ 16*1024,
+ 0, /* offset */
+ fid_persistent,
+ fid_volatile,
+ 0, /* minimum_count */
+ 0); /* remaining_bytes */
+ if (req == NULL) {
+ goto err;
+ }
+
+ /* Force disconnect. */
+ smbXcli_conn_disconnect(cli->conn, NT_STATUS_LOCAL_DISCONNECT);
+ fid_volatile = 0;
+ retval = true;
+
+ err:
+
+ if (fid_volatile != 0) {
+ smb2cli_close(cli->conn,
+ cli->timeout,
+ cli->smb2.session,
+ cli->smb2.tcon,
+ 0, /* flags */
+ fid_persistent,
+ fid_volatile);
+ }
+ return retval;
+}
+
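Review bot: the three `return false` paths after torture_init_connection() succeeds (negprot, session setup, tree connect) skip any cleanup of `cli`; route them through `err:` like the later failures. The async read `req` is deliberately abandoned after smbXcli_conn_disconnect() and `ev` is never run, which is the point of the test, so say that in a comment next to `fid_volatile = 0;` (the server-side check lives in test_smbtorture_nocrash_s3.sh, as the header comment notes) so nobody "fixes" it by waiting on the request.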
bool run_smb2_invalid_pipename(int dummy)
{
struct cli_state *cli = NULL;
=====================================
source3/torture/torture.c
=====================================
@@ -15727,6 +15727,10 @@ static struct {
.name = "SMB2-QUOTA1",
.fn = run_smb2_quota1,
},
+ {
+ .name = "SMB2-INVALID-PIPENAME",
+ .fn = run_smb2_invalid_pipename,
+ },
{
.name = "SMB2-STREAM-ACL",
.fn = run_smb2_stream_acl,
@@ -15764,8 +15768,8 @@ static struct {
.fn = run_smb2_dfs_filename_leading_backslash,
},
{
- .name = "SMB2-INVALID-PIPENAME",
- .fn = run_smb2_invalid_pipename,
+ .name = "SMB2-PIPE-READ-ASYNC-DISCONNECT",
+ .fn = run_smb2_pipe_read_async_disconnect,
},
{
.name = "SMB1-TRUNCATED-SESSSETUP",
=====================================
source4/kdc/wdc-samba4.c
=====================================
@@ -37,7 +37,6 @@
static bool samba_wdc_is_s4u2self_req(astgs_request_t r)
{
- krb5_kdc_configuration *config = kdc_request_get_config((kdc_request_t)r);
const KDC_REQ *req = kdc_request_get_req(r);
const PA_DATA *pa_for_user = NULL;
@@ -45,27 +44,6 @@ static bool samba_wdc_is_s4u2self_req(astgs_request_t r)
return false;
}
- if (config->enable_fast && req->padata != NULL) {
- const PA_DATA *pa_fx_fast = NULL;
- int idx = 0;
-
- pa_fx_fast = krb5_find_padata(req->padata->val,
- req->padata->len,
- KRB5_PADATA_FX_FAST,
- &idx);
- if (pa_fx_fast != NULL) {
- /*
- * We're in the outer request
- * with KRB5_PADATA_FX_FAST
- * if fast is enabled we'll
- * process the s4u2self
- * request only in the
- * inner request.
- */
- return false;
- }
- }
-
if (req->padata != NULL) {
int idx = 0;
=====================================
testprogs/blackbox/b15464-testcase.sh
=====================================
@@ -0,0 +1,21 @@
+#!/bin/sh
+# Blackbox wrapper for bug 15464
+# Copyright (C) 2023 Stefan Metzmacher
+
+if [ $# -lt 2 ]; then
+ cat <<EOF
+Usage: b15464-testcase.sh B15464_TESTCASE LIBNSS_WINBIND
+EOF
+ exit 1
+fi
+
+b15464_testcase=$1
+libnss_winbind=$2
+shift 2
+failed=0
+
+. $(dirname $0)/subunit.sh
+
+testit "run b15464-testcase" $VALGRIND $b15464_testcase $libnss_winbind || failed=$(expr $failed + 1)
+
+testok $0 $failed
=====================================
third_party/heimdal/kdc/pkinit.c
=====================================
@@ -180,6 +180,9 @@ _kdc_pk_free_client_param(krb5_context context, pk_client_params *cp)
hx509_peer_info_free(cp->peer);
if (cp->client_anchors)
hx509_certs_free(&cp->client_anchors);
+ if (cp->freshness_token)
+ der_free_octet_string(cp->freshness_token);
+ free(cp->freshness_token);
memset(cp, 0, sizeof(*cp));
free(cp);
}
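Review bot: `free(cp->freshness_token);` sits outside the `if (cp->freshness_token)` guard. free(NULL) is harmless, but with the file's brace-less `if` style the unconditional free reads as if it were guarded; put both calls in a braced block under the `if` to match the `hx509_certs_free` pattern above and avoid the misleading indentation.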
@@ -776,7 +779,7 @@ _kdc_pk_rd_padata(astgs_request_t priv,
* Copy the freshness token into the out parameters if it is present.
*/
if (ap.pkAuthenticator.freshnessToken != NULL) {
- cp->freshness_token = calloc(1, sizeof (cp->freshness_token));
+ cp->freshness_token = calloc(1, sizeof (*cp->freshness_token));
if (cp->freshness_token == NULL) {
ret = ENOMEM;
free_AuthPack(&ap);
View it on GitLab: https://salsa.debian.org/samba-team/samba/-/compare/8c3fc86511a8d10cad2e752cae20062d70c9c997...7758b7d97d6965d124ba5a830ad78446a46160a5