[Pkg-samba-maint] Bug#1053128: smbclient: "smbtree -N" causes a segfault when "server min protocol = NT1"
Bernhard Übelacker
bernhardu at mailbox.org
Sat May 4 16:48:11 BST 2024
Hello,
I am not a samba maintainer, just trying to collect some more information.
As far as I can see, the crash happens
because "cli_credentials_get_password(creds)" in line 62
returns a null pointer, which is then passed on as the source string
to strlcpy without any further check (the backtrace below shows src=0x0).
Kind regards,
Bernhard
(rr) reverse-finish
Run back to call of #0 strlcpy (dst=0x7fff875c0640 "", src=0x0, dsize=<optimized out>) at ./src/strlcpy.c:36
0x00005574e9c43c8c in get_auth_data_with_context_fn (context=<optimized out>, server=<optimized out>, share=<optimized out>, domain=<optimized out>, domain_len=<optimized out>, user=<optimized out>, user_len=256, password=0x7fff875c0640 "", password_len=256) at source3/utils/smbtree.c:61
61 len = strlcpy(
(rr) bt
#0 0x00005574e9c43c8c in get_auth_data_with_context_fn (context=<optimized out>, server=<optimized out>, share=<optimized out>, domain=<optimized out>, domain_len=<optimized out>, user=<optimized out>, user_len=256, password=0x7fff875c0640 "", password_len=256) at source3/utils/smbtree.c:61
#1 0x00007f9851ec6510 in SMBC_call_auth_fn (ctx=ctx at entry=0x5574eb8ba610, context=context at entry=0x5574eb8b7900, server=server at entry=0x5574eb8c9fe0 "10.0.2.15", share=share at entry=0x7f9851ed46a4 "IPC$", pp_workgroup=pp_workgroup at entry=0x7fff875c09b8, pp_username=pp_username at entry=0x7fff875c09a0, pp_password=0x7fff875c09a8) at source3/libsmb/libsmb_server.c:171
...
(rr) list smbtree.c:42
37
38 static void get_auth_data_with_context_fn(
39 SMBCCTX *context,
40 const char *server,
41 const char *share,
42 char *domain,
43 int domain_len,
44 char *user,
45 int user_len,
46 char *password,
47 int password_len)
48 {
49 struct cli_credentials *creds = samba_cmdline_get_creds();
50 size_t len;
51
52 len = strlcpy(domain, cli_credentials_get_domain(creds), domain_len);
53 if ((int)len >= domain_len) {
54 return;
55 }
56 len = strlcpy(
57 user, cli_credentials_get_username(creds), user_len);
58 if ((int)len >= user_len) {
59 return;
60 }
61 len = strlcpy(
62 password, cli_credentials_get_password(creds), password_len);
63 if ((int)len >= password_len) {
64 /* pointless, but what can you do... */
65 return;
66 }
-------------- next part --------------
# 2024-05-04 Trixie/testing amd64 qemu VM
apt install systemd-coredump mc gdb rr samba smbclient smbclient-dbgsym libsmbclient0-dbgsym libbsd0-dbgsym
apt build-dep samba
mkdir /home/benutzer/source/samba/orig -p
cd /home/benutzer/source/samba/orig
apt source samba
mc -e /etc/samba/smb.conf
[global]
+server min protocol = NT1
testparm -s
systemctl enable --now smb
systemctl enable --now nmb
systemctl restart smbd nmbd
# It may be necessary to wait about a minute first, otherwise this message appears: "main: This is utility doesn't work if netbios name resolution is not configured."
smbtree -N --option="client min protocol = NT1"
benutzer at debian:~$ rr record smbtree -N --option="client min protocol = NT1"
rr: Saving execution to trace directory `/home/benutzer/.local/share/rr/smbtree-0'.
===============================================================
INTERNAL ERROR: Signal 11: Speicherzugriffsfehler in smbtree () () pid 9884 (4.19.6-Debian)
If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
===============================================================
PANIC (pid 9884): Signal 11: Speicherzugriffsfehler in 4.19.6-Debian
BACKTRACE: 14 stack frames:
#0 /usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(log_stack_trace+0x32) [0x7f9851a105c2]
#1 /usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(smb_panic+0xd) [0x7f9851a1085d]
#2 /usr/lib/x86_64-linux-gnu/samba/libgenrand-samba4.so.0(+0x28f5) [0x7f9851a108f5]
#3 /lib/x86_64-linux-gnu/libc.so.6(+0x3c510) [0x7f9851acd510]
#4 /lib/x86_64-linux-gnu/libbsd.so.0(strlcpy+0x10) [0x7f9851c7f900]
#5 /lib/x86_64-linux-gnu/libsmbclient.so.0(+0x14510) [0x7f9851ec6510]
#6 /lib/x86_64-linux-gnu/libsmbclient.so.0(+0x14ab1) [0x7f9851ec6ab1]
#7 /lib/x86_64-linux-gnu/libsmbclient.so.0(+0x14bdb) [0x7f9851ec6bdb]
#8 /lib/x86_64-linux-gnu/libsmbclient.so.0(+0x156e4) [0x7f9851ec76e4]
#9 /lib/x86_64-linux-gnu/libsmbclient.so.0(+0xd37f) [0x7f9851ebf37f]
#10 smbtree(main+0x262) [0x5574e9c43692]
#11 /lib/x86_64-linux-gnu/libc.so.6(+0x276ca) [0x7f9851ab86ca]
#12 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0x85) [0x7f9851ab8785]
#13 smbtree(_start+0x21) [0x5574e9c43b21]
smb_panic(): calling panic action [/usr/share/samba/panic-action 9884]
smb_panic(): action returned status 0
Can not dump core: corepath not set up
benutzer at debian:~$
benutzer at debian:~$ rr replay --debugger-option=-q smbtree-0
Reading symbols from /usr/bin/smbtree...
(No debugging symbols found in /usr/bin/smbtree)
Really redefine built-in command "restart"? (y or n) [answered Y; input not from terminal]
Really redefine built-in command "jump"? (y or n) [answered Y; input not from terminal]
Remote debugging using 127.0.0.1:10027
Reading symbols from /lib64/ld-linux-x86-64.so.2...
Reading symbols from /usr/lib/debug/.build-id/2f/79e5f4699b6c6a7b9cd1b3765571d84e49b3b9.debug...
BFD: warning: system-supplied DSO at 0x6fffd000 has a section extending past end of file
0x00007f9851fd34d0 in _start () from /lib64/ld-linux-x86-64.so.2
(rr) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x00007f9851c7f900 in strlcpy () from /lib/x86_64-linux-gnu/libbsd.so.0
(rr) bt
#0 0x00007f9851c7f900 in strlcpy () from /lib/x86_64-linux-gnu/libbsd.so.0
#1 0x00007f9851ec6510 in ?? () from /lib/x86_64-linux-gnu/libsmbclient.so.0
#2 0x00007f9851ec6ab1 in ?? () from /lib/x86_64-linux-gnu/libsmbclient.so.0
#3 0x00007f9851ec6bdb in ?? () from /lib/x86_64-linux-gnu/libsmbclient.so.0
#4 0x00007f9851ec76e4 in ?? () from /lib/x86_64-linux-gnu/libsmbclient.so.0
#5 0x00007f9851ebf37f in ?? () from /lib/x86_64-linux-gnu/libsmbclient.so.0
#6 0x00005574e9c43692 in main ()
(rr)
benutzer at debian:~$ rr replay --debugger-option=-q smbtree-0
Reading symbols from /usr/bin/smbtree...
Reading symbols from /usr/lib/debug/.build-id/74/0b51379aa5167e1567b851e6e42a0ac3d55076.debug...
Really redefine built-in command "restart"? (y or n) [answered Y; input not from terminal]
Really redefine built-in command "jump"? (y or n) [answered Y; input not from terminal]
Remote debugging using 127.0.0.1:10115
Reading symbols from /lib64/ld-linux-x86-64.so.2...
Reading symbols from /usr/lib/debug/.build-id/2f/79e5f4699b6c6a7b9cd1b3765571d84e49b3b9.debug...
BFD: warning: system-supplied DSO at 0x6fffd000 has a section extending past end of file
0x00007f9851fd34d0 in _start () from /lib64/ld-linux-x86-64.so.2
(rr) cont
Continuing.
Program received signal SIGSEGV, Segmentation fault.
strlcpy (dst=0x7fff875c0640 "", src=0x0, dsize=<optimized out>) at ./src/strlcpy.c:36
36 ./src/strlcpy.c: Datei oder Verzeichnis nicht gefunden.
(rr) set width 0
(rr) set pagination off
(rr) directory /home/benutzer/source/samba/orig/samba-4.19.6+dfsg
Source directories searched: /home/benutzer/source/samba/orig/samba-4.19.6+dfsg:$cdir:$cwd
(rr) bt
#0 strlcpy (dst=0x7fff875c0640 "", src=0x0, dsize=<optimized out>) at ./src/strlcpy.c:36
#1 0x00007f9851ec6510 in SMBC_call_auth_fn (ctx=ctx at entry=0x5574eb8ba610, context=context at entry=0x5574eb8b7900, server=server at entry=0x5574eb8c9fe0 "10.0.2.15", share=share at entry=0x7f9851ed46a4 "IPC$", pp_workgroup=pp_workgroup at entry=0x7fff875c09b8, pp_username=pp_username at entry=0x7fff875c09a0, pp_password=0x7fff875c09a8) at source3/libsmb/libsmb_server.c:171
#2 0x00007f9851ec6ab1 in SMBC_find_server (ctx=ctx at entry=0x5574eb8ba610, context=context at entry=0x5574eb8b7900, server=server at entry=0x5574eb8c9fe0 "10.0.2.15", share=share at entry=0x7f9851ed46a4 "IPC$", pp_workgroup=pp_workgroup at entry=0x7fff875c09b8, pp_username=pp_username at entry=0x7fff875c09a0, pp_password=0x7fff875c09a8) at source3/libsmb/libsmb_server.c:231
#3 0x00007f9851ec6bdb in SMBC_server_internal (ctx=ctx at entry=0x5574eb8ba610, context=context at entry=0x5574eb8b7900, connect_if_not_found=connect_if_not_found at entry=true, server=server at entry=0x5574eb8c9fe0 "10.0.2.15", port=0, share=share at entry=0x7f9851ed46a4 "IPC$", pp_workgroup=0x7fff875c09b8, pp_username=0x7fff875c09a0, pp_password=0x7fff875c09a8, in_cache=0x7fff875c08e7) at source3/libsmb/libsmb_server.c:381
#4 0x00007f9851ec76e4 in SMBC_server (ctx=ctx at entry=0x5574eb8ba610, context=context at entry=0x5574eb8b7900, connect_if_not_found=connect_if_not_found at entry=true, server=0x5574eb8c9fe0 "10.0.2.15", port=<optimized out>, share=share at entry=0x7f9851ed46a4 "IPC$", pp_workgroup=0x7fff875c09b8, pp_username=0x7fff875c09a0, pp_password=0x7fff875c09a8) at source3/libsmb/libsmb_server.c:726
#5 0x00007f9851ebf37f in SMBC_opendir_ctx (context=0x5574eb8b7900, fname=<optimized out>) at source3/libsmb/libsmb_dir.c:690
#6 0x00005574e9c43692 in main (argc=<optimized out>, argv=<optimized out>) at source3/utils/smbtree.c:172
(rr) reverse-finish
Run back to call of #0 strlcpy (dst=0x7fff875c0640 "", src=0x0, dsize=<optimized out>) at ./src/strlcpy.c:36
Program received signal SIGSEGV, Segmentation fault.
strlcpy (dst=0x7fff875c0640 "", src=0x0, dsize=<optimized out>) at ./src/strlcpy.c:36
36 in ./src/strlcpy.c
(rr) reverse-finish
Run back to call of #0 strlcpy (dst=0x7fff875c0640 "", src=0x0, dsize=<optimized out>) at ./src/strlcpy.c:36
0x00005574e9c43c8c in get_auth_data_with_context_fn (context=<optimized out>, server=<optimized out>, share=<optimized out>, domain=<optimized out>, domain_len=<optimized out>, user=<optimized out>, user_len=256, password=0x7fff875c0640 "", password_len=256) at source3/utils/smbtree.c:61
61 len = strlcpy(
(rr) bt
#0 0x00005574e9c43c8c in get_auth_data_with_context_fn (context=<optimized out>, server=<optimized out>, share=<optimized out>, domain=<optimized out>, domain_len=<optimized out>, user=<optimized out>, user_len=256, password=0x7fff875c0640 "", password_len=256) at source3/utils/smbtree.c:61
#1 0x00007f9851ec6510 in SMBC_call_auth_fn (ctx=ctx at entry=0x5574eb8ba610, context=context at entry=0x5574eb8b7900, server=server at entry=0x5574eb8c9fe0 "10.0.2.15", share=share at entry=0x7f9851ed46a4 "IPC$", pp_workgroup=pp_workgroup at entry=0x7fff875c09b8, pp_username=pp_username at entry=0x7fff875c09a0, pp_password=0x7fff875c09a8) at source3/libsmb/libsmb_server.c:171
#2 0x00007f9851ec6ab1 in SMBC_find_server (ctx=ctx at entry=0x5574eb8ba610, context=context at entry=0x5574eb8b7900, server=server at entry=0x5574eb8c9fe0 "10.0.2.15", share=share at entry=0x7f9851ed46a4 "IPC$", pp_workgroup=pp_workgroup at entry=0x7fff875c09b8, pp_username=pp_username at entry=0x7fff875c09a0, pp_password=0x7fff875c09a8) at source3/libsmb/libsmb_server.c:231
#3 0x00007f9851ec6bdb in SMBC_server_internal (ctx=ctx at entry=0x5574eb8ba610, context=context at entry=0x5574eb8b7900, connect_if_not_found=connect_if_not_found at entry=true, server=server at entry=0x5574eb8c9fe0 "10.0.2.15", port=0, share=share at entry=0x7f9851ed46a4 "IPC$", pp_workgroup=0x7fff875c09b8, pp_username=0x7fff875c09a0, pp_password=0x7fff875c09a8, in_cache=0x7fff875c08e7) at source3/libsmb/libsmb_server.c:381
#4 0x00007f9851ec76e4 in SMBC_server (ctx=ctx at entry=0x5574eb8ba610, context=context at entry=0x5574eb8b7900, connect_if_not_found=connect_if_not_found at entry=true, server=0x5574eb8c9fe0 "10.0.2.15", port=<optimized out>, share=share at entry=0x7f9851ed46a4 "IPC$", pp_workgroup=0x7fff875c09b8, pp_username=0x7fff875c09a0, pp_password=0x7fff875c09a8) at source3/libsmb/libsmb_server.c:726
#5 0x00007f9851ebf37f in SMBC_opendir_ctx (context=0x5574eb8b7900, fname=<optimized out>) at source3/libsmb/libsmb_dir.c:690
#6 0x00005574e9c43692 in main (argc=<optimized out>, argv=<optimized out>) at source3/utils/smbtree.c:172
(rr) print password
$2 = 0x7fff875c0640 ""
(rr) print creds
$3 = <optimized out>
(rr) print password_len
$4 = 256
(rr) b cli_credentials_get_password
Breakpoint 1 at 0x7f9851ea0e30
(rr) reverse-cont
Continuing.
Breakpoint 1, cli_credentials_get_password (cred=cred at entry=0x5574eb8a9e00) at auth/credentials/credentials.c:434
434 {
(rr) next
435 if (cred->machine_account_pending) {
(rr) print cred
$5 = (struct cli_credentials *) 0x5574eb8a9e00
(rr) print *cred
$6 = {workstation_obtained = CRED_SMB_CONF, username_obtained = CRED_GUESS_ENV, password_obtained = CRED_SPECIFIED, domain_obtained = CRED_SMB_CONF, realm_obtained = CRED_UNINITIALISED, ccache_obtained = CRED_GUESS_FILE, client_gss_creds_obtained = CRED_UNINITIALISED, principal_obtained = CRED_UNINITIALISED, keytab_obtained = CRED_UNINITIALISED, server_gss_creds_obtained = CRED_UNINITIALISED, signing_state_obtained = CRED_SMB_CONF, ipc_signing_state_obtained = CRED_SMB_CONF, encryption_state_obtained = CRED_UNINITIALISED, kerberos_state_obtained = CRED_SMB_CONF, gensec_features_obtained = CRED_SMB_CONF, ccache_threshold = CRED_SPECIFIED, client_gss_creds_threshold = CRED_SPECIFIED, workstation = 0x5574eb8b6dc0 "DEBIAN", username = 0x5574eb8b8900 "benutzer", password = 0x0, old_password = 0x0, domain = 0x5574eb8b7140 "WORKGROUP", realm = 0x0, principal = 0x0, salt_principal = 0x0, impersonate_principal = 0x0, self_service = 0x0, target_service = 0x0, bind_dn = 0x0, nt_hash = 0x0, old_nt_hash = 0x0, lm_response = {data = 0x0, length = 0}, lm_session_key = {data = 0x0, length = 0}, nt_response = {data = 0x0, length = 0}, nt_session_key = {data = 0x0, length = 0}, ccache = 0x5574eb8b8880, client_gss_creds = 0x0, keytab = 0x0, server_gss_creds = 0x0, workstation_cb = 0x0, password_cb = 0x0, username_cb = 0x0, domain_cb = 0x0, realm_cb = 0x0, principal_cb = 0x0, priv_data = 0x0, netlogon_creds = 0x0, secure_channel_type = SEC_CHAN_NULL, kvno = 0, password_last_changed_time = 0, smb_krb5_context = 0x5574eb8b8980, machine_account_pending = false, machine_account_pending_lp_ctx = 0x0, machine_account = false, kerberos_state = CRED_USE_KERBEROS_DESIRED, krb_forwardable = CRED_AUTO_KRB_FORWARDABLE, forced_sasl_mech = 0x0, gensec_features = 0, password_tries = 0, callback_running = false, winbind_separator = 92 '\\', password_will_be_nt_hash = false, signing_state = SMB_SIGNING_DEFAULT, ipc_signing_state = SMB_SIGNING_REQUIRED, encryption_state = SMB_ENCRYPTION_DEFAULT}
(rr) print cred->machine_account_pending
$7 = false
(rr) next
440 if (cred->password_obtained == CRED_CALLBACK &&
(rr) print cred->password_obtained
$8 = CRED_SPECIFIED
(rr) next
452 return cred->password;
(rr) print cred->password
$9 = 0x0
(rr)
(rr) list smbtree.c:42
37
38 static void get_auth_data_with_context_fn(
39 SMBCCTX *context,
40 const char *server,
41 const char *share,
42 char *domain,
43 int domain_len,
44 char *user,
45 int user_len,
46 char *password,
47 int password_len)
48 {
49 struct cli_credentials *creds = samba_cmdline_get_creds();
50 size_t len;
51
52 len = strlcpy(domain, cli_credentials_get_domain(creds), domain_len);
53 if ((int)len >= domain_len) {
54 return;
55 }
56 len = strlcpy(
57 user, cli_credentials_get_username(creds), user_len);
58 if ((int)len >= user_len) {
59 return;
60 }
61 len = strlcpy(
62 password, cli_credentials_get_password(creds), password_len);
63 if ((int)len >= password_len) {
64 /* pointless, but what can you do... */
65 return;
66 }
https://sources.debian.org/src/samba/2%3A4.19.6%2Bdfsg-1/source3/utils/smbtree.c/#L61