Univention Bugzilla – Bug 54278
Paged LDAP search against Samba/AD causes panic and stops sending remaining results
Last modified: 2022-03-21 12:05:22 CET
Ticket#2021102921000312 reported Samba panics appearing in the log.samba. Analysis of log.samba and the core dump in the customer environment showed that this can be reproduced with an ldbsearch like this:

root@primary20:~# ldbsearch -H "ldap://$(hostname -f)" -s sub '(&(|(&(objectCategory=person)(objectSid=*)(!(samAccountType:1.2.840.113556.1.4.804:=3)))(&(objectCategory=person)(!(objectSid=*)))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)))(anr=a*))' objectClass userAccountControl name description -P --controls "paged_results:0:2"

which triggers the Samba panic and doesn't return all entries. log.samba on my test VM shows this:

=========================================================================
[2021/12/30 17:08:02.843023, 0, pid=3719] ../../lib/util/fault.c:159(smb_panic_log)
  ===============================================================
[2021/12/30 17:08:02.843171, 0, pid=3719] ../../lib/util/fault.c:163(smb_panic_log)
  INTERNAL ERROR: Signal 11: Segmentation fault in pid 3719 (4.13.13-Univention)
[2021/12/30 17:08:02.843193, 0, pid=3719] ../../lib/util/fault.c:168(smb_panic_log)
  If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
[2021/12/30 17:08:02.843213, 0, pid=3719] ../../lib/util/fault.c:169(smb_panic_log)
  ===============================================================
[2021/12/30 17:08:02.843243, 0, pid=3719] ../../lib/util/fault.c:171(smb_panic_log)
  PANIC (pid 3719): Signal 11: Segmentation fault in 4.13.13-Univention
[2021/12/30 17:08:02.867942, 0, pid=3719] ../../lib/util/fault.c:275(log_stack_trace)
  BACKTRACE: 42 stack frames:
   #0 /lib/x86_64-linux-gnu/libsamba-util.so.0(log_stack_trace+0x30) [0x7fd09f406b90]
   #1 /lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x24) [0x7fd09f406e04]
   #2 /lib/x86_64-linux-gnu/libsamba-util.so.0(+0x13011) [0x7fd09f407011]
   #3 /lib/x86_64-linux-gnu/libpthread.so.0(+0x12730) [0x7fd09f081730]
   #4 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/resolve_oids.so(+0x15ae) [0x7fd09acaf5ae]
   #5 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/resolve_oids.so(+0x15e0) [0x7fd09acaf5e0]
   #6 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/resolve_oids.so(+0x1edd) [0x7fd09acafedd]
   #7 /lib/x86_64-linux-gnu/libldb.so.2(ldb_next_request+0x132) [0x7fd09f045202]
   #8 /lib/x86_64-linux-gnu/libldb.so.2(+0x242cb) [0x7fd09f05d2cb]
   #9 /lib/x86_64-linux-gnu/libldb.so.2(ldb_request+0x1d9) [0x7fd09f05c569]
   #10 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/paged_results.so(+0x2656) [0x7fd09adc7656]
   #11 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/paged_results.so(+0x30c9) [0x7fd09adc80c9]
   #12 /lib/x86_64-linux-gnu/libldb.so.2(ldb_next_request+0x132) [0x7fd09f045202]
   #13 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/dirsync.so(+0x2713) [0x7fd09ae58713]
   #14 /lib/x86_64-linux-gnu/libldb.so.2(ldb_next_request+0x132) [0x7fd09f045202]
   #15 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/lazy_commit.so(+0x14c3) [0x7fd09ae0a4c3]
   #16 /lib/x86_64-linux-gnu/libldb.so.2(ldb_next_request+0x132) [0x7fd09f045202]
   #17 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/dsdb_notification.so(+0x14e3) [0x7fd09ae434e3]
   #18 /lib/x86_64-linux-gnu/libldb.so.2(ldb_next_request+0x132) [0x7fd09f045202]
   #19 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/rootdse.so(+0x7933) [0x7fd09aca1933]
   #20 /lib/x86_64-linux-gnu/libldb.so.2(ldb_next_request+0x132) [0x7fd09f045202]
   #21 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/resolve_oids.so(+0x1f0b) [0x7fd09acaff0b]
   #22 /lib/x86_64-linux-gnu/libldb.so.2(ldb_next_request+0x132) [0x7fd09f045202]
   #23 /lib/x86_64-linux-gnu/libldb.so.2(+0x242cb) [0x7fd09f05d2cb]
   #24 /lib/x86_64-linux-gnu/libldb.so.2(ldb_request+0x1d9) [0x7fd09f05c569]
   #25 /usr/lib/x86_64-linux-gnu/samba/service/ldap.so(ldapsrv_do_call+0x14c5) [0x7fd09b3cf945]
   #26 /usr/lib/x86_64-linux-gnu/samba/service/ldap.so(+0x6265) [0x7fd09b3cb265]
   #27 /lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_invoke_immediate_handler+0x139) [0x7fd09f0cab29]
   #28 /lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0x23) [0x7fd09f0cab53]
   #29 /lib/x86_64-linux-gnu/libtevent.so.0(+0xd88b) [0x7fd09f0d088b]
   #30 /lib/x86_64-linux-gnu/libtevent.so.0(+0xbb37) [0x7fd09f0ceb37]
   #31 /lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x91) [0x7fd09f0c9e01]
   #32 /lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7fd09f0ca08b]
   #33 /lib/x86_64-linux-gnu/libtevent.so.0(+0xbad7) [0x7fd09f0cead7]
   #34 /usr/lib/x86_64-linux-gnu/samba/process_model/prefork.so(+0x2bef) [0x7fd09b7dbbef]
   #35 /usr/lib/x86_64-linux-gnu/samba/process_model/prefork.so(+0x30cb) [0x7fd09b7dc0cb]
   #36 /usr/lib/x86_64-linux-gnu/samba/process_model/prefork.so(+0x3360) [0x7fd09b7dc360]
   #37 /usr/lib/x86_64-linux-gnu/samba/libservice.so.0(task_server_startup+0x5c) [0x7fd09f3e9e7c]
   #38 /usr/lib/x86_64-linux-gnu/samba/libservice.so.0(server_service_startup+0x96) [0x7fd09f3e8776]
   #39 samba: task[ldap] pre-forked worker(3)(+0x5e02) [0x55f7abff2e02]
   #40 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb) [0x7fd09ee8e09b]
   #41 samba: task[ldap] pre-forked worker(3)(_start+0x2a) [0x55f7abff17ca]
[2021/12/30 17:08:04.585291, 0, pid=3559] ../../source4/smbd/process_prefork.c:539(prefork_child_pipe_handler)
  prefork_child_pipe_handler: Parent 3559, Child 3719 terminated with signal 6
[2021/12/30 17:08:04.585780, 0, pid=3559] ../../source4/smbd/process_prefork.c:483(prefork_restart)
  prefork_restart: Restarting [ldap] pre-fork worker(3)
=========================================================================

It looks like this is not fatal for the samba process infrastructure, because it only seems to kill a child. The same thing can be triggered in UCS 4.4-8.

Further analysis of the core dump and git blaming points to a call "paged_results(ac, NULL)" in the paged_search function. The NULL argument later gets dereferenced in https://gitlab.com/samba-team/samba/-/blob/master/source4/dsdb/samdb/ldb_modules/paged_results.c#L279 .

This regression has been introduced (upstream) as part of the security update https://errata.software-univention.de/#/?erratum=4.4x645
https://gitlab.com/samba-team/samba/-/commit/4d99cab6172a#0aab2f36dcbb2363d97d86e4924cda3a7c0ca2fc_772_796
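As an added example (not part of the bug report), a small Python parser for log.samba entries in the format shown above: it pairs each smb_panic_log INTERNAL ERROR with the ldb modules on its backtrace and with the prefork notice for the same child pid, so repeated worker crashes can be counted and attributed instead of read by hand. The sample log is constructed from the excerpt above, with the backtrace abridged.

```python
import os
import re

# Constructed sample, modelled on the log.samba excerpt in the report (backtrace abridged).
SAMPLE_LOG = """\
[2021/12/30 17:08:02.843171, 0, pid=3719] ../../lib/util/fault.c:163(smb_panic_log)
  INTERNAL ERROR: Signal 11: Segmentation fault in pid 3719 (4.13.13-Univention)
[2021/12/30 17:08:02.867942, 0, pid=3719] ../../lib/util/fault.c:275(log_stack_trace)
  BACKTRACE: 42 stack frames:
   #0 /lib/x86_64-linux-gnu/libsamba-util.so.0(log_stack_trace+0x30) [0x7fd09f406b90]
   #1 /lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x24) [0x7fd09f406e04]
   #3 /lib/x86_64-linux-gnu/libpthread.so.0(+0x12730) [0x7fd09f081730]
   #4 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/resolve_oids.so(+0x15ae) [0x7fd09acaf5ae]
   #10 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/paged_results.so(+0x2656) [0x7fd09adc7656]
   #39 samba: task[ldap] pre-forked worker(3)(+0x5e02) [0x55f7abff2e02]
[2021/12/30 17:08:04.585291, 0, pid=3559] ../../source4/smbd/process_prefork.c:539(prefork_child_pipe_handler)
  prefork_child_pipe_handler: Parent 3559, Child 3719 terminated with signal 6
"""

# Samba log header: "[timestamp, level, pid=N] file:line(function)"; the message follows indented.
HEADER_RE = re.compile(r"^\[(?P<ts>[^,]+), (?P<level>\d+), pid=(?P<pid>\d+)\] \S+$")
PANIC_RE = re.compile(r"INTERNAL ERROR: Signal (?P<sig>\d+): .+? in pid (?P<pid>\d+) \((?P<ver>[^)]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+ (?P<module>.+)\([^)]*\) \[0x[0-9a-f]+\]$")
CHILD_RE = re.compile(r"Parent (?P<parent>\d+), Child (?P<child>\d+) terminated with signal \d+")


def parse_panics(text):
    """Return one event per crashed worker: the panic signal, the Samba version,
    the ldb modules on its backtrace and the parent that reported it terminated."""
    events, current = {}, None  # pid -> event; pid of the log block currently being read
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            current = int(m.group("pid"))
        elif m := PANIC_RE.search(line):
            pid = int(m.group("pid"))
            events[pid] = {"pid": pid, "signal": int(m.group("sig")), "version": m.group("ver"),
                           "frames": [], "ldb_modules": [], "restarted_by_parent": None}
        elif (m := FRAME_RE.match(line)) and current in events:
            module = m.group("module")
            events[current]["frames"].append(module)
            if "/ldb/modules/" in module:  # e.g. resolve_oids.so, paged_results.so
                events[current]["ldb_modules"].append(os.path.basename(module))
        elif (m := CHILD_RE.search(line)) and int(m.group("child")) in events:
            events[int(m.group("child"))]["restarted_by_parent"] = int(m.group("parent"))
    return list(events.values())


if __name__ == "__main__":
    for ev in parse_panics(SAMPLE_LOG):
        print(ev["pid"], ev["signal"], ev["version"], ev["ldb_modules"], ev["restarted_by_parent"])
```

Feeding the real log.samba to parse_panics() gives a per-worker list in which a paged_results.so frame under resolve_oids.so is the pattern this report describes.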
For context on that commit: this is the security patch series for the main branch: https://attachments.samba.org/attachment.cgi?id=16002 Maybe this helps in understanding the intention of the code change, and how to avoid calling paged_results with NULL.
A patch for this issue was committed upstream last week: https://gitlab.com/samba-team/samba/-/commit/19fa22b1fbc and the subsequent patch fixes the same for vlv: https://gitlab.com/samba-team/samba/-/commit/7d16a56b9d1
r19511 | Cherrypicked upstream patches
r19512 | Fix patch metadata
56b6965fae | Advisory

Package: samba
Version: 2:4.13.13-1A~5.0.0.202201310946
Branch: ucs_5.0-0
Scope: errata5.0-1
Upstream patch applied: OK

The reproducing ldbsearch still fails with a segmentation fault. But this seems to be another issue that has already existed before the security patch. The applied patch is correct, so it may be able to fix the customer's problem. Maybe the ldbsearch recreated another issue.

YAML: OK

Verified.
<https://errata.software-univention.de/#/?erratum=5.0x200>