Bug 40131 - Samba PANIC: Bad talloc magic value - access after free
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-0-errata
Assigned To: Arvid Requate
QA Contact: Stefan Gohmann
URL: https://bugzilla.samba.org/show_bug.c...
Depends on: 39276
Reported: 2015-11-30 16:02 CET by Arvid Requate
Modified: 2015-12-16 13:47 CET (History)

Bug group (optional): Troubleshooting
requate: Patch_Available+


Description Arvid Requate univentionstaff 2015-11-30 16:02:14 CET
We also need to apply the patch to UCS 4.1

+++ This bug was initially created as a clone of Bug #39276 +++

2015051521000324
2015082521000274

We've seen a lot of panics like the following on different customer systems:

Release:        4.0-2 errata264
Linux cortex 3.16.0-ucs135-amd64 #1 SMP Debian 3.16.7-ckt11-1~bpo70+1.135.201507161851 (2015-07-1 x86_64 GNU/Linux

samba 2:4.2.3-1.758.201507271307 
[2015/08/24 16:53:53.861384,  2, pid=7762] ../source3/smbd/process.c:2780(deadtime_fn)
  Closing idle connection
[2015/08/24 16:53:53.861763,  2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
  192.168.42.250 (ipv4:192.168.42.250:61926) closed connection to service dms
[2015/08/24 16:53:53.861962,  2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
  192.168.42.250 (ipv4:192.168.42.250:61926) closed connection to service vollkomm
[2015/08/24 16:53:53.862130,  2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
  192.168.42.250 (ipv4:192.168.42.250:61926) closed connection to service users
[2015/08/24 16:53:53.873479,  2, pid=7762] ../source3/smbd/service.c:1138(close_cnum)
[2015/08/24 16:53:53.873562,  0, pid=7762] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../source3/smbd/server_exit.c:228
[2015/08/24 16:53:53.873666,  0, pid=7762] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  Bad talloc magic value - access after free
[2015/08/24 16:53:53.873708,  0, pid=7762] ../source3/lib/util.c:788(smb_panic_s3)
  PANIC (pid 7762): Bad talloc magic value - access after free
[2015/08/24 16:53:53.884830,  0, pid=7762] ../source3/lib/util.c:899(log_stack_trace)
  BACKTRACE: 30 stack frames:
   #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a) [0x7fbbe6bc9b9a]
   #1 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(smb_panic_s3+0x20) [0x7fbbe6bc9c70]
   #2 /usr/lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x2f) [0x7fbbe8a3946f]
   #3 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x233b) [0x7fbbe581433b]
   #4 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(talloc_check_name+0x6c) [0x7fbbe581613c]
   #5 /usr/lib/x86_64-linux-gnu/samba/libsamba-sockets.so.0(+0xe6ee) [0x7fbbe67916ee]
   #6 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(close_cnum+0xcf) [0x7fbbe8628e4f]
   #7 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smbXsrv_tcon_disconnect+0x12c) [0x7fbbe865241c]
   #8 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x1617c8) [0x7fbbe86527c8]
   #9 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(+0x89f6) [0x7fbbe581a9f6]
   #10 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(_talloc_free+0xe4) [0x7fbbe5815524]
   #11 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x164883) [0x7fbbe8655883]
   #12 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x164cfe) [0x7fbbe8655cfe]
   #13 /usr/lib/x86_64-linux-gnu/samba/libsmbd-shim.so.0(exit_server_cleanly+0x12) [0x7fbbe6581d12]
   #14 /usr/sbin/smbd(+0xa78a) [0x7fbbe909878a]
   #15 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(+0x3f66d) [0x7fbbe6bdc66d]
   #16 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0xe2) [0x7fbbe5608d92]
   #17 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(run_events_poll+0x48) [0x7fbbe6be9d68]
   #18 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(+0x4d07b) [0x7fbbe6bea07b]
   #19 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x9d) [0x7fbbe56084dd]
   #20 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7fbbe560869b]
   #21 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(smbd_process+0x725) [0x7fbbe86263a5]
   #22 /usr/sbin/smbd(+0xb634) [0x7fbbe9099634]
   #23 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(run_events_poll+0x187) [0x7fbbe6be9ea7]
   #24 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(+0x4d129) [0x7fbbe6bea129]
   #25 /usr/lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x9d) [0x7fbbe56084dd]
   #26 /usr/lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7fbbe560869b]
   #27 /usr/sbin/smbd(main+0x14a2) [0x7fbbe9095b32]
   #28 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xfd) [0x7fbbe5296ead]
   #29 /usr/sbin/smbd(+0x7f65) [0x7fbbe9095f65]
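
Added example, not part of the original report and not Samba or Univention code: a log triage helper that finds this panic in smbd logs and reports, per pid, the time of the panic, the "first free" site talloc names, and the resolved symbols of the backtrace. It assumes the log header format shown above; the function name find_talloc_panics and the sample constant are hypothetical.

```python
import re

# Shortened from the smbd log in this report; the frame count is adjusted to match.
SAMPLE_LOG = """\
[2015/08/24 16:53:53.861384,  2, pid=7762] ../source3/smbd/process.c:2780(deadtime_fn)
  Closing idle connection
[2015/08/24 16:53:53.873562,  0, pid=7762] ../source3/lib/popt_common.c:68(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at ../source3/smbd/server_exit.c:228
[2015/08/24 16:53:53.873708,  0, pid=7762] ../source3/lib/util.c:788(smb_panic_s3)
  PANIC (pid 7762): Bad talloc magic value - access after free
[2015/08/24 16:53:53.884830,  0, pid=7762] ../source3/lib/util.c:899(log_stack_trace)
  BACKTRACE: 5 stack frames:
   #0 /usr/lib/x86_64-linux-gnu/libsmbconf.so.0(log_stack_trace+0x1a) [0x7fbbe6bc9b9a]
   #1 /usr/lib/x86_64-linux-gnu/libtalloc.so.2(talloc_check_name+0x6c) [0x7fbbe581613c]
   #2 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(close_cnum+0xcf) [0x7fbbe8628e4f]
   #3 /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0(+0x1617c8) [0x7fbbe86527c8]
   #4 /usr/lib/x86_64-linux-gnu/samba/libsmbd-shim.so.0(exit_server_cleanly+0x12) [0x7fbbe6581d12]
"""

# Header line: "[timestamp,  level, pid=N] file:line(function)"
HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*\d+, pid=(?P<pid>\d+)\]")
FREE_SITE = re.compile(r"first free may be at (\S+)")
# Backtrace frame: "#N /path/lib.so(symbol+0xoff) [addr]"; symbol may be empty.
FRAME = re.compile(r"^\s+#\d+ \S+?\((\w*)\+0x[0-9a-f]+\)")


def find_talloc_panics(log_text):
    """Return one record per pid that logged a talloc access-after-free PANIC."""
    events, pid, ts = {}, None, None
    for line in log_text.splitlines():
        hdr = HEADER.match(line)
        if hdr:
            pid, ts = int(hdr["pid"]), hdr["ts"]
            continue
        if pid is None:
            continue  # message text before any header line
        ev = events.setdefault(
            pid, {"pid": pid, "time": None, "free_site": None, "frames": []})
        if (m := FREE_SITE.search(line)):
            ev["free_site"] = m[1]
        elif "PANIC" in line and "access after free" in line:
            ev["time"] = ts
        elif (m := FRAME.match(line)) and m[1]:
            ev["frames"].append(m[1])  # skip frames without a resolved symbol
    return [ev for ev in events.values() if ev["time"]]
```
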
Comment 1 Arvid Requate univentionstaff 2015-12-01 17:33:23 CET
samba has been rebuilt in errata4.1-0 with an adjusted version of the patch from Bug 39276.

Advisory: samba.yaml
Comment 2 Stefan Gohmann univentionstaff 2015-12-08 06:54:58 CET
I recommend that we use the latest patch from https://bugzilla.samba.org/show_bug.cgi?id=11394:

https://bugzilla.samba.org/attachment.cgi?id=11677
Comment 3 Arvid Requate univentionstaff 2015-12-08 12:15:14 CET
Rebuilt with new upstream patches.
Advisory updated.
Comment 4 Stefan Gohmann univentionstaff 2015-12-09 06:26:41 CET
The amd64 build was not successful:

make[1]: Leaving directory `/var/build/temp/tmp.geXTRu2zzh/pbuilder/samba-4.3.1'
   dh_clean
 dpkg-source -b samba-4.3.1
dpkg-source: warning: diff `samba-4.3.1/debian/patches/98_bug40131_dbwrap_rbt-add-nested-traverse-protection.patch' patches file samba-4.3.1/lib/dbwrap/dbwrap_rbt.c twice
dpkg-source: warning: diff `samba-4.3.1/debian/patches/98_bug40131_dbwrap_rbt-add-nested-traverse-protection.patch' patches file samba-4.3.1/lib/dbwrap/dbwrap_rbt.c twice
dpkg-source: info: using source format `3.0 (quilt)'
dpkg-source: info: building samba using existing ./samba_4.3.1.orig.tar.gz
dpkg-source: info: local changes detected, the modified files are:
 samba-4.3.1/lib/dbwrap/dbwrap_rbt.c
 samba-4.3.1/source3/torture/torture.c
 samba-4.3.1/source4/dsdb/samdb/ldb_modules/partition.c
dpkg-source: error: aborting due to unexpected upstream changes, see /tmp/samba_4.3.1-1.807.201512081139.diff.3XLKSE
dpkg-source: info: you can integrate the local changes with dpkg-source --commit
dpkg-buildpackage: error: dpkg-source -b samba-4.3.1 gave error exit status 2
Comment 5 Arvid Requate univentionstaff 2015-12-10 10:56:46 CET
Strange patch application issue in amd64, never saw this before. Splitting the patch fixed this.

Advisory updated, installation ok.
Comment 6 Stefan Gohmann univentionstaff 2015-12-15 06:18:59 CET
Tests were successful (Windows 7 + Windows 10).

YAML: OK
Comment 7 Janek Walkenhorst univentionstaff 2015-12-16 13:47:20 CET
<http://errata.software-univention.de/ucs/4.1/35.html>