Bug 54278 - Paged LDAP search against Samba/AD causes panic and stops sending remaining results
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 5.0
Other Linux
Importance: P5 normal
Target Milestone: UCS 5.0-1-errata
Assigned To: Arvid Requate
Julia Bremer
https://bugzilla.samba.org/show_bug.c...
Depends on:
Blocks: 54425 54397
Reported: 2021-12-30 17:42 CET by Arvid Requate
Modified: 2022-03-21 12:05 CET

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.114
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021102921000312
Bug group (optional):
Max CVSS v3 score:
requate: Patch_Available+


Description Arvid Requate univentionstaff 2021-12-30 17:42:34 CET
Ticket#2021102921000312 reported Samba panics appearing in the log.samba.

Analysis of log.samba and the core dump in the customer environment showed that this can be reproduced with an ldbsearch like this:

root@primary20:~# ldbsearch -H "ldap://$(hostname -f)"  -s sub  '(&(|(&(objectCategory=person)(objectSid=*)(!(samAccountType:1.2.840.113556.1.4.804:=3)))(&(objectCategory=person)(!(objectSid=*)))(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=14)))(anr=a*))' objectClass userAccountControl name description -P  --controls "paged_results:0:2"

which triggers the Samba panic and doesn't return all entries. log.samba on my test VM shows this:
=========================================================================
[2021/12/30 17:08:02.843023,  0, pid=3719] ../../lib/util/fault.c:159(smb_panic_log)
  ===============================================================
[2021/12/30 17:08:02.843171,  0, pid=3719] ../../lib/util/fault.c:163(smb_panic_log)
  INTERNAL ERROR: Signal 11: Segmentation fault in pid 3719 (4.13.13-Univention)
[2021/12/30 17:08:02.843193,  0, pid=3719] ../../lib/util/fault.c:168(smb_panic_log)
  If you are running a recent Samba version, and if you think this problem is not yet fixed in the latest versions, please consider reporting this bug, see https://wiki.samba.org/index.php/Bug_Reporting
[2021/12/30 17:08:02.843213,  0, pid=3719] ../../lib/util/fault.c:169(smb_panic_log)
  ===============================================================
[2021/12/30 17:08:02.843243,  0, pid=3719] ../../lib/util/fault.c:171(smb_panic_log)
  PANIC (pid 3719): Signal 11: Segmentation fault in 4.13.13-Univention
[2021/12/30 17:08:02.867942,  0, pid=3719] ../../lib/util/fault.c:275(log_stack_trace)
  BACKTRACE: 42 stack frames:
   #0 /lib/x86_64-linux-gnu/libsamba-util.so.0(log_stack_trace+0x30) [0x7fd09f406b90]
   #1 /lib/x86_64-linux-gnu/libsamba-util.so.0(smb_panic+0x24) [0x7fd09f406e04]
   #2 /lib/x86_64-linux-gnu/libsamba-util.so.0(+0x13011) [0x7fd09f407011]
   #3 /lib/x86_64-linux-gnu/libpthread.so.0(+0x12730) [0x7fd09f081730]
   #4 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/resolve_oids.so(+0x15ae) [0x7fd09acaf5ae]
   #5 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/resolve_oids.so(+0x15e0) [0x7fd09acaf5e0]
   #6 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/resolve_oids.so(+0x1edd) [0x7fd09acafedd]
   #7 /lib/x86_64-linux-gnu/libldb.so.2(ldb_next_request+0x132) [0x7fd09f045202]
   #8 /lib/x86_64-linux-gnu/libldb.so.2(+0x242cb) [0x7fd09f05d2cb]
   #9 /lib/x86_64-linux-gnu/libldb.so.2(ldb_request+0x1d9) [0x7fd09f05c569]
   #10 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/paged_results.so(+0x2656) [0x7fd09adc7656]
   #11 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/paged_results.so(+0x30c9) [0x7fd09adc80c9]
   #12 /lib/x86_64-linux-gnu/libldb.so.2(ldb_next_request+0x132) [0x7fd09f045202]
   #13 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/dirsync.so(+0x2713) [0x7fd09ae58713]
   #14 /lib/x86_64-linux-gnu/libldb.so.2(ldb_next_request+0x132) [0x7fd09f045202]
   #15 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/lazy_commit.so(+0x14c3) [0x7fd09ae0a4c3]
   #16 /lib/x86_64-linux-gnu/libldb.so.2(ldb_next_request+0x132) [0x7fd09f045202]
   #17 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/dsdb_notification.so(+0x14e3) [0x7fd09ae434e3]
   #18 /lib/x86_64-linux-gnu/libldb.so.2(ldb_next_request+0x132) [0x7fd09f045202]
   #19 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/rootdse.so(+0x7933) [0x7fd09aca1933]
   #20 /lib/x86_64-linux-gnu/libldb.so.2(ldb_next_request+0x132) [0x7fd09f045202]
   #21 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/resolve_oids.so(+0x1f0b) [0x7fd09acaff0b]
   #22 /lib/x86_64-linux-gnu/libldb.so.2(ldb_next_request+0x132) [0x7fd09f045202]
   #23 /lib/x86_64-linux-gnu/libldb.so.2(+0x242cb) [0x7fd09f05d2cb]
   #24 /lib/x86_64-linux-gnu/libldb.so.2(ldb_request+0x1d9) [0x7fd09f05c569]
   #25 /usr/lib/x86_64-linux-gnu/samba/service/ldap.so(ldapsrv_do_call+0x14c5) [0x7fd09b3cf945]
   #26 /usr/lib/x86_64-linux-gnu/samba/service/ldap.so(+0x6265) [0x7fd09b3cb265]
   #27 /lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_invoke_immediate_handler+0x139) [0x7fd09f0cab29]
   #28 /lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_immediate+0x23) [0x7fd09f0cab53]
   #29 /lib/x86_64-linux-gnu/libtevent.so.0(+0xd88b) [0x7fd09f0d088b]
   #30 /lib/x86_64-linux-gnu/libtevent.so.0(+0xbb37) [0x7fd09f0ceb37]
   #31 /lib/x86_64-linux-gnu/libtevent.so.0(_tevent_loop_once+0x91) [0x7fd09f0c9e01]
   #32 /lib/x86_64-linux-gnu/libtevent.so.0(tevent_common_loop_wait+0x1b) [0x7fd09f0ca08b]
   #33 /lib/x86_64-linux-gnu/libtevent.so.0(+0xbad7) [0x7fd09f0cead7]
   #34 /usr/lib/x86_64-linux-gnu/samba/process_model/prefork.so(+0x2bef) [0x7fd09b7dbbef]
   #35 /usr/lib/x86_64-linux-gnu/samba/process_model/prefork.so(+0x30cb) [0x7fd09b7dc0cb]
   #36 /usr/lib/x86_64-linux-gnu/samba/process_model/prefork.so(+0x3360) [0x7fd09b7dc360]
   #37 /usr/lib/x86_64-linux-gnu/samba/libservice.so.0(task_server_startup+0x5c) [0x7fd09f3e9e7c]
   #38 /usr/lib/x86_64-linux-gnu/samba/libservice.so.0(server_service_startup+0x96) [0x7fd09f3e8776]
   #39 samba: task[ldap] pre-forked worker(3)(+0x5e02) [0x55f7abff2e02]
   #40 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb) [0x7fd09ee8e09b]
   #41 samba: task[ldap] pre-forked worker(3)(_start+0x2a) [0x55f7abff17ca]
[2021/12/30 17:08:04.585291,  0, pid=3559] ../../source4/smbd/process_prefork.c:539(prefork_child_pipe_handler)
  prefork_child_pipe_handler: Parent 3559, Child 3719 terminated with signal 6
[2021/12/30 17:08:04.585780,  0, pid=3559] ../../source4/smbd/process_prefork.c:483(prefork_restart)
  prefork_restart: Restarting [ldap] pre-fork worker(3)
=========================================================================


It looks like this is not fatal for the samba process infrastructure, because it only seems to kill a child. The same thing can be triggered in UCS 4.4-8.

Further analysis of the core dump and git blaming points to a call "paged_results(ac, NULL)" in the paged_search function. The NULL argument later gets dereferenced in https://gitlab.com/samba-team/samba/-/blob/master/source4/dsdb/samdb/ldb_modules/paged_results.c#L279 .

This regression has been introduced (upstream) as part of the security update https://errata.software-univention.de/#/?erratum=4.4x645



https://gitlab.com/samba-team/samba/-/commit/4d99cab6172a#0aab2f36dcbb2363d97d86e4924cda3a7c0ca2fc_772_796
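The panic sequence quoted above (the smb_panic_log lines, the backtrace, and the prefork parent reaping and restarting the worker) is easy to miss in a busy log.samba. As an added example that is not part of this bug report or of Samba, the following Python parser correlates those lines by pid and flags panics whose backtrace passed through the paged_results ldb module; the sample log is constructed from the format shown above.

```python
import re

# Constructed sample in the log.samba format quoted in the bug report (abridged backtrace).
SAMPLE_LOG = """\
[2021/12/30 17:08:02.843171,  0, pid=3719] ../../lib/util/fault.c:163(smb_panic_log)
  INTERNAL ERROR: Signal 11: Segmentation fault in pid 3719 (4.13.13-Univention)
[2021/12/30 17:08:02.843243,  0, pid=3719] ../../lib/util/fault.c:171(smb_panic_log)
  PANIC (pid 3719): Signal 11: Segmentation fault in 4.13.13-Univention
[2021/12/30 17:08:02.867942,  0, pid=3719] ../../lib/util/fault.c:275(log_stack_trace)
  BACKTRACE: 42 stack frames:
   #4 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/resolve_oids.so(+0x15ae) [0x7fd09acaf5ae]
   #10 /usr/lib/x86_64-linux-gnu/ldb/modules/ldb/samba/paged_results.so(+0x2656) [0x7fd09adc7656]
   #25 /usr/lib/x86_64-linux-gnu/samba/service/ldap.so(ldapsrv_do_call+0x14c5) [0x7fd09b3cf945]
[2021/12/30 17:08:04.585291,  0, pid=3559] ../../source4/smbd/process_prefork.c:539(prefork_child_pipe_handler)
  prefork_child_pipe_handler: Parent 3559, Child 3719 terminated with signal 6
[2021/12/30 17:08:04.585780,  0, pid=3559] ../../source4/smbd/process_prefork.c:483(prefork_restart)
  prefork_restart: Restarting [ldap] pre-fork worker(3)
"""

HEADER = re.compile(r'^\[(?P<ts>[^,]+),\s*\d+,\s*pid=(?P<pid>\d+)\]')
PANIC = re.compile(r'PANIC \(pid (?P<pid>\d+)\): Signal (?P<sig>\d+)')
CHILD_EXIT = re.compile(r'Child (?P<pid>\d+) terminated with signal (?P<sig>\d+)')
RESTART = re.compile(r'prefork_restart: Restarting \[(?P<svc>\w+)\]')
FRAME = re.compile(r'#\d+ \S*/([a-z_]+)\.so\(')  # frames inside a Samba ldb/service module


def parse_panics(text):
    """One record per PANIC line: signal, modules seen in the backtrace, how the
    prefork parent reaped the child and which service it restarted afterwards."""
    panics, current_pid, last_reaped = {}, None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:                       # header line: remember which pid logs next
            current_pid = m.group('pid')
        elif (m := PANIC.search(line)):
            panics[m.group('pid')] = {'signal': int(m.group('sig')), 'modules': [],
                                      'reaped_with_signal': None, 'restarted': None}
        elif (m := FRAME.search(line)) and current_pid in panics:
            panics[current_pid]['modules'].append(m.group(1))
        elif (m := CHILD_EXIT.search(line)) and m.group('pid') in panics:
            panics[m.group('pid')]['reaped_with_signal'] = int(m.group('sig'))
            last_reaped = m.group('pid')
        elif (m := RESTART.search(line)) and last_reaped in panics:
            panics[last_reaped]['restarted'] = m.group('svc')
    return panics


def paged_results_panics(text):
    """Pids whose crash went through the paged_results module, the signature of this bug."""
    return sorted(pid for pid, rec in parse_panics(text).items()
                  if 'paged_results' in rec['modules'])
```

Running it against a real log.samba gives a quick count of how often the LDAP worker was restarted because of this panic, which is the signal to look for after deploying the errata package.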
Comment 1 Arvid Requate univentionstaff 2022-01-11 09:41:32 CET
For context of that commit:

This is the security patch series for the main branch:

  https://attachments.samba.org/attachment.cgi?id=16002

Maybe this helps in understanding the intention of the code change
and how to avoid calling paged_results with NULL.
Comment 2 Arvid Requate univentionstaff 2022-01-30 18:40:42 CET
A patch for this issue was committed upstream last week:

https://gitlab.com/samba-team/samba/-/commit/19fa22b1fbc

and the subsequent patch fixes the same for vlv:

https://gitlab.com/samba-team/samba/-/commit/7d16a56b9d1
Comment 3 Arvid Requate univentionstaff 2022-01-31 10:04:23 CET
r19511 | Cherrypicked upstream patches
r19512 | Fix patch metadata
56b6965fae | Advisory

Package: samba
Version: 2:4.13.13-1A~5.0.0.202201310946
Branch: ucs_5.0-0
Scope: errata5.0-1
Comment 4 Julia Bremer univentionstaff 2022-01-31 14:56:31 CET
Upstream patch applied: OK
The reproducing ldbsearch still fails with a segmentation fault.
But this seems to be another issue that already existed before the security patch. The applied patch is correct, so it may be able to fix the customer's problem.
Maybe the ldbsearch recreated another issue.
YAML: OK

Verified.