[Bug 245707] samba410 PANIC Bad talloc magic value - access after free

bugzilla-noreply at freebsd.org
Fri Apr 17 20:16:50 UTC 2020


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245707

            Bug ID: 245707
           Summary: samba410 PANIC Bad talloc magic value - access after
                    free
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs at FreeBSD.org
          Reporter: m at funkyhat.org

samba410 PANICs repeatedly while a macOS Catalina client attempts to connect to
it (I don't have a Windows box to test whether it's a fruit-specific issue or
not)

This happens with both samba410 from the official pkg repos (4.10.13)
and with poudriere-compiled samba410 with bundled tevent, talloc, tdb (4.10.14)
(as the PANIC is in talloc so trying the bundled version seemed worth a punt at
least...)

Samba is running in a jail with VNET on ZFS
Base system is FreeBSD 12.1-RELEASE r354233 GENERIC  amd64


/etc/jail.conf:
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";

exec.consolelog = "/var/log/jail_${name}_console.log";

host.hostname = "${name}.sodium";

path = "/jails/${name}";

samba {
        vnet;
        vnet.interface = "ng0_${name}";
        exec.prestart += "jng bridge ${name} bge0";
        exec.poststop += "jng shutdown ${name}";

        devfs_ruleset=11;
        mount.devfs;
}


/jails/samba/usr/local/etc/smb4.conf:
[global]
        workgroup = WORKGROUP
        security = user
        netbios name = files
        server string = files.beryllium.local
        ; hostname lookups = yes

        load printers = no
        show add printer wizard = no
        time server = yes
        map to guest = Bad User
        use mmap = yes

        dos charset = 850
        unix charset = UTF-8
        mangled names = no

        log level = 0
        vfs objects = fruit streams_xattr zfsacl

        fruit:model = MacPro
        fruit:resource = file
        fruit:metadata = netatalk

; time machine
[TimeMachine]
        path = /shares/timemachine
        read only = no
        use sendfile = yes
        browseable = no
        ; hosts allow = macbook.your-local-domain.invalid fe80::/10
        fruit:time machine = yes
        fruit:time machine max size = 3T
        valid users = tm

---

Proceed with deinstalling packages? [y/N]: y
[samba.sodium] [1/4] Deinstalling samba410-4.10.13...
[samba.sodium] [1/4] Deleting files for samba410-4.10.13: 100%
[samba.sodium] [2/4] Deinstalling tevent-0.10.1...
[samba.sodium] [2/4] Deleting files for tevent-0.10.1: 100%
[samba.sodium] [3/4] Deinstalling talloc-2.3.0...
[samba.sodium] [3/4] Deleting files for talloc-2.3.0: 100%
[samba.sodium] [4/4] Deinstalling tdb-1.4.2,1...
[samba.sodium] [4/4] Deleting files for tdb-1.4.2,1: 100%
root at sodium:~ # pkg -j samba install samba410
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
Updating local_poudriere repository catalogue...
local_poudriere repository is up to date.
All repositories are up to date.
Checking integrity... done (0 conflicting)
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        samba410: 4.10.14 [local_poudriere]

Number of packages to be installed: 1

The process will require 76 MiB more space.

Proceed with this action? [y/N]: y

---

[2020/04/17 19:22:13.945495,  0] ../../source3/lib/dumpcore.c:310(dump_core)
  unable to change to %N.core
  refusing to dump core
[2020/04/17 19:22:14.059962,  0]
../../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at
../../lib/util/memcache.c:218
[2020/04/17 19:22:14.060538,  0]
../../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  Bad talloc magic value - access after free
[2020/04/17 19:22:14.060812,  0] ../../source3/lib/util.c:824(smb_panic_s3)
  PANIC (pid 95605): Bad talloc magic value - access after free
[2020/04/17 19:22:14.064574,  0] ../../lib/util/fault.c:265(log_stack_trace)
  BACKTRACE: 24 stack frames:
   #0 0x8010f2947 <log_stack_trace+0x37> at
/usr/local/lib/samba4/libsamba-util.so.0
   #1 0x80168e50d <smb_panic_s3+0x4d> at /usr/local/lib/samba4/libsmbconf.so.0
   #2 0x8010f2737 <smb_panic+0x17> at /usr/local/lib/samba4/libsamba-util.so.0
   #3 0x80145fd95 <talloc_set_memlimit+0x6f5> at
/usr/local/lib/samba4/private/libtalloc.so.2
   #4 0x80145fe3f <talloc_set_memlimit+0x79f> at
/usr/local/lib/samba4/private/libtalloc.so.2
   #5 0x801358615 <create_file_default+0x24f5> at
/usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #6 0x801357271 <create_file_default+0x1151> at
/usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #7 0x801356306 <create_file_default+0x1e6> at
/usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #8 0x80be6ae25 <samba_init_module+0x2d95> at
/usr/local/lib/samba4/modules/vfs/fruit.so
   #9 0x80139620a <smbd_smb2_request_process_create+0x168a> at
/usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #10 0x80138c2d4 <smbd_smb2_request_dispatch+0x1d44> at
/usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #11 0x80138f7c1 <smbd_smb2_process_negprot+0x1951> at
/usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #12 0x801494ccd <tevent_common_invoke_fd_handler+0x8d> at
/usr/local/lib/samba4/private/libtevent.so.0
   #13 0x801497ac4 <tevent_context_same_loop+0xd34> at
/usr/local/lib/samba4/private/libtevent.so.0
   #14 0x801493ef1 <_tevent_loop_once+0xe1> at
/usr/local/lib/samba4/private/libtevent.so.0
   #15 0x80149417b <tevent_common_loop_wait+0x5b> at
/usr/local/lib/samba4/private/libtevent.so.0
   #16 0x80137a406 <smbd_process+0x886> at
/usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #17 0x1031d0f <main+0x445f> at /usr/local/sbin/smbd
   #18 0x801494ccd <tevent_common_invoke_fd_handler+0x8d> at
/usr/local/lib/samba4/private/libtevent.so.0
   #19 0x801497ac4 <tevent_context_same_loop+0xd34> at
/usr/local/lib/samba4/private/libtevent.so.0
   #20 0x801493ef1 <_tevent_loop_once+0xe1> at
/usr/local/lib/samba4/private/libtevent.so.0
   #21 0x80149417b <tevent_common_loop_wait+0x5b> at
/usr/local/lib/samba4/private/libtevent.so.0
   #22 0x103016f <main+0x28bf> at /usr/local/sbin/smbd
   #23 0x102f6af <main+0x1dff> at /usr/local/sbin/smbd
[2020/04/17 19:22:14.068335,  0] ../../source3/lib/dumpcore.c:310(dump_core)
  unable to change to %N.core
  refusing to dump core
[2020/04/17 19:22:14.072418,  0]
../../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at
../../lib/util/memcache.c:218
[2020/04/17 19:22:14.073014,  0]
../../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  Bad talloc magic value - access after free
[2020/04/17 19:22:14.073290,  0] ../../source3/lib/util.c:824(smb_panic_s3)
  PANIC (pid 96458): Bad talloc magic value - access after free
[2020/04/17 19:22:14.077131,  0] ../../lib/util/fault.c:265(log_stack_trace)
  BACKTRACE: 24 stack frames:
   #0 0x8010f2947 <log_stack_trace+0x37> at
/usr/local/lib/samba4/libsamba-util.so.0
   #1 0x80168e50d <smb_panic_s3+0x4d> at /usr/local/lib/samba4/libsmbconf.so.0
   #2 0x8010f2737 <smb_panic+0x17> at /usr/local/lib/samba4/libsamba-util.so.0
   #3 0x80145fd95 <talloc_set_memlimit+0x6f5> at
/usr/local/lib/samba4/private/libtalloc.so.2
   #4 0x80145fe3f <talloc_set_memlimit+0x79f> at
/usr/local/lib/samba4/private/libtalloc.so.2
   #5 0x801358615 <create_file_default+0x24f5> at
/usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #6 0x801357271 <create_file_default+0x1151> at
/usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #7 0x801356306 <create_file_default+0x1e6> at
/usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #8 0x80be6ae25 <samba_init_module+0x2d95> at
/usr/local/lib/samba4/modules/vfs/fruit.so
   #9 0x80139620a <smbd_smb2_request_process_create+0x168a> at
/usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #10 0x80138c2d4 <smbd_smb2_request_dispatch+0x1d44> at
/usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #11 0x80138f7c1 <smbd_smb2_process_negprot+0x1951> at
/usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #12 0x801494ccd <tevent_common_invoke_fd_handler+0x8d> at
/usr/local/lib/samba4/private/libtevent.so.0
   #13 0x801497ac4 <tevent_context_same_loop+0xd34> at
/usr/local/lib/samba4/private/libtevent.so.0
   #14 0x801493ef1 <_tevent_loop_once+0xe1> at
/usr/local/lib/samba4/private/libtevent.so.0
   #15 0x80149417b <tevent_common_loop_wait+0x5b> at
/usr/local/lib/samba4/private/libtevent.so.0
   #16 0x80137a406 <smbd_process+0x886> at
/usr/local/lib/samba4/private/libsmbd-base-samba4.so
   #17 0x1031d0f <main+0x445f> at /usr/local/sbin/smbd
   #18 0x801494ccd <tevent_common_invoke_fd_handler+0x8d> at
/usr/local/lib/samba4/private/libtevent.so.0
   #19 0x801497ac4 <tevent_context_same_loop+0xd34> at
/usr/local/lib/samba4/private/libtevent.so.0
   #20 0x801493ef1 <_tevent_loop_once+0xe1> at
/usr/local/lib/samba4/private/libtevent.so.0
   #21 0x80149417b <tevent_common_loop_wait+0x5b> at
/usr/local/lib/samba4/private/libtevent.so.0
   #22 0x103016f <main+0x28bf> at /usr/local/sbin/smbd
   #23 0x102f6af <main+0x1dff> at /usr/local/sbin/smbd

-- 
You are receiving this mail because:
You are the assignee for the bug.
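
A triage helper for logs like the one above, added here as an example and not part of the original report or of Samba: it rejoins the mail-wrapped lines, then extracts each PANIC with its pid, the talloc "first free" site and any VFS module in the backtrace. The names `unwrap` and `triage` are this example's own; the sample is a trimmed excerpt of the quoted log.

```python
import re

# Trimmed excerpt of the smbd log quoted in the report, mail line-wrapping kept.
SAMPLE_LOG = """\
[2020/04/17 19:22:14.059962,  0]
../../source3/lib/popt_common.c:67(popt_s3_talloc_log_fn)
  talloc: access after free error - first free may be at
../../lib/util/memcache.c:218
[2020/04/17 19:22:14.060812,  0] ../../source3/lib/util.c:824(smb_panic_s3)
  PANIC (pid 95605): Bad talloc magic value - access after free
[2020/04/17 19:22:14.064574,  0] ../../lib/util/fault.c:265(log_stack_trace)
  BACKTRACE: 24 stack frames:
   #3 0x80145fd95 <talloc_set_memlimit+0x6f5> at
/usr/local/lib/samba4/private/libtalloc.so.2
   #8 0x80be6ae25 <samba_init_module+0x2d95> at
/usr/local/lib/samba4/modules/vfs/fruit.so
"""

FIRST_FREE = re.compile(r"first free may be at (\S+)")
PANIC = re.compile(r"PANIC \(pid (\d+)\): (.+)")
FRAME = re.compile(r"#(\d+) 0x[0-9a-f]+ <([^+>]+)\+0x[0-9a-f]+> at (\S+)")

def unwrap(text):
    """Rejoin wrapped lines: a continuation starts in column 0 and not with '['."""
    lines = []
    for line in text.splitlines():
        if lines and line and not line[0].isspace() and not line.startswith("["):
            lines[-1] = lines[-1].rstrip() + " " + line
        else:
            lines.append(line)
    return lines

def triage(text):
    """Return one record per PANIC: pid, reason, first-free site, frames, VFS modules."""
    events, first_free = [], None
    for line in unwrap(text):
        if m := FIRST_FREE.search(line):
            first_free = m.group(1)  # logged just before the PANIC line
        elif m := PANIC.search(line):
            events.append({"pid": int(m.group(1)), "reason": m.group(2).strip(),
                           "first_free": first_free, "frames": []})
            first_free = None
        elif events and (m := FRAME.search(line)):
            events[-1]["frames"].append((int(m.group(1)), m.group(2), m.group(3)))
    for ev in events:
        ev["vfs_modules"] = sorted({path.rsplit("/", 1)[-1] for _, _, path in ev["frames"]
                                    if "/modules/vfs/" in path})
    return events
```

Symbols with large offsets, such as `samba_init_module+0x2d95`, are usually the nearest exported symbol rather than the function that was running, so the module path is the more reliable field when grouping crashes.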

