
Bug #11835

smbd rpc service crash in ndr_outer_string / ndr_s_wchar

Added by Gordon Ross 11 months ago. Updated 11 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

Found an smbd core dump (sigsegv, not panic) after running the smbtorture rpc tests:

smbtorture  //myhost/IPC\$ -U test%test rpc.srvsvc.\*.NetNameValidate

Careful with the escapes for the dollar sign and asterisk above.

The stack from this core file:

root@nstor:/var/cores# mdb  core.smbd.100606.1569377704
Loading modules: [ libumem.so.1 libc.so.1 libuutil.so.1 libcmdutils.so.1 libmlsvc.so.1 libavl.so.1 libtopo.so.1 libnvpair.so.1 ld.so.1 ]
> $C
f8bfb7a8 libc.so.1`_lwp_kill+0x15(7a, 6, f8bfb7d8, fef47000, fef47000, f8bfb840)
f8bfb7c8 libc.so.1`raise+0x2b(6, 0, f8bfb7e0, fee896a0, 0, 0)
f8bfb818 libc.so.1`abort+0x10e(f8bfb840, f8bfb840, 61, fe0bb7bc, fe0bbcb7, 784)
f8bfba48 0xfee417f4(fe0bb7bc, fe0bbcb7, 784, fe0b7c48)
f8bfdaf8 libmlrpc.so.2`ndr_s_wchar+0x51(f8bfdb84, 4c, 4, fe0b64ff)
f8bfdb48 libmlrpc.so.2`ndr_inner+0x67(f8bfdb84, 3c, 853ad60, fe0b663c)
f8bfdbd8 libmlrpc.so.2`ndr_outer_string+0x4a8(853ad60, fe0bbdb2, 853ad60, 853ac58)
f8bfdc28 libmlrpc.so.2`ndr_outer+0xd7(853ad60, fefc2d7f, f8bfde1c, fe0b764e)
f8bfdc48 libmlrpc.so.2`ndr_run_outer_queue+0x29(837b80c, 0, 853ac18, fe0b769a)
f8bfdc98 libmlrpc.so.2`ndr_topmost+0x2b4(f8bfdcb4, 3c, fef4c38c, 0)
f8bfdd08 libmlsvc.so.1`ndr__mslm_NetNameValidate+0xc1(f8bfdd44, 0, 3c, fe0b795e)
f8bfdd28 libmlrpc.so.2`ndr_params+0x28(f8bfdd44, 3c, fe0e0928, 837b808)
f8bfdd98 libmlsvc.so.1`ndr__srvsvc_interface+0x2e4(f8bfddb4, 3c, 0, 0)
f8bfde08 libmlrpc.so.2`ndo_operation+0x86(837b80c, fe16fbe8, 21, 853ac54)
f8bfde28 libmlrpc.so.2`ndr_encode_decode_common+0x23(837b80c, 21, fe16fbe8, 853ac54)
f8bfde48 libmlrpc.so.2`ndr_decode_call+0x38(837b808, 853ac54, 837b808, fe0b8005)
f8bfde88 libmlrpc.so.2`ndr_generic_call_stub+0xd4(837b808, 0, f8bfdeb8, fe0b4c76, 837b80c, 837b83c)
f8bfdec8 libmlrpc.so.2`ndr_svc_request+0x6f(837b808, fe0cd000, fe0b8604, 837b808, 837b808, 0)
f8bfdee8 libmlrpc.so.2`ndr_svc_process+0x44(837b808, 0, 21, 853a008, 124, 83a09b8)
f8bfdf28 libmlrpc.so.2`ndr_pipe_process+0x9a(83a09b8, 837b808, 2, 0)
f8bfdf58 libmlrpc.so.2`ndr_pipe_worker+0x54(83a09b8, f8bfdf8c, 4, 1, 8, 0)
f8bfdfc8 pipesvc_worker+0x195(83a09b8, 0, 0, 0)
f8bfdfe8 libc.so.1`_thrp_setup+0x88(feccb240)
f8bfdff8 libc.so.1`_lwp_start(feccb240, 0, 0, 0, 0, 0)

History

#1

Updated by Gordon Ross 11 months ago

This was running a debug build. We triggered an assert in ndr_s_wchar having to do with string length enforcement. Let's have a look at the data structures in the enclosing function calls:

> f8bfdb84::print ndr_ref_t
{
    next = 0
    enclosing = 0x853ad60
    stream = 0x837b80c
    ti = libmlrpc.so.2`ndt_s_wchar
    name = 0xfe0bbd27 "OUTER-STRING" 
    pdu_offset = 0x50
    datum = 0x8543008 "" 
    backptr = 0
    outer_flags = 0x8
    inner_flags = 0
    type_flags = 0
    packed_alignment = 0
    size_is = 0x1001
    strlen_is = 0x1001
    switch_is = 0
    dimension_is = 0
    pdu_end_offset = 0
}

We have size_is one larger than it should be. Looks like a missing enforcement.
Sure enough, ndr_outer_string enforced those limits for the "encode" direction, but not for "decode".
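
The missing check described in this comment, as an added example that is not part of the illumos libmlrpc code: a minimal decoder for an NDR conformant varying wide-character string, i.e. the max_count / offset / actual_count header that the ndr_ref_t dump above shows as size_is and strlen_is, followed by actual_count UTF-16LE code units. The limit of 0x1000 elements is an assumption taken from the report saying 0x1001 is "one larger than it should be"; the names wstr_decode, wstr_hdr_valid and wstr_build and the constructed PDUs are this example's own, not libmlrpc's.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Assumed element limit for the string being decoded: the report shows
 * size_is = 0x1001 as "one larger than it should be", so this example
 * takes 0x1000 wide characters (terminator included) as the maximum.
 */
#define WSTR_MAX_ELEMS 0x1000u

/* Cursor over a received PDU. */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t off;
} pdu_t;

/*
 * Wire header of an NDR conformant varying string: max_count (what the
 * report calls size_is), offset, actual_count (strlen_is), each a
 * little-endian uint32, followed by actual_count UTF-16LE code units.
 */
typedef struct {
    uint32_t size_is;
    uint32_t offset;
    uint32_t strlen_is;
} wstr_hdr_t;

static bool pdu_get_u32(pdu_t *p, uint32_t *v)
{
    if (p->len - p->off < 4)
        return false;
    const uint8_t *b = p->buf + p->off;
    *v = (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
         ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
    p->off += 4;
    return true;
}

/* The limit check the report says was only applied when encoding. */
static bool wstr_hdr_valid(const wstr_hdr_t *h)
{
    if (h->size_is == 0 || h->size_is > WSTR_MAX_ELEMS)
        return false;           /* buffer declared larger than the IDL allows */
    if (h->offset != 0)
        return false;           /* [string] arrays always carry offset 0 */
    if (h->strlen_is == 0 || h->strlen_is > h->size_is)
        return false;           /* more characters than the declared buffer */
    return true;
}

/*
 * Decode one string into out[] (capacity out_elems code units).
 * Returns the element count on success, -1 when the header is rejected
 * or the PDU is short, -2 when the data would not fit out[].
 * enforce == false models the pre-fix decode path that trusted the
 * header; -2 is then the point where the report's debug assert fired.
 */
static int wstr_decode(pdu_t *p, bool enforce, uint16_t *out, size_t out_elems)
{
    wstr_hdr_t h;

    if (!pdu_get_u32(p, &h.size_is) || !pdu_get_u32(p, &h.offset) ||
        !pdu_get_u32(p, &h.strlen_is))
        return -1;
    if (enforce && !wstr_hdr_valid(&h))
        return -1;
    if ((size_t)h.strlen_is > (p->len - p->off) / 2)
        return -1;              /* PDU shorter than actual_count claims */
    if ((size_t)h.strlen_is > out_elems)
        return -2;              /* would overrun the destination */

    for (uint32_t i = 0; i < h.strlen_is; i++) {
        const uint8_t *b = p->buf + p->off + 2 * (size_t)i;
        out[i] = (uint16_t)(b[0] | (b[1] << 8));
    }
    p->off += 2 * (size_t)h.strlen_is;
    if (h.strlen_is > 0 && out[h.strlen_is - 1] != 0)
        return -1;              /* NDR [string] data must be NUL terminated */
    return (int)h.strlen_is;
}

/*
 * Constructed test PDU builder (not a wire capture): writes the header and
 * an ASCII string widened to UTF-16LE, zero-filled up to strlen_is elements.
 * Returns the bytes written, or 0 if cap is too small.
 */
static size_t wstr_build(uint8_t *buf, size_t cap, uint32_t size_is,
                         uint32_t strlen_is, const char *ascii)
{
    size_t need = 12 + 2 * (size_t)strlen_is;
    if (cap < need)
        return 0;
    uint32_t hdr[3] = { size_is, 0, strlen_is };
    for (int i = 0; i < 3; i++) {
        buf[4 * i + 0] = (uint8_t)(hdr[i]);
        buf[4 * i + 1] = (uint8_t)(hdr[i] >> 8);
        buf[4 * i + 2] = (uint8_t)(hdr[i] >> 16);
        buf[4 * i + 3] = (uint8_t)(hdr[i] >> 24);
    }
    memset(buf + 12, 0, 2 * (size_t)strlen_is);
    size_t n = strlen(ascii);
    if (n > strlen_is)
        n = strlen_is;
    for (size_t i = 0; i < n; i++)
        buf[12 + 2 * i] = (uint8_t)ascii[i];
    return need;
}
```

Calling wstr_decode with enforce set to false models the decode path before the fix: the header is trusted, and only the capacity check in the copy step (the place the debug build's assert fired) stands between an actual_count of 0x1001 and an out-of-bounds write into a 0x1000-element buffer. With enforce set to true the same header is rejected before any string data is read. The point of keeping wstr_hdr_valid() as a separate function is that encode and decode should call the same one, so the limits cannot drift between directions again.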

#2

Updated by Gordon Ross 11 months ago

I was able to reproduce this using the smbtorture rpc tests:

smbtorture  //myhost/IPC\$ -U test%test rpc.srvsvc.\*.NetNameValidate

Careful with the escapes for the dollar sign and asterisk.

#3

Updated by Gordon Ross 11 months ago

Tested per the description above.

#4

Updated by Electric Monk 11 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit 1ca4e8df0656724dae6eea0884d84d8d4c1aabb2

commit  1ca4e8df0656724dae6eea0884d84d8d4c1aabb2
Author: Gordon Ross <gwr@nexenta.com>
Date:   2019-10-19T13:02:57.000Z

    11835 smbd rpc service crash in ndr_outer_string / ndr_s_wchar
    Reviewed by: Matt Barden <matt.barden@nexenta.com>
    Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
    Reviewed by: Evan Layton <evan.layton@nexenta.com>
    Reviewed by: Andy Stormont <AStormont@racktopsystems.com>
    Approved by: Robert Mustacchi <rm@fingolfin.org>
