author | Volker Lendecke <vl@samba.org> | 2022-02-03 15:25:11 +0100 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-02-14 17:46:14 +0000 |
commit | 4cc60cbdb70172e3b996fe55968003320bd10f2c (patch) | |
tree | aa1f117fc9a2a56b9f50ebd7bdef105cb8e89836 | |
parent | a61a91d427fef0b29fbe4983ee2b9dd4d9f0c074 (diff) | |
download | samba-4cc60cbdb70172e3b996fe55968003320bd10f2c.tar.gz |
torture: Add a test to show that full_audit uses a ptr after free
Run vfstest with this vfstest.cmd under valgrind and you'll see what
happens. Exact explanation a few patches further down...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14975
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 5f1ceead7094aefc6ad1f209468e9ea8f009716c)
-rw-r--r-- | selftest/knownfail.d/full_audit_crash | 1 | ||||
-rwxr-xr-x | source3/script/tests/full_audit_segfault/run.sh | 23 | ||||
-rw-r--r-- | source3/script/tests/full_audit_segfault/vfstest.cmd | 3 | ||||
-rwxr-xr-x | source3/selftest/tests.py | 8 | ||||
-rw-r--r-- | source3/torture/cmd_vfs.c | 85 |
5 files changed, 120 insertions, 0 deletions
diff --git a/selftest/knownfail.d/full_audit_crash b/selftest/knownfail.d/full_audit_crash
new file mode 100644
index 00000000000..9154ea334f2
--- /dev/null
+++ b/selftest/knownfail.d/full_audit_crash
@@ -0,0 +1 @@
+^samba.vfstest.full_audit_segfault.vfstest\(nt4_dc:local\)
\ No newline at end of file
diff --git a/source3/script/tests/full_audit_segfault/run.sh b/source3/script/tests/full_audit_segfault/run.sh
new file mode 100755
index 00000000000..752b27125c8
--- /dev/null
+++ b/source3/script/tests/full_audit_segfault/run.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+if [ $# -lt 1 ]; then
+cat <<EOF
+Usage: run.sh VFSTEST
+EOF
+exit 1;
+fi
+
+TALLOC_FILL_FREE=0; export TALLOC_FILL_FREE
+
+TESTBASE="$(dirname $0)"
+VFSTEST="$VALGRIND $1"; shift 1;
+ADDARGS="$*"
+
+incdir=`dirname $0`/../../../../testprogs/blackbox
+. $incdir/subunit.sh
+
+failed=0
+
+testit "vfstest" "$VFSTEST" -f "$TESTBASE/vfstest.cmd" "$ADDARGS" ||
+ failed=$(expr $failed + 1)
+
+exit $failed
diff --git a/source3/script/tests/full_audit_segfault/vfstest.cmd b/source3/script/tests/full_audit_segfault/vfstest.cmd
new file mode 100644
index 00000000000..84e93e2b157
--- /dev/null
+++ b/source3/script/tests/full_audit_segfault/vfstest.cmd
@@ -0,0 +1,3 @@
+load full_audit
+connect
+create_file .
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index acf5282b8ec..95192ae19ae 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
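Review bot: The quoting on the `testit` line in run.sh does not do what it appears to: with `VALGRIND` unset, `"$VFSTEST"` expands to one word with a leading space (`" /path/to/vfstest"`), and `"$ADDARGS"` glues `$PREFIX` and the configuration argument into a single word, so invoked directly the command would not resolve. This presumably only works because `testit` in subunit.sh re-joins and word-splits its arguments; if so the quotes are misleading, and the unquoted form the sibling vfstest scripts use, `testit "vfstest" $VFSTEST -f $TESTBASE/vfstest.cmd $ADDARGS || failed=$(expr $failed + 1)`, says what actually happens. The `TALLOC_FILL_FREE=0; export TALLOC_FILL_FREE` line also needs a comment stating what it is meant to change for the valgrind run, and a check that it is the variable talloc actually reads (I recall that being `TALLOC_FREE_FILL`; if so this export is a no-op).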
@@ -359,6 +359,14 @@ plantestsuite("samba.vfstest.stream_depot", "nt4_dc:local", [os.path.join(samba3
 plantestsuite("samba.vfstest.xattr-tdb-1", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/xattr-tdb-1/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
 plantestsuite("samba.vfstest.acl", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-acl/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
 plantestsuite("samba.vfstest.catia", "nt4_dc:local", [os.path.join(samba3srcdir, "script/tests/vfstest-catia/run.sh"), binpath("vfstest"), "$PREFIX", configuration])
+plantestsuite(
+ "samba.vfstest.full_audit_segfault",
+ "nt4_dc:local",
+ [os.path.join(samba3srcdir,
+ "script/tests/full_audit_segfault/run.sh"),
+ binpath("vfstest"),
+ "$PREFIX",
+ configuration])
 plantestsuite("samba3.blackbox.smbclient_basic.NT1", "nt4_dc_schannel", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, "-mNT1"])
 plantestsuite("samba3.blackbox.smbclient_basic.NT1", "nt4_dc_smb1", [os.path.join(samba3srcdir, "script/tests/test_smbclient_basic.sh"), '$SERVER', '$SERVER_IP', '$DC_USERNAME', '$DC_PASSWORD', smbclient3, configuration, "-mNT1"])
diff --git a/source3/torture/cmd_vfs.c b/source3/torture/cmd_vfs.c
index 72fa784d72b..4be5719e94e 100644
--- a/source3/torture/cmd_vfs.c
+++ b/source3/torture/cmd_vfs.c
@@ -2169,6 +2169,86 @@ cleanup:
 return status;
 }
+/*
+ * This is a quick hack to demonstrate a crash in the full_audit
+ * module when passing fsp->smb_fname into SMB_VFS_CREATE_FILE leading
+ * to an error.
+ *
+ * Feel free to expand with more options as needed
+ */
+static NTSTATUS cmd_create_file(
+ struct vfs_state *vfs,
+ TALLOC_CTX *mem_ctx,
+ int argc,
+ const char **argv)
+{
+ struct smb_filename *fname = NULL;
+ struct files_struct *fsp = NULL;
+ int info, ret;
+ NTSTATUS status;
+
+ if (argc != 2) {
+ DBG_ERR("Usage: create_file filename\n");
+ return NT_STATUS_UNSUCCESSFUL;
+ }
+
+ fname = synthetic_smb_fname(
+ talloc_tos(), argv[1], NULL, NULL, 0, 0);
+ if (fname == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ ret = vfs_stat(vfs->conn, fname);
+ if (ret != 0) {
+ status = map_nt_error_from_unix(errno);
+ DBG_DEBUG("vfs_stat() failed: %s\n", strerror(errno));
+ TALLOC_FREE(fname);
+ return status;
+ }
+
+ status = openat_pathref_fsp(vfs->conn->cwd_fsp, fname);
+ if (!NT_STATUS_IS_OK(status)) {
+ DBG_DEBUG("Could not open %s: %s\n",
+ fname->base_name,
+ nt_errstr(status));
+ TALLOC_FREE(fname);
+ return status;
+ }
+
+ status = SMB_VFS_CREATE_FILE(
+ vfs->conn,
+ NULL,
+
+ /*
+ * Using fname->fsp->fsp_name seems to be legal,
+ * there's code to handle this in
+ * create_file_unixpath(). And it is actually very
+ * worthwhile re-using the fsp_name, we can save quite
+ * a few copies of smb_filename with that.
+ */
+ fname->fsp->fsp_name,
+ SEC_FILE_ALL,
+ FILE_SHARE_NONE,
+ FILE_OPEN,
+ FILE_NON_DIRECTORY_FILE,
+ 0,
+ 0,
+ NULL,
+ 0,
+ 0,
+ NULL,
+ NULL,
+ &fsp,
+ &info,
+ NULL,
+ NULL
+ );
+ DBG_DEBUG("create_file returned %s\n", nt_errstr(status));
+
+ TALLOC_FREE(fname);
+
+ return NT_STATUS_OK;
+}
 struct cmd_set vfs_commands[] = {
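Review bot: Nothing in `cmd_create_file` closes the `fsp` that `SMB_VFS_CREATE_FILE` hands back on success, so a successful open stays open for the rest of the vfstest session; with the test's `create_file .` plus `FILE_NON_DIRECTORY_FILE` the call is expected to fail, but the command is now in the `vfs_commands` table and can be run against any name. Before `TALLOC_FREE(fname);` add `if (NT_STATUS_IS_OK(status)) { close_file_free(NULL, &fsp, NORMAL_CLOSE); }` (or whichever close helper this tree provides; I cannot see it from the hunk). The function also returns `NT_STATUS_OK` whatever create_file returned, which looks deliberate so the test passes once the full_audit use-after-free is fixed and the error path merely has to survive; the header comment should say so, e.g. `/* The create_file status is only logged: this command exists to exercise the error path, not to succeed. */`. The freed-then-reused pointer the commit title refers to is not visible here, so a one-line pointer in the same comment to the later patch (or the bug number) would help the next reader of this "quick hack".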
@@ -2237,5 +2317,10 @@ struct cmd_set vfs_commands[] = {
 { "test_chain", cmd_test_chain, "test chain code", "test_chain" },
 { "translate_name", cmd_translate_name, "VFS translate_name()", "translate_name unix_filename" },
+ { "create_file",
+ cmd_create_file,
+ "VFS create_file()",
+ "create_file <filename>"
+ },
 {0}
 }; |