Ubuntu
samba package

smbd crashed with SIGABRT in strlen() while accessing a share from a W7 client

Bug #1514766 reported by Thomas A. F. Thorne on 2015-11-10

This bug affects 12 people

Affects		Status	Importance	Assigned to	Milestone
	samba (Ubuntu)	Confirmed	Medium	Unassigned

Bug Description

I tried to access an SMB share hosted on my Ubuntu desktop from my Windows 7 laptop. This is something I do dozens of times a day and have not seen a crash report until now.

The specifics were that I was running Chrome on my Windows 7 desktop and I was selecting a file to upload to a website via a mounted network share. That mounted drive is an SMB network share from my Ubuntu desktop that allows read access of a directory in my /home

ProblemType: Crash
DistroRelease: Ubuntu 14.04
Package: samba 2:4.1.6+dfsg-1ubuntu2.14.04.9
ProcVersionSignature: Ubuntu 3.16.0-51.69~14.04.1-generic 3.16.7-ckt17
Uname: Linux 3.16.0-51-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.18
Architecture: amd64
Date: Tue Nov 10 08:45:29 2015
ExecutablePath: /usr/sbin/smbd
InstallationDate: Installed on 2015-03-12 (242 days ago)
InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
NmbdLog:

ProcCmdline: smbd -F
ProcEnviron:
PATH=(custom, no user)
TERM=linux
SambaServerRegression: Yes
Signal: 6
SmbConfIncluded: Yes
SmbLog:

SourcePackage: samba
StacktraceTop:
strlen () at ../sysdeps/x86_64/strlen.S:106
push_ucs2_talloc () from /usr/lib/x86_64-linux-gnu/libsamba-util.so.0
E_md4hash () from /usr/lib/x86_64-linux-gnu/samba/libcliauth.so.0
create_volume_objectid () from /usr/lib/x86_64-linux-gnu/samba/libsmbd_base.so.0
?? () from /usr/lib/x86_64-linux-gnu/samba/libsmbd_base.so.0
Title: smbd crashed with SIGABRT in strlen()
UbuntuFailedConnect: Yes
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

Tags:

Revision history for this message

Thomas A. F. Thorne (tafthorne) wrote on 2015-11-10:

Dependencies.txt Edit (5.6 KiB, text/plain; charset="utf-8")
Disassembly.txt Edit (952 bytes, text/plain; charset="utf-8")
ProcMaps.txt Edit (60.5 KiB, text/plain; charset="utf-8")
ProcStatus.txt Edit (777 bytes, text/plain; charset="utf-8")
Registers.txt Edit (763 bytes, text/plain; charset="utf-8")
SMBConf.txt Edit (9.3 KiB, text/plain; charset="utf-8")
SambaInstalledVersions.txt Edit (385 bytes, text/plain; charset="utf-8")
Stacktrace.txt Edit (3.5 KiB, text/plain; charset="utf-8")
ThreadStacktrace.txt Edit (3.5 KiB, text/plain; charset="utf-8")

Revision history for this message

Apport retracing service (apport) wrote on 2015-11-10:

StacktraceTop:
strlen () at ../sysdeps/x86_64/strlen.S:106
push_ucs2_talloc (ctx=ctx@entry=0x0, dest=dest@entry=0x7ffe2aa192e8, src=src@entry=0x0, converted_size=converted_size@entry=0x7ffe2aa192e0) at ../lib/util/charset/pull_push.c:41
E_md4hash (passwd=0x0, p16=p16@entry=0x7ffe2aa19350 "|") at ../libcli/auth/smbencrypt.c:78
create_volume_objectid (conn=<optimized out>, objid=objid@entry=0x7ffe2aa19350 "|") at ../source3/smbd/trans2.c:3017
vfswrap_fsctl (handle=<optimized out>, fsp=0x7f70d72e0f80, ctx=<optimized out>, function=<optimized out>, req_flags=<optimized out>, _in_data=<optimized out>, in_len=0, _out_data=0x7ffe2aa19438, max_out_len=64, out_len=0x7ffe2aa19434) at ../source3/modules/vfs_default.c:1066

Revision history for this message

Apport retracing service (apport) wrote on 2015-11-10: Stacktrace.txt

Stacktrace.txt Edit (12.3 KiB, text/plain)

Revision history for this message

Apport retracing service (apport) wrote on 2015-11-10: StacktraceSource.txt

StacktraceSource.txt Edit (12.1 KiB, text/plain)

Revision history for this message

Apport retracing service (apport) wrote on 2015-11-10: ThreadStacktrace.txt

ThreadStacktrace.txt Edit (12.4 KiB, text/plain)

Changed in samba (Ubuntu):
importance:	Undecided → Medium
tags:	removed: need-amd64-retrace

Revision history for this message

Thomas A. F. Thorne (tafthorne) wrote on 2015-11-11:

Looked in the attached files and could not see anything sensitive there. I have changed this from a Private bug to a Public one.

information type:

Private → Public

Revision history for this message

Thomas A. F. Thorne (tafthorne) wrote on 2015-11-11:

Download full text (3.3 KiB)

Scratching about to try and find any other reports.

There is something going on in https://tracker.zentyal.org/issues/3130 and a handful of their other bugs that looks similar. Zentyal is listed as a drop in replacement for a Microsoft Small Business Server so it sounds likely they it could include Samba. That was only generated from a search for "strlen () at ../sysdeps/x86_64/strlen.S:106 Samba" though so it could be unrelated.

A Samba bug also comes up for a later package https://bugzilla.samba.org/show_bug.cgi?id=11530 but reading that suggests the strlen search I am doing is too general to find more than general protection faults. So what would "E_md4hash (passwd= p16= entry= ) at ../libcli/auth/smbencrypt.c:78" turn up?

That is more hopeful. There is this post http://gathering.tweakers.net/forum/list_messages/1607613 that seems to relate to Ubuntu 14.04 as well and contains a similar segment of stack trace in it:
No locals.
#10 0xb768afb1 in push_ucs2_talloc (ctx=ctx@entry=0x0, dest=dest@entry=0xbfd3b61c, src=src@entry=0x0, converted_size=converted_size@entry=0xbfd3b618) at ../lib/util/charset/pull_push.c:41
src_len = <optimized out>
#11 0xb724e574 in E_md4hash (passwd=0x0, p16=p16@entry=0xbfd3b6a8 "") at ../libcli/auth/smbencrypt.c:78
len = 64
wpwd = 0xb7665000
ret = <optimized out>
#12 0xb7421898 in create_volume_objectid (conn=0xb82c1ac8, objid=objid@entry=0xbfd3b6a8 "") at ../source3/smbd/trans2.c:3017
No locals.
#13 0xb752fbde in vfswrap_fsctl (handle=0xb82c1910, fsp=0xb82ea670, ctx=0xb82df308, function=590016, req_flags=49217, _in_data=0x0, in_len=0, _out_data=0xbfd3b798, max_out_len=64, out_len=0xbfd3b79c) at ../source3/modules/vfs_default.c:1066
Someone else might do a better job of translating the page. I can only vaguely follow it but it seems to point to https://bugs.launchpad.net/ubuntu/+source/samba/+bug/916576 near the end. Bug #916576 was marked expired in 2013-01-02 but there are some diagnostic requests in there that I can attempt. It also suggests some relation to bug 913809 which lists a huge number of duplicates and two Samba bugs. The Samba bugs mentioned seemed to trail off as unreproducible.

I'll leave the related items there for now. I will set my smb.cong log level 5 and provide the output of `sudo testparm -s` as requested in Bug #916576 and leave it there for now.

$ sudo testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_STANDALONE
[global]
server string = %h server (Samba, Ubuntu)
server role = standalone server
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
dns proxy = No
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb

[printers]
comment = All Printers
path = /var/spool/samba
...

Scratching about to try and find any other reports.

There is something going on in https://tracker.zentyal.org/issues/3130 and a handful of their other bugs that looks similar.  Zentyal is listed as a drop in replacement for a Microsoft Small Business Server so it sounds likely they it could include Samba.  That was only generated from a search for "strlen () at ../sysdeps/x86_64/strlen.S:106 Samba" though so it could be unrelated.

A Samba bug also comes up for a later package https://bugzilla.samba.org/show_bug.cgi?id=11530 but reading that suggests the strlen search I am doing is too general to find more than general protection faults.  So what would "E_md4hash (passwd=  p16= entry= ) at ../libcli/auth/smbencrypt.c:78" turn up?

That is more hopeful.  There is this post http://gathering.tweakers.net/forum/list_messages/1607613 that seems to relate to Ubuntu 14.04 as well and contains a  similar segment of stack trace in it:
No locals.
#10 0xb768afb1 in push_ucs2_talloc (ctx=ctx@entry=0x0, dest=dest@entry=0xbfd3b61c, src=src@entry=0x0, converted_size=converted_size@entry=0xbfd3b618) at ../lib/util/charset/pull_push.c:41
src_len = <optimized out>
#11 0xb724e574 in E_md4hash (passwd=0x0, p16=p16@entry=0xbfd3b6a8 "") at ../libcli/auth/smbencrypt.c:78
len = 64
wpwd = 0xb7665000
ret = <optimized out>
#12 0xb7421898 in create_volume_objectid (conn=0xb82c1ac8, objid=objid@entry=0xbfd3b6a8 "") at ../source3/smbd/trans2.c:3017
No locals.
#13 0xb752fbde in vfswrap_fsctl (handle=0xb82c1910, fsp=0xb82ea670, ctx=0xb82df308, function=590016, req_flags=49217, _in_data=0x0, in_len=0, _out_data=0xbfd3b798, max_out_len=64, out_len=0xbfd3b79c) at ../source3/modules/vfs_default.c:1066
Someone else might do a better job of translating the page.  I can only vaguely follow it but it seems to point to https://bugs.launchpad.net/ubuntu/+source/samba/+bug/916576 near the end.  Bug #916576 was marked expired in 2013-01-02 but there are some diagnostic requests in there that I can attempt.  It also suggests some relation to bug 913809 which lists a huge number of duplicates and two Samba bugs.  The Samba bugs mentioned seemed to trail off as unreproducible.

I'll leave the related items there for now.  I will set my smb.cong log level 5 and provide the output of `sudo testparm -s` as requested in Bug #916576 and leave it there for now.

$ sudo testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_STANDALONE
[global]
	server string = %h server (Samba, Ubuntu)
	server role = standalone server
	map to guest = Bad User
	obey pam restrictions = Yes
	pam password change = Yes
	passwd program = /usr/bin/passwd %u
	passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
	unix password sync = Yes
	syslog = 0
	log file = /var/log/samba/log.%m
	dns proxy = No
	usershare allow guests = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap config * : backend = tdb

[printers]
	comment = All Printers
	path = /var/spool/samba
	create mask = 0700
	printable = Yes
	print ok = Yes
	browseable = No

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-02-02:

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status:	New → Confirmed

Apport retracing service (apport) on 2016-02-19

tags:

added: xenial

Apport retracing service (apport) on 2016-06-26

tags:

added: yakkety

Report a bug

This report contains Public information

Everyone can see this information.

Duplicates of this bug

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

samba-bugs #11530 Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntusamba package

smbd crashed with SIGABRT in strlen() while accessing a share from a W7 client

Bug Description

Duplicates of this bug

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
samba package