segmentation fault in wins name resolution

Bug #39990 reported by Nicolas Gama
Affects: samba (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: MOTU Reviewers Team

Bug Description

In Dapper, since the latest upgrade of samba (3.0.22-1ubuntu1),
samba runs as a standalone wins server.

Suppose "ordi" is the name of a windows (or samba) computer.

If nsswitch.conf has the line
hosts: files dns mdns
then "smbclient -L ordi" succeeds
but "ping ordi" fails with unknown host.

If nsswitch.conf has the line
hosts: files dns mdns wins
then "ping ordi" and "smbclient -L ordi" both fail with segmentation fault;
ping "www.google.fr" works.

If nsswitch.conf has the line
hosts: wins files dns mdns
then "ping ordi" and "smbclient -L ordi" both fail with segmentation fault;
ping "www.google.fr" also fails with segmentation fault.

Before the upgrade, both were working.

claes (claes-backstrom) wrote :

I have the exact same problem.

When the winbind daemon should be started it crashes during the startup of the machine, and the same thing happens if I try to restart the winbind daemon after bootup. This happens both with samba installed or uninstalled. I also get a mail from /usr/share/samba/panic-action every time winbind is started. I have installed samba-dbg to get more output and the output is attached.

Claes

Changed in samba:
status: Unconfirmed → Confirmed

benkillin (bennyhur) wrote :

I have the same problem; when I install winbind from apt-get I can't do any network stuff like ping google.com, or anything. I get segmentation faults as well, but I don't recall the exact message the thing spit at me.

I solved it by "aptitude purge winbind"

You could solve this by installing an older version of winbind.

claes (claes-backstrom) wrote :

Seems like there's something strange going on with /lib/libnss_wins.so.2.
Every name resolution that uses it seg faults. When I remove wins from /etc/nsswitch.conf it doesn't seg fault anymore, but it can't resolve names from the wins server.

Claes

Ulrik Mikaelsson (rawler) wrote :

I might be able to shed some more light on the issue.

ulrik@ulrik-laptop:~/workspace/cdonrails/trunk$ gdb --args /bin/ping freshmeat
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

(gdb) run
Starting program: /bin/ping freshmeat
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread -1209579840 (LWP 12326)]
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1209579840 (LWP 12326)]
0xb7e00e99 in toupper_w () from /lib/libnss_wins.so.2
(gdb)

Ulrik Mikaelsson (rawler) wrote :

--- short analysis from source/lib/util_unistr.c ---

toupper_w is simply:

smb_ucs2_t toupper_w(smb_ucs2_t val)
{
        return upcase_table[SVAL(&val,0)];
}

and upcase_table is a direct mmap of the file /usr/share/samba/upcase.dat, as set up in

/**
 * Load or generate the case handling tables.
 *
 * The case tables are defined in UCS2 and don't depend on any
 * configured parameters, so they never need to be reloaded.
 **/

void load_case_tables(void)
{
        static int initialised;
        int i;

        if (initialised) {
                return;
        }
        initialised = 1;

        upcase_table = map_file(lib_path("upcase.dat"), 0x20000);
        lowcase_table = map_file(lib_path("lowcase.dat"), 0x20000);

        /* we would like Samba to limp along even if these tables are
           not available */
        if (!upcase_table) {
                DEBUG(1,("creating lame upcase table\n"));
                upcase_table = SMB_MALLOC(0x20000);
                for (i=0;i<0x10000;i++) {
                        smb_ucs2_t v;
                        SSVAL(&v, 0, i);
                        upcase_table[v] = i;
                }
                for (i=0;i<256;i++) {
                        smb_ucs2_t v;
                        SSVAL(&v, 0, UCS2_CHAR(i));
                        upcase_table[v] = UCS2_CHAR(islower(i)?toupper(i):i);
                }
        }

        if (!lowcase_table) {
                DEBUG(1,("creating lame lowcase table\n"));
                lowcase_table = SMB_MALLOC(0x20000);
                for (i=0;i<0x10000;i++) {
                        smb_ucs2_t v;
                        SSVAL(&v, 0, i);
                        lowcase_table[v] = i;
                }
                for (i=0;i<256;i++) {
                        smb_ucs2_t v;
                        SSVAL(&v, 0, UCS2_CHAR(i));
                        lowcase_table[v] = UCS2_CHAR(isupper(i)?tolower(i):i);
                }
        }
}

Ulrik Mikaelsson (rawler) wrote :

As I don't really know how the Debian package process works, I don't really know how to modify and build the sources to track this problem further, and I'm hoping that someone from the ubuntu-team takes a look at the issue.

It affects just about any program that tries to do DNS-lookup. (Including firefox, which will crash trying to load ANY page without an exact resolving DNS-address)

Nicolas Gama (gama-nicolas) wrote : A possible fix ?

I downloaded samba_source, and built everything using -g3.
It appears that the static tables
upcase_table, lowcase_table and valid_table
are not initialized: obviously, the functions init_valid_table and load_case_tables are never called.
_____________________________________________________
[Thread debugging using libthread_db enabled]
[New Thread -1210394944 (LWP 9957)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1210394944 (LWP 9957)]
0xb7d39e89 in toupper_w (val=106) at lib/util_unistr.c:385
385 {
(gdb) info locals
No locals.
(gdb) p upcase_table
$1 = (smb_ucs2_t *) 0x0
(gdb) p lowcase_table
$2 = (smb_ucs2_t *) 0x0
(gdb) p load_case_tables::initialised
$4 = 0
________________________________________________________

To fix it, I just added the missing calls to initialization functions in lib/util_unistr.c:

line 423, in BOOL isvalid83_w(smb_ucs2_t c), insert:
    init_valid_table();

line 413, in BOOL isupper_w(smb_ucs2_t c), insert:
    load_case_tables();

line 404, in BOOL islower_w(smb_ucs2_t c), insert:
    load_case_tables();

line 395, in smb_ucs2_t tolower_w( smb_ucs2_t val ), insert:
    load_case_tables();

line 386, in smb_ucs2_t toupper_w(smb_ucs2_t val), insert:
    load_case_tables();

__________________________________________________

I am not an expert in samba, I don't know if this fix is clean nor how to commit these changes, but it works on my three computers.

Nicolas Gama (gama-nicolas) wrote : patch

I recompiled a working version of samba using the above modifications.
I have put it on
http://www.eleves.ens.fr/home/gama/samba
In particular, http://www.eleves.ens.fr/home/gama/samba/winbind_3.0.22-1ubuntu1_i386.deb
fixes this bug, but the other debs also fix bugs 39956 and 39484.

For the maintainers, I also uploaded the patch, .change, .dsc and all files generated by dpkg-buildpackage.

Nicolas Gama (gama-nicolas) wrote : samba-util_unistr patch

This patch fixes bugs on samba_3.0.22-1ubuntu1
related to the unicode uppercase or lowercase functions.

It fixes bug 39990 (winbind), 39484 (cups-samba backend) and 39956 (swat).

Nicolas Gama (gama-nicolas) wrote :

Since winbind is in the universe section, this bug should be assigned to the MOTU reviewers team.
However the given patch also concerns the other parts of samba, which are in the main section.

Changed in samba:
assignee: nobody → motureviewers

claes (claes-backstrom) wrote :

The updated winbind deb from Nicolas Gama fixes this problem. So hopefully this fix will be in official ubuntu soon.

Claes

Ulrik Mikaelsson (rawler) wrote :

I'm not claiming to know the internals of Samba or WinBind, but wouldn't this proposed patch re-initialize the Unicode conversion tables for each and every character within any given string that is using, for instance, upcase?

I know the load_case_tables start with checking if stuff is already initialized, but for any function that can be iterated for each character over an entire buffer, calling initialize seems just plain wrong?

Sorry, not trying to offend anyone, and spotting the problem was a good job, I'm just hoping there is a better way to solve it than this.

Ulrik Mikaelsson (rawler) wrote : Different patch

Another suggested patch that runs the load_case_tables() on init instead of per-function-call.

I do not recommend submitting this patch to upstream, since it is not guaranteed to initialize the case-tables from other applications running the code.

Initialization of these tables should be more thoroughly reviewed upstream and a single call to initialize the entire samba library should be defined.
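The crash analysed in the comments above (a bare table lookup in toupper_w() while upcase_table is still NULL) and the two fixes discussed in this thread, the per-call load_case_tables() guard from the util_unistr.c patch and the "run it on init" alternative, reduced to one self-contained C program. This is an added example, not Samba's code and not either patch: the table layout, the names toupper_w_unguarded, toupper_w_lazy, table_loads, case_tables_loaded and times_loaded, and the use of a GCC/Clang constructor attribute for load-time initialisation are this example's own assumptions.

```c
/* Added example (not Samba's code): a minimal reconstruction of the
 * lazily-initialised case table from the analysis above, showing
 * (1) why calling toupper_w() before load_case_tables() dereferences a
 *     NULL pointer, and
 * (2) the two fixes discussed in this thread: a guarded initialisation
 *     call inside each accessor, and a one-time initialisation when the
 *     object is loaded (done here with a GCC/Clang constructor attribute,
 *     an assumption of this example rather than anything Samba does).
 * The identifiers table_loads, toupper_w_unguarded, toupper_w_lazy,
 * case_tables_loaded and times_loaded are this example's own. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint16_t smb_ucs2_t;          /* UCS-2 code unit, as in Samba */
#define TABLE_ENTRIES 0x10000         /* one entry per 16-bit value    */

static smb_ucs2_t *upcase_table = NULL;   /* NULL until loaded: the bug */
static int table_loads = 0;               /* how many times it was built */

/* Equivalent of Samba's fallback ("lame") table: identity for every code
 * unit, then ASCII letters mapped through toupper(). The static flag is
 * what makes repeated calls cheap: only the first one builds anything. */
void load_case_tables(void)
{
    static int initialised;
    int i;

    if (initialised)
        return;
    initialised = 1;
    table_loads++;

    upcase_table = malloc(TABLE_ENTRIES * sizeof(smb_ucs2_t));
    if (!upcase_table) {
        perror("malloc");
        exit(1);
    }
    for (i = 0; i < TABLE_ENTRIES; i++)
        upcase_table[i] = (smb_ucs2_t)i;
    for (i = 0; i < 128; i++)
        upcase_table[i] = (smb_ucs2_t)(islower(i) ? toupper(i) : i);
}

/* The original accessor: a bare table lookup. If nothing has called
 * load_case_tables() yet, upcase_table is NULL and this is exactly the
 * SIGSEGV in toupper_w() seen in the gdb sessions above. */
smb_ucs2_t toupper_w_unguarded(smb_ucs2_t val)
{
    return upcase_table[val];
}

/* Fix 1 (per-call guard, the util_unistr.c patch): the per-character cost
 * is one load of a static int and a branch, not a rebuild of the table. */
smb_ucs2_t toupper_w_lazy(smb_ucs2_t val)
{
    load_case_tables();
    return upcase_table[val];
}

/* Fix 2 (load-time init): runs once when the object is loaded, before
 * main() for an executable or before dlopen() returns for a shared
 * library such as libnss_wins.so.2. GCC/Clang extension. */
__attribute__((constructor))
static void init_on_load(void)
{
    load_case_tables();
}

/* Cheap diagnostics a caller can use before touching the table. */
int case_tables_loaded(void)
{
    return upcase_table != NULL;
}

int times_loaded(void)
{
    return table_loads;
}

int main(void)
{
    /* By the time main() runs the constructor has already loaded the
     * table, so even the unguarded accessor is safe in this process. */
    printf("loaded at startup: %d\n", case_tables_loaded());
    printf("'a' -> %c, 'Z' -> %c, U+00E9 -> U+%04X\n",
           toupper_w_lazy('a'), toupper_w_lazy('Z'),
           (unsigned)toupper_w_lazy(0x00E9));
    load_case_tables();            /* repeated calls do not rebuild */
    printf("table built %d time(s)\n", times_loaded());
    return 0;
}
```

Compile with gcc or clang and run: the constructor fires before main(), so case_tables_loaded() already reports 1, and any number of further load_case_tables() calls leave times_loaded() at 1. That is the measurable side of the objection raised above: the per-character guard is untidy but costs a flag check, not a reload, while the constructor variant only helps code that is loaded through this object's own initialisers.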

Chris Glass (tribaal) wrote :

Thanks a lot for the light you shed on my problem guys... It was driving me mad.

I tested all your solutions (my way to contribute) and they... all work :) I suggest using the .deb file though, it's much more handy.

This would really have to be fixed upstream.

Tomi Urankar (tomi0) wrote :

just DLed:
http://www.eleves.ens.fr/home/gama/samba/winbind_3.0.22-1ubuntu1_i386.deb
and I now get no more SEG FAULTS.
But I am curious how come the same version is also in the REPOS but that version gives me SEG FAULTS??

Erich Pawlik (erichpawlik) wrote :

The problem no longer occurs on my machines after installing the latest update of Ubuntu (as of May 16) including a new version of the winbind package.

Tomi Urankar (tomi0) wrote :

gonna try it on 2 computers when I get home

Adam Conrad (adconrad) wrote :

Fixed in 3.0.22-1ubuntu2.

Changed in samba:
status: Confirmed → Fix Released