Samba crashes invalid pointer: 0x00007f0bc3de7590

Bug #1094438 reported by Dmitriy Altuhov on 2012-12-29
22
This bug affects 3 people
Affects Status Importance Assigned to Milestone
samba (Ubuntu)
High
Unassigned

Bug Description

Ubuntu 12.04.1 LTS
Samba 2:3.6.3-2ubuntu2.3
krb5-config 2.2
Samba on ubuntu joined to Windows 2003 domain
Share on /media/100RAGE = /dev/md0 (software raid5)

getent passwd, getent group working fine.
All working fine, except I see errors in samba logs.

We have two of the same server with the same configuration (differents only in hostname).

Samba crushes everytime after opening shared folder from windows workstation on both servers.

  BACKTRACE: 30 stack frames:
   #0 smbd(log_stack_trace+0x1a) [0x7f4533d61aea]
   #1 smbd(smb_panic+0x25) [0x7f4533d61bc5]
   #2 smbd(+0x409e88) [0x7f4533d52e88]
   #3 /lib/x86_64-linux-gnu/libc.so.6(+0x364a0) [0x7f45309024a0]
   #4 /lib/x86_64-linux-gnu/libc.so.6(gsignal+0x35) [0x7f4530902425]
   #5 /lib/x86_64-linux-gnu/libc.so.6(abort+0x17b) [0x7f4530905b8b]
   #6 /lib/x86_64-linux-gnu/libc.so.6(+0x7439e) [0x7f453094039e]
   #7 /lib/x86_64-linux-gnu/libc.so.6(+0x7eb96) [0x7f453094ab96]
   #8 /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2(gss_release_buffer+0x28) [0x7f453309fb78]
   #9 smbd(gse_get_pac_blob+0x202) [0x7f4533dcf182]
   #10 smbd(gssapi_server_get_user_info+0x6b) [0x7f4533c661ab]
   #11 smbd(+0x31167d) [0x7f4533c5a67d]
   #12 smbd(+0x31306a) [0x7f4533c5c06a]
   #13 smbd(process_complete_pdu+0x102b) [0x7f4533c5e25b]
   #14 smbd(process_incoming_data+0x12b) [0x7f4533c5e94b]
   #15 smbd(np_write_send+0x14e) [0x7f4533c5f02e]
   #16 smbd(reply_pipe_write_and_X+0x167) [0x7f4533a73967]
   #17 smbd(reply_write_and_X+0x368) [0x7f4533a7d308]
   #18 smbd(+0x176fa4) [0x7f4533abffa4]
   #19 smbd(+0x1773bb) [0x7f4533ac03bb]
   #20 smbd(+0x1777d3) [0x7f4533ac07d3]
   #21 smbd(run_events_poll+0x34e) [0x7f4533d718ae]
   #22 smbd(smbd_process+0x812) [0x7f4533ac1f42]
   #23 smbd(+0x68666f) [0x7f4533fcf66f]
   #24 smbd(run_events_poll+0x34e) [0x7f4533d718ae]
   #25 smbd(+0x428a4a) [0x7f4533d71a4a]
   #26 smbd(_tevent_loop_once+0x90) [0x7f4533d725d0]
   #27 smbd(main+0xed0) [0x7f4533a40030]
   #28 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xed) [0x7f45308ed76d]
   #29 smbd(+0xf7515) [0x7f4533a40515]

description: updated
description: updated
description: updated
description: updated
description: updated
Dmitriy Altuhov (altuhov.su) wrote :

samba 2:3.6.6-3ubuntu5 from quantal installed in 12.04 = no probles! No coredumps.

Dave Gilbert (ubuntu-treblig) wrote :

It would be better if you could upload this bug info with apport-collect and that will get a full set of diagnostic logs.

You might also want to install the -dbgsym package ( https://wiki.ubuntu.com/DebuggingProgramCrash ) that will get a much more detailed backtrace if you can't upload the crash logs directly.

Dave

Changed in samba (Ubuntu):
status: New → Incomplete
Dmitriy Altuhov (altuhov.su) wrote :
Download full text (4.1 KiB)

#0 0x00007f8f4377e425 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) where
#0 0x00007f8f4377e425 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f8f43781b8b in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f8f46bcf53b in dump_core () at lib/fault.c:391
#3 0x00007f8f46bddc01 in smb_panic (why=<optimized out>) at lib/util.c:1133
#4 0x00007f8f46bcee88 in fault_report (sig=6) at lib/fault.c:53
#5 sig_fault (sig=6) at lib/fault.c:76
#6 <signal handler called>
#7 0x00007f8f4377e425 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#8 0x00007f8f43781b8b in abort () from /lib/x86_64-linux-gnu/libc.so.6
#9 0x00007f8f437bc39e in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#10 0x00007f8f437c6b96 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#11 0x00007f8f45f1bb78 in gss_release_buffer () from /usr/lib/x86_64-linux-gnu/libgssapi_krb5.so.2
#12 0x00007f8f46c4b182 in gse_get_pac_blob (gse_ctx=<optimized out>, mem_ctx=0x7f8f4778a4e0, pac_blob=<optimized out>) at librpc/crypto/gse.c:731
#13 0x00007f8f46ae21ab in gssapi_server_get_user_info (gse_ctx=0x7f8f47790030, mem_ctx=0x7f8f47786660, client_id=0x7f8f477705e8, server_info=0x7f8f47786688)
    at rpc_server/dcesrv_gssapi.c:127
#14 0x00007f8f46ad667d in pipe_gssapi_verify_final (mem_ctx=0x7f8f47786660, gse_ctx=0x7f8f47790030, client_id=0x7f8f477705e8, session_info=0x7f8f47786688)
    at rpc_server/srv_pipe.c:734
#15 0x00007f8f46ad806a in pipe_auth_verify_final (p=0x7f8f47786660) at rpc_server/srv_pipe.c:814
#16 0x00007f8f46ada25b in api_pipe_alter_context (pkt=0x7f8f47790f30, p=0x7f8f47786660) at rpc_server/srv_pipe.c:1403
#17 process_complete_pdu (p=0x7f8f47786660) at rpc_server/srv_pipe.c:1955
#18 0x00007f8f46ada94b in process_incoming_data (p=0x7f8f47786660, data=0x7f8f47792db4 "\270\020\270\020", n=<optimized out>) at rpc_server/srv_pipe_hnd.c:218
#19 0x00007f8f46adb02e in write_to_internal_pipe (n=177, data=0x7f8f47792db4 "\270\020\270\020", p=0x7f8f47786660) at rpc_server/srv_pipe_hnd.c:244
#20 np_write_send (mem_ctx=<optimized out>, ev=0x7f8f47770520, handle=<optimized out>, data=<optimized out>, len=177) at rpc_server/srv_pipe_hnd.c:538
#21 0x00007f8f468ef967 in reply_pipe_write_and_X (req=0x7f8f47792eb0) at smbd/pipes.c:322
#22 0x00007f8f468f9308 in reply_write_and_X (req=0x7f8f47792eb0) at smbd/reply.c:4529
#23 0x00007f8f4693bfa4 in switch_message (type=47 '/', req=0x7f8f47792eb0, size=245) at smbd/process.c:1574
#24 0x00007f8f4693c3bb in construct_reply (deferred_pcd=0x0, encrypted=false, seqnum=<optimized out>, unread_bytes=0, size=245, inbuf=0x0, sconn=0x7f8f477705e0)
    at smbd/process.c:1610
#25 process_smb (sconn=0x7f8f477705e0, inbuf=<optimized out>, nread=245, unread_bytes=0, seqnum=<optimized out>, encrypted=false, deferred_pcd=0x0) at smbd/process.c:1688
#26 0x00007f8f4693c7d3 in smbd_server_connection_read_handler (conn=0x7f8f477705e0, fd=24) at smbd/process.c:2317
#27 0x00007f8f46bed8ae in run_events_poll (num_pfds=2, pfds=0x7f8f4777b040, pollrtn=<optimized out>, ev=0x7f8f47770520) at lib/events.c:286
#28 run_events_poll (ev=0x7f8f47770520, pollrtn=<optimized out>, pfds=0x7f8f4777b040, num_pfds=2) at lib/events.c:184
#29 0x00007f8f4693df42 in smbd_s...

Read more...

Changed in samba (Ubuntu):
status: Incomplete → New
Dmitriy Altuhov (altuhov.su) wrote :

I have installed samba-dbg and dbg packages. If I can help to debug this problem, tell me what to do.
Thanks.

Changed in samba (Ubuntu):
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
danb1974 (danb1974) wrote :
Download full text (4.8 KiB)

I seem to have hit the same bug, invalid poiter free()d by gssalloc_free() called by gss_release_buffer()

Happens when a program installed on the DC connects to this linux requesting some registry keys (not knowing this is not a windows machine)

Here is a stack trace with full symbols

Core was generated by `smbd -F'.
Program terminated with signal 6, Aborted.
#0 0x00007f4458a000d5 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007f4458a000d5 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007f4458a0383b in __GI_abort () at abort.c:91
#2 0x00007f445be50eeb in dump_core () at lib/fault.c:391
#3 0x00007f445be5f5d1 in smb_panic (why=<optimized out>) at lib/util.c:1133
#4 0x00007f445be50838 in fault_report (sig=6) at lib/fault.c:53
#5 sig_fault (sig=6) at lib/fault.c:76
#6 <signal handler called>
#7 0x00007f4458a000d5 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#8 0x00007f4458a0383b in __GI_abort () at abort.c:91
#9 0x00007f4458a3e04e in __libc_message (do_abort=2, fmt=0x7f4458b485e0 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:201
#10 0x00007f4458a48846 in malloc_printerr (action=3, str=0x7f4458b44ee9 "free(): invalid pointer", ptr=<optimized out>) at malloc.c:5047
#11 0x00007f445b19db78 in gssalloc_free (value=<optimized out>) at ../../../include/gssapi/gssapi_alloc.h:22
#12 gss_release_buffer (minor_status=<optimized out>, buffer=0x7ffffef4b840) at ../../../../src/lib/gssapi/mechglue/g_rel_buffer.c:52
#13 0x00007f445beccca2 in gse_get_pac_blob (gse_ctx=<optimized out>, mem_ctx=0x7f445e2dce70, pac_blob=<optimized out>) at librpc/crypto/gse.c:731
#14 0x00007f445bd63a8b in gssapi_server_get_user_info (gse_ctx=0x7f445e2d8020, mem_ctx=0x7f445e2d7380, client_id=0x7f445e2bd5e8, server_info=0x7f445e2d73a8) at rpc_server/dcesrv_gssapi.c:127
#15 0x00007f445bd57f5d in pipe_gssapi_verify_final (mem_ctx=0x7f445e2d7380, gse_ctx=0x7f445e2d8020, client_id=0x7f445e2bd5e8, session_info=0x7f445e2d73a8) at rpc_server/srv_pipe.c:734
#16 0x00007f445bd5994a in pipe_auth_verify_final (p=0x7f445e2d7380) at rpc_server/srv_pipe.c:814
#17 0x00007f445bd5bb3b in api_pipe_alter_context (pkt=0x7f445e2d3200, p=0x7f445e2d7380) at rpc_server/srv_pipe.c:1403
#18 process_complete_pdu (p=0x7f445e2d7380) at rpc_server/srv_pipe.c:1955
#19 0x00007f445bd5c22b in process_incoming_data (p=0x7f445e2d7380, data=0x7f445e2e4cb4 "\270\020\270\020", n=<optimized out>) at rpc_server/srv_pipe_hnd.c:218
#20 0x00007f445bd5c90e in write_to_internal_pipe (n=216, data=0x7f445e2e4cb4 "\270\020\270\020", p=0x7f445e2d7380) at rpc_server/srv_pipe_hnd.c:244
#21 np_write_send (mem_ctx=<optimized out>, ev=0x7f445e2bd520, handle=<optimized out>, data=<optimized out>, len=216) at rpc_server/srv_pipe_hnd.c:538
#22 0x00007f445bb71177 in reply_pipe_write_and_X (req=0x7f445e2e4dd0) at smbd/pipes.c:322
#23 0x00007f445bb7ab18 in reply_write_and_X (req=0x7f445e2e4dd0) at smbd/reply.c:4529
#24 0x00007f445bbbd9c4 in switch_message (type=47 '/', req=0x7f445e2e4dd0, ...

Read more...

danb1974 (danb1974) wrote :

In my case the crash only happens on remote registry access, file sharing works. Mine is joined to a Windows 2012 AD.

danb1974 (danb1974) wrote :

I tracked my crash to what appears to be missing structure initialization, resulting in invalid pointers being free()d

Added two initializations, seems to fix the problem. Not being familiar with samba, please confirm if I'm doing the right thing.

The attachment "samba-3.6.3-missing-gss-buffer-desc-init.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers