smbd crashed with SIGABRT in strlen() while accessing a share from a W7 client

Bug #1514766 reported by Thomas A. F. Thorne on 2015-11-10
This bug affects 12 people
Affects: samba (Ubuntu); Importance: Medium; Assigned to: Unassigned

Bug Description

I tried to access an SMB share hosted on my Ubuntu desktop from my Windows 7 laptop. This is something I do dozens of times a day and have not seen a crash report until now.

The specifics were that I was running Chrome on my Windows 7 desktop and I was selecting a file to upload to a website via a mounted network share. That mounted drive is an SMB network share from my Ubuntu desktop that allows read access to a directory in my /home.

ProblemType: Crash
DistroRelease: Ubuntu 14.04
Package: samba 2:4.1.6+dfsg-1ubuntu2.14.04.9
ProcVersionSignature: Ubuntu 3.16.0-51.69~14.04.1-generic 3.16.7-ckt17
Uname: Linux 3.16.0-51-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.18
Architecture: amd64
Date: Tue Nov 10 08:45:29 2015
ExecutablePath: /usr/sbin/smbd
InstallationDate: Installed on 2015-03-12 (242 days ago)
InstallationMedia: Ubuntu 14.04.2 LTS "Trusty Tahr" - Release amd64 (20150218.1)
NmbdLog:

ProcCmdline: smbd -F
ProcEnviron:
 PATH=(custom, no user)
 TERM=linux
SambaServerRegression: Yes
Signal: 6
SmbConfIncluded: Yes
SmbLog:

SourcePackage: samba
StacktraceTop:
 strlen () at ../sysdeps/x86_64/strlen.S:106
 push_ucs2_talloc () from /usr/lib/x86_64-linux-gnu/libsamba-util.so.0
 E_md4hash () from /usr/lib/x86_64-linux-gnu/samba/libcliauth.so.0
 create_volume_objectid () from /usr/lib/x86_64-linux-gnu/samba/libsmbd_base.so.0
 ?? () from /usr/lib/x86_64-linux-gnu/samba/libsmbd_base.so.0
Title: smbd crashed with SIGABRT in strlen()
UbuntuFailedConnect: Yes
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

Thomas A. F. Thorne (tafthorne) wrote :

StacktraceTop:
 strlen () at ../sysdeps/x86_64/strlen.S:106
 push_ucs2_talloc (ctx=ctx@entry=0x0, dest=dest@entry=0x7ffe2aa192e8, src=src@entry=0x0, converted_size=converted_size@entry=0x7ffe2aa192e0) at ../lib/util/charset/pull_push.c:41
 E_md4hash (passwd=0x0, p16=p16@entry=0x7ffe2aa19350 "|") at ../libcli/auth/smbencrypt.c:78
 create_volume_objectid (conn=<optimized out>, objid=objid@entry=0x7ffe2aa19350 "|") at ../source3/smbd/trans2.c:3017
 vfswrap_fsctl (handle=<optimized out>, fsp=0x7f70d72e0f80, ctx=<optimized out>, function=<optimized out>, req_flags=<optimized out>, _in_data=<optimized out>, in_len=0, _out_data=0x7ffe2aa19438, max_out_len=64, out_len=0x7ffe2aa19434) at ../source3/modules/vfs_default.c:1066

Changed in samba (Ubuntu):
importance: Undecided → Medium
tags: removed: need-amd64-retrace
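
As an added illustration (not Samba's code and not part of this report): the trace above shows passwd=0x0 flowing from create_volume_objectid into E_md4hash and on into strlen() via push_ucs2_talloc. The nt_hash() function below does what E_md4hash does for an ASCII password (UTF-16LE encode, then MD4) but returns false for a NULL input instead of dereferencing it; the md4() helper and the ASCII-only conversion are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define F(x, y, z) (((x) & (y)) | (~(x) & (z)))
#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
#define H(x, y, z) ((x) ^ (y) ^ (z))
#define ROTL(x, s) (((x) << (s)) | ((x) >> (32 - (s))))

/* Plain MD4 (RFC 1320) of msg[0..len); example helper, not Samba's implementation. */
static void md4(const uint8_t *msg, size_t len, uint8_t out[16])
{
    static const int s1[4] = {3, 7, 11, 19}, s2[4] = {3, 5, 9, 13}, s3[4] = {3, 9, 11, 15};
    static const int k3[16] = {0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15};
    uint32_t h[4] = {0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476};
    size_t padded = ((len + 8) / 64 + 1) * 64;  /* room for the 0x80 pad byte and the 64-bit length */
    uint8_t *buf = calloc(padded, 1);
    memcpy(buf, msg, len);
    buf[len] = 0x80;
    for (int i = 0; i < 8; i++) buf[padded - 8 + i] = (uint8_t)(((uint64_t)len * 8) >> (8 * i));
    for (size_t off = 0; off < padded; off += 64) {
        uint32_t X[16], a = h[0], b = h[1], c = h[2], d = h[3], t;
        for (int i = 0; i < 16; i++)  /* load the block as little-endian 32-bit words */
            X[i] = (uint32_t)buf[off + 4 * i] | (uint32_t)buf[off + 4 * i + 1] << 8 |
                   (uint32_t)buf[off + 4 * i + 2] << 16 | (uint32_t)buf[off + 4 * i + 3] << 24;
        for (int i = 0; i < 16; i++) { t = ROTL(a + F(b, c, d) + X[i], s1[i % 4]); a = d; d = c; c = b; b = t; }
        for (int i = 0; i < 16; i++) { t = ROTL(a + G(b, c, d) + X[(i % 4) * 4 + i / 4] + 0x5a827999, s2[i % 4]); a = d; d = c; c = b; b = t; }
        for (int i = 0; i < 16; i++) { t = ROTL(a + H(b, c, d) + X[k3[i]] + 0x6ed9eba1, s3[i % 4]); a = d; d = c; c = b; b = t; }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d;
    }
    free(buf);
    for (int i = 0; i < 16; i++) out[i] = (uint8_t)(h[i / 4] >> (8 * (i % 4)));  /* little-endian digest */
}

/* What E_md4hash does for an ASCII password (UTF-16LE, then MD4), but with the NULL
 * check applied before strlen(): a NULL input yields false instead of the crash in the trace. */
bool nt_hash(const char *passwd, uint8_t out[16])
{
    if (passwd == NULL) return false;
    size_t n = strlen(passwd);
    uint8_t *ucs2 = calloc(n + 1, 2);  /* ASCII -> UTF-16LE; assumption: input is ASCII only */
    for (size_t i = 0; i < n; i++) ucs2[2 * i] = (uint8_t)passwd[i];
    md4(ucs2, 2 * n, out);
    free(ucs2);
    return true;
}
```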
Thomas A. F. Thorne (tafthorne) wrote :

Looked in the attached files and could not see anything sensitive there. I have changed this from a Private bug to a Public one.

information type: Private → Public
Thomas A. F. Thorne (tafthorne) wrote :

Scratching about to try and find any other reports.

There is something going on in https://tracker.zentyal.org/issues/3130 and a handful of their other bugs that looks similar. Zentyal is listed as a drop-in replacement for a Microsoft Small Business Server, so it sounds likely that it could include Samba. That was only generated from a search for "strlen () at ../sysdeps/x86_64/strlen.S:106 Samba" though, so it could be unrelated.

A Samba bug also comes up for a later package https://bugzilla.samba.org/show_bug.cgi?id=11530 but reading that suggests the strlen search I am doing is too general to find more than general protection faults. So what would "E_md4hash (passwd= p16= entry= ) at ../libcli/auth/smbencrypt.c:78" turn up?

That is more hopeful. There is this post http://gathering.tweakers.net/forum/list_messages/1607613 that seems to relate to Ubuntu 14.04 as well and contains a similar segment of stack trace in it:
No locals.
#10 0xb768afb1 in push_ucs2_talloc (ctx=ctx@entry=0x0, dest=dest@entry=0xbfd3b61c, src=src@entry=0x0, converted_size=converted_size@entry=0xbfd3b618) at ../lib/util/charset/pull_push.c:41
src_len = <optimized out>
#11 0xb724e574 in E_md4hash (passwd=0x0, p16=p16@entry=0xbfd3b6a8 "") at ../libcli/auth/smbencrypt.c:78
len = 64
wpwd = 0xb7665000
ret = <optimized out>
#12 0xb7421898 in create_volume_objectid (conn=0xb82c1ac8, objid=objid@entry=0xbfd3b6a8 "") at ../source3/smbd/trans2.c:3017
No locals.
#13 0xb752fbde in vfswrap_fsctl (handle=0xb82c1910, fsp=0xb82ea670, ctx=0xb82df308, function=590016, req_flags=49217, _in_data=0x0, in_len=0, _out_data=0xbfd3b798, max_out_len=64, out_len=0xbfd3b79c) at ../source3/modules/vfs_default.c:1066
Someone else might do a better job of translating the page. I can only vaguely follow it, but it seems to point to https://bugs.launchpad.net/ubuntu/+source/samba/+bug/916576 near the end. Bug #916576 was marked expired on 2013-01-02 but there are some diagnostic requests in there that I can attempt. It also suggests some relation to bug 913809, which lists a huge number of duplicates and two Samba bugs. The Samba bugs mentioned seemed to trail off as unreproducible.

I'll leave the related items there for now. I will set my smb.conf log level to 5 and provide the output of `sudo testparm -s` as requested in Bug #916576 and leave it there for now.

$ sudo testparm -s
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[printers]"
Processing section "[print$]"
Loaded services file OK.
Server role: ROLE_STANDALONE
[global]
 server string = %h server (Samba, Ubuntu)
 server role = standalone server
 map to guest = Bad User
 obey pam restrictions = Yes
 pam password change = Yes
 passwd program = /usr/bin/passwd %u
 passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
 unix password sync = Yes
 syslog = 0
 log file = /var/log/samba/log.%m
 dns proxy = No
 usershare allow guests = Yes
 panic action = /usr/share/samba/panic-action %d
 idmap config * : backend = tdb

[printers]
 comment = All Printers
 path = /var/spool/samba
...


Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
tags: added: xenial
tags: added: yakkety