Panic or segfault in Samba

Bug #1827924 reported by Andreas on 2019-05-06
306
This bug affects 7 people
Affects Status Importance Assigned to Milestone
samba
Unknown
Unknown
samba (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
Marc Deslauriers
Bionic
Undecided
Marc Deslauriers

Bug Description

The Samba 'panic action' script, /usr/share/samba/panic-action,
was called for PID 8336 (/usr/sbin/smbd).

This means there was a problem with the program, such as a segfault.
Below is a backtrace for this process generated with gdb, which shows
the state of the program at the time the error occurred. The Samba log
files may contain additional information about the problem.

If the problem persists, you are encouraged to first install the
samba-dbg package, which contains the debugging symbols for the Samba
binaries. Then submit the provided information as a bug report to
Ubuntu by visiting this link:
https://launchpad.net/ubuntu/+source/samba/+filebug

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
0x00007f892084507a in __GI___waitpid (pid=8341, stat_loc=stat_loc@entry=0x7ffcd9196290, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:29
#0 0x00007f892084507a in __GI___waitpid (pid=8341, stat_loc=stat_loc@entry=0x7ffcd9196290, options=options@entry=0) at ../sysdeps/unix/sysv/linux/waitpid.c:29
#1 0x00007f89207bdfbb in do_system (line=<optimized out>) at ../sysdeps/posix/system.c:148
#2 0x00007f89232698d1 in smb_panic_s3 () from /usr/lib/x86_64-linux-gnu/samba/libsmbregistry.so.0
#3 0x00007f8923fdcf1f in smb_panic () from /usr/lib/x86_64-linux-gnu/libsamba-util.so.0
#4 0x00007f8923fdd136 in ?? () from /usr/lib/x86_64-linux-gnu/libsamba-util.so.0
#5 <signal handler called>
#6 0x00007f8923bd5c6f in smbXsrv_session_create () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#7 0x00007f8923b6e643 in reply_sesssetup_and_X () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#8 0x00007f8923baae67 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#9 0x00007f8923bacbb3 in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#10 0x00007f8923bae21c in ?? () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#11 0x00007f8921efc917 in run_events_poll () from /usr/lib/x86_64-linux-gnu/libsmbconf.so.0
#12 0x00007f8921efcb77 in ?? () from /usr/lib/x86_64-linux-gnu/libsmbconf.so.0
#13 0x00007f8920b46d3d in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#14 0x00007f8920b46edb in tevent_common_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#15 0x00007f8923baf578 in smbd_process () from /usr/lib/x86_64-linux-gnu/samba/libsmbd-base.so.0
#16 0x00005585ef73fe12 in ?? ()
#17 0x00007f8921efc917 in run_events_poll () from /usr/lib/x86_64-linux-gnu/libsmbconf.so.0
#18 0x00007f8921efcb77 in ?? () from /usr/lib/x86_64-linux-gnu/libsmbconf.so.0
#19 0x00007f8920b46d3d in _tevent_loop_once () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#20 0x00007f8920b46edb in tevent_common_loop_wait () from /usr/lib/x86_64-linux-gnu/libtevent.so.0
#21 0x00005585ef73e099 in main ()
A debugging session is active.

        Inferior 1 [process 8336] will be detached.

Alex Murray (alexmurray) on 2019-05-09
information type: Private Security → Public
tags: added: server-triage-discuss
Andreas Hasenack (ahasenack) wrote :

This may be https://bugzilla.samba.org/show_bug.cgi?id=13315, found also in https://bugzilla.samba.org/show_bug.cgi?id=13315, but we don't even have the crash file and I can't reproduce it at the moment by just connecting using SMB1: it won't crash.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in samba (Ubuntu):
status: New → Confirmed
Changed in samba (Ubuntu Xenial):
status: New → Confirmed
Changed in samba (Ubuntu Bionic):
status: New → Confirmed
Changed in samba (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in samba (Ubuntu Bionic):
assignee: nobody → Marc Deslauriers (mdeslaur)
Andreas Hasenack (ahasenack) wrote :

I asked upstream and there is no reproducer for this bug at the moment, other than having affected people try a package with the fix for https://bugzilla.samba.org/show_bug.cgi?id=13315

Marc Deslauriers (mdeslaur) wrote :

I have uploaded packages that contain the bugfix that likely solves this issue to the security team PPA here:

https://launchpad.net/~ubuntu-security-proposed/+archive/ubuntu/ppa/+packages

Once they are finished building, please test the packages, and if they seem to resolve the issue, I will release them as a security regression fix.

Thanks!

information type: Public → Private Security
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.3.11+dfsg-0ubuntu0.16.04.21

---------------
samba (2:4.3.11+dfsg-0ubuntu0.16.04.21) xenial-security; urgency=medium

  * SECURITY REGRESSION: panics following recent update (LP: #1827924)
    - debian/patches/bug13315.patch: do not crash if we fail to init the
      session table in source3/smbd/negprot.c.

 -- Marc Deslauriers <email address hidden> Thu, 23 May 2019 08:08:58 -0400

Changed in samba (Ubuntu Xenial):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package samba - 2:4.7.6+dfsg~ubuntu-0ubuntu2.11

---------------
samba (2:4.7.6+dfsg~ubuntu-0ubuntu2.11) bionic-security; urgency=medium

  * SECURITY REGRESSION: panics following recent update (LP: #1827924)
    - debian/patches/bug13315.patch: do not crash if we fail to init the
      session table in source3/smbd/negprot.c.

 -- Marc Deslauriers <email address hidden> Thu, 23 May 2019 08:06:42 -0400

Changed in samba (Ubuntu Bionic):
status: Confirmed → Fix Released
Changed in samba (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.