The branch, v4-18-test has been updated via af00a0df70a s3/lib: Prevent use after free of messaging_ctdb_fde_ev structs via f21236ac004 s3:auth: call wbcFreeMemory(info) in auth3_generate_session_info_pac() via 6e6913bcac2 WHATSNEW: add acl_xattr:security_acl_name option from 8b97aca0dee WHATSNEW 4.18: mention samba-tool dsacl delete
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-18-test - Log ----------------------------------------------------------------- commit af00a0df70a591ef5890274ba700349abe9ec928 Author: Noel Power <noel.po...@suse.com> Date: Wed Jan 25 17:03:07 2023 +0000 s3/lib: Prevent use after free of messaging_ctdb_fde_ev structs In a cluster setup samba-bgqd async callback cups_pcap_load_async can access messaging_ctdb_fde_ev associated with already destructed global_ctdb_ctx_destructor ==26053== Invalid read of size 8 ==26053== at 0x71692E1: messaging_ctdb_fde_ev_destructor (messages_ctdb.c:181) ==26053== by 0x40B2309: _tc_free_internal (talloc.c:1158) ==26053== by 0x40B3539: _tc_free_children_internal (talloc.c:1669) ==26053== by 0x40B24C4: _tc_free_internal (talloc.c:1184) ==26053== by 0x40B3539: _tc_free_children_internal (talloc.c:1669) ==26053== by 0x40B24C4: _tc_free_internal (talloc.c:1184) ==26053== by 0x40B2685: _talloc_free_internal (talloc.c:1248) ==26053== by 0x40B3963: _talloc_free (talloc.c:1792) ==26053== by 0x4056BCA: tevent_req_received (tevent_req.c:301) ==26053== by 0x405673D: tevent_req_destructor (tevent_req.c:135) ==26053== by 0x40B2309: _tc_free_internal (talloc.c:1158) ==26053== by 0x40B3539: _tc_free_children_internal (talloc.c:1669) ==26053== by 0x40B24C4: _tc_free_internal (talloc.c:1184) ==26053== by 0x40B2685: _talloc_free_internal (talloc.c:1248) ==26053== by 0x40B3963: _talloc_free (talloc.c:1792) ==26053== by 0x1384EF: cups_pcap_load_async (print_cups.c:507) ==26053== by 0x13894B: cups_cache_reload (print_cups.c:602) ==26053== by 0x1373AE: pcap_cache_reload (pcap.c:140) ==26053== by 0x1369D2: register_printing_bq_handlers (queue_process.c:323) ==26053== by 0x122AD6: main (samba-bgqd.c:316) ==26053== Address 0xed64d48 is 120 bytes inside a block of size 128 free'd ==26053== at 0x4C370EB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==26053== by 0x40B25E1: _tc_free_internal (talloc.c:1222) ==26053== by 0x40B2685: _talloc_free_internal (talloc.c:1248) ==26053== by 0x40B3963: _talloc_free (talloc.c:1792) ==26053== by 0x71691F6: messaging_ctdb_destroy (messages_ctdb.c:141) ==26053== by 0x7169C21: msg_ctdb_ref_destructor (messages_ctdb_ref.c:142) ==26053== by 0x40B2309: _tc_free_internal (talloc.c:1158) ==26053== by 0x40B3539: _tc_free_children_internal (talloc.c:1669) ==26053== by 0x40B24C4: _tc_free_internal (talloc.c:1184) ==26053== by 0x40B2685: _talloc_free_internal (talloc.c:1248) ==26053== by 0x40B3963: _talloc_free (talloc.c:1792) ==26053== by 0x4157380: messaging_reinit (messages.c:646) ==26053== by 0x416C01E: reinit_after_fork (util.c:488) ==26053== by 0x13844C: cups_pcap_load_async (print_cups.c:498) ==26053== by 0x13894B: cups_cache_reload (print_cups.c:602) ==26053== by 0x1373AE: pcap_cache_reload (pcap.c:140) ==26053== by 0x1369D2: register_printing_bq_handlers (queue_process.c:323) ==26053== by 0x122AD6: main (samba-bgqd.c:316) ==26053== Block was alloc'd at ==26053== at 0x4C346A4: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==26053== by 0x40B1989: __talloc_with_prefix (talloc.c:783) ==26053== by 0x40B1B23: __talloc (talloc.c:825) ==26053== by 0x40B1ECC: _talloc_named_const (talloc.c:982) ==26053== by 0x40B49C3: _talloc_zero (talloc.c:2421) ==26053== by 0x7168E68: messaging_ctdb_init (messages_ctdb.c:93) ==26053== by 0x716979D: messaging_ctdb_ref (messages_ctdb_ref.c:75) ==26053== by 0x415702A: messaging_init_internal (messages.c:563) ==26053== by 0x41572FD: messaging_init (messages.c:622) ==26053== by 0x4163ED3: global_messaging_context (global_contexts.c:62) ==26053== by 0x12273B: main (samba-bgqd.c:271) ==26053== Bug: https://bugzilla.samba.org/show_bug.cgi?id=15293 Signed-off-by: Noel Power <npo...@samba.org> Reviewed-by: Ralph Boehme <s...@samba.org> (cherry picked from commit 7a880ef52dfc85ed2f674250b5baf5109f8d4691) Autobuild-User(v4-18-test): Jule Anger <jan...@samba.org> Autobuild-Date(v4-18-test): Tue Jan 31 12:49:50 UTC 2023 on atb-devel-224 commit f21236ac004b42f822214277c6f8be4c6450b13f Author: Stefan Metzmacher <me...@samba.org> Date: Thu Dec 16 18:24:16 2021 +0100 s3:auth: call wbcFreeMemory(info) in auth3_generate_session_info_pac() BUG: https://bugzilla.samba.org/show_bug.cgi?id=15286 Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> (cherry picked from commit e27084f5d8c3a151c5d0b266118f0d71b641dc85) commit 6e6913bcac289649af4084682262ebf8a2240dd2 Author: Björn Baumbach <b...@sernet.de> Date: Thu Jan 19 14:52:04 2023 +0100 WHATSNEW: add acl_xattr:security_acl_name option Signed-off-by: Björn Baumbach <b...@sernet.de> Reviewed-by: Ralph Boehme <s...@samba.org> ----------------------------------------------------------------------- Summary of changes: WHATSNEW.txt | 17 +++++++++++++++++ source3/auth/auth_generic.c | 1 + source3/lib/messages_ctdb.c | 19 +++++++++++++++++++ 3 files changed, 37 insertions(+) Changeset truncated at 500 lines: diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 4aa903c2fec..46c9c5fadc1 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt @@ -90,6 +90,22 @@ which forces the trust account password to be changed at a specified domain controller. If the specified domain controller cannot be contacted the password change fails rather than trying other DCs. +New option to change the NT ACL default location +------------------------------------------------ + +Usually the NT ACLs are stored in the security.NTACL extended +attribute (xattr) of files and directories. The new +"acl_xattr:security_acl_name" option allows to redefine the default +location. The default "security.NTACL" is a protected location, which +means the content of the security.NTACL attribute is not accessible +from normal users outside of Samba. When this option is set to use a +user-defined value, e.g. user.NTACL then any user can potentially +access and overwrite this information. The module prevents access to +this xattr over SMB, but the xattr may still be accessed by other +means (eg local access, SSH, NFS). This option must only be used when +this consequence is clearly understood and when specific precautions +are taken to avoid compromising the ACL content. + REMOVED FEATURES ================ @@ -100,6 +116,7 @@ smb.conf changes Parameter Name Description Default -------------- ----------- ------- + acl_xattr:security_acl_name New security.NTACL KNOWN ISSUES diff --git a/source3/auth/auth_generic.c b/source3/auth/auth_generic.c index ff51307e43a..6c61eb4e827 100644 --- a/source3/auth/auth_generic.c +++ b/source3/auth/auth_generic.c @@ -143,6 +143,7 @@ static NTSTATUS auth3_generate_session_info_pac(struct auth4_context *auth_ctx, info->account_name, info->domain_name, info, &server_info); + wbcFreeMemory(info); if (!NT_STATUS_IS_OK(status)) { DEBUG(10, ("make_server_info_wbcAuthUserInfo failed: %s\n", nt_errstr(status))); diff --git a/source3/lib/messages_ctdb.c b/source3/lib/messages_ctdb.c index 3e784bf7237..d55b53bf601 100644 --- a/source3/lib/messages_ctdb.c +++ b/source3/lib/messages_ctdb.c @@ -76,6 +76,21 @@ static int messaging_ctdb_recv( struct messaging_ctdb_context *global_ctdb_context; +static int global_ctdb_ctx_destructor(struct messaging_ctdb_context *ctx) +{ + if (ctx != NULL) { + struct messaging_ctdb_fde_ev *fde_ev = NULL; + for (fde_ev = ctx->fde_evs; + fde_ev != NULL; + fde_ev = fde_ev->next) { + if (fde_ev->ctx == ctx) { + fde_ev->ctx = NULL; + } + } + } + return 0; +} + int messaging_ctdb_init(const char *sockname, int timeout, uint64_t unique_id, void (*recv_cb)(struct tevent_context *ev, const uint8_t *msg, size_t msg_len, @@ -94,6 +109,10 @@ int messaging_ctdb_init(const char *sockname, int timeout, uint64_t unique_id, if (ctx == NULL) { return ENOMEM; } + + talloc_set_destructor(ctx, + global_ctdb_ctx_destructor); + ctx->recv_cb = recv_cb; ctx->recv_cb_private_data = private_data; -- Samba Shared Repository