The branch, master has been updated
via b72a7e2fb53 s3:libsmb: Fix heap-use-after-free in
py_cli_notify_get_changes()
from 9f4fcac1209 vfs_fake_acls: Fix error path return in
fake_acls_fstatat()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b72a7e2fb53c79a4790e221776281cbf02bc2664
Author: Andreas Schneider <[email protected]>
Date: Tue Oct 14 11:33:00 2025 +0200
s3:libsmb: Fix heap-use-after-free in py_cli_notify_get_changes()
==556308==ERROR: AddressSanitizer: heap-use-after-free on address
0x7d2f14452360 at pc 0x7baf0a5c3a8b bp 0x7ffe6e1eb2e0 sp 0x7ffe6e1eb2d8
11:26:39 [1226/65848]
READ of size 4 at 0x7d2f14452360 thread T0
#0 0x7baf0a5c3a8a in py_cli_notify_get_changes
../../source3/libsmb/pylibsmb.c:2291
#1 0x7faf165ba239
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1ba239) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#2 0x7faf1658c798 in PyObject_Vectorcall
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18c798) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#3 0x7faf165a366e in _PyEval_EvalFrameDefault
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1a366e) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#4 0x7faf165db031
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1db031) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#5 0x7faf1659fa1d in _PyEval_EvalFrameDefault
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19fa1d) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#6 0x7faf1658ce9b
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18ce9b) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#7 0x7faf1667a637
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x27a637) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#8 0x7faf1658a726 in _PyObject_MakeTpCall
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18a726) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#9 0x7faf1659ae9b in _PyEval_EvalFrameDefault
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19ae9b) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#10 0x7faf165db031
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1db031) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#11 0x7faf1659fa1d in _PyEval_EvalFrameDefault
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19fa1d) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#12 0x7faf1658ce9b
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18ce9b) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#13 0x7faf1667a637
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x27a637) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#14 0x7faf1658a726 in _PyObject_MakeTpCall
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18a726) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#15 0x7faf1659ae9b in _PyEval_EvalFrameDefault
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19ae9b) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#16 0x7faf165db031
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1db031) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#17 0x7faf1659fa1d in _PyEval_EvalFrameDefault
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19fa1d) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#18 0x7faf1658ce9b
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18ce9b) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#19 0x7faf1667a637
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x27a637) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#20 0x7faf1658a726 in _PyObject_MakeTpCall
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18a726) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#21 0x7faf1659e0ae in _PyEval_EvalFrameDefault
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19e0ae) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#22 0x7faf165db031
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1db031) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#23 0x7faf1659fa1d in _PyEval_EvalFrameDefault
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19fa1d) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#24 0x7faf1658ce9b
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18ce9b) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#25 0x7faf1667a637
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x27a637) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#26 0x7faf1658a726 in _PyObject_MakeTpCall
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18a726) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#27 0x7faf1659e0ae in _PyEval_EvalFrameDefault
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19e0ae) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#28 0x7faf1658cf1b
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18cf1b) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#29 0x7faf165c3c5a
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1c3c5a) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#30 0x7faf1658a9b5
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18a9b5) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#31 0x7faf1658a726 in _PyObject_MakeTpCall
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18a726) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#32 0x7faf165a366e in _PyEval_EvalFrameDefault
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1a366e) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#33 0x7faf1662f875 in PyEval_EvalCode
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x22f875) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#34 0x7faf166498fc
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x2498fc) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#35 0x7faf165b17fe
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1b17fe) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#36 0x7faf1658c798 in PyObject_Vectorcall
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18c798) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#37 0x7faf1659e0ae in _PyEval_EvalFrameDefault
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19e0ae) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#38 0x7faf16664a89
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x264a89) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#39 0x7faf16663a38 in Py_RunMain
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x263a38) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#40 0x7faf1661e3b5 in Py_BytesMain
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x21e3b5) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
#41 0x7faf1602b2fa in __libc_start_call_main (/lib64/libc.so.6+0x2b2fa)
(BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
#42 0x7faf1602b3ca in __libc_start_main_impl (/lib64/libc.so.6+0x2b3ca)
(BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
#43 0x564f2695f074 in _start (/usr/bin/python3.13+0x1074) (BuildId:
381e7a168bb2c479b5b88bcfd875777e342d6b45)
0x7d2f14452360 is located 736 bytes inside of 861-byte region
[0x7d2f14452080,0x7d2f144523dd)
freed by thread T0 here:
#0 0x7faf16d208eb (/lib64/libasan.so.8+0x1208eb) (BuildId:
61b31c4760766f5f2552c32e175755894d8f6565)
#1 0x7faf14560a72 in _tc_free_poolmem ../../lib/talloc/talloc.c:1080
#2 0x7faf1455f71b in _tc_free_internal ../../lib/talloc/talloc.c:1215
#3 0x7faf1455ee1b in _tc_free_children_internal
../../lib/talloc/talloc.c:1669
#4 0x7faf1455ee1b in _tc_free_internal ../../lib/talloc/talloc.c:1184
#5 0x7faf14560315 in _talloc_free_internal
../../lib/talloc/talloc.c:1248
#6 0x7faf14560315 in _talloc_free ../../lib/talloc/talloc.c:1792
#7 0x7baf0a5c3883 in py_cli_notify_get_changes
../../source3/libsmb/pylibsmb.c:2274
#8 0x7faf165ba239
(/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1ba239) (BuildId:
3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
Signed-off-by: Andreas Schneider <[email protected]>
Reviewed-by: Noel Power <[email protected]>
Autobuild-User(master): Andreas Schneider <[email protected]>
Autobuild-Date(master): Tue Oct 14 12:35:37 UTC 2025 on atb-devel-224
-----------------------------------------------------------------------
Summary of changes:
source3/libsmb/pylibsmb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Changeset truncated at 500 lines:
diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
index cba910d173d..be2f2cbcd7e 100644
--- a/source3/libsmb/pylibsmb.c
+++ b/source3/libsmb/pylibsmb.c
@@ -2270,7 +2270,7 @@ static PyObject *py_cli_notify_get_changes(struct
py_cli_notify_state *self,
return NULL;
}
- status = cli_notify_recv(req, req, &num_changes, &changes);
+ status = cli_notify_recv(req, frame, &num_changes, &changes);
TALLOC_FREE(req);
if (!NT_STATUS_IS_OK(status)) {
TALLOC_FREE(frame);
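Review bot: The `cli_notify_recv(req, frame, &num_changes, &changes)` call has no comment saying why the memory context must be `frame` rather than `req`, although the `TALLOC_FREE(req)` on the next line is the whole reason for it, so a later cleanup could easily undo the fix. A one-line comment above the call would pin the rule, e.g. `/* changes is read after TALLOC_FREE(req): allocate it on frame, never on req */`. With this change `changes` lives exactly as long as `frame`, so every later read of it has to come before the matching `TALLOC_FREE(frame)`. The rest of py_cli_notify_get_changes() is outside the hunk, so that ordering should be checked there, presumably around the read ASan reported at pylibsmb.c:2291. The diffstat shows no test change, and the fault was only visible under AddressSanitizer, so whichever Python test exercises get_changes() should be kept in an ASan-enabled run to catch a regression.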
--
Samba Shared Repository