Merge branch 'c9' into a9

This commit is contained in:
eabdullin 2024-11-12 16:37:26 +03:00
commit 4ee6d876f4
11 changed files with 609 additions and 1120 deletions

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/samba-4.18.6.tar.xz
SOURCES/samba-4.20.2.tar.xz
SOURCES/samba-pubkey_AA99442FB680B620.gpg

View File

@ -1,2 +1,2 @@
12b41f2a849cb6c40e9f5b174bb1cd823a060bd7 SOURCES/samba-4.18.6.tar.xz
607bea15c2306b165610ebe3f617f1b29ef7f133 SOURCES/samba-4.20.2.tar.xz
971f563c447eda8d144d6c9e743cd0f0488c0d9e SOURCES/samba-pubkey_AA99442FB680B620.gpg

View File

@ -1,45 +0,0 @@
From ae476e1c28b797fe221172ed1066bf8efa476d8d Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Tue, 25 Jul 2023 17:41:04 -0700
Subject: [PATCH] CVE-2023-3961:s3:smbd: Catch any incoming pipe path that
could exit socket_dir.
For now, SMB_ASSERT() to exit the server. We will remove
this once the test code is in place.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
Signed-off-by: Jeremy Allison <jra@samba.org>
---
source3/rpc_client/local_np.c | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/source3/rpc_client/local_np.c b/source3/rpc_client/local_np.c
index 0e912d0e35a..dfed7e7beb6 100644
--- a/source3/rpc_client/local_np.c
+++ b/source3/rpc_client/local_np.c
@@ -542,6 +542,24 @@ struct tevent_req *local_np_connect_send(
return tevent_req_post(req, ev);
}
+ /*
+ * Ensure we cannot process a path that exits
+ * the socket_dir.
+ */
+ if (ISDOTDOT(lower_case_pipename) ||
+ (strchr(lower_case_pipename, '/')!=NULL))
+ {
+ DBG_DEBUG("attempt to connect to invalid pipe pathname %s\n",
+ lower_case_pipename);
+ /*
+ * For now, panic the server until we have
+ * the test code in place.
+ */
+ SMB_ASSERT(false);
+ tevent_req_error(req, ENOENT);
+ return tevent_req_post(req, ev);
+ }
+
state->socketpath = talloc_asprintf(
state, "%s/np/%s", socket_dir, lower_case_pipename);
if (tevent_req_nomem(state->socketpath, req)) {

View File

@ -1,183 +0,0 @@
From b1fd65694185c26f1e196d84ee8756300e631bd5 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 1 Aug 2023 12:30:00 +0200
Subject: [PATCH] CVE-2023-4091: smbtorture: test overwrite dispositions on
read-only file
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15439
Signed-off-by: Ralph Boehme <slow@samba.org>
---
selftest/knownfail.d/samba3.smb2.acls | 1 +
source4/torture/smb2/acls.c | 143 ++++++++++++++++++++++++++
2 files changed, 144 insertions(+)
create mode 100644 selftest/knownfail.d/samba3.smb2.acls
diff --git a/selftest/knownfail.d/samba3.smb2.acls b/selftest/knownfail.d/samba3.smb2.acls
new file mode 100644
index 00000000000..18df260c0e5
--- /dev/null
+++ b/selftest/knownfail.d/samba3.smb2.acls
@@ -0,0 +1 @@
+^samba3.smb2.acls.OVERWRITE_READ_ONLY_FILE
diff --git a/source4/torture/smb2/acls.c b/source4/torture/smb2/acls.c
index bbf201bcf4b..53f482c5541 100644
--- a/source4/torture/smb2/acls.c
+++ b/source4/torture/smb2/acls.c
@@ -2989,6 +2989,148 @@ static bool test_mxac_not_granted(struct torture_context *tctx,
return ret;
}
+static bool test_overwrite_read_only_file(struct torture_context *tctx,
+ struct smb2_tree *tree)
+{
+ NTSTATUS status;
+ struct smb2_create c;
+ const char *fname = BASEDIR "\\test_overwrite_read_only_file.txt";
+ struct smb2_handle handle = {{0}};
+ union smb_fileinfo q;
+ union smb_setfileinfo set;
+ struct security_descriptor *sd = NULL, *sd_orig = NULL;
+ const char *owner_sid = NULL;
+ int i;
+ bool ret = true;
+
+ struct tcase {
+ int disposition;
+ const char *disposition_string;
+ NTSTATUS expected_status;
+ } tcases[] = {
+#define TCASE(d, s) { \
+ .disposition = d, \
+ .disposition_string = #d, \
+ .expected_status = s, \
+ }
+ TCASE(NTCREATEX_DISP_OPEN, NT_STATUS_OK),
+ TCASE(NTCREATEX_DISP_SUPERSEDE, NT_STATUS_ACCESS_DENIED),
+ TCASE(NTCREATEX_DISP_OVERWRITE, NT_STATUS_ACCESS_DENIED),
+ TCASE(NTCREATEX_DISP_OVERWRITE_IF, NT_STATUS_ACCESS_DENIED),
+ };
+#undef TCASE
+
+ ret = smb2_util_setup_dir(tctx, tree, BASEDIR);
+ torture_assert_goto(tctx, ret, ret, done, "smb2_util_setup_dir not ok");
+
+ c = (struct smb2_create) {
+ .in.desired_access = SEC_STD_READ_CONTROL |
+ SEC_STD_WRITE_DAC |
+ SEC_STD_WRITE_OWNER,
+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+ .in.share_access = NTCREATEX_SHARE_ACCESS_READ |
+ NTCREATEX_SHARE_ACCESS_WRITE,
+ .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+ .in.fname = fname,
+ };
+
+ status = smb2_create(tree, tctx, &c);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_create failed\n");
+ handle = c.out.file.handle;
+
+ torture_comment(tctx, "get the original sd\n");
+
+ ZERO_STRUCT(q);
+ q.query_secdesc.level = RAW_FILEINFO_SEC_DESC;
+ q.query_secdesc.in.file.handle = handle;
+ q.query_secdesc.in.secinfo_flags = SECINFO_DACL | SECINFO_OWNER;
+
+ status = smb2_getinfo_file(tree, tctx, &q);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_getinfo_file failed\n");
+ sd_orig = q.query_secdesc.out.sd;
+
+ owner_sid = dom_sid_string(tctx, sd_orig->owner_sid);
+
+ sd = security_descriptor_dacl_create(tctx,
+ 0, NULL, NULL,
+ owner_sid,
+ SEC_ACE_TYPE_ACCESS_ALLOWED,
+ SEC_FILE_READ_DATA,
+ 0,
+ NULL);
+
+ ZERO_STRUCT(set);
+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+ set.set_secdesc.in.file.handle = handle;
+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+ set.set_secdesc.in.sd = sd;
+
+ status = smb2_setinfo_file(tree, &set);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_setinfo_file failed\n");
+
+ smb2_util_close(tree, handle);
+ ZERO_STRUCT(handle);
+
+ for (i = 0; i < ARRAY_SIZE(tcases); i++) {
+ torture_comment(tctx, "Verify open with %s dispostion\n",
+ tcases[i].disposition_string);
+
+ c = (struct smb2_create) {
+ .in.create_disposition = tcases[i].disposition,
+ .in.desired_access = SEC_FILE_READ_DATA,
+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+ .in.fname = fname,
+ };
+
+ status = smb2_create(tree, tctx, &c);
+ smb2_util_close(tree, c.out.file.handle);
+ torture_assert_ntstatus_equal_goto(
+ tctx, status, tcases[i].expected_status, ret, done,
+ "smb2_create failed\n");
+ };
+
+ torture_comment(tctx, "put back original sd\n");
+
+ c = (struct smb2_create) {
+ .in.desired_access = SEC_STD_WRITE_DAC,
+ .in.file_attributes = FILE_ATTRIBUTE_NORMAL,
+ .in.share_access = NTCREATEX_SHARE_ACCESS_MASK,
+ .in.create_disposition = NTCREATEX_DISP_OPEN_IF,
+ .in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS,
+ .in.fname = fname,
+ };
+
+ status = smb2_create(tree, tctx, &c);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_create failed\n");
+ handle = c.out.file.handle;
+
+ ZERO_STRUCT(set);
+ set.set_secdesc.level = RAW_SFILEINFO_SEC_DESC;
+ set.set_secdesc.in.file.handle = handle;
+ set.set_secdesc.in.secinfo_flags = SECINFO_DACL;
+ set.set_secdesc.in.sd = sd_orig;
+
+ status = smb2_setinfo_file(tree, &set);
+ torture_assert_ntstatus_ok_goto(tctx, status, ret, done,
+ "smb2_setinfo_file failed\n");
+
+ smb2_util_close(tree, handle);
+ ZERO_STRUCT(handle);
+
+done:
+ smb2_util_close(tree, handle);
+ smb2_util_unlink(tree, fname);
+ smb2_deltree(tree, BASEDIR);
+ return ret;
+}
+
/*
basic testing of SMB2 ACLs
*/
@@ -3017,6 +3159,7 @@ struct torture_suite *torture_smb2_acls_init(TALLOC_CTX *ctx)
test_deny1);
torture_suite_add_1smb2_test(suite, "MXAC-NOT-GRANTED",
test_mxac_not_granted);
+ torture_suite_add_1smb2_test(suite, "OVERWRITE_READ_ONLY_FILE", test_overwrite_read_only_file);
suite->description = talloc_strdup(suite, "SMB2-ACLS tests");

View File

@ -1,86 +0,0 @@
From 3cf1beed5df7d8b5d854517de7de322c6a5bc7fa Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 12 Sep 2023 18:59:44 +1200
Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
default
The rpcecho server is useful in development and testing, but should never
have been allowed into production, as it includes the facility to
do a blocking sleep() in the single-threaded rpc worker.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
---
docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
lib/param/loadparm.c | 2 +-
selftest/target/Samba4.pm | 2 +-
source3/param/loadparm.c | 2 +-
source4/rpc_server/wscript_build | 3 ++-
5 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
index 8a217cc7f118..c6642b795fd6 100644
--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
@@ -6,6 +6,6 @@
<para>Specifies which DCE/RPC endpoint servers should be run.</para>
</description>
-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
<value type="example">rpcecho</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 9a7ae4f95fe8..673b913e6e5a 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2730,7 +2730,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
- lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+ lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
/* the winbind method for domain controllers is for both RODC
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 49e3c174b07e..5f1f1bfffad6 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -783,7 +783,7 @@ sub provision_raw_step1($$)
wins support = yes
server role = $ctx->{server_role}
server services = +echo $services
- dcerpc endpoint servers = +winreg +srvsvc
+ dcerpc endpoint servers = +winreg +srvsvc +rpcecho
notify:inotify = false
ldb:nosync = true
ldap server require strong auth = yes
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 1c3644589126..e7f4bbe3995e 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -883,7 +883,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
- Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+ Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
Globals.tls_enabled = true;
Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
index 0e44a3c2baed..31ec4f60c9a6 100644
--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
@@ -33,7 +33,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
source='echo/rpc_echo.c',
subsystem='dcerpc_server',
init_function='dcerpc_server_rpcecho_init',
- deps='ndr-standard events'
+ deps='ndr-standard events',
+ enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
)

View File

@ -1,613 +0,0 @@
From ced40c5a805dcfb06d5f3d68aa45a0aaa44bfdca Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 8 Sep 2023 13:57:26 +0200
Subject: [PATCH 1/5] nsswitch: add test for pthread_key_delete missuse (bug
15464)
This is based on https://bugzilla.samba.org/attachment.cgi?id=18081
written by Krzysztof Piotr Oledzki <ole@ans.pl>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 62af25d44e542548d8cdecb061a6001e0071ee76)
---
nsswitch/b15464-testcase.c | 77 +++++++++++++++++++++++++++
nsswitch/wscript_build | 5 ++
selftest/knownfail.d/b15464_testcase | 1 +
source3/selftest/tests.py | 6 +++
testprogs/blackbox/b15464-testcase.sh | 21 ++++++++
5 files changed, 110 insertions(+)
create mode 100644 nsswitch/b15464-testcase.c
create mode 100644 selftest/knownfail.d/b15464_testcase
create mode 100755 testprogs/blackbox/b15464-testcase.sh
diff --git a/nsswitch/b15464-testcase.c b/nsswitch/b15464-testcase.c
new file mode 100644
index 000000000000..decb474a81ee
--- /dev/null
+++ b/nsswitch/b15464-testcase.c
@@ -0,0 +1,77 @@
+#include "replace.h"
+#include "system/wait.h"
+#include "system/threads.h"
+#include <assert.h>
+
+int main(int argc, const char *argv[])
+{
+ pid_t pid;
+ int wstatus;
+ pthread_key_t k1;
+ pthread_key_t k2;
+ pthread_key_t k3;
+ char *val = NULL;
+ const char *nss_winbind = (argc >= 2 ? argv[1] : "bin/plugins/libnss_winbind.so.2");
+ void *nss_winbind_handle = NULL;
+ union {
+ int (*fn)(void);
+ void *symbol;
+ } nss_winbind_endpwent = { .symbol = NULL, };
+
+ /*
+ * load and invoke something simple like
+ * _nss_winbind_endpwent in order to
+ * get the libnss_winbind internal going
+ */
+ nss_winbind_handle = dlopen(nss_winbind, RTLD_NOW);
+ printf("%d: nss_winbind[%s] nss_winbind_handle[%p]\n",
+ getpid(), nss_winbind, nss_winbind_handle);
+ assert(nss_winbind_handle != NULL);
+
+ nss_winbind_endpwent.symbol = dlsym(nss_winbind_handle,
+ "_nss_winbind_endpwent");
+ printf("%d: nss_winbind_handle[%p] _nss_winbind_endpwent[%p]\n",
+ getpid(), nss_winbind_handle, nss_winbind_endpwent.symbol);
+ assert(nss_winbind_endpwent.symbol != NULL);
+ (void)nss_winbind_endpwent.fn();
+
+ val = malloc(1);
+ assert(val != NULL);
+
+ pthread_key_create(&k1, NULL);
+ pthread_setspecific(k1, val);
+ printf("%d: k1=%d\n", getpid(), k1);
+
+ pid = fork();
+ if (pid) {
+ free(val);
+ wait(&wstatus);
+ return WEXITSTATUS(wstatus);
+ }
+
+ pthread_key_create(&k2, NULL);
+ pthread_setspecific(k2, val);
+
+ printf("%d: Hello after fork, k1=%d, k2=%d\n", getpid(), k1, k2);
+
+ pid = fork();
+
+ if (pid) {
+ free(val);
+ wait(&wstatus);
+ return WEXITSTATUS(wstatus);
+ }
+
+ pthread_key_create(&k3, NULL);
+ pthread_setspecific(k3, val);
+
+ printf("%d: Hello after fork2, k1=%d, k2=%d, k3=%d\n", getpid(), k1, k2, k3);
+
+ if (k1 == k2 || k2 == k3) {
+ printf("%d: FAIL inconsistent keys\n", getpid());
+ return 1;
+ }
+
+ printf("%d: OK consistent keys\n", getpid());
+ return 0;
+}
diff --git a/nsswitch/wscript_build b/nsswitch/wscript_build
index 3247b6c2b7c3..4e62bb4c9461 100644
--- a/nsswitch/wscript_build
+++ b/nsswitch/wscript_build
@@ -15,6 +15,11 @@ if bld.CONFIG_SET('HAVE_PTHREAD'):
deps='wbclient pthread',
for_selftest=True
)
+ bld.SAMBA_BINARY('b15464-testcase',
+ source='b15464-testcase.c',
+ deps='replace pthread dl',
+ for_selftest=True
+ )
# The nss_wrapper code relies strictly on the linux implementation and
# name, so compile but do not install a copy under this name.
diff --git a/selftest/knownfail.d/b15464_testcase b/selftest/knownfail.d/b15464_testcase
new file mode 100644
index 000000000000..94dd7db7c2a5
--- /dev/null
+++ b/selftest/knownfail.d/b15464_testcase
@@ -0,0 +1 @@
+^b15464_testcase.run.b15464-testcase
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index 0c834ed48b5e..ea17ead3eda7 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -67,6 +67,8 @@ except KeyError:
samba4bindir = bindir()
config_h = os.path.join(samba4bindir, "default/include/config.h")
+bbdir = os.path.join(srcdir(), "testprogs/blackbox")
+
# check available features
config_hash = dict()
f = open(config_h, 'r')
@@ -936,6 +938,10 @@ if with_pthreadpool:
[os.path.join(samba3srcdir,
"script/tests/test_libwbclient_threads.sh"),
"$DOMAIN", "$DC_USERNAME"])
+ plantestsuite("b15464_testcase", "none",
+ [os.path.join(bbdir, "b15464-testcase.sh"),
+ binpath("b15464-testcase"),
+ binpath("plugins/libnss_winbind.so.2")])
plantestsuite("samba3.test_nfs4_acl", "none",
[os.path.join(bindir(), "test_nfs4_acls"),
diff --git a/testprogs/blackbox/b15464-testcase.sh b/testprogs/blackbox/b15464-testcase.sh
new file mode 100755
index 000000000000..b0c88260d4cc
--- /dev/null
+++ b/testprogs/blackbox/b15464-testcase.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+# Blackbox wrapper for bug 15464
+# Copyright (C) 2023 Stefan Metzmacher
+
+if [ $# -lt 2 ]; then
+ cat <<EOF
+Usage: b15464-testcase.sh B15464_TESTCASE LIBNSS_WINBIND
+EOF
+ exit 1
+fi
+
+b15464_testcase=$1
+libnss_winbind=$2
+shift 2
+failed=0
+
+. $(dirname $0)/subunit.sh
+
+testit "run b15464-testcase" $VALGRIND $b15464_testcase $libnss_winbind || failed=$(expr $failed + 1)
+
+testok $0 $failed
--
2.34.1
From 08728ee7847d7864d4c72a4ac1ddfeca78934326 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 7 Sep 2023 16:02:32 +0200
Subject: [PATCH 2/5] nsswitch/wb_common.c: fix build without HAVE_PTHREAD
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 4faf806412c4408db25448b1f67c09359ec2f81f)
---
nsswitch/wb_common.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
index d569e761ebe4..c382a44c1209 100644
--- a/nsswitch/wb_common.c
+++ b/nsswitch/wb_common.c
@@ -104,7 +104,6 @@ static void wb_thread_ctx_initialize(void)
wb_thread_ctx_destructor);
assert(ret == 0);
}
-#endif
static struct winbindd_context *get_wb_thread_ctx(void)
{
@@ -139,6 +138,7 @@ static struct winbindd_context *get_wb_thread_ctx(void)
}
return ctx;
}
+#endif /* HAVE_PTHREAD */
static struct winbindd_context *get_wb_global_ctx(void)
{
--
2.34.1
From d1f43cd4cc6aeb2ac9fcaee9aa512012ca92ecb3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 8 Sep 2023 09:53:42 +0200
Subject: [PATCH 3/5] nsswitch/wb_common.c: winbind_destructor can always use
get_wb_global_ctx()
The HAVE_PTHREAD logic inside of get_wb_global_ctx() will do all
required magic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 836823e5047d0eb18e66707386ba03b812adfaf8)
---
nsswitch/wb_common.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
index c382a44c1209..d56e48d9bdb8 100644
--- a/nsswitch/wb_common.c
+++ b/nsswitch/wb_common.c
@@ -246,14 +246,10 @@ static void winbind_destructor(void)
return;
}
-#ifdef HAVE_PTHREAD_H
- ctx = (struct winbindd_context *)pthread_getspecific(wb_global_ctx.key);
+ ctx = get_wb_global_ctx();
if (ctx == NULL) {
return;
}
-#else
- ctx = get_wb_global_ctx();
-#endif
winbind_close_sock(ctx);
}
--
2.34.1
From 6e29ea5b9efe5cf166cc9d633c1dc4eb8f192736 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 8 Sep 2023 09:56:47 +0200
Subject: [PATCH 4/5] nsswitch/wb_common.c: don't operate on a stale
wb_global_ctx.key
If nss_winbind is loaded into a process that uses fork multiple times
without any further calls into nss_winbind, wb_atfork_child handler
was using a wb_global_ctx.key that was no longer registered in the
pthread library, so we operated on a slot that was potentially
reused by other libraries or the main application. Which is likely
to cause memory corruption.
So we better don't call pthread_key_delete() in wb_atfork_child().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
Reported-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 91b30a7261e6455d3a4f31728c23e4849e3945b9)
---
nsswitch/wb_common.c | 5 -----
selftest/knownfail.d/b15464_testcase | 1 -
2 files changed, 6 deletions(-)
delete mode 100644 selftest/knownfail.d/b15464_testcase
diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
index d56e48d9bdb8..38f9f334016b 100644
--- a/nsswitch/wb_common.c
+++ b/nsswitch/wb_common.c
@@ -76,11 +76,6 @@ static void wb_atfork_child(void)
winbind_close_sock(ctx);
free(ctx);
-
- ret = pthread_key_delete(wb_global_ctx.key);
- assert(ret == 0);
-
- wb_global_ctx.control = (pthread_once_t)PTHREAD_ONCE_INIT;
}
static void wb_thread_ctx_destructor(void *p)
diff --git a/selftest/knownfail.d/b15464_testcase b/selftest/knownfail.d/b15464_testcase
deleted file mode 100644
index 94dd7db7c2a5..000000000000
--- a/selftest/knownfail.d/b15464_testcase
+++ /dev/null
@@ -1 +0,0 @@
-^b15464_testcase.run.b15464-testcase
--
2.34.1
From 61ca2c66e0a3c837f2c542b8d9321a8d8cd03382 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 7 Sep 2023 15:59:59 +0200
Subject: [PATCH 5/5] nsswitch/wb_common.c: fix socket fd and memory leaks of
global state
When we are called in wb_atfork_child() or winbind_destructor(),
wb_thread_ctx_destructor() is not called for the global state
of the current nor any other thread, which means we would
leak the related memory and socket fds.
Now we maintain a global list protected by a global mutex.
We traverse the list and close all socket fds, which are no
longer used (winbind_destructor) or no longer valid in the
current process (wb_atfork_child), in addition we 'autofree'
the ones, which are only visible internally as global (per thread)
context.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15464
Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Thu Sep 14 18:53:07 UTC 2023 on atb-devel-224
(cherry picked from commit 4af3faace481d23869b64485b791bdd43d8972c5)
---
nsswitch/wb_common.c | 143 ++++++++++++++++++++++++++++++++++---------
1 file changed, 113 insertions(+), 30 deletions(-)
diff --git a/nsswitch/wb_common.c b/nsswitch/wb_common.c
index 38f9f334016b..b7f84435a4ee 100644
--- a/nsswitch/wb_common.c
+++ b/nsswitch/wb_common.c
@@ -26,6 +26,7 @@
#include "replace.h"
#include "system/select.h"
#include "winbind_client.h"
+#include "lib/util/dlinklist.h"
#include <assert.h>
#ifdef HAVE_PTHREAD_H
@@ -37,67 +38,112 @@ static __thread char client_name[32];
/* Global context */
struct winbindd_context {
+ struct winbindd_context *prev, *next;
int winbindd_fd; /* winbind file descriptor */
bool is_privileged; /* using the privileged socket? */
pid_t our_pid; /* calling process pid */
+ bool autofree; /* this is a thread global context */
};
static struct wb_global_ctx {
- bool initialized;
#ifdef HAVE_PTHREAD
pthread_once_t control;
pthread_key_t key;
+ bool key_initialized;
+#ifdef PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP
+#define WB_GLOBAL_MUTEX_INITIALIZER PTHREAD_ERRORCHECK_MUTEX_INITIALIZER_NP
#else
- bool dummy;
+#define WB_GLOBAL_MUTEX_INITIALIZER PTHREAD_MUTEX_INITIALIZER
#endif
+#define WB_GLOBAL_LIST_LOCK do { \
+ int __pret = pthread_mutex_lock(&wb_global_ctx.list_mutex); \
+ assert(__pret == 0); \
+} while(0)
+#define WB_GLOBAL_LIST_UNLOCK do { \
+ int __pret = pthread_mutex_unlock(&wb_global_ctx.list_mutex); \
+ assert(__pret == 0); \
+} while(0)
+ pthread_mutex_t list_mutex;
+#else /* => not HAVE_PTHREAD */
+#define WB_GLOBAL_LIST_LOCK do { } while(0)
+#define WB_GLOBAL_LIST_UNLOCK do { } while(0)
+#endif /* not HAVE_PTHREAD */
+ struct winbindd_context *list;
} wb_global_ctx = {
#ifdef HAVE_PTHREAD
.control = PTHREAD_ONCE_INIT,
+ .list_mutex = WB_GLOBAL_MUTEX_INITIALIZER,
#endif
+ .list = NULL,
};
static void winbind_close_sock(struct winbindd_context *ctx);
+static void winbind_ctx_free_locked(struct winbindd_context *ctx);
+static void winbind_cleanup_list(void);
#ifdef HAVE_PTHREAD
static void wb_thread_ctx_initialize(void);
+static void wb_atfork_prepare(void)
+{
+ WB_GLOBAL_LIST_LOCK;
+}
+
+static void wb_atfork_parent(void)
+{
+ WB_GLOBAL_LIST_UNLOCK;
+}
+
static void wb_atfork_child(void)
{
- struct winbindd_context *ctx = NULL;
- int ret;
+ wb_global_ctx.list_mutex = (pthread_mutex_t)WB_GLOBAL_MUTEX_INITIALIZER;
- ctx = (struct winbindd_context *)pthread_getspecific(wb_global_ctx.key);
- if (ctx == NULL) {
- return;
- }
+ if (wb_global_ctx.key_initialized) {
+ int ret;
- ret = pthread_setspecific(wb_global_ctx.key, NULL);
- assert(ret == 0);
+ /*
+ * After a fork the child still believes
+ * it is the same thread as in the parent.
+ * So pthread_getspecific() would return the
+ * value of the thread that called fork().
+ *
+ * But we don't want that behavior, so
+ * we just clear the reference and let
+ * winbind_cleanup_list() below 'autofree'
+ * the parent threads global context.
+ */
+ ret = pthread_setspecific(wb_global_ctx.key, NULL);
+ assert(ret == 0);
+ }
- winbind_close_sock(ctx);
- free(ctx);
+ /*
+ * But we need to close/cleanup the global state
+ * of the parents threads.
+ */
+ winbind_cleanup_list();
}
static void wb_thread_ctx_destructor(void *p)
{
struct winbindd_context *ctx = (struct winbindd_context *)p;
- winbind_close_sock(ctx);
- free(ctx);
+ winbindd_ctx_free(ctx);
}
static void wb_thread_ctx_initialize(void)
{
int ret;
- ret = pthread_atfork(NULL,
- NULL,
+ ret = pthread_atfork(wb_atfork_prepare,
+ wb_atfork_parent,
wb_atfork_child);
assert(ret == 0);
ret = pthread_key_create(&wb_global_ctx.key,
wb_thread_ctx_destructor);
assert(ret == 0);
+
+ wb_global_ctx.key_initialized = true;
}
static struct winbindd_context *get_wb_thread_ctx(void)
@@ -123,9 +169,14 @@ static struct winbindd_context *get_wb_thread_ctx(void)
*ctx = (struct winbindd_context) {
.winbindd_fd = -1,
.is_privileged = false,
- .our_pid = 0
+ .our_pid = 0,
+ .autofree = true,
};
+ WB_GLOBAL_LIST_LOCK;
+ DLIST_ADD_END(wb_global_ctx.list, ctx);
+ WB_GLOBAL_LIST_UNLOCK;
+
ret = pthread_setspecific(wb_global_ctx.key, ctx);
if (ret != 0) {
free(ctx);
@@ -142,7 +193,8 @@ static struct winbindd_context *get_wb_global_ctx(void)
static struct winbindd_context _ctx = {
.winbindd_fd = -1,
.is_privileged = false,
- .our_pid = 0
+ .our_pid = 0,
+ .autofree = false,
};
#endif
@@ -150,9 +202,11 @@ static struct winbindd_context *get_wb_global_ctx(void)
ctx = get_wb_thread_ctx();
#else
ctx = &_ctx;
+ if (ctx->prev == NULL && ctx->next == NULL) {
+ DLIST_ADD_END(wb_global_ctx.list, ctx);
+ }
#endif
- wb_global_ctx.initialized = true;
return ctx;
}
@@ -226,6 +280,30 @@ static void winbind_close_sock(struct winbindd_context *ctx)
}
}
+static void winbind_ctx_free_locked(struct winbindd_context *ctx)
+{
+ winbind_close_sock(ctx);
+ DLIST_REMOVE(wb_global_ctx.list, ctx);
+ free(ctx);
+}
+
+static void winbind_cleanup_list(void)
+{
+ struct winbindd_context *ctx = NULL, *next = NULL;
+
+ WB_GLOBAL_LIST_LOCK;
+ for (ctx = wb_global_ctx.list; ctx != NULL; ctx = next) {
+ next = ctx->next;
+
+ if (ctx->autofree) {
+ winbind_ctx_free_locked(ctx);
+ } else {
+ winbind_close_sock(ctx);
+ }
+ }
+ WB_GLOBAL_LIST_UNLOCK;
+}
+
/* Destructor for global context to ensure fd is closed */
#ifdef HAVE_DESTRUCTOR_ATTRIBUTE
@@ -235,18 +313,18 @@ __attribute__((destructor))
#endif
static void winbind_destructor(void)
{
- struct winbindd_context *ctx;
-
- if (!wb_global_ctx.initialized) {
- return;
+#ifdef HAVE_PTHREAD
+ if (wb_global_ctx.key_initialized) {
+ int ret;
+ ret = pthread_key_delete(wb_global_ctx.key);
+ assert(ret == 0);
+ wb_global_ctx.key_initialized = false;
}
- ctx = get_wb_global_ctx();
- if (ctx == NULL) {
- return;
- }
+ wb_global_ctx.control = (pthread_once_t)PTHREAD_ONCE_INIT;
+#endif /* HAVE_PTHREAD */
- winbind_close_sock(ctx);
+ winbind_cleanup_list();
}
#define CONNECT_TIMEOUT 30
@@ -928,11 +1006,16 @@ struct winbindd_context *winbindd_ctx_create(void)
ctx->winbindd_fd = -1;
+ WB_GLOBAL_LIST_LOCK;
+ DLIST_ADD_END(wb_global_ctx.list, ctx);
+ WB_GLOBAL_LIST_UNLOCK;
+
return ctx;
}
void winbindd_ctx_free(struct winbindd_context *ctx)
{
- winbind_close_sock(ctx);
- free(ctx);
+ WB_GLOBAL_LIST_LOCK;
+ winbind_ctx_free_locked(ctx);
+ WB_GLOBAL_LIST_UNLOCK;
}
--
2.34.1

102
SOURCES/redhat-4.20.2.patch Normal file
View File

@ -0,0 +1,102 @@
From dddbbec2cb10b05a6ec3b4f1fcc877d60a44080a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20Filipensk=C3=BD?= <pfilipensky@samba.org>
Date: Thu, 4 Jul 2024 11:08:03 +0200
Subject: [PATCH 1/2] .gitlab-ci-main.yml: Add safe.directory '*'
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is to fix the error when pushing to personal gitlab repo:
2024-07-04 08:16:05,460 Running: 'git clone --recursive --shared /builds/pfilipen/samba /builds/samba-testbase/master' in '/builds/pfilipen/samba'
Cloning into '/builds/samba-testbase/master'...
fatal: detected dubious ownership in repository at '/builds/pfilipen/samba/.git'
To add an exception for this directory, call:
git config --global --add safe.directory /builds/pfilipen/samba/.git
fatal: Could not read from remote repository.
Instead of adding more and more explicit repositories
we should just allow any, we're in an isolated environment...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15660
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Pavel Filipenský <pfilipensky@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Jul 10 10:35:00 UTC 2024 on atb-devel-224
(cherry picked from commit 3a21b7d9a4e7e9814d0be8c0ebf72b9821a5dc36)
---
.gitlab-ci-main.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index face2103327..08865ca2c42 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -146,8 +146,7 @@ include:
- ccache -z -M 500M
- ccache -s
# We are already running .gitlab-ci directives from this repo, remove additional checks that break our CI
- - git config --global --add safe.directory `pwd`
- - git config --global --add safe.directory /builds/samba-team/devel/samba/.git
+ - git config --global --add safe.directory '*'
after_script:
- mount
- df -h
--
2.45.2
From 1c69964d34d2cf66532b23ffde76a839a65b0db2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Fri, 12 Jul 2024 14:18:26 +0200
Subject: [PATCH 2/2] s3:printing: Allow to run samba-bgqd as a standalone
systemd service
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15683
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
(cherry picked from commit 0a532378322661b23b3393eb2ebde29402a16e62)
Autobuild-User(v4-20-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-20-test): Tue Jul 23 08:56:24 UTC 2024 on atb-devel-224
(cherry picked from commit 4cf9af9186d7829f11bd07c7d6e526a51dcf0d61)
---
source3/printing/samba-bgqd.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/source3/printing/samba-bgqd.c b/source3/printing/samba-bgqd.c
index 59ed0cc40db..9560fcf9e35 100644
--- a/source3/printing/samba-bgqd.c
+++ b/source3/printing/samba-bgqd.c
@@ -253,7 +253,9 @@ int main(int argc, const char *argv[])
log_stdout = (debug_get_log_type() == DEBUG_STDOUT);
/* main process will notify systemd */
- daemon_sd_notifications(false);
+ if (ready_signal_fd != -1 || watch_fd != -1) {
+ daemon_sd_notifications(false);
+ }
if (!cmdline_daemon_cfg->fork) {
daemon_status(progname, "Starting process ... ");
@@ -325,6 +327,10 @@ int main(int argc, const char *argv[])
goto done;
}
+ if (!cmdline_daemon_cfg->fork) {
+ daemon_ready(progname);
+ }
+
if (ready_signal_fd != -1) {
pid_t pid = getpid();
ssize_t written;
--
2.45.2

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmTc/5EACgkQqplEL7aA
tiB+4RAAkcRhO1/ZC7sXgqAqTZY05On8g2GLeuBh2Q+u7QIyjcDLuJWzp0TkrbMn
LBGtFAyCxM1JbW/K1UNafeQcf3UKzY1nIPtUpqVjN7qMxt0BDZ6MsXGbB/qhyGMZ
YnsZ8of/8NOUKx5KbrSeN5TqjICWTVRKi7KPcBrD51sTSt5unXYrolyJpKoPjYYU
lQS8cnh/shfvvFX4fYf9XtFS2OcQqCTFrLeajb6DU7Ep6ZBZa9r3m5Gk3ZvhBu9r
qowmQDqbNfo++wIkOaehD6tQsWcY2XvfBCFLqtSnF1SraN0jpdYr08dbcRGyuhFd
DS9+4BwCCML0mip7aaP6NHZpN+LvyYkAKPuKo8mW8pxe3i8ctxcTyN6SfmZA6RlE
bcmRQSkBD/e0jjBX5nR0zsaT01bgE1bBvbro0ZKHpR7/k6WeV+k6jDmqqXnYj3uB
61fCtf41w1b2pMhty70niga2gxaHrSqu9gqSl2wk/uMhwtdntqrJtaWIChWM0CRs
b6pfbjEZM2NDhsLe3idvY9Hl1hlKrMtoLJTu7fksTDVJzWPfqOCyIOc1DkxbCqlG
XB9fbre57DWIpRvNK4pu108LiGbavK2rLC6wlcjshP3/9BA3c3HO/JPQGtDAn1UE
JVQlYT1Fzzp9RU8U5Khz9D7pB3k6K19ZIo3q5xTA/V5O6axB5WM=
=GnJM
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEgfXigyvSVFoYl7cTqplEL7aAtiAFAmZy684ACgkQqplEL7aA
tiDXDw/+KleJ11LLq5ZlXMlj11niRCETErY8cuoZ9VX04lfRwRBnplpKKLSQuFit
5HeY5ED65DhbpGzPfLPx7xOw4wyFc/bXhHPTgF3Ybj8TKkEcaMmkpD3V8FPa4NAt
vNZ3alLQLP//kgRXnqeV9pfa4slx17G6WeBLbpd8b4SbgPMgokJt7hL3nWfBrFE9
p6B+TKZcwfoCn9ufz1UxMpBFtpSK0yF0S7CQcdv3JrBNIYhULuXbnAnLCHcH1RqW
xreoxZPnMx+SrYb0iHyKbkMsDujCqBKm9CyS13Yt9DjI49lv0pBwQFnaqtR4Xm/D
BU2XIWLLInUecxtUOBtsa046h55fLQPgkb+WYob++iA9r91y4JAZIiAxdVrNLsxR
BiFUxkL7EPtyptT84xNjpQ3CTZuw8tlHu/sJ1/XHRUFMtRGjiMqJp7ULsVQDfwET
7T+HHrVHNstddb9A6WfM8qSItoMfGUlYyzTQ2d3OmrbGRnB0qf+zg9DI+vXv5Itx
M23we8ljSadCnc/kqz3Z6gefI538WWDnbXIljRqDxuzwaSXhMd4heG+xIAAO0Of5
ziyCVQ/n8gnyXQmC82Xlebc3mYki8UoyYWdbVNJZAOEo/LuBql1OkjOhkhMcBDmr
qvD6f+0+MA4nydmVhI/q/pmo7nAUD3SAxmRKrVTwjpjcAnZ4IGw=
=CGiK
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,2 @@
#Type Name ID
g wbpriv 88

File diff suppressed because it is too large Load Diff