[Bug 1015935] Re: SWAT segfaults when trying to view full configuration

Kai Blin 1015935 at bugs.launchpad.net
Mon Jun 25 21:15:45 UTC 2012 

Ok, this actually is a bug in libpam-smbpass, not in swat.

When recompiling the packages with debug info, the backtrace from swat
is:

#0  0xb7217600 in ?? ()
#1  0xb7d7923c in _talloc_free () from /usr/lib/i386-linux-gnu/libtalloc.so.2
#2  0x8027fae1 in smb_iconv_close (cd=0x8081f768) at ../lib/util/charset/iconv.c:337
#3  0x8026ee61 in close_iconv_convenience (data=0x80812228) at ../lib/util/charset/codepoints.c:203
#4  0x8026f08c in smb_iconv_convenience_reinit (mem_ctx=0x0, dos_charset=0x80816c08 "CP850", unix_charset=0x80816bc8 "UTF-8", 
    display_charset=0xb745930c "UTF-8", native_iconv=true, old_ic=0x80812228) at ../lib/util/charset/codepoints.c:265
#5  0x8025b037 in init_iconv () at lib/charcnv.c:78
#6  0x8025af8c in lazy_initialize_conv () at lib/charcnv.c:55
#7  0x8025bb59 in convert_string_talloc (ctx=0x80816b90, from=CH_UTF8, to=CH_UNIX, src=0x8081cd60, srclen=9, dst=0xbffff670, converted_size=0xbffff674, 
    allow_bad_conv=true) at lib/charcnv.c:480
#8  0x8007207d in cgi_load_variables () at web/cgi.c:214
#9  0x80079c4c in main (argc=1, argv=0xbffff824) at web/swat.c:1581

Note the call to close_iconv_convenience() in frame 3.

Now, when looking at libpam-smbpass.so symbols with nm, this gives the
following iconv-related output:

0008fe20 t close_iconv_convenience
0008fd4c T get_iconv_convenience
00207a80 B global_iconv_convenience
         U iconv@@GLIBC_2.1
         U iconv_close@@GLIBC_2.1
000a111b t iconv_copy
         U iconv_open@@GLIBC_2.1
000a1057 t iconv_swab
0007c01a T init_iconv
000a0364 t lazy_initialize_iconv
000a03ff T smb_iconv
000a0af6 T smb_iconv_close
00090085 T smb_iconv_convenience_reinit
000a0abc T smb_iconv_open
000a0686 T smb_iconv_open_ex
000a0600 t smb_iconv_t_destructor
000a0389 t sys_iconv

Again, note the t close_iconv_convenience, which as far as I understand says that libpam-smbpass contains close_iconv_convenience in it's text section, so there's a copy of that call in libpam-smbpass.
Now, if libpam-smbpass is loaded, it seems like swat uses the wrong version of that call, and things go wrong.
If you comment out the libpam-smbpass line in /etc/pam.d/common-auth, The crash is gone.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to samba in Ubuntu.
https://bugs.launchpad.net/bugs/1015935

Title:
  SWAT segfaults when trying to view full configuration

Status in Samba:
  Unknown
Status in “samba” package in Ubuntu:
  Confirmed

Bug description:
  When running swat on a 32bit 12.04 install, swat segfaults when the
  user clicks on the "Full View" button in the configuration menu. This
  only happens on the 32bit install, the 64bit install seems fine.

  This was reported to upstream under
  https://bugzilla.samba.org/show_bug.cgi?id=8999 but can only be
  reproduced with the distro packages.

  swat crashes with the following backtrace (sorry for the missing debug
  symbols, the samba-dbg package doesn't seem to help gdb getting debug
  symbols for swat):

  (gdb) bt
  #0  0xb72340c0 in ?? ()
  #1  0xb7d7923c in _talloc_free () from /usr/lib/i386-linux-gnu/libtalloc.so.2
  #2  0x80215875 in smb_iconv_close ()
  #3  0x80204d65 in ?? ()
  #4  0x802051d8 in smb_iconv_convenience_reinit ()
  #5  0x801f2bf5 in init_iconv ()
  #6  0x801f2c32 in lazy_initialize_conv ()
  #7  0x801f35e5 in convert_string_talloc ()
  #8  0x80074c99 in cgi_load_variables ()
  #9  0x80071e3c in main ()

  A relatively straightforward way to reproduce the crash in gdb is running gdb swat, and then typing in
  GET /viewconfig HTTP/1.1
  Authorization: Basic <base64 of user:pass>

  then grab the xsrf and xsrf_time values in the form displayed...

  GET /viewconfig?full_view=Full+View&xsrf=<xsrf>&xsrf_time=<xsrf_time> HTTP/1.1
  Authorization: Basic <base64 of user:pass>

  and the segfault happens.
  With the current v3-6-test git HEAD from the samba git, this doesn't happen. The last time this code was touched upstream was in 2009, so I'm not sure a code change caused this.

  You cannot reproduce the crash if you start swat with -a to skip the
  authentication logic, so you need to set up a root password for this
  to work.

  ProblemType: Bug
  DistroRelease: Ubuntu 12.04
  Package: swat 2:3.6.3-2ubuntu2.3
  ProcVersionSignature: Ubuntu 3.2.0-25.40-generic-pae 3.2.18
  Uname: Linux 3.2.0-25-generic-pae i686
  ApportVersion: 2.0.1-0ubuntu8
  Architecture: i386
  Date: Wed Jun 20 13:41:39 2012
  InstallationMedia: Ubuntu-Server 12.04 LTS "Precise Pangolin" - Release i386 (20120424.1)
  NmbdLog:
   Packet send failed to 10.0.2.255(138) ERRNO=Invalid argument
     Packet send failed to 10.0.2.255(138) ERRNO=Invalid argument
  OtherFailedConnect: Yes
  ProcEnviron:
   LANGUAGE=en_IE:en
   TERM=linux
   PATH=(custom, no user)
   LANG=en_IE.UTF-8
   SHELL=/bin/bash
  SambaServerRegression: Yes
  SmbConfIncluded: Yes
  SourcePackage: samba
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/samba/+bug/1015935/+subscriptions

More information about the foundations-bugs mailing list