From: Andreas Schneider <asn@samba.org>
Date: Tue, 14 Oct 2025 09:33:00 +0000 (+0200)
Subject: s3:libsmb: Fix heap-use-after-free in py_cli_notify_get_changes()
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b72a7e2fb53c79a4790e221776281cbf02bc2664;p=thirdparty%2Fsamba.git

s3:libsmb: Fix heap-use-after-free in py_cli_notify_get_changes()

==556308==ERROR: AddressSanitizer: heap-use-after-free on address 0x7d2f14452360 at pc 0x7baf0a5c3a8b bp 0x7ffe6e1eb2e0 sp 0x7ffe6e1eb2d8                      11:26:39 [1226/65848]
READ of size 4 at 0x7d2f14452360 thread T0
    #0 0x7baf0a5c3a8a in py_cli_notify_get_changes ../../source3/libsmb/pylibsmb.c:2291
    #1 0x7faf165ba239  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1ba239) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #2 0x7faf1658c798 in PyObject_Vectorcall (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18c798) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #3 0x7faf165a366e in _PyEval_EvalFrameDefault (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1a366e) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #4 0x7faf165db031  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1db031) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #5 0x7faf1659fa1d in _PyEval_EvalFrameDefault (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19fa1d) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #6 0x7faf1658ce9b  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18ce9b) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #7 0x7faf1667a637  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x27a637) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #8 0x7faf1658a726 in _PyObject_MakeTpCall (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18a726) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #9 0x7faf1659ae9b in _PyEval_EvalFrameDefault (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19ae9b) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #10 0x7faf165db031  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1db031) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #11 0x7faf1659fa1d in _PyEval_EvalFrameDefault (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19fa1d) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #12 0x7faf1658ce9b  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18ce9b) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #13 0x7faf1667a637  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x27a637) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #14 0x7faf1658a726 in _PyObject_MakeTpCall (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18a726) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #15 0x7faf1659ae9b in _PyEval_EvalFrameDefault (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19ae9b) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #16 0x7faf165db031  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1db031) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #17 0x7faf1659fa1d in _PyEval_EvalFrameDefault (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19fa1d) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #18 0x7faf1658ce9b  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18ce9b) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #19 0x7faf1667a637  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x27a637) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #20 0x7faf1658a726 in _PyObject_MakeTpCall (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18a726) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #21 0x7faf1659e0ae in _PyEval_EvalFrameDefault (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19e0ae) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #22 0x7faf165db031  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1db031) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #23 0x7faf1659fa1d in _PyEval_EvalFrameDefault (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19fa1d) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #24 0x7faf1658ce9b  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18ce9b) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #25 0x7faf1667a637  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x27a637) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #26 0x7faf1658a726 in _PyObject_MakeTpCall (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18a726) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #27 0x7faf1659e0ae in _PyEval_EvalFrameDefault (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19e0ae) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #28 0x7faf1658cf1b  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18cf1b) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #29 0x7faf165c3c5a  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1c3c5a) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #30 0x7faf1658a9b5  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18a9b5) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #31 0x7faf1658a726 in _PyObject_MakeTpCall (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18a726) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #32 0x7faf165a366e in _PyEval_EvalFrameDefault (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1a366e) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #33 0x7faf1662f875 in PyEval_EvalCode (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x22f875) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #34 0x7faf166498fc  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x2498fc) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #35 0x7faf165b17fe  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1b17fe) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #36 0x7faf1658c798 in PyObject_Vectorcall (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x18c798) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #37 0x7faf1659e0ae in _PyEval_EvalFrameDefault (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x19e0ae) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #38 0x7faf16664a89  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x264a89) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #39 0x7faf16663a38 in Py_RunMain (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x263a38) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #40 0x7faf1661e3b5 in Py_BytesMain (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x21e3b5) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)
    #41 0x7faf1602b2fa in __libc_start_call_main (/lib64/libc.so.6+0x2b2fa) (BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
    #42 0x7faf1602b3ca in __libc_start_main_impl (/lib64/libc.so.6+0x2b3ca) (BuildId: 8523b213e7586a93ab00f6dd476418b1e521e62c)
    #43 0x564f2695f074 in _start (/usr/bin/python3.13+0x1074) (BuildId: 381e7a168bb2c479b5b88bcfd875777e342d6b45)

0x7d2f14452360 is located 736 bytes inside of 861-byte region [0x7d2f14452080,0x7d2f144523dd)
freed by thread T0 here:
    #0 0x7faf16d208eb  (/lib64/libasan.so.8+0x1208eb) (BuildId: 61b31c4760766f5f2552c32e175755894d8f6565)
    #1 0x7faf14560a72 in _tc_free_poolmem ../../lib/talloc/talloc.c:1080
    #2 0x7faf1455f71b in _tc_free_internal ../../lib/talloc/talloc.c:1215
    #3 0x7faf1455ee1b in _tc_free_children_internal ../../lib/talloc/talloc.c:1669
    #4 0x7faf1455ee1b in _tc_free_internal ../../lib/talloc/talloc.c:1184
    #5 0x7faf14560315 in _talloc_free_internal ../../lib/talloc/talloc.c:1248
    #6 0x7faf14560315 in _talloc_free ../../lib/talloc/talloc.c:1792
    #7 0x7baf0a5c3883 in py_cli_notify_get_changes ../../source3/libsmb/pylibsmb.c:2274
    #8 0x7faf165ba239  (/lib64/glibc-hwcaps/x86-64-v3/libpython3.13.so.1.0+0x1ba239) (BuildId: 3925b60e845f4803e4de04e1fdf7845f2e54ecb0)

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Oct 14 12:35:37 UTC 2025 on atb-devel-224
---

diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c
index cba910d173d..be2f2cbcd7e 100644
--- a/source3/libsmb/pylibsmb.c
+++ b/source3/libsmb/pylibsmb.c
@@ -2270,7 +2270,7 @@ static PyObject *py_cli_notify_get_changes(struct py_cli_notify_state *self,
 		return NULL;
 	}
 
-	status = cli_notify_recv(req, req, &num_changes, &changes);
+	status = cli_notify_recv(req, frame, &num_changes, &changes);
 	TALLOC_FREE(req);
 	if (!NT_STATUS_IS_OK(status)) {
 		TALLOC_FREE(frame);