From 5f1ceead7094aefc6ad1f209468e9ea8f009716c Mon Sep 17 00:00:00 2001
From: Volker Lendecke
Date: Thu, 3 Feb 2022 15:25:11 +0100
Subject: [PATCH] torture: Add a test to show that full_audit uses a ptr after free
Run vfstest with this vfstest.cmd under valgrind and you'll see what happens.
Exact explanation a few patches further down...
Signed-off-by: Volker Lendecke
Reviewed-by: Jeremy Allison
---
 selftest/knownfail.d/full_audit_crash | 1 +
 .../script/tests/full_audit_segfault/run.sh | 23 +++
 .../tests/full_audit_segfault/vfstest.cmd | 3 +
 source3/selftest/tests.py | 8 ++
 source3/torture/cmd_vfs.c | 85 +++++++++++++++++++
 5 files changed, 120 insertions(+)
 create mode 100644 selftest/knownfail.d/full_audit_crash
 create mode 100755 source3/script/tests/full_audit_segfault/run.sh
 create mode 100644 source3/script/tests/full_audit_segfault/vfstest.cmd
diff --git a/selftest/knownfail.d/full_audit_crash b/selftest/knownfail.d/full_audit_crash
new file mode 100644
index 00000000000..9154ea334f2
--- /dev/null
+++ b/selftest/knownfail.d/full_audit_crash
@@ -0,0 +1 @@
+^samba.vfstest.full_audit_segfault.vfstest\(nt4_dc:local\)
\ No newline at end of file
diff --git a/source3/script/tests/full_audit_segfault/run.sh b/source3/script/tests/full_audit_segfault/run.sh
new file mode 100755
index 00000000000..752b27125c8
--- /dev/null
+++ b/source3/script/tests/full_audit_segfault/run.sh
@@ -0,0 +1,23 @@ +#!/bin/sh +if [ $# -lt 1 ]; then +cat <smb_fname into SMB_VFS_CREATE_FILE leading + * to an error. + * + * Feel free to expand with more options as needed + */ +static NTSTATUS cmd_create_file( + struct vfs_state *vfs, + TALLOC_CTX *mem_ctx, + int argc, + const char **argv) +{ + struct smb_filename *fname = NULL; + struct files_struct *fsp = NULL; + int info, ret; + NTSTATUS status; + + if (argc != 2) { + DBG_ERR("Usage: create_file filename\n"); + return NT_STATUS_UNSUCCESSFUL; + } + + fname = synthetic_smb_fname( + talloc_tos(), argv[1], NULL, NULL, 0, 0); + if (fname == NULL) { + return NT_STATUS_NO_MEMORY; + } + + ret = vfs_stat(vfs->conn, fname); + if (ret != 0) { + status = map_nt_error_from_unix(errno); + DBG_DEBUG("vfs_stat() failed: %s\n", strerror(errno)); + TALLOC_FREE(fname); + return status; + } + + status = openat_pathref_fsp(vfs->conn->cwd_fsp, fname); + if (!NT_STATUS_IS_OK(status)) { + DBG_DEBUG("Could not open %s: %s\n", + fname->base_name, + nt_errstr(status)); + TALLOC_FREE(fname); + return status; + } + + status = SMB_VFS_CREATE_FILE( + vfs->conn, + NULL, + + /* + * Using fname->fsp->fsp_name seems to be legal, + * there's code to handle this in + * create_file_unixpath(). And it is actually very + * worthwhile re-using the fsp_name, we can save quite + * a few copies of smb_filename with that. + */ + fname->fsp->fsp_name, + SEC_FILE_ALL, + FILE_SHARE_NONE, + FILE_OPEN, + FILE_NON_DIRECTORY_FILE, + 0, + 0, + NULL, + 0, + 0, + NULL, + NULL, + &fsp, + &info, + NULL, + NULL + ); + DBG_DEBUG("create_file returned %s\n", nt_errstr(status)); + + TALLOC_FREE(fname); + + return NT_STATUS_OK; +} struct cmd_set vfs_commands[] = { 
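Review bot: If `SMB_VFS_CREATE_FILE()` succeeds, the `fsp` it returns in `cmd_create_file()` is never closed — the function only logs `status`, frees `fname` and returns, so the open handle leaks for the rest of the vfstest session. The reproducer is written for the error path, but a successful open becomes the normal outcome once full_audit is fixed, so I would close it before freeing `fname`: `if (NT_STATUS_IS_OK(status)) { close_file(NULL, fsp, NORMAL_CLOSE); }` (using whichever close helper the sibling commands in this file already use). Returning `status` instead of an unconditional `NT_STATUS_OK` would also let the command report the failure it is meant to provoke, if that is what the test harness expects from it. The `@@` header and the opening lines of this hunk's comment block are garbled in this view, so only the visible body of the function has been reviewed.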
@@ -2237,5 +2317,10 @@ struct cmd_set vfs_commands[] = { { "test_chain", cmd_test_chain, "test chain code", "test_chain" }, { "translate_name", cmd_translate_name, "VFS translate_name()", "translate_name unix_filename" }, + { "create_file", + cmd_create_file, + "VFS create_file()", + "create_file " + }, {0} }; -- 2.34.1