Your message dated Sun, 8 May 2011 16:13:09 -0500
with message-id <20110508211308.GA24035@elie>
and subject line Re: dbus-1 does not start because of segmentation fault
has caused the Debian Bug report #226515,
regarding getgrouplist() segfaults for NIS groups; breaks sshd's AllowGroups feature in some situations
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

--
226515: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=226515
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libc6
Version: 2.3.2.ds1-10
Severity: important

There appears to be a bug in the getgrouplist() function or a function
that it calls which causes a segmentation fault under the following
circumstances (as far as I can observe):

- NIS maps must be used to find some or all of the user's group
  information.
- The user is in one or more supplementary groups from the NIS "group"
  map. (If the user has a primary group from the NIS map but no
  supplementary groups from the NIS map, the problem doesn't occur.)

I first noticed this bug when enabling sshd's AllowGroups feature caused
sshd to crash (before asking for a password) when users meeting the above
criteria connected. When I recompiled sshd (with debug symbols) from the
Debian source packages (glibc_2.3.2.ds1-10), I got output like the
following when I ran it inside gdb (stuff in [[double square brackets]]
has been removed by me):

root@[[SERVER NAME]]:/usr/src/openssh-3.6.1p2# gdb sshd
gdb: Symbol `emacs_ctlx_keymap' has different size in shared object, consider re-linking
GNU gdb 2002-04-01-cvs
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...
(gdb) run -ddd -D -f /etc/ssh/sshd_config.experiment -p 8022
Starting program: /usr/src/openssh-3.6.1p2/sshd -ddd -D -f /etc/ssh/sshd_config.experiment -p 8022
debug2: read_server_config: filename /etc/ssh/sshd_config.experiment
debug1: sshd version OpenSSH_3.6.1p2
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 8022 on 0.0.0.0.
Server listening on 0.0.0.0 port 8022.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from [[SERVER IP ADDRESS]] port 39620
debug1: Client protocol version 1.5; client software version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10
debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10 pat OpenSSH*
debug1: Local version string SSH-1.99-OpenSSH_3.6.1p2
debug2: Network child is on pid 29464
debug3: privsep user:group 102:65534
debug1: permanently_set_uid: 102/65534
debug1: Sent 768 bit server key and 1024 bit host key.
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug1: Encryption type: 3des
debug3: mm_request_send entering: type 28
debug3: mm_request_receive_expect entering: type 29
debug3: mm_request_receive entering
debug3: monitor_read: checking request 28
debug3: mm_request_send entering: type 29
debug3: mm_ssh1_session_id entering
debug3: mm_request_send entering: type 30
debug2: cipher_init: set keylen (16 -> 32)
debug2: cipher_init: set keylen (16 -> 32)
debug1: Received session key; encryption turned on.
debug2: monitor_read: 28 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 30
debug3: mm_answer_sessid entering
debug2: monitor_read: 30 used once, disabling now
debug3: mm_request_receive entering
debug1: Installing crc compensation attack detector.
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow

Program received signal SIGSEGV, Segmentation fault.
0x401dd700 in strcmp () from /lib/libc.so.6
(gdb) backtrace
#0  0x401dd700 in strcmp () from /lib/libc.so.6
#1  0x402a4a24 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#2  0x402a4c90 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#3  0x402a4f48 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#4  0x402a5084 in _nss_compat_initgroups_dyn () from /lib/libnss_compat.so.2
#5  0x4020e124 in fgetgrent () from /lib/libc.so.6
#6  0x4020e263 in getgrouplist () from /lib/libc.so.6
#7  0x0805c46a in ga_init (user=0x8099f70 "abradley", base=550) at groupaccess.c:51
#8  0x08055525 in allowed_user (pw=0x40299628) at auth.c:173
#9  0x08055da4 in getpwnamallow (user=0x809b540 "abradley") at auth.c:506
#10 0x0805fb1d in mm_answer_pwnamallow (socket=11, m=0xbffff588) at monitor.c:534
#11 0x0805f663 in monitor_read (pmonitor=0x809b768, ent=0x8091cc8, pent=0xbffff5c4) at monitor.c:388
#12 0x0805f326 in monitor_child_preauth (pmonitor=0x809b768) at monitor.c:281
#13 0x0804cb41 in privsep_preauth () at sshd.c:600
#14 0x0804ea99 in main (ac=7, av=0xbffffbd4) at sshd.c:1511
(gdb) quit
A debugging session is active.
Do you still want to close the debugger?(y or n) y
debug1: Calling cleanup 0x8072344(0x0)

Testing sshd on other machines, I found that (1) on a machine with a
similar configuration (NIS client of same NIS master, same users tested)
with an older version of libc6, 2.3.2-4, the problem did not occur and
(2) even with libc6 2.3.2.ds1-10, the problem did not occur on the NIS
master, where a user's groups could be found directly from /etc/group.
I wrote the following C program to test getgrouplist alone:

#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <stdlib.h>

/* Fixed-size group buffer. Named MAX_GROUPS so it does not collide with
 * the NGROUPS_MAX constant that <limits.h> already defines. */
#define MAX_GROUPS 32

int main(int argc, char *argv[])
{
    if (argc > 2) {
        char *username = argv[1];
        gid_t gid = atoi(argv[2]);          /* primary gid, passed explicitly */
        gid_t groups_bygid[MAX_GROUPS];
        int ngroups = MAX_GROUPS;           /* in: buffer size; out: groups found */
        int i;

        if (getgrouplist(username, gid, groups_bygid, &ngroups) == -1) {
            /* -1: more groups were found than fit in the buffer */
            printf("getgrouplist() returned -1\n");
        } else {
            printf("getgrouplist() call successful.\n");
            for (i = 0; i < ngroups; i++)
                printf("%u ", (unsigned) groups_bygid[i]);
            printf("\n");
        }
    } else {
        fprintf(stderr, "usage: %s username primary-gid\n", argv[0]);
    }
    return 0;
}

This program segfaulted and had the following stack trace on the server
on which I first observed sshd to crash:

05:21 PM abradley@[[SERVER NAME]]:~/bin/c$ gdb grplist
gdb: Symbol `emacs_ctlx_keymap' has different size in shared object, consider re-linking
GNU gdb 2002-04-01-cvs
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...
(gdb) run abradley 550
Starting program: /home/abradley/bin/c/grplist abradley 550

Program received signal SIGSEGV, Segmentation fault.
0x40099700 in strcmp () from /lib/libc.so.6
(gdb) bt
#0  0x40099700 in strcmp () from /lib/libc.so.6
#1  0x4015ca24 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#2  0x4015cc90 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#3  0x4015cf48 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#4  0x4015d084 in _nss_compat_initgroups_dyn () from /lib/libnss_compat.so.2
#5  0x400ca124 in fgetgrent () from /lib/libc.so.6
#6  0x400ca263 in getgrouplist () from /lib/libc.so.6
#7  0x080484ca in main ()
#8  0x4003ada6 in __libc_start_main () from /lib/libc.so.6
(gdb) quit

A sample session from one of our lab machines shows that my program works
with libc6 2.3.2-4 but crashes when libc6 is upgraded to 2.3.2.ds1-10:

05:16 PM root@[[MACHINE NAME]]:~$ dpkg -s libc6 | grep ^Version:
Version: 2.3.2-4
05:17 PM root@[[MACHINE NAME]]:~$ ~abradley/bin/c/grplist abradley 550
getgrouplist() call successful.
550 [[LIST OF OTHER GIDS]]
05:17 PM root@[[MACHINE NAME]]:~$ apt-get install libc6
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  libc6-dev linux-kernel-headers locales
Suggested packages:
  glibc-doc manpages-dev
The following NEW packages will be installed:
  linux-kernel-headers
3 packages upgraded, 1 newly installed, 0 to remove and 556 not upgraded.
Need to get 0B/12.6MB of archives.
After unpacking 6742kB of additional disk space will be used.
Do you want to continue? [Y/n] y
Preconfiguring packages ...
(Reading database ... 101691 files and directories currently installed.)
Preparing to replace libc6-dev 2.3.2-4 (using .../libc6-dev_2.3.2.ds1-10_i386.deb) ...
Unpacking replacement libc6-dev ...
Selecting previously deselected package linux-kernel-headers.
Unpacking linux-kernel-headers (from .../linux-kernel-headers_2.5.999-test7-bk-9_i386.deb) ...
Preparing to replace locales 2.3.2-4 (using .../locales_2.3.2.ds1-10_all.deb) ...
Unpacking replacement locales ...
Preparing to replace libc6 2.3.2-4 (using .../libc6_2.3.2.ds1-10_i386.deb) ...
Unpacking replacement libc6 ...
Setting up libc6 (2.3.2.ds1-10) ...
Current default timezone: 'Canada/Pacific'.
Local time is now:      Tue Jan  6 17:18:11 PST 2004.
Universal Time is now:  Wed Jan  7 01:18:11 UTC 2004.
Run 'tzconfig' if you wish to change it.
Setting up linux-kernel-headers (2.5.999-test7-bk-9) ...
Setting up libc6-dev (2.3.2.ds1-10) ...
Setting up locales (2.3.2.ds1-10) ...
Installing new version of config file /etc/locale.alias ...
Generating locales...
  en_US.ISO-8859-1... done
Generation complete.
05:18 PM root@[[MACHINE NAME]]:~$ ~abradley/bin/c/grplist abradley 550
Segmentation fault
05:18 PM root@[[MACHINE NAME]]:~$ gdb ~abradley/bin/c/grplist
GNU gdb 5.3-debian
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...
(gdb) run abradley 550
Starting program: /home/abradley/bin/c/grplist abradley 550

Program received signal SIGSEGV, Segmentation fault.
0x4009a700 in strcmp () from /lib/libc.so.6
(gdb) backtrace
#0  0x4009a700 in strcmp () from /lib/libc.so.6
#1  0x4015da24 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#2  0x4015dc90 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#3  0x4015df48 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#4  0x4015e084 in _nss_compat_initgroups_dyn () from /lib/libnss_compat.so.2
#5  0x400cb124 in fgetgrent () from /lib/libc.so.6
#6  0x400cb263 in getgrouplist () from /lib/libc.so.6
#7  0x080484ca in main ()
#8  0x4003bda6 in __libc_start_main () from /lib/libc.so.6
(gdb) quit

The presence of _nss_compat_getspnam_r in the trace made me suspect that
shadow password configurations might have something to do with the
problem, but I have tried my test program on various machines with shadow
passwords on and off and I haven't found any evidence that the shadow
password configuration makes a difference.

FWIW, /etc/nsswitch.conf on the server on which I first found the problem
is as follows:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
#

passwd:         compat
group:          compat
shadow:         compat

hosts:          nis files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
# end of nsswitch.conf

------------------------------------------------------------
Alex Bradley
Vancouver College IT Department
--- End Message ---
--- Begin Message ---
Version: 2.3.5-3

GOTO Masanori wrote:

> These bugs are marked as important when glibc 2.3.2.ds1 is used in
> sarge. Nowadays we have new glibc 2.3.5-3 in unstable. Could you
> test dbus-1 with new glibc? I guess this problem is already fixed.

This might have been fixed by

2003-04-23  Ulrich Drepper  <[email protected]>

	* grp/initgroups.c (getgrouplist): Don't copy too much into the
	user buffer if more groups are found than fit into it.
	* nis/nss_nis/nis-initgroups.c (_nss_nis_initgroups_dyn): Use
	extend_alloca.

or

2005-03-29  Thorsten Kukuk  <[email protected]>

	[BZ #661]
	* grp/initgroups.c (internal_getgrouplist): Check if we have
	enough space before adding the primary group to the list.

or

2003-06-27  Thorsten Kukuk  <[email protected]>

	* nis/nss_compat/compat-initgroups.c: Don't use our own NIS/NIS+
	functions, dlopen corresponding NSS module instead.

After gotom's ping, no one responded except someone reporting the same bug
with 2.3.2, and I suspect this is the sort of bug that would make people
unhappy enough to report it when they see it. Closing. Please reopen if it
happens again.
--- End Message ---
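Both the reporter's test program (fixed 32-entry buffer, prints "-1" and gives up) and the glibc ChangeLog entries cited when closing the bug turn on what getgrouplist() does when the caller's buffer is smaller than the user's group list. The following is an added example, not code from the bug report or from glibc, showing how a caller such as an AllowGroups check should size that buffer from the count getgrouplist() hands back rather than from a fixed NGROUPS_MAX; the names fetch_groups and has_gid are chosen for this example.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdlib.h>
#include <unistd.h>

/* getgrouplist() is a BSD/GNU extension; restating its prototype keeps the
 * example building under a strict -std= mode that hides it in <grp.h>. */
int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);

/* Collect every gid of USER (primary gid included), starting with room for
 * `hint` entries (0 allowed) and growing until getgrouplist() reports that
 * the whole list fit. Returns the count, or -1 on failure; on success *out
 * is a malloc'd array the caller frees. Helper name chosen for this example. */
int fetch_groups(const char *user, gid_t gid, int hint, gid_t **out)
{
    int cap = hint > 0 ? hint : 0;
    gid_t *buf = malloc(sizeof *buf * (cap + 1)); /* +1 avoids malloc(0) */
    if (buf == NULL)
        return -1;
    for (;;) {
        int n = cap;
        /* glibc copies at most `cap` entries, stores the true count in n and
         * returns -1 when the list did not fit (the 2003-04-23 fix above). */
        int rc = getgrouplist(user, gid, buf, &n);
        if (rc != -1) {
            *out = buf;
            return rc;
        }
        /* Retry only if libc asked for more room; otherwise it is a real error. */
        gid_t *grown = n > cap ? realloc(buf, sizeof *grown * n) : NULL;
        if (grown == NULL) {
            free(buf);
            return -1;
        }
        buf = grown;
        cap = n;
    }
}

/* True if gid g occurs in list[0..n): lets a caller check AllowGroups-style
 * membership against the complete list rather than a truncated one. */
int has_gid(const gid_t *list, int n, gid_t g)
{
    for (int i = 0; i < n; i++)
        if (list[i] == g)
            return 1;
    return 0;
}
```

Calling fetch_groups(user, primary_gid, 0, &list) deliberately starts with no room, so the first getgrouplist() call returns -1 with the required size and the second call fills an exactly sized buffer.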

