Bug 125510

Summary: useradd segfaults if too many users in one group
Product: Red Hat Enterprise Linux 3
Reporter: Florian Brand <florian.brand>
Component: shadow-utils
Assignee: Peter Vrabec <pvrabec>
Status: CLOSED ERRATA
Severity: high
Priority: medium
Version: 3.0
CC: jn, netllama, rainer.traut
Hardware: All
OS: Linux
Fixed In Version: RHBA-2006-0035
Doc Type: Bug Fix
Last Closed: 2006-03-07 18:28:45 UTC
Bug Blocks: 168429    
Attachments:
change static limit on group count to dynamic (flags: none)

Description Florian Brand 2004-06-08 12:12:19 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031114

Description of problem:


Version-Release number of selected component (if applicable):
shadow-utils-4.0.3-7

How reproducible:
Always

Steps to Reproduce:
groupadd test
for i in `seq 1 10000` ; do 
   adduser -G test u$i
done
    

Actual Results:  Segmentation fault after user u2527 has been added.
Further attempts of useradd also lead to a segfault.
Deleting the big group in group and gshadow manually helps.

Expected Results:  no segfault or at least an error message

Additional info:

#strace useradd foo
unlink("/etc/gshadow.23338")            = 0
open("/etc/gshadow", O_RDWR)            = 8
fstat64(8, {st_mode=S_IFREG|0400, st_size=37347, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xb7275000
read(8, "root:::root\nbin:::root,bin,daemo"..., 4096) = 4096
read(8, "31,k1632,k1633,k1634,k1635,k1636"..., 4096) = 4096
read(8, "331,k332,k333,k334,k335,k336,k33"..., 4096) = 4096
read(8, "125,k1126,k1127,k1128,k1129,k113"..., 4096) = 4096
read(8, "k1808,k1809,k1810,k1811,k1812,k1"..., 4096) = 4096
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

Comment 1 John Newbigin 2004-09-27 01:18:29 UTC
I am seeing this under AS2.1 as well.

open("/etc/gshadow", O_RDWR|O_LARGEFILE) = 8
fstat64(8, {st_mode=S_IFREG|0400, st_size=54615, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x401c1000
read(8, "root:::root\nbin:::root,bin,daemo"..., 4096) = 4096
read(8, "s403701,s403702,s403703,s403705,"..., 4096) = 4096
brk(0x81fb000)                          = 0x81fb000
read(8, "s526512,s526513,s526516,s838584,"..., 4096) = 4096
read(8, "s126230,s126234,s126238,s126276,"..., 4096) = 4096
brk(0x8200000)                          = 0x8200000
read(8, "s236805,s236826,s236851,s236874,"..., 4096) = 4096
read(8, "s403688,s403690,s403692,s403693,"..., 4096) = 4096
read(8, "s526426,s526434,s526445,s526446,"..., 4096) = 4096
brk(0x8207000)                          = 0x8207000
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

# grep room_sb102 /etc/gshadow | wc
      1       1   24672

There are 3081 users in the group, most with 7 character user names.


Comment 2 John Newbigin 2004-09-27 02:54:16 UTC
I found the problem, in both shadow-utils-20000902-16 (RHEL21AS) and
shadow-utils-4.0.3-20.05 (RHEL3)

/lib/gshadow.c line 51
#define       MAXMEM  1024

sgetgrent.c contains the following:
 * FINALLY added dynamic allocation.  Still need to fix sgetsgent().
 *  --marekm



Comment 3 Lonni J Friedman 2004-11-11 14:56:31 UTC
What are the chances of this getting fixed any time soon?  I'm seeing
*A LOT* of pain from this bug right now on RHEL-3.0

Comment 4 John Newbigin 2004-11-11 22:14:59 UTC
I have a RHEL3 compatible version with an increased static limit here:
http://bender.it.swin.edu.au/centos-3/testing/

That should get you out of trouble if you are seeing crashes.

I am kind of glad I am not paying $$$ to RH anymore.

My RPM contains the following patch:
--- lib/gshadow.c.orig  Mon Sep 27 12:47:35 2004
+++ lib/gshadow.c       Mon Sep 27 12:48:00 2004
@@ -48,7 +48,7 @@
 static int     dbmerror;
 #endif

-#define        MAXMEM  1024
+#define        MAXMEM  4096

 static FILE    *shadow;
 static char    sgrbuf[BUFSIZ*4];
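
Review bot: The `#define MAXMEM 4096` line still leaves a compile-time cap on the member count, so a group that grows past 4096 members would hit the same limit again; the neighbouring `static char sgrbuf[BUFSIZ*4];` is likewise a fixed-size buffer that this change does not touch. Suggest either allocating the member array dynamically, as the sgetgrent.c comment quoted in comment 2 says was done there, or checking the count against MAXMEM where the array is filled and returning an error. A comment on the define stating what it bounds would also help.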

Comment 8 John Newbigin 2005-02-25 05:26:47 UTC
For anyone who needs it:
http://bender.it.swin.edu.au/centos-3/testing/shadow-utils-4.0.3-22.02.c3.1.i386.rpm

RedHat: Please fix this bug......

Comment 9 Peter Vrabec 2005-02-25 15:49:27 UTC
Created attachment 111425 [details]
change static limit on group count to dynamic

Patch made by Adrian Havill <havill> and
fixed (#148994) by Mogens Kjaer (mk)
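
The difference between a static member limit and a dynamic one, as an added example: this is not the shadow-utils source and not the attached patch. The function names, the starting capacity of 16 and the constructed `u1,u2,...` input are assumptions made for illustration; only `MAXMEM 1024` and the 3081-member count come from the comments above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAXMEM 1024 /* the fixed cap quoted in comment 2 */
/* Fixed cap (hypothetical helper): rejects oversized lists, returns count or -1. */
int split_members_bounded(char *list, char *out[MAXMEM + 1]) {
    int n = 0;
    for (char *tok = strtok(list, ","); tok; tok = strtok(NULL, ",")) {
        if (n >= MAXMEM) return -1; /* report an error, never overflow */
        out[n++] = tok;
    }
    out[n] = NULL;
    return n;
}

/* Dynamic (hypothetical helper): doubles the array on demand; caller frees. */
char **split_members_dynamic(char *list, size_t *count) {
    size_t cap = 16, n = 0;
    char **out = malloc(cap * sizeof *out);
    if (!out) return NULL;
    for (char *tok = strtok(list, ","); tok; tok = strtok(NULL, ",")) {
        if (n + 1 >= cap) { /* keep one slot for the NULL terminator */
            char **tmp = realloc(out, (cap *= 2) * sizeof *out);
            if (!tmp) { free(out); return NULL; }
            out = tmp;
        }
        out[n++] = tok;
    }
    out[n] = NULL;
    *count = n;
    return out;
}

/* Constructed sample input "u1,u2,...,uN"; caller frees. */
char *make_list(int n) {
    char *buf = calloc((size_t)n * 12 + 1, 1), *p = buf;
    if (!buf) return NULL;
    for (int i = 1; i <= n; i++)
        p += sprintf(p, i < n ? "u%d," : "u%d", i);
    return buf;
}

int main(void) {
    char *list = make_list(3081); /* member count reported in comment 1 */
    size_t n = 0;
    char **m = list ? split_members_dynamic(list, &n) : NULL;
    printf("dynamic split: %zu members\n", n);
    free(m); free(list);
    return 0;
}
```

Both helpers modify the input string in place, and `strtok` skips empty fields.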

Comment 10 Mike Frysinger 2005-07-01 03:37:27 UTC
This issue has been filed as Bug 86490 already ...

Comment 15 Peter Vrabec 2006-01-23 11:41:41 UTC
*** Bug 178404 has been marked as a duplicate of this bug. ***

Comment 16 Red Hat Bugzilla 2006-03-07 18:28:45 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0035.html