Bug 169813

Summary: getpwnam() randomly crashes with nscd running (invalid pointer)
Product: [Fedora] Fedora
Reporter: Piotr Gackiewicz <gacek>
Component: glibc
Assignee: Jakub Jelinek <jakub>
Status: CLOSED UPSTREAM
QA Contact: Brian Brock <bbrock>
Severity: high
Priority: medium
Version: 4
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-10-04 08:09:59 UTC
Attachments: valgrind output

Description Piotr Gackiewicz 2005-10-03 22:16:59 UTC

Description of problem:
When using nscd for caching (default configuration),
getpwnam() call randomly crashes, i.e. in perl and setquota:




Version-Release number of selected component (if applicable):
glibc-2.3.5-10.3

How reproducible:
Sometimes

Steps to Reproduce:
1. service nscd start
2. do lots of getpwnam()

Actual Results:  application crashes with "invalid pointer" error:
*** glibc detected *** /usr/bin/perl: free(): invalid pointer: 0x00002aaaab8831e0 ***


Additional info:

*** glibc detected *** /usr/bin/perl: free(): invalid pointer: 0x00002aaaab8831e0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2aaaab69571e]
/lib64/libc.so.6(__libc_free+0x6e)[0x2aaaab695c4e]
/lib64/libc.so.6[0x2aaaab72173d]
/lib64/libc.so.6[0x2aaaab721866]
/lib64/libc.so.6(getpwnam_r+0x168)[0x2aaaab6bc2a8]
/usr/lib64/perl5/5.8.6/x86_64-linux-thread-multi/CORE/libperl.so(Perl_pp_gpwent+0x3f1)[0x2aaaaaca62bd]
/usr/lib64/perl5/5.8.6/x86_64-linux-thread-multi/CORE/libperl.so(Perl_runops_debug+0x141)[0x2aaaaac453cd]
/usr/lib64/perl5/5.8.6/x86_64-linux-thread-multi/CORE/libperl.so(perl_run+0x42e)[0x2aaaaabffdbe]
/usr/bin/perl(main+0xf9)[0x401a01]
/lib64/libc.so.6(__libc_start_main+0xef)[0x2aaaab6473cf]
/usr/bin/perl[0x401879]




*** glibc detected *** /usr/sbin/setquota: free(): invalid pointer: 0x00002aaaaadf9460 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2aaaaac3071e]
/lib64/libc.so.6(__libc_free+0x6e)[0x2aaaaac30c4e]
/lib64/libc.so.6[0x2aaaaacbc73d]
/lib64/libc.so.6[0x2aaaaacbc866]
/lib64/libc.so.6(getpwnam_r+0x168)[0x2aaaaac572a8]
/lib64/libc.so.6(getpwnam+0x61)[0x2aaaaac56bf1]
/usr/sbin/setquota[0x406270]
/usr/sbin/setquota[0x40284c]
/lib64/libc.so.6(__libc_start_main+0xef)[0x2aaaaabe23cf]
/usr/sbin/setquota[0x4025e9]

Comment 1 Jakub Jelinek 2005-10-03 23:06:49 UTC
Can you please:
1) install glibc-debuginfo-2.3.5-10.3.x86_64.rpm
2) run one of the programs under valgrind to see where exactly the bug
   occurred
Thanks.

Comment 2 Piotr Gackiewicz 2005-10-03 23:22:19 UTC
Sorry, valgrind complains about "Exec format error":
[root@mail ~]# valgrind setquota
valgrind: wrong executable class (eg. 32-bit instead
valgrind: of 64-bit)
valgrind: do_exec(/usr/sbin/setquota) failed: Exec format error

[root@mail ~]# file /usr/sbin/setquota
/usr/sbin/setquota: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for
GNU/Linux 2.4.0, dynamically linked (uses shared libs), stripped

Same with perl.
Is there a 64-bit valgrind version available somewhere?

I can only reproduce and track this bug with gdb:
[root@mail ~]# gdb /usr/bin/perl
GNU gdb Red Hat Linux (6.3.0.0-1.21rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib64/libthread_db.so.1".

(gdb) run -e 'while (1) { getpwnam("gacek")}'
Starting program: /usr/bin/perl -e 'while (1) { getpwnam("gacek")}'
[Thread debugging using libthread_db enabled]
[New Thread 46912510500896 (LWP 26002)]
*** glibc detected *** /usr/bin/perl: free(): invalid pointer:
0x00002aaaae7d11e0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2aaaab69571e]
/lib64/libc.so.6(__libc_free+0x6e)[0x2aaaab695c4e]
/lib64/libc.so.6[0x2aaaab72173d]
/lib64/libc.so.6[0x2aaaab721866]
/lib64/libc.so.6(getpwnam_r+0x168)[0x2aaaab6bc2a8]
/usr/lib64/perl5/5.8.6/x86_64-linux-thread-multi/CORE/libperl.so(Perl_pp_gpwent+0x3f1)[0x2aaaaaca62bd]
/usr/lib64/perl5/5.8.6/x86_64-linux-thread-multi/CORE/libperl.so(Perl_runops_debug+0x141)[0x2aaaaac453cd]
/usr/lib64/perl5/5.8.6/x86_64-linux-thread-multi/CORE/libperl.so(perl_run+0x42e)[0x2aaaaabffdbe]
/usr/bin/perl(main+0xf9)[0x401a01]
/lib64/libc.so.6(__libc_start_main+0xef)[0x2aaaab6473cf]
/usr/bin/perl[0x401879]


Program received signal SIGABRT, Aborted.
[Switching to Thread 46912510500896 (LWP 26002)]
0x00002aaaab65a280 in *__GI_raise (sig=Variable "sig" is not available.
) at ../nptl/sysdeps/unix/sysv/linux/raise.c:67
67        int res = INLINE_SYSCALL (tgkill, 3, pid, selftid, sig);
(gdb) where
#0  0x00002aaaab65a280 in *__GI_raise (sig=Variable "sig" is not available.
) at ../nptl/sysdeps/unix/sysv/linux/raise.c:67
#1  0x00002aaaab65b750 in *__GI_abort () at ../sysdeps/generic/abort.c:88
#2  0x00002aaaab68fa7f in __libc_message (do_abort=Variable "do_abort" is not
available.
) at ../sysdeps/unix/sysv/linux/libc_fatal.c:170
#3  0x00002aaaab69571e in _int_free (av=0x2aaaab85d680, mem=Variable "mem" is
not available.
) at malloc.c:5578
#4  0x00002aaaab695c4e in *__GI___libc_free (mem=Variable "mem" is not available.
) at malloc.c:3419
#5  0x00002aaaab72173d in nscd_getpw_r (key=0x523950 "gacek", keylen=6,
type=GETPWBYNAME, resultbuf=0x2aaaae7d11e0, buffer=0x50eaf0 "gacek", 
    buflen=4096, result=0x2aaaae7d1220) at nscd_getpw_r.c:230
#6  0x00002aaaab721866 in __nscd_getpwnam_r (name=0x523950 "gacek",
resultbuf=0x2aaaae7d11e0, buffer=0x50eaf0 "gacek", buflen=4096, 
    result=0x2aaaae7d1220) at nscd_getpw_r.c:52
#7  0x00002aaaab6bc2a8 in __getpwnam_r (name=0x523950 "gacek",
resbuf=0x2aaaae7d11e0, buffer=0x50eaf0 "gacek", buflen=4096, 
    result=0x2aaaae7d1220) at ../nss/getXXbyYY_r.c:162
#8  0x00002aaaaaca62bd in Perl_pp_gpwent () from
/usr/lib64/perl5/5.8.6/x86_64-linux-thread-multi/CORE/libperl.so
#9  0x00002aaaaac453cd in Perl_runops_debug () from
/usr/lib64/perl5/5.8.6/x86_64-linux-thread-multi/CORE/libperl.so
#10 0x00002aaaaabffdbe in perl_run () from
/usr/lib64/perl5/5.8.6/x86_64-linux-thread-multi/CORE/libperl.so
#11 0x0000000000401a01 in main ()
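
Added example, not part of the original report and not glibc code: a small Python triage helper that takes the abort banner and gdb frames from the session above, rejoins the wrapped lines, and reports which frame arguments hold the pointer that free() rejected. `SAMPLE` is copied from that session; the function names are this example's own.

```python
import re

# Lines copied from the gdb session in Comment 2, wrapped as they appear there.
SAMPLE = r'''*** glibc detected *** /usr/bin/perl: free(): invalid pointer:
0x00002aaaae7d11e0 ***
#3  0x00002aaaab69571e in _int_free (av=0x2aaaab85d680, mem=Variable "mem" is
not available.
) at malloc.c:5578
#5  0x00002aaaab72173d in nscd_getpw_r (key=0x523950 "gacek", keylen=6,
type=GETPWBYNAME, resultbuf=0x2aaaae7d11e0, buffer=0x50eaf0 "gacek",
    buflen=4096, result=0x2aaaae7d1220) at nscd_getpw_r.c:230
#7  0x00002aaaab6bc2a8 in __getpwnam_r (name=0x523950 "gacek",
resbuf=0x2aaaae7d11e0, buffer=0x50eaf0 "gacek", buflen=4096,
    result=0x2aaaae7d1220) at ../nss/getXXbyYY_r.c:162
'''

ABORT_RE = re.compile(r"\*\*\* glibc detected \*\*\* (\S+): (\w+)\(\): ([^:]+): (0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(\S+) \((.*)\)(?: at (\S+))?")
PTR_ARG_RE = re.compile(r"(\w+)=(0x[0-9a-fA-F]+)")

def parse_abort(text):
    m = ABORT_RE.search(" ".join(text.split()))  # undo line wrapping, then match the banner
    if m is None:
        return None
    prog, call, reason, ptr = m.groups()
    return {"program": prog, "call": call, "reason": reason, "pointer": int(ptr, 16)}

def parse_frames(text):
    """Rejoin wrapped gdb frames; keep only arguments that hold a pointer value."""
    chunks = []
    for line in text.splitlines():
        if re.match(r"#\d+\s", line):
            chunks.append(line.strip())
        elif chunks and line.strip():
            chunks[-1] += " " + line.strip()
    frames = []
    for m in filter(None, map(FRAME_RE.match, chunks)):
        num, func, args, loc = m.groups()
        ptrs = {k: int(v, 16) for k, v in PTR_ARG_RE.findall(args)}
        frames.append({"num": int(num), "func": func, "loc": loc, "ptr_args": ptrs})
    return frames

def args_holding_freed_pointer(text):
    """List (frame, function, argument) whose value equals the pointer free() rejected."""
    ptr = (parse_abort(text) or {}).get("pointer")
    return [(f["num"], f["func"], name) for f in parse_frames(text)
            for name, val in f["ptr_args"].items() if val == ptr]

if __name__ == "__main__":
    print(parse_abort(SAMPLE), args_holding_freed_pointer(SAMPLE))
```

On this session the address in the abort banner matches `resultbuf` in `nscd_getpw_r` (frame 5) and `resbuf` in `__getpwnam_r` (frame 7), so the value free() rejected is the one passed down as the result-buffer argument.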


Comment 3 Jakub Jelinek 2005-10-04 07:11:51 UTC
Valgrind supporting x86-64 is in rawhide.  Just rpmbuild --rebuild the src.rpm
on FC4, so that you can use it there as well.

Comment 4 Piotr Gackiewicz 2005-10-04 07:42:47 UTC
Created attachment 119578
valgrind output

This is valgrind output

Comment 5 Piotr Gackiewicz 2005-10-04 07:45:15 UTC
I have included the requested valgrind output as an attachment in this bug report.


Comment 6 Jakub Jelinek 2005-10-04 08:09:59 UTC
This is upstream BZ#1363, already fixed on the trunk.
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/ChangeLog.diff?cvsroot=glibc&r1=1.9536&r2=1.9537
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/nscd/nscd_getpw_r.c.diff?cvsroot=glibc&r1=1.30&r2=1.31
It will be included in the next FC4 glibc update, whenever it happens.