Bug 709267

Summary: ssh client segfaults when nscd is running
Product: [Fedora] Fedora
Component: glibc
Version: 15
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Petr Pisar <ppisar>
Assignee: Andreas Schwab <schwab>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: fweimer, jakub, schwab, trnsz
Hardware: Unspecified   
OS: Unspecified   
Fixed In Version: glibc-2.14-2
Doc Type: Bug Fix
Last Closed: 2011-06-07 04:26:13 UTC

Description Petr Pisar 2011-05-31 08:49:00 UTC
nscd-2.13.90-14.x86_64
setup-2.8.31-2.fc15.noarch (/etc/services)

Running "getent services ssh tcp" with the nscd daemon started causes a segfault in nscd during free(aliases_len):

#0  0x00007ffff7a71265 in raise (sig=6)
    at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007ffff7a72b7b in abort () at abort.c:93
#2  0x00007ffff7aad35e in __libc_message (do_abort=2, 
    fmt=0x7ffff7b9a790 "*** glibc detected *** %s: %s: 0x%s ***\n")
    at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3  0x00007ffff7ab399a in malloc_printerr (action=3, 
    str=0x7ffff7b9a7c0 "munmap_chunk(): invalid pointer", ptr=<optimized out>)
    at malloc.c:6283

#4  0x00007ffff7b545ef in nscd_getserv_r (crit=0x0, critlen=0, 
    proto=<optimized out>, type=GETSERVBYNAME, resultbuf=0x7ffff7dd92c0, 
    buf=0x608000 "", buflen=1024, result=0x7fffffffe1d0)
    at nscd_getserv_r.c:375
        gc_cycle = 640
        nretries = 0
        alloca_used = 32
        mapped = <optimized out>
        protolen = <optimized out>
        keylen = 5
        alloca_key = 1
        key = 0x7fffffffdfd0 "ssh/"
        s_name = <optimized out>
        s_proto = <optimized out>
        alloca_aliases_len = <optimized out>
        aliases_len = 0x7ffff7fa7608
        aliases_list = <optimized out>
        retval = 0
        recend = <optimized out>
        sock = <optimized out>
        serv_resp = {version = 2, found = 1, s_name_len = 4, s_proto_len = 4, 
          s_aliases_cnt = 0, s_port = 5632}
#5  0x00007ffff7b5495b in __nscd_getservbyname_r (name=0x7fffffffe692 "ssh", 
    proto=0x0, result_buf=0x7ffff7dd92c0, buf=0x608000 "", buflen=1024, 
    result=0x7fffffffe1d0) at nscd_getserv_r.c:43
No locals.
#6  0x00007ffff7b37f96 in __getservbyname_r (name=0x7fffffffe692 "ssh", 
    proto=0x0, resbuf=0x7ffff7dd92c0, buffer=0x608000 "", buflen=1024, 
    result=0x7fffffffe1d0) at ../nss/getXXbyYY_r.c:194
        startp_initialized = false
        startp = 0x0
        start_fct = 0
        nip = <optimized out>
        fct = {l = 0, ptr = 0x0}
        no_more = <optimized out>
        status = NSS_STATUS_UNAVAIL
        nscd_status = <optimized out>
        res = <optimized out>
#7  0x00007ffff7b37cff in getservbyname (name=0x7fffffffe692 "ssh", proto=0x0)
    at ../nss/getXXbyYY.c:117
        buffer_size = 1024
        resbuf = {s_name = 0x608008 "ssh", s_aliases = 0x608000, 
          s_port = 5632, s_proto = 0x60800c "tcp"}
        result = <optimized out>
#8  0x00000000004027f4 in services_keys (number=2, key=0x7fffffffe3a8)
    at getent.c:748
        serv = <optimized out>
        proto = 0x0
        result = <optimized out>
        i = <optimized out>
        serv = <optimized out>
#9  0x0000000000402293 in main (argc=<optimized out>, argv=0x7fffffffe398)
    at getent.c:960
        i = <optimized out>
        remaining = 1

(gdb) frame 4
#4  0x00007ffff7b545ef in nscd_getserv_r (crit=0x0, critlen=0, 
    proto=<optimized out>, type=GETSERVBYNAME, resultbuf=0x7ffff7dd92c0, 
    buf=0x608000 "", buflen=1024, result=0x7fffffffe1d0)
    at nscd_getserv_r.c:375
375         free ((void *) aliases_len);

This affects, e.g., the ssh client while resolving the TCP/ssh service.

Comment 1 Petr Pisar 2011-05-31 08:50:52 UTC
The segfault is not in nscd. The segfault is in the getent process.

Comment 2 Andreas Schwab 2011-05-31 11:36:20 UTC
*** Bug 708896 has been marked as a duplicate of this bug. ***

Comment 3 Fedora Update System 2011-05-31 13:54:28 UTC
glibc-2.14-1 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/glibc-2.14-1

Comment 4 Fedora Update System 2011-06-02 19:09:10 UTC
Package glibc-2.14-1:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing glibc-2.14-1'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/glibc-2.14-1
then log in and leave karma (feedback).

Comment 5 Fedora Update System 2011-06-04 02:56:02 UTC
Package glibc-2.14-2:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing glibc-2.14-2'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/glibc-2.14-2
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2011-06-07 04:25:24 UTC
glibc-2.14-2 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.