Bug 1144480 - Crash in sssd_be be_nsupdate_create_ptr_msg()
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: sssd
Version: 21
Hardware: Unspecified
OS: Unspecified
Assignee: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
Blocks: 1144561
 
Reported: 2014-09-19 13:55 UTC by Stef Walter
Modified: 2014-12-18 10:47 UTC (History)

Fixed In Version: sssd-1.12.1-2.fc21.x86_64
Doc Type: Bug Fix
Last Closed: 2014-12-18 10:47:32 UTC
Type: Bug

Description Stef Walter 2014-09-19 13:55:25 UTC
Description of problem:

[stef@stef test]$ sudo systemd-coredumpctl gdb sssd_be
           PID: 8710 (sssd_be)
           UID: 0 (root)
           GID: 0 (root)
        Signal: 11 (SEGV)
     Timestamp: Fr 2014-09-19 15:49:34 CEST (4min 58s ago)
  Command Line: /usr/libexec/sssd/sssd_be --domain ad.baseos.qe --debug-to-files
    Executable: /usr/libexec/sssd/sssd_be
 Control Group: /system.slice/sssd.service
          Unit: sssd.service
         Slice: system.slice
       Boot ID: b053136ee4c14238a140086f0168fc1c
    Machine ID: 69d27b356a94476da859461d3a3bc6fd
      Hostname: stef.ad.baseos.qe
      Coredump: /var/lib/systemd/coredump/core.sssd_be.0.b053136ee4c14238a140086f0168fc1c.8710.1411134574000000.xz
       Message: Process 8710 (sssd_be) of user 0 dumped core.
                
                Stack trace of thread 8710:
                #0  0x00007f3ea4240c69 be_nsupdate_create_ptr_msg (sssd_be)
                #1  0x00007f3e951ce5db sdap_dyndns_update_ptr_step (libsss_ldap_common.so)
                #2  0x00007f3e951ce7c8 sdap_dyndns_update_done (libsss_ldap_common.so)
                #3  0x00007f3ea423fedc be_nsupdate_done (sssd_be)
                #4  0x00007f3ea007f6a8 child_invoke_callback (libsss_child.so)
                #5  0x00007f3ea378c824 tevent_common_loop_immediate (libtevent.so.0)
                #6  0x00007f3ea379106e epoll_event_loop_once (libtevent.so.0)
                #7  0x00007f3ea378f787 std_event_loop_once (libtevent.so.0)
                #8  0x00007f3ea378bfed _tevent_loop_once (libtevent.so.0)
                #9  0x00007f3ea378c18b tevent_common_loop_wait (libtevent.so.0)
                #10 0x00007f3ea378f727 std_event_loop_wait (libtevent.so.0)
                #11 0x00007f3ea39c7913 server_loop (libsss_util.so)
                #12 0x00007f3ea4236613 main (sssd_be)
                #13 0x00007f3e9fad30e0 __libc_start_main (libc.so.6)
                #14 0x00007f3ea42366ca _start (sssd_be)

GNU gdb (GDB) Fedora 7.8-20.fc21
Copyright (C) 2014 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/libexec/sssd/sssd_be...Reading symbols from /usr/lib/debug/usr/libexec/sssd/sssd_be.debug...done.
done.
[New LWP 8710]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/libexec/sssd/sssd_be --domain ad.baseos.qe --debug-to-files'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f3ea4240c69 in nsupdate_msg_add_ptr (old_addresses=0x7f3ea53f17b0, remove_af=<optimized out>, ttl=3600, 
    hostname=0x7f3ea53ca860 "stef.ad.baseos.qe", addresses=0x7f3ea53f02c0, 
    update_msg=0x7f3ea53f35b0 "realm AD.BASEOS.QE\nupdate delete 7.f.5.e.2.2.e.f.f.f.1.d.9.1.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.f.ip6.arpa. in PTR\nsend\n") at src/providers/dp_dyndns.c:309
309	        switch(old_record->addr->ss_family) {
(gdb) bt
#0  0x00007f3ea4240c69 in nsupdate_msg_add_ptr (old_addresses=0x7f3ea53f17b0, remove_af=<optimized out>, ttl=3600, 
    hostname=0x7f3ea53ca860 "stef.ad.baseos.qe", addresses=0x7f3ea53f02c0, 
    update_msg=0x7f3ea53f35b0 "realm AD.BASEOS.QE\nupdate delete 7.f.5.e.2.2.e.f.f.f.1.d.9.1.2.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.f.ip6.arpa. in PTR\nsend\n") at src/providers/dp_dyndns.c:309
#1  be_nsupdate_create_ptr_msg (mem_ctx=mem_ctx@entry=0x7f3ea53eefa0, realm=<optimized out>, servername=<optimized out>, 
    hostname=0x7f3ea53ca860 "stef.ad.baseos.qe", ttl=3600, remove_af=<optimized out>, addresses=0x7f3ea53f02c0, old_addresses=0x7f3ea53f17b0, 
    _update_msg=0x7f3ea53ef000) at src/providers/dp_dyndns.c:507
#2  0x00007f3e951ce5db in sdap_dyndns_update_ptr_step (req=req@entry=0x7f3ea53eee10) at src/providers/ldap/sdap_dyndns.c:403
#3  0x00007f3e951ce7c8 in sdap_dyndns_update_done (subreq=0x0) at src/providers/ldap/sdap_dyndns.c:379
#4  0x00007f3ea423fedc in be_nsupdate_done (subreq=0x7f3ea53f7ce0) at src/providers/dp_dyndns.c:1057
#5  0x00007f3ea007f6a8 in child_invoke_callback (ev=<optimized out>, imm=<optimized out>, pvt=<optimized out>) at src/util/child_common.c:616
#6  0x00007f3ea378c824 in tevent_common_loop_immediate (ev=ev@entry=0x7f3ea5384670) at ../tevent_immediate.c:135
#7  0x00007f3ea379106e in epoll_event_loop_once (ev=0x7f3ea5384670, location=<optimized out>) at ../tevent_epoll.c:907
#8  0x00007f3ea378f787 in std_event_loop_once (ev=0x7f3ea5384670, location=0x7f3ea39dab18 "src/util/server.c:587") at ../tevent_standard.c:114
#9  0x00007f3ea378bfed in _tevent_loop_once (ev=ev@entry=0x7f3ea5384670, location=location@entry=0x7f3ea39dab18 "src/util/server.c:587")
    at ../tevent.c:530
#10 0x00007f3ea378c18b in tevent_common_loop_wait (ev=0x7f3ea5384670, location=0x7f3ea39dab18 "src/util/server.c:587") at ../tevent.c:634
#11 0x00007f3ea378f727 in std_event_loop_wait (ev=0x7f3ea5384670, location=0x7f3ea39dab18 "src/util/server.c:587") at ../tevent_standard.c:140
#12 0x00007f3ea39c7913 in server_loop (main_ctx=0x7f3ea5385a40) at src/util/server.c:587
#13 0x00007f3ea4236613 in main (argc=4, argv=<optimized out>) at src/providers/data_provider_be.c:2821
(gdb) p old_record
$1 = (struct sss_iface_addr *) 0x7f3ea53ee710
(gdb) p old_record->addr
$2 = (struct sockaddr_storage *) 0x80

Version-Release number of selected component (if applicable):

sssd-common-1.12.0-7.fc21.x86_64

How reproducible:

Right now it's easily reproducible, but only on one machine.

Steps to Reproduce:
1. realm join --user Bender-admin ad.baseos.qe
2. getent passwd Bender.QE

Actual results:

Crash and no output from getent.

Expected results:

Proper output from getent.

Comment 1 Stef Walter 2014-09-19 13:55:42 UTC
[stef@stef test]$ sudo cat /etc/sssd/sssd.conf
[sssd]
domains = ad.baseos.qe
config_file_version = 2
services = nss, pam
debug_level = 0x00F0

[nss]
default_shell = /bin/bash
[ssh]
[sudo]


[domain/ad.baseos.qe]
ad_domain = ad.baseos.qe
krb5_realm = AD.BASEOS.QE
realmd_tags = manages-system joined-with-samba 
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/sh
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u
access_provider = ad

Comment 2 Stef Walter 2014-09-19 13:58:46 UTC
Workaround: dyndns_update = false

Comment 3 Jakub Hrozek 2014-09-19 13:59:29 UTC
Can you upgrade to 1.12.1 (should be in updates-testing)? IIRC Lukas fixed some kind of use-after-free in the dyndns code recently...

Comment 4 Lukas Slebodnik 2014-09-19 18:52:32 UTC
Yes, it is already fixed in a newer version.

Please retest with sssd-1.12.1-2.fc21 and add karma
https://admin.fedoraproject.org/updates/FEDORA-2014-10547/sssd-1.12.1-2.fc21

LS