Bug 114575 - su segfaults with an invalid pointer error
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: nss_ldap
Version: 3.0
Hardware: i386 Linux
Priority: medium, Severity: high
Assigned To: Nalin Dahyabhai
Jay Turner
Duplicates: 116282
Reported: 2004-01-29 13:27 EST by Brian Baggett
Modified: 2015-01-07 19:07 EST
Doc Type: Bug Fix
Last Closed: 2007-10-19 15:30:45 EDT
Attachments:
Output of strace -f (8.92 KB, text/plain), 2004-02-07 12:18 EST, Brian Baggett
/etc/pam.d/system-auth (1011 bytes, text/plain), 2004-02-18 09:02 EST, Brian Baggett

Description Brian Baggett 2004-01-29 13:27:01 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6)
Gecko/20040113

Description of problem:
Trying to su under RHEL 3 ES with an 'everything' install causes a
segfault.

[brianb@qlc6 brianb]$ su -
Password: 
free(): invalid pointer 0x8055708!
Segmentation fault

Will attach a strace -f on it momentarily and optionally a gdb
backtrace if need be.

Logging in as root works, as does doing a 'sudo su -' if you have sudo
set up for the user in question.

Version-Release number of selected component (if applicable):
coreutils-4.5.3-26

How reproducible:
Always

Steps to Reproduce:
1. Login as a non-privileged user
2. Type 'su -' and enter the proper root password.
3. The program will segfault.
    

Actual Results:  Segfault

Expected Results:  A root shell should be returned

Additional info:
Comment 1 Brian Baggett 2004-01-29 13:31:16 EST
Okay, this is weird.  My password that is thirteen characters in
length and has a mixture of numbers and letters causes a segfault. 
Setting the root password to a four character password with no numbers
doesn't segfault.
Comment 2 Brian Baggett 2004-01-29 13:37:26 EST
If I make the root password the same as my current 13 character
password but only up to the 11th character, it works.  If I use 12 or
13 of the 13 characters, the segfault happens.
Comment 3 Tim Waugh 2004-01-30 04:55:20 EST
Is there a password you can tell me which causes the segfault?  Then I
can try it here.  Also, did you look at the strace -f output?

Other things to try:

* export MALLOC_CHECK_=1 first to get libc to diagnose malloc misuse
* try attaching gdb to get a backtrace
Comment 4 Brian Baggett 2004-02-07 12:18:29 EST
Created attachment 97526
Output of strace -f

This is the output of a 'strace -f su -'.  The password I tried was
123456789abcd which is 13 characters.  If I use that password on the console,
it works.  If I try to su it tells me incorrect password in the strace (but
segfaults otherwise) and says incorrect password in the gdb, which I'm about to
include as well.
Comment 5 Brian Baggett 2004-02-07 12:19:42 EST
[brianb@qlc6 brianb]$ gdb su
GNU gdb Red Hat Linux (6.0post-0.20031117.6rh)
[GNU copyright stuff omitted]
This GDB was configured as "i386-redhat-linux-gnu"...Using host
libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run -
Starting program: /bin/su -
Password: 
Detaching after fork from child process 30431.
/bin/su: incorrect password

Program exited with code 01.
Comment 6 Tim Waugh 2004-02-18 08:26:37 EST
Could you please attach /etc/pam.d/system-auth?

Also, please try 'export MALLOC_CHECK_=1' before running the command.
Comment 7 Brian Baggett 2004-02-18 09:02:26 EST
Created attachment 97787
/etc/pam.d/system-auth

The /etc/pam.d/system-auth file, per your request.
Comment 8 Brian Baggett 2004-02-18 09:03:58 EST
[brianb@qlc6 brianb]$ export MALLOC_CHECK_=1
[brianb@qlc6 brianb]$ su -
Password: 
Segmentation fault

Should I do the MALLOC_CHECK in conjunction with the gdb backtrace or
the strace?
Comment 9 Tim Waugh 2004-02-18 09:14:12 EST
Hmm, I was hoping for a useful diagnostic from the malloc function. 
Never mind.

I suspect this is to do with pam_ldap.  Could you try disabling LDAP
authentication support by commenting out (with a '#' at the beginning
of each line) the lines in /etc/pam.d/system-auth that contain
'pam_ldap', and see if the problem still happens?
Comment 10 Tim Waugh 2004-02-18 09:14:46 EST
(Actually an easier way would be to run authconfig-gtk.)
Comment 11 Brian Baggett 2004-02-18 09:21:40 EST
Since I use LDAP for all my accounts, I had to create a local account
before running authconfig to disable LDAP.  Sure enough, once this
happened the 13 character password works.  So where do we go from here?
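
Added example, not part of the original bug thread: a dry run of the step suggested in comment 9 (commenting out the pam_ldap lines), with a check that a local pam_unix login path remains, which is the concern raised in comment 11. The sample system-auth content is constructed, since the attachment is not reproduced on this page, and all function names are hypothetical.

```sh
#!/bin/sh
# Constructed sample resembling an LDAP-enabled system-auth (assumption:
# the attachment from this bug is not reproduced on the page).
write_sample() {
cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     sufficient    /lib/security/$ISA/pam_ldap.so
#session    optional      /lib/security/$ISA/pam_ldap.so
EOF
}

# Active (not already commented) lines that load pam_ldap, as "lineno:text".
active_pam_ldap() {
    grep -n 'pam_ldap' "$1" | grep -v '^[0-9]*:[[:space:]]*#'
}

# Print FILE with every active pam_ldap line commented out; FILE is untouched.
disable_pam_ldap() {
    sed -e '/^[[:space:]]*#/!s/^.*pam_ldap.*$/#&/' "$1"
}

# Module names still active in one stack type (auth, account, ...) of FILE.
stack_modules() {
    awk -v t="$2" '$1 == t {
        for (i = 3; i <= NF; i++)
            if ($i ~ "pam_.*[.]so$") { n = split($i, p, "/"); print p[n]; break }
    }' "$1"
}

# Succeeds only if local (pam_unix) authentication survives the change.
local_auth_remains() {
    tmp=$(mktemp) || return 2
    disable_pam_ldap "$1" > "$tmp"
    stack_modules "$tmp" auth | grep -qx 'pam_unix.so'; rc=$?
    rm -f "$tmp"
    return $rc
}

# Dry run against the sample: show what would change, then the safety check.
f=$(mktemp); write_sample "$f"
disable_pam_ldap "$f" | diff "$f" - || true
local_auth_remains "$f" && echo "pam_unix still in auth stack"
rm -f "$f"
```

Pointing the functions at a copy of the real /etc/pam.d/system-auth gives the same diff and check without modifying the live file.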
Comment 12 Tim Waugh 2004-02-18 09:23:07 EST
To the openldap maintainer..
Comment 13 Brian Baggett 2004-02-18 09:31:23 EST
But isn't pam_ldap a part of nss_ldap and not openldap?
Comment 14 Levente Farkas 2004-06-07 12:27:40 EDT
the nss_ldap package is broken in almost all redhat and fedora distro
even in rhel 3.
- first update to the latest nss_ldap and pam_ldap.
- then change the db version in the spec file to the one used in the
given distro (eg: for rhel 3 use %define db_version 4.1.25)
- of course you need this db version and its patches.
- compile openldap with the latest 2.1.x with the same db version
- recompile postfix with cyrus sasl2 even John Dennis said:
  ------------------------------------
  revert to sasl v1, turn off ipv6 support
  for RHEL3, we'll branch and set set sasl to v1 and turn off ipv6
  ------------------------------------
  this is false! rhel 3 uses sasl 2; what's more, postfix crashes if you try
to use it with ldap!
the whole nss_ldap, openldap, postfix and sasl was a nightmare for us
to put together (just check the segmentation crash in the bugzilla).
Comment 15 Matthew Davis 2005-02-14 09:59:48 EST
*** Bug 116282 has been marked as a duplicate of this bug. ***
Comment 18 RHEL Product and Program Management 2007-10-19 15:30:45 EDT
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.
