Red Hat Bugzilla – Bug 114575
su segfaults with an invalid pointer error
Last modified: 2015-01-07 19:07:11 EST
Description of problem:
Trying to su under RHEL 3 ES with an 'everything' install causes a
[brianb@qlc6 brianb]$ su -
free(): invalid pointer 0x8055708!
Will attach a strace -f on it momentarily and optionally a gdb
backtrace if need be.
Logging in as root works, as does doing a 'sudo su -' if you have sudo
set up for the user in question.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Login as a non-privileged user
2. Type 'su -' and enter the proper root password.
3. The program will segfault.
Actual Results: Segfault
Expected Results: A root shell should be returned
Okay, this is weird. My password that is thirteen characters in
length and has a mixture of numbers and letters causes a segfault.
Setting the root password to a four character password with no numbers
If I make the root password the same as my current 13 character
password but only up to the 11th character, it works. If I use 12 or
13 of the 13 characters, the segfault happens.
Is there a password you can tell me which causes the segfault? Then I
can try it here. Also, did you look at the strace -f output?
Other things to try:
* export MALLOC_CHECK_=1 first to get libc to diagnose malloc misuse
* try attaching gdb to get a backtrace
Created attachment 97526
Output of strace -f
This is the output of a 'strace -f su -'. The password I tried was
123456789abcd which is 13 characters. If I use that password on the console,
it works. If I try to su it tells me incorrect password in the strace (but
segfaults otherwise) and says incorrect password in the gdb, which I'm about to
include as well.
[brianb@qlc6 brianb]$ gdb su
GNU gdb Red Hat Linux (6.0post-0.20031117.6rh)
[GNU copyright stuff omitted]
This GDB was configured as "i386-redhat-linux-gnu"...Using host
libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) run -
Starting program: /bin/su -
Detaching after fork from child process 30431.
/bin/su: incorrect password
Program exited with code 01.
Could you please attach /etc/pam.d/system-auth?
Also, please try 'export MALLOC_CHECK_=1' before running the command.
Created attachment 97787
The /etc/pam.d/system-auth file, per your request.
[brianb@qlc6 brianb]$ export MALLOC_CHECK_=1
[brianb@qlc6 brianb]$ su -
Should I do the MALLOC_CHECK in conjunction with the gdb backtrace or
Hmm, I was hoping for a useful diagnostic from the malloc function.
I suspect this is to do with pam_ldap. Could you try disabling LDAP
authentication support by commenting out (with a '#' at the beginning
of each line) the lines in /etc/pam.d/system-auth that contain
'pam_ldap', and see if the problem still happens?
(Actually an easier way would be to run authconfig-gtk.)
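The diagnostic step suggested in the comment above (commenting out the 'pam_ldap' lines in /etc/pam.d/system-auth), as an added shell example that is not part of the original bug report. The function names and the sample stack are constructed for illustration, and the demo runs against a temporary copy rather than the live file.

```shell
#!/bin/sh
# Added example (not from the bug report): disable one module in a PAM stack.

# disable_pam_module FILE MODULE
# Comments out every active line that loads MODULE, keeps FILE.bak for
# rollback, and prints how many lines were disabled (0 = nothing changed).
disable_pam_module() {
    file=$1
    module=$2
    # Count only lines that are not already commented out.
    count=$(grep -v '^[[:space:]]*#' "$file" | grep -c "${module}\.so" || true)
    if [ "$count" -eq 0 ]; then
        echo 0
        return 0
    fi
    cp -p "$file" "$file.bak"
    # Skip lines that are already comments, prefix '#' on the rest that match.
    sed "/^[[:space:]]*#/!{/${module}\.so/s/^/#/;}" "$file.bak" > "$file"
    echo "$count"
}

# Constructed sample stack, loosely modelled on an LDAP-enabled system-auth.
write_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
#account    sufficient    /lib/security/$ISA/pam_ldap.so
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
session     optional      /lib/security/$ISA/pam_ldap.so
EOF
}

# Demo on a throwaway copy: report the count, then show the resulting lines.
demo_dir=$(mktemp -d)
write_sample "$demo_dir/system-auth"
echo "disabled: $(disable_pam_module "$demo_dir/system-auth" pam_ldap)"
grep -n 'pam_ldap' "$demo_dir/system-auth"
rm -rf "$demo_dir"
```

When editing the real file, keep an existing root session open until a fresh login has been tested, since system-auth is included by most other PAM services.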
Since I use LDAP for all my accounts, I had to create a local account
before running authconfig to disable LDAP. Sure enough, once this
happened the 13 character password works. So where do we go from here?
To the openldap maintainer..
But isn't pam_ldap a part of nss_ldap and not openldap?
the nss_ldap package is broken in almost all redhat and fedora distros,
even in rhel 3.
- first update to the latest nss_ldap and pam_ldap.
- then change the db version in the spec file to the one used in the
given distro (eg: for rhel 3 use %define db_version 4.1.25)
- of course you need this db version and its patches.
- compile openldap with the latest 2.1.x with the same db version
- recompile postfix with cyrus sasl2 even John Dennis said:
revert to sasl v1, turn off ipv6 support
for RHEL3, we'll branch and set sasl to v1 and turn off ipv6
this is false! rhel 3 uses sasl 2; what's more, postfix crashes if you try
to use it with ldap!
the whole nss_ldap, openldap, postfix and sasl was a nightmare for us
to put together (just check the segmentation crash in the bugzilla).
*** Bug 116282 has been marked as a duplicate of this bug. ***
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet those criteria, it is now being closed.
For more information on the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.