Bug 114575 - su segfaults with an invalid pointer error
Summary: su segfaults with an invalid pointer error
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: nss_ldap
Version: 3.0
Hardware: i386
OS: Linux
medium
high
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Jay Turner
URL:
Whiteboard:
Duplicates: 116282
Depends On:
Blocks:
Reported: 2004-01-29 18:27 UTC by Brian Baggett
Modified: 2015-01-08 00:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-10-19 19:30:45 UTC
Target Upstream Version:
Embargoed:


Attachments
Output of strace -f (8.92 KB, text/plain), 2004-02-07 17:18 UTC, Brian Baggett
/etc/pam.d/system-auth (1011 bytes, text/plain), 2004-02-18 14:02 UTC, Brian Baggett

Description Brian Baggett 2004-01-29 18:27:01 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.6)
Gecko/20040113

Description of problem:
Trying to su under RHEL 3 ES with an 'everything' install causes a
segfault.

[brianb@qlc6 brianb]$ su -
Password: 
free(): invalid pointer 0x8055708!
Segmentation fault

Will attach a strace -f on it momentarily and optionally a gdb
backtrace if need be.

Logging in as root works as does doing a 'sudo su -' if you have sudo
setup for the user in question.

Version-Release number of selected component (if applicable):
coreutils-4.5.3-26

How reproducible:
Always

Steps to Reproduce:
1. Login as a non-privileged user
2. Type 'su -' and enter the proper root password.
3. The program will segfault.
    

Actual Results:  Segfault

Expected Results:  A root shell should be returned

Additional info:

Comment 1 Brian Baggett 2004-01-29 18:31:16 UTC
Okay, this is weird.  My password that is thirteen characters in
length and has a mixture of numbers and letters causes a segfault. 
Setting the root password to a four character password with no numbers
doesn't segfault.

Comment 2 Brian Baggett 2004-01-29 18:37:26 UTC
If I make the root password the same as my current 13 character
password but only up to the 11th character, it works.  If I use 12 or
13 of the 13 characters, the segfault happens.

Comment 3 Tim Waugh 2004-01-30 09:55:20 UTC
Is there a password you can tell me which causes the segfault?  Then I
can try it here.  Also, did you look at the strace -f output?

Other things to try:

* export MALLOC_CHECK_=1 first to get libc to diagnose malloc misuse
* try attaching gdb to get a backtrace

Comment 4 Brian Baggett 2004-02-07 17:18:29 UTC
Created attachment 97526
Output of strace -f

This is the output of a 'strace -f su -'.  The password I tried was
123456789abcd which is 13 characters.  If I use that password on the console,
it works.  If I try to su it tells me incorrect password in the strace (but
segfaults otherwise) and says incorrect password in the gdb, which I'm about to
include as well.

Comment 5 Brian Baggett 2004-02-07 17:19:42 UTC
[brianb@qlc6 brianb]$ gdb su
GNU gdb Red Hat Linux (6.0post-0.20031117.6rh)
[GNU copyright stuff omitted]
This GDB was configured as "i386-redhat-linux-gnu"...Using host
libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) run -
Starting program: /bin/su -
Password: 
Detaching after fork from child process 30431.
/bin/su: incorrect password

Program exited with code 01.

Comment 6 Tim Waugh 2004-02-18 13:26:37 UTC
Could you please attach /etc/pam.d/system-auth?

Also, please try 'export MALLOC_CHECK_=1' before running the command.

Comment 7 Brian Baggett 2004-02-18 14:02:26 UTC
Created attachment 97787
/etc/pam.d/system-auth

The /etc/pam.d/system-auth file, per your request.

Comment 8 Brian Baggett 2004-02-18 14:03:58 UTC
[brianb@qlc6 brianb]$ export MALLOC_CHECK_=1
[brianb@qlc6 brianb]$ su -
Password: 
Segmentation fault

Should I do the MALLOC_CHECK in conjunction with the gdb backtrace or
the strace?

Comment 9 Tim Waugh 2004-02-18 14:14:12 UTC
Hmm, I was hoping for a useful diagnostic from the malloc function. 
Never mind.

I suspect this is to do with pam_ldap.  Could you try disabling LDAP
authentication support by commenting out (with a '#' at the beginning
of each line) the lines in /etc/pam.d/system-auth that contain
'pam_ldap', and see if the problem still happens?

Comment 10 Tim Waugh 2004-02-18 14:14:46 UTC
(Actually an easier way would be to run authconfig-gtk.)
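
The manual isolation step from Comment 9, as an added example that is not part of the original bug thread: it writes a copy of a PAM config with every active `pam_ldap` line commented out, so the change can be reviewed before it replaces /etc/pam.d/system-auth. The function names are hypothetical and the sample file is constructed, since the real attachment is not reproduced on this page.

```shell
#!/bin/sh
# Added example (not from the bug thread): prepare a copy of a PAM config
# with one module disabled, leaving the original file untouched.

# disable_pam_module SRC DST MODULE  (hypothetical helper name)
# Copies SRC to DST, prefixing '#' to each active line that mentions MODULE.
disable_pam_module() {
    # Lines that are already comments pass through unchanged, so a second
    # run does not stack '#' characters.
    awk -v m="$3" '
        /^[ \t]*#/   { print; next }
        index($0, m) { print "#" $0; next }
                     { print }
    ' "$1" > "$2"
}

# count_active_module FILE MODULE: number of uncommented lines using MODULE.
count_active_module() {
    awk -v m="$2" '!/^[ \t]*#/ && index($0, m) { n++ } END { print n + 0 }' "$1"
}

# make_sample FILE: constructed system-auth in the RHEL 3 layout
# (illustrative only, not the attachment from this bug).
make_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
EOF
}

demo() {
    dir=$(mktemp -d)
    make_sample "$dir/system-auth"
    disable_pam_module "$dir/system-auth" "$dir/system-auth.noldap" pam_ldap
    diff "$dir/system-auth" "$dir/system-auth.noldap" || true  # review the change
    rm -rf "$dir"
}

demo
```

As Comment 11 notes, an account that does not depend on LDAP has to exist before the module is disabled; keeping a root session open while testing the modified file allows the original to be restored.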

Comment 11 Brian Baggett 2004-02-18 14:21:40 UTC
Since I use LDAP for all my accounts, I had to create a local account
before running authconfig to disable LDAP.  Sure enough, once this
happened the 13 character password works.  So where do we go from here?

Comment 12 Tim Waugh 2004-02-18 14:23:07 UTC
To the openldap maintainer..

Comment 13 Brian Baggett 2004-02-18 14:31:23 UTC
But isn't pam_ldap a part of nss_ldap and not openldap?

Comment 14 Levente Farkas 2004-06-07 16:27:40 UTC
the nss_ldap package is broken in almost all redhat and fedora distro
even in rhel 3.
- first update to the latest nss_ldap and pam_ldap.
- then change the db version in the spec file to the one used in the
given distro (eg: for rhel 3 use %define db_version 4.1.25)
- of course you need this db versions and its patches.
- compile openldap with the latest 2.1.x with the same db version
- recompile postfix with cyrus sasl2 even John Dennis said:
  ------------------------------------
  revert to sasl v1, turn off ipv6 support
  for RHEL3, we'll branch and set sasl to v1 and turn off ipv6
  ------------------------------------
  this is false! rhel 3 uses sasl 2 what's more postfix crash if you try
to use with ldap!
the whole nss_ldap, openldap, postfix and sasl was a nightmare for us
to put together (just check the segmentation crash in the bugzilla).


Comment 15 Matthew Davis 2005-02-14 14:59:48 UTC
*** Bug 116282 has been marked as a duplicate of this bug. ***

Comment 18 RHEL Program Management 2007-10-19 19:30:45 UTC
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.

