Bug 125510 - useradd segfaults if too many users in one group
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: shadow-utils
Version: 3.0
Hardware: All Linux
Priority: medium, Severity: high
Assigned To: Peter Vrabec
Duplicates: 178404
Blocks: 168429
Reported: 2004-06-08 08:12 EDT by Florian Brand
Modified: 2007-11-30 17:07 EST (History)
Fixed In Version: RHBA-2006-0035
Doc Type: Bug Fix
Last Closed: 2006-03-07 13:28:45 EST

Attachments
change static limit on group count to dynamic (1.63 KB, patch)
2005-02-25 10:49 EST, Peter Vrabec

Description Florian Brand 2004-06-08 08:12:19 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Gecko/20031114

Description of problem:


Version-Release number of selected component (if applicable):
shadow-utils-4.0.3-7

How reproducible:
Always

Steps to Reproduce:
groupadd test
for i in `seq 1 10000` ; do 
   adduser -G test u$i
done
    

Actual Results:  Segmentation fault after user u2527 has been added.
Further attempts of useradd also lead to a segfault.
Deleting the big group in group and gshadow manually helps.

Expected Results:  no segfault or at least an error message

Additional info:

#strace useradd foo
unlink("/etc/gshadow.23338")            = 0
open("/etc/gshadow", O_RDWR)            = 8
fstat64(8, {st_mode=S_IFREG|0400, st_size=37347, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0xb7275000
read(8, "root:::root\nbin:::root,bin,daemo"..., 4096) = 4096
read(8, "31,k1632,k1633,k1634,k1635,k1636"..., 4096) = 4096
read(8, "331,k332,k333,k334,k335,k336,k33"..., 4096) = 4096
read(8, "125,k1126,k1127,k1128,k1129,k113"..., 4096) = 4096
read(8, "k1808,k1809,k1810,k1811,k1812,k1"..., 4096) = 4096
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Comment 1 John Newbigin 2004-09-26 21:18:29 EDT
I am seeing this under AS2.1 as well.

open("/etc/gshadow", O_RDWR|O_LARGEFILE) = 8
fstat64(8, {st_mode=S_IFREG|0400, st_size=54615, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
0) = 0x401c1000
read(8, "root:::root\nbin:::root,bin,daemo"..., 4096) = 4096
read(8, "s403701,s403702,s403703,s403705,"..., 4096) = 4096
brk(0x81fb000)                          = 0x81fb000
read(8, "s526512,s526513,s526516,s838584,"..., 4096) = 4096
read(8, "s126230,s126234,s126238,s126276,"..., 4096) = 4096
brk(0x8200000)                          = 0x8200000
read(8, "s236805,s236826,s236851,s236874,"..., 4096) = 4096
read(8, "s403688,s403690,s403692,s403693,"..., 4096) = 4096
read(8, "s526426,s526434,s526445,s526446,"..., 4096) = 4096
brk(0x8207000)                          = 0x8207000
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++

# grep room_sb102 /etc/gshadow | wc
      1       1   24672

There are 3081 users in the group, most with 7 character user names.
Comment 2 John Newbigin 2004-09-26 22:54:16 EDT
I found the problem, in both shadow-utils-20000902-16 (RHEL21AS) and
shadow-utils-4.0.3-20.05 (RHEL3)

/lib/gshadow.c line 51
#define       MAXMEM  1024

sgetgrent.c contains the following:
 * FINALLY added dynamic allocation.  Still need to fix sgetsgent().
 *  --marekm
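
The static limit identified in comment 2, shown as an added example (illustrative C written for this page, not the shadow-utils source): a member array sized by MAXMEM needs an explicit bound check to fail cleanly, while a growable array removes the ceiling. The function names and the constructed k1..kN member list are assumptions; 3081 is the member count reported in comment 1.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAXMEM 1024 /* the static limit quoted in comment 2 */

/* Fixed array: return -1 instead of writing past out[MAXMEM]. */
static int split_fixed(char *s, char *out[MAXMEM + 1]) {
    int n = 0;
    for (char *t = strtok(s, ","); t; t = strtok(NULL, ",")) {
        if (n >= MAXMEM) return -1; /* too many members: report it */
        out[n++] = t;
    }
    out[n] = NULL;
    return n;
}

/* Growable array: no ceiling on the member count. Caller frees *out. */
static int split_dynamic(char *s, char ***out) {
    size_t cap = 16, n = 0;
    char **v = malloc((cap + 1) * sizeof *v); /* +1 for the NULL terminator */
    if (!v) return -1;
    for (char *t = strtok(s, ","); t; t = strtok(NULL, ",")) {
        if (n == cap) { /* full: double the capacity */
            char **g = realloc(v, (cap * 2 + 1) * sizeof *g);
            if (!g) { free(v); return -1; }
            v = g; cap *= 2;
        }
        v[n++] = t;
    }
    v[n] = NULL; *out = v;
    return (int)n;
}

/* Constructed sample input "k1,k2,...,kN". Caller frees. */
static char *make_members(int count) {
    char *buf = calloc((size_t)count * 12 + 1, 1), *p = buf;
    if (!buf) return NULL;
    for (int i = 1; i <= count; i++)
        p += sprintf(p, "%sk%d", i > 1 ? "," : "", i);
    return buf;
}

int main(void) {
    static char *fixed[MAXMEM + 1];
    char *a = make_members(3081), *b = make_members(3081), **dyn = NULL;
    if (!a || !b) return 1;
    printf("fixed:   %d\n", split_fixed(a, fixed));
    printf("dynamic: %d\n", split_dynamic(b, &dyn));
    free(dyn); free(a); free(b);
}
```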

Comment 3 Lonni J Friedman 2004-11-11 09:56:31 EST
What are the chances of this getting fixed any time soon?  I'm seeing
*A LOT* of pain from this bug right now on RHEL-3.0
Comment 4 John Newbigin 2004-11-11 17:14:59 EST
I have a RHEL3 compatible version with an increased static limit here:
http://bender.it.swin.edu.au/centos-3/testing/

That should get you out of trouble if you are seeing crashes.

I am kind of glad I am not paying $$$ to RH anymore.

My RPM contains the following patch:
--- lib/gshadow.c.orig  Mon Sep 27 12:47:35 2004
+++ lib/gshadow.c       Mon Sep 27 12:48:00 2004
@@ -48,7 +48,7 @@
 static int     dbmerror;
 #endif

-#define        MAXMEM  1024
+#define        MAXMEM  4096

 static FILE    *shadow;
 static char    sgrbuf[BUFSIZ*4];
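Review bot: the replacement `#define MAXMEM 4096` is still a compile-time ceiling, so the fault moves to a larger group rather than going away; nothing in this hunk adds a bound check or an error return where MAXMEM is used. The unchanged context line `static char sgrbuf[BUFSIZ*4];` also becomes relevant: comment 1 measured a 24672-byte line for 3081 members, so at roughly 8 bytes per member a 4096-member line is about 32 KB, which is the whole of sgrbuf where BUFSIZ is 8192 (the glibc value). Suggest checking the member count explicitly so an oversized group produces an error message, or allocating the lists dynamically as the sgetgrent.c note quoted in comment 2 describes.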
Comment 8 John Newbigin 2005-02-25 00:26:47 EST
For anyone who needs it:
http://bender.it.swin.edu.au/centos-3/testing/shadow-utils-4.0.3-22.02.c3.1.i386.rpm

RedHat: Please fix this bug......
Comment 9 Peter Vrabec 2005-02-25 10:49:27 EST
Created attachment 111425 [details]
change static limit on group count to dynamic

Patch made by Adrian Havill <havill@redhat.com> and 
fixed(#148994) by Mogens Kjaer (mk@crc.dk)
Comment 10 Mike Frysinger 2005-06-30 23:37:27 EDT
This issue has been filed as Bug 86490 already ...
Comment 15 Peter Vrabec 2006-01-23 06:41:41 EST
*** Bug 178404 has been marked as a duplicate of this bug. ***
Comment 16 Red Hat Bugzilla 2006-03-07 13:28:45 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2006-0035.html
