Bug 1344480 - glibc: nss_db: get*ent crashes without preceding set*ent
Summary: glibc: nss_db: get*ent crashes without preceding set*ent
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: glibc
Version: 24
Hardware: All
OS: Linux
high
medium
Target Milestone: ---
Assignee: Florian Weimer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1213603
Reported: 2016-06-09 19:10 UTC by Florian Weimer
Modified: 2016-09-05 08:40 UTC

Fixed In Version: glibc-2.22-18.fc23, glibc-2.23.1-10.fc24, glibc-2.23.90-21.fc25
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1213603
Environment:
Last Closed: 2016-09-05 08:40:22 UTC
Links
System: Sourceware  ID: 20237  Priority: None  Status: None  Summary: None  Last Updated: 2016-06-09 19:13:06 UTC

Description Florian Weimer 2016-06-09 19:10:27 UTC
+++ This bug was initially created as a clone of Bug #1213603 +++

Description of problem:
Baseline, with nsswitch set to use db, but no .db files. This works:

<snip>
[root@garabaldi ~]# grep services /etc/nsswitch.conf | grep -v '^#'
services:   db files sss
[root@garabaldi ~]# rm -f /var/db/*
rm: cannot remove ‘/var/db/sudo’: Is a directory
[root@garabaldi ~]# perl -e getservent
[root@garabaldi ~]# 
<snip>

Now let's build a default db file set (this is a clean install):

<snip>
[root@garabaldi ~]# perl -e getservent
[root@garabaldi ~]# cd /var/db/; make; cd -
passwd... done.
group... done.
protocols... done.
rpc... done.
services... done.
shadow... done.

Warning: The shadow password database /var/db/shadow.db
has been set to be readable only by root.  You may want
to make it readable by the `shadow' group depending
on your configuration.

gshadow... done.

Warning: The shadow group database /var/db/gshadow.db
has been set to be readable only by root.  You may want
to make it readable by the `shadow' group depending
on your configuration.

/root
[root@garabaldi ~]# perl -e getservent
Segmentation fault
<snip>
Core was generated by `perl -e getservent'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f90955685bf in __rawmemchr_sse2 () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install perl-5.16.3-285.el7.x86_64
(gdb) bt
#0  0x00007f90955685bf in __rawmemchr_sse2 () from /lib64/libc.so.6
#1  0x00007f908eba81c1 in _nss_db_getservent_r () from /lib64/libnss_db.so.2
#2  0x00007f90955e0c11 in __nss_getent_r () from /lib64/libc.so.6
#3  0x00007f90955e983a in getservent_r@@GLIBC_2.2.5 () from /lib64/libc.so.6
#4  0x00007f9096931a96 in Perl_pp_gservent () from /usr/lib64/perl5/CORE/libperl.so
#5  0x00007f90968dca46 in Perl_runops_standard ()
   from /usr/lib64/perl5/CORE/libperl.so
#6  0x00007f9096879855 in perl_run () from /usr/lib64/perl5/CORE/libperl.so
#7  0x0000000000400d99 in main ()
<snip>

Version-Release number of selected component (if applicable):
glibc-2.17-78.el7.x86_64

How reproducible:


Steps to Reproduce:
1. Set nsswitch to use 'db' for services
    > grep services /etc/nsswitch.conf | grep -v '^#'
    > services:   db files sss
2. cd /var/db/; make; cd -
3. perl -e getservent

Actual results:
Segfault

Expected results:
No Segfault

Additional info:

--- Additional comment from Florian Weimer on 2015-12-15 19:14:49 CET ---

It appears the cause is that implicit initialization of the service by get*ent (without a preceding set*ent) does not cause initialization of the entidx variable.  _nss_db_get*_r does this:

  if (state.header == NULL)
    {
      status = internal_setent (DBFILE, &state);
      if (status != NSS_STATUS_SUCCESS)
        {
          *errnop = errno;
          H_ERRNO_SET (NETDB_INTERNAL);
          goto out;
        }
    }

While _nss_db_set* has:

  status = internal_setent (DBFILE, &state);

  if (status == NSS_STATUS_SUCCESS)
    {
      /* Remember STAYOPEN flag.  */
      keep_db |= stayopen;

      /* Reset the sequential index.  */
      entidx  = (const char *) state.header + state.header->valstroffset;
    }

As far as I can see, the bug is present upstream as well.
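
The defect the comment above describes (the lazy set-up done by get*ent maps the database but never resets the sequential index, so the first scan runs on an uninitialised pointer) can be shown with a small model. The following C program is an added example, not glibc's code and not part of the bug report; the names db_state, entidx, db_setent, db_getent_buggy and db_getent_fixed, and the embedded sample database, are constructed for this model, and the header is treated as the value string area itself rather than via a valstroffset field. The buggy variant replaces the null dereference with an error flag so that it can report the condition instead of crashing.

```c
/* Added example (not glibc code): model of the nss_db enumeration state
 * showing why get*ent crashes when it is the first call, and the fix. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a mapped .db value string area: NUL-terminated
 * entries, terminated by an empty string. */
static const char sample_db[] = "ssh 22/tcp\0http 80/tcp\0\0";

struct db_state {
    const char *header;   /* non-NULL once the database is "mapped" */
    const char *entidx;   /* sequential index into the value string area */
};

/* Stand-in for internal_setent(): map the database, nothing else. */
static int internal_setent(struct db_state *st)
{
    st->header = sample_db;
    return 1;
}

/* Model of _nss_db_set*ent: maps the database AND resets the index. */
void db_setent(struct db_state *st)
{
    if (internal_setent(st))
        st->entidx = st->header;       /* "Reset the sequential index." */
}

/* Model of the buggy _nss_db_get*ent_r: the implicit initialisation maps
 * the database but leaves entidx untouched (NULL in a fresh state).  The
 * real code then scans from that pointer and faults in __rawmemchr; here
 * the fault is reported through *would_crash instead. */
const char *db_getent_buggy(struct db_state *st, int *would_crash)
{
    *would_crash = 0;
    if (st->header == NULL)
        internal_setent(st);           /* missing: entidx reset */
    if (st->entidx == NULL) {
        *would_crash = 1;              /* real code: SIGSEGV at this point */
        return NULL;
    }
    if (*st->entidx == '\0')
        return NULL;                   /* end of database */
    const char *entry = st->entidx;
    st->entidx += strlen(entry) + 1;   /* advance past this entry's NUL */
    return entry;
}

/* Fixed form: the lazy path resets entidx exactly as db_setent does. */
const char *db_getent_fixed(struct db_state *st)
{
    if (st->header == NULL) {
        internal_setent(st);
        st->entidx = st->header;       /* the reset the buggy path lacks */
    }
    if (*st->entidx == '\0')
        return NULL;
    const char *entry = st->entidx;
    st->entidx += strlen(entry) + 1;
    return entry;
}

/* Entries reachable via the fixed get*ent with no prior set*ent. */
int count_fixed_without_setent(void)
{
    struct db_state st = { NULL, NULL };
    int n = 0;
    while (db_getent_fixed(&st) != NULL)
        n++;
    return n;
}

/* 1 if the buggy get*ent would have faulted without a prior set*ent. */
int buggy_crashes_without_setent(void)
{
    struct db_state st = { NULL, NULL };
    int would_crash;
    db_getent_buggy(&st, &would_crash);
    return would_crash;
}

/* Entries from the buggy get*ent when set*ent was called first (-1 on fault). */
int count_buggy_with_setent(void)
{
    struct db_state st = { NULL, NULL };
    int would_crash, n = 0;
    db_setent(&st);
    while (db_getent_buggy(&st, &would_crash) != NULL)
        n++;
    return would_crash ? -1 : n;
}

int main(void)
{
    printf("fixed get*ent, no set*ent: %d entries\n", count_fixed_without_setent());
    printf("buggy get*ent, no set*ent: would crash = %d\n", buggy_crashes_without_setent());
    printf("buggy get*ent after set*ent: %d entries\n", count_buggy_with_setent());
    return 0;
}
```

The model reproduces the asymmetry in the report: the buggy enumerator is correct whenever set*ent ran first, which is why the Perl one-liner (a bare getservent) was the trigger rather than ordinary set/get/end usage.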

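For verifying the fix on a host configured as in the steps to reproduce (services: db in nsswitch.conf and the /var/db databases built), the same check can be done from C instead of Perl. This is an added regression check, not part of the bug report: it enumerates services once without a preceding setservent() (the path that crashed) and once with it, and the function names count_services_implicit, count_services_explicit and enumeration_is_consistent are invented here. On the fixed glibc versions named in this bug, or with any backend other than db, both orderings complete and return the same count; on an affected glibc with the db backend the implicit ordering faults as shown in the backtrace above.

```c
/* Added example (not from the bug report): exercise the real libc
 * service enumeration in both orders so that the "get*ent without
 * set*ent" path is driven directly from C. */
#include <netdb.h>
#include <stdio.h>

/* Enumerate without calling setservent() first: this is the lazy
 * initialisation path inside the NSS module, the one that crashed. */
long count_services_implicit(void)
{
    long n = 0;
    while (getservent() != NULL)
        n++;
    endservent();
    return n;
}

/* Enumerate the conventional way, with an explicit setservent() first. */
long count_services_explicit(void)
{
    long n = 0;
    setservent(0);
    while (getservent() != NULL)
        n++;
    endservent();
    return n;
}

/* 1 when both orderings enumerate the same number of entries, which is
 * what a correct NSS backend must deliver. */
int enumeration_is_consistent(void)
{
    return count_services_implicit() == count_services_explicit();
}

int main(void)
{
    /* The implicit pass runs first on purpose: it must be the very first
     * services call in the process, exactly like `perl -e getservent`. */
    printf("implicit (no setservent): %ld entries\n", count_services_implicit());
    printf("explicit (setservent first): %ld entries\n", count_services_explicit());
    printf("consistent: %s\n", enumeration_is_consistent() ? "yes" : "no");
    return 0;
}
```

Running the binary under the affected configuration gives the same "Segmentation fault" as the Perl reproducer; after the update it prints two equal counts.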
Comment 1 Fedora Update System 2016-08-18 15:17:08 UTC
glibc-2.23.1-10.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f050a0a6d

Comment 2 Fedora Update System 2016-08-18 17:32:46 UTC
glibc-2.22-18.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-87dde780b8

Comment 3 Fedora Update System 2016-08-19 00:21:48 UTC
glibc-2.22-18.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-87dde780b8

Comment 4 Fedora Update System 2016-08-19 00:58:37 UTC
glibc-2.23.1-10.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-5f050a0a6d

Comment 5 Fedora Update System 2016-08-19 19:52:37 UTC
glibc-2.23.1-10.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2016-09-02 23:20:41 UTC
glibc-2.22-18.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
