Bug 134837 (IT_50406) - [PATCH] mailx defines send() which overrides sys_send() when using nss_ldap
Alias: IT_50406
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: mailx
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jiri Ryska
QA Contact:
Duplicates: 74261 137951
Depends On:
Blocks: 132991
Reported: 2004-10-06 17:24 UTC by David Lehman
Modified: 2007-11-30 22:07 UTC

Clone Of:
Last Closed: 2005-05-19 23:09:36 UTC

Attachments
add "hidden" visibility attribute to /bin/mail send() function (573 bytes, patch)
2004-10-06 17:32 UTC, David Lehman

External Trackers
Tracker: Red Hat Product Errata
ID: RHBA-2005:181
Priority: normal
Status: SHIPPED_LIVE
Summary: mailx bug fix update
Last Updated: 2005-05-19 04:00:00 UTC

Description David Lehman 2004-10-06 17:24:55 UTC
Description of problem:
mailx defines a function send, which probably sends an email. The
problem is that, when non-glibc nss modules are in use (like
nss_ldap), the dynamic symbol lookup resolves send calls to the
function in /bin/mail, not the syscall. This leads to a segfault, but
only when USER is not set.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Set up an ldap auth client
2. Log in as an ldap-authenticated user and unset USER
3. Try to send mail using /bin/mail
Actual results:
Segmentation fault

Expected results:
mail sent

Additional info:

Comment 1 David Lehman 2004-10-06 17:29:29 UTC
Here's the last bits of output when run with LD_DEBUG=bindings:
      5199:     binding file /lib/libresolv.so.2 to
/lib/tls/libc.so.6: normal symbol `connect' [GLIBC_2.0]
      5199:     binding file /lib/libresolv.so.2 to mail: normal
symbol `send' [GLIBC_2.0]
      5199:     binding file mail to /lib/tls/libc.so.6: normal symbol
`fflush' [GLIBC_2.0]
Segmentation fault (core dumped)

And here's a backtrace:
Core was generated by `/bin/mail -s test broken root@localhost'.
Program terminated with signal 11, Segmentation fault.
#0  0x0804ebe1 in setinput (mp=0x4) at fio.c:245
245             if (fseek(itf, (long)positionof(mp->m_block,
mp->m_offset), 0) < 0) {
(gdb) bt
#0  0x0804ebe1 in setinput (mp=0x4) at fio.c:245
#1  0x08054587 in send (mp=0x4, obuf=0xbfffb360, doign=0x2c, prefix=0x0)
    at send.c:87
#2  0x009e1615 in send_dg (statp=0x266e40, buf=0xbfffb360 "w\210\001",
    buflen=44, ansp=0xbfffb340, anssizp=0xbfffb344, terrno=0xbfffb304,
    v_circuit=0x0, gotsomewhere=0xbfffb300, anscp=0xbfffb8f0) at
#3  0x009e0d95 in __libc_res_nsend (statp=0x266e40,
    buf=0xbfffb360 "w\210\001", buflen=44, ans=0xbfffb4c0 "", anssiz=1024,
    ansp=0xbfffb8f0) at res_send.c:595
#4  0x009dfcda in __libc_res_nquery (statp=0x266e40,
    name=0xbfffb8f4 "", class=1, type=12,
    answer=0xbfffb4c0 "", anslen=0, answerp=0x0) at res_query.c:154
#5  0x00988424 in _nss_dns_gethostbyaddr_r (addr=0xbfffbe14, len=4, af=2,
    result=0xbfffbdf0, buffer=0x8b1ebb8 "\177", buflen=0,
    h_errnop=0xbfffbdd4) at nss_dns/dns-host.c:338
#6  0x0021fbbd in __gethostbyaddr_r (addr=0xbfffbe14, len=4, type=2,
    resbuf=0xbfffbdf0, buffer=0x8b1ebb8 "\177", buflen=1024,
    result=0xbfffbdd0, h_errnop=0xbfffbdd4) at getXXbyYY_r.c:216
#7  0x00294047 in ldap_pvt_gethostbyaddr_a () from /lib/libnss_ldap.so.2
#8  0x00290df1 in ldap_host_connected_to () from /lib/libnss_ldap.so.2
---Type <return> to continue, or q <return> to quit---
#9  0x002866d9 in ldap_int_open_connection () from /lib/libnss_ldap.so.2
#10 0x0028e84b in ldap_new_connection () from /lib/libnss_ldap.so.2
#11 0x00286031 in ldap_open_defconn () from /lib/libnss_ldap.so.2
#12 0x0028e47e in ldap_send_initial_request () from /lib/libnss_ldap.so.2
#13 0x0028c0b8 in ldap_sasl_bind () from /lib/libnss_ldap.so.2
#14 0x0028ca5c in ldap_simple_bind () from /lib/libnss_ldap.so.2
#15 0x0027d555 in do_bind (ld=0x8b1e390, timelimit=0,
    dn=0x41c5c4 "cn=Administrator,cn=users,dc=redhat,dc=gss", pw=0x0,
    with_sasl=0) at ldap-nss.c:1410
#16 0x0027d16f in do_open () at ldap-nss.c:1248
#17 0x0027e39a in _nss_ldap_search_s (args=0xbfffc930,
    filterprot=0x427940 "(&(objectclass=User)(msSFU30UidNumber=%d))",
    sel=LM_PASSWD, sizelimit=1, res=0xbfffc8e0) at ldap-nss.c:2285
#18 0x0027e904 in _nss_ldap_getbyname (args=0xbfffc930, result=0x0,
    buffer=0x0, buflen=0, errnop=0x0, filterprot=0x0, sel=LM_PASSWD,
    at ldap-nss.c:2635
#19 0x0027f84b in _nss_ldap_getpwuid_r (uid=0, result=0x0, buffer=0x0,
    buflen=0, errnop=0x0) at ldap-pwd.c:207
#20 0x001d8a32 in __getpwuid_r (uid=26006, resbuf=0x265ffc,
    buffer=0x8b13108 "wnn", buflen=1024, result=0xbfffc998)
---Type <return> to continue, or q <return> to quit---
    at getXXbyYY_r.c:216
#21 0x001d83c1 in getpwuid (uid=26006) at getXXbyYY.c:108
#22 0x0804f3f1 in getname (uid=0) at getname.c:60
#23 0x0804f8df in username () at v7.local.c:101
#24 0x080557b5 in tinit () at temp.c:88
#25 0x08051c39 in main (argc=4, argv=0x0) at main.c:236
#26 0x0014579d in __libc_start_main (main=0x8051900 <main>, argc=4,
    ubp_av=0xbfffcb44, init=0x8056198 <__libc_csu_init>, fini=0x4,
    rtld_fini=0xbfffcb44, stack_end=0xbfffcb3c)
    at ../sysdeps/generic/libc-start.c:205
#27 0x080499d1 in _start () at ../sysdeps/i386/elf/start.S:102
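
Added example (not part of the original report or of mailx): a Python check that scans LD_DEBUG=bindings output for the pattern seen in Comment 1, a shared library's symbol reference bound to the program itself instead of to another library. The function names and the `.so` file-name heuristic are assumptions of this example.

```python
import re

# One record of LD_DEBUG=bindings output. Some glibc versions print a
# namespace index such as "[0]" after each file name; it is tolerated here.
BINDING = re.compile(
    r"binding file (?P<src>\S+)(?: \[\d+\])? to (?P<dst>\S+)(?: \[\d+\])?:"
    r" normal symbol `(?P<sym>[^']+)'"
)
RECORD_START = re.compile(r"^\s*\d+:\s")  # "<pid>:" prefix of every record

# The binding lines from Comment 1, wrapped the way the report shows them.
COMMENT_1 = """\
      5199:     binding file /lib/libresolv.so.2 to
/lib/tls/libc.so.6: normal symbol `connect' [GLIBC_2.0]
      5199:     binding file /lib/libresolv.so.2 to mail: normal
symbol `send' [GLIBC_2.0]
      5199:     binding file mail to /lib/tls/libc.so.6: normal symbol
`fflush' [GLIBC_2.0]
Segmentation fault (core dumped)
"""

def join_wrapped(text):
    """Re-join records that a mail client or bug tracker wrapped across lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def is_shared_object(path):
    """Heuristic (assumption): libraries are named *.so or *.so.N."""
    name = path.rsplit("/", 1)[-1]
    return name.endswith(".so") or ".so." in name

def interposed_by_program(text):
    """Return (library, program, symbol) for library references bound to a non-library."""
    hits = []
    for rec in join_wrapped(text):
        m = BINDING.search(rec)
        if m and is_shared_object(m["src"]) and not is_shared_object(m["dst"]):
            hits.append((m["src"], m["dst"], m["sym"]))
    return hits

if __name__ == "__main__":
    for lib, prog, sym in interposed_by_program(COMMENT_1):
        print(f"{lib} resolves {sym}() to {prog}, not to a shared library")
```

Deliberate interposition by an executable produces the same record, so each hit is a candidate to review against the program's intended exports.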

Comment 2 David Lehman 2004-10-06 17:32:59 UTC
Created attachment 104847
add "hidden" visibility attribute to /bin/mail send() function

This patch prevents nss functions from binding to /bin/mail's send function
when non-glibc nss modules are in use.

Comment 3 Jiri Ryska 2004-11-03 11:38:07 UTC
*** Bug 137951 has been marked as a duplicate of this bug. ***

Comment 4 Jiri Ryska 2004-11-03 11:58:25 UTC
*** Bug 74261 has been marked as a duplicate of this bug. ***

Comment 6 Need Real Name 2004-11-18 03:15:28 UTC
Please advise when will we see a mailx rpm in the ES 2.1
errata released?
A paying customer.

Comment 7 Need Real Name 2004-11-18 03:18:36 UTC
Please add gary.morgan@airnz.co.nz to the CC list, thanks.

Comment 10 Jindrich Novy 2005-03-03 13:57:37 UTC
The RHBA-2005-181 erratum that fixes this issue is now tested.

Comment 11 Tim Powers 2005-05-19 23:09:36 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

