Bug 134837 - (IT_50406) [PATCH] mailx defines send() which overrides sys_send() when using nss_ldap
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: mailx
Version: 3.0
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Jiri Ryska
Duplicates: 74261 137951
Blocks: 132991
Reported: 2004-10-06 13:24 EDT by David Lehman
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-05-19 19:09:36 EDT

Attachments
add "hidden" visibility attribute to /bin/mail send() function (573 bytes, patch)
2004-10-06 13:32 EDT, David Lehman

Description David Lehman 2004-10-06 13:24:55 EDT
Description of problem:
mailx defines a function send, which probably sends an email. The
problem is that, when non-glibc nss modules are in use (like
nss_ldap), the dynamic symbol lookup resolves send calls to the
function in /bin/mail, not the syscall. This leads to a segfault, but
only when USER is not set.

Version-Release number of selected component (if applicable):
mailx-8.1.1-31

How reproducible:
Completely

Steps to Reproduce:
1. Set up an ldap auth client
2. Log in as an ldap-authenticated user and unset USER
3. Try to send mail using /bin/mail
  
Actual results:
Segmentation fault

Expected results:
mail sent

Additional info:
Comment 1 David Lehman 2004-10-06 13:29:29 EDT
Here's the last bits of output when run with LD_DEBUG=bindings:
      5199:     binding file /lib/libresolv.so.2 to /lib/tls/libc.so.6: normal symbol `connect' [GLIBC_2.0]
      5199:     binding file /lib/libresolv.so.2 to mail: normal symbol `send' [GLIBC_2.0]
      5199:     binding file mail to /lib/tls/libc.so.6: normal symbol `fflush' [GLIBC_2.0]
Segmentation fault (core dumped)

And here's a backtrace:
Core was generated by `/bin/mail -s test broken root@localhost'.
Program terminated with signal 11, Segmentation fault.
<snip>
#0  0x0804ebe1 in setinput (mp=0x4) at fio.c:245
245             if (fseek(itf, (long)positionof(mp->m_block, mp->m_offset), 0) < 0) {
(gdb) bt
#0  0x0804ebe1 in setinput (mp=0x4) at fio.c:245
#1  0x08054587 in send (mp=0x4, obuf=0xbfffb360, doign=0x2c, prefix=0x0)
    at send.c:87
#2  0x009e1615 in send_dg (statp=0x266e40, buf=0xbfffb360 "w\210\001",
    buflen=44, ansp=0xbfffb340, anssizp=0xbfffb344, terrno=0xbfffb304, ns=0,
    v_circuit=0x0, gotsomewhere=0xbfffb300, anscp=0xbfffb8f0) at res_send.c:961
#3  0x009e0d95 in __libc_res_nsend (statp=0x266e40,
    buf=0xbfffb360 "w\210\001", buflen=44, ans=0xbfffb4c0 "", anssiz=1024,
    ansp=0xbfffb8f0) at res_send.c:595
#4  0x009dfcda in __libc_res_nquery (statp=0x266e40,
    name=0xbfffb8f4 "163.59.16.172.in-addr.arpa", class=1, type=12,
    answer=0xbfffb4c0 "", anslen=0, answerp=0x0) at res_query.c:154
#5  0x00988424 in _nss_dns_gethostbyaddr_r (addr=0xbfffbe14, len=4, af=2,
    result=0xbfffbdf0, buffer=0x8b1ebb8 "\177", buflen=0, errnop=0xb75e44e0,
    h_errnop=0xbfffbdd4) at nss_dns/dns-host.c:338
#6  0x0021fbbd in __gethostbyaddr_r (addr=0xbfffbe14, len=4, type=2,
    resbuf=0xbfffbdf0, buffer=0x8b1ebb8 "\177", buflen=1024,
    result=0xbfffbdd0, h_errnop=0xbfffbdd4) at getXXbyYY_r.c:216
#7  0x00294047 in ldap_pvt_gethostbyaddr_a () from /lib/libnss_ldap.so.2
#8  0x00290df1 in ldap_host_connected_to () from /lib/libnss_ldap.so.2
---Type <return> to continue, or q <return> to quit---
#9  0x002866d9 in ldap_int_open_connection () from /lib/libnss_ldap.so.2
#10 0x0028e84b in ldap_new_connection () from /lib/libnss_ldap.so.2
#11 0x00286031 in ldap_open_defconn () from /lib/libnss_ldap.so.2
#12 0x0028e47e in ldap_send_initial_request () from /lib/libnss_ldap.so.2
#13 0x0028c0b8 in ldap_sasl_bind () from /lib/libnss_ldap.so.2
#14 0x0028ca5c in ldap_simple_bind () from /lib/libnss_ldap.so.2
#15 0x0027d555 in do_bind (ld=0x8b1e390, timelimit=0,
    dn=0x41c5c4 "cn=Administrator,cn=users,dc=redhat,dc=gss", pw=0x0,
    with_sasl=0) at ldap-nss.c:1410
#16 0x0027d16f in do_open () at ldap-nss.c:1248
#17 0x0027e39a in _nss_ldap_search_s (args=0xbfffc930,
    filterprot=0x427940 "(&(objectclass=User)(msSFU30UidNumber=%d))",
    sel=LM_PASSWD, sizelimit=1, res=0xbfffc8e0) at ldap-nss.c:2285
#18 0x0027e904 in _nss_ldap_getbyname (args=0xbfffc930, result=0x0,
    buffer=0x0, buflen=0, errnop=0x0, filterprot=0x0, sel=LM_PASSWD, parser=0)
    at ldap-nss.c:2635
#19 0x0027f84b in _nss_ldap_getpwuid_r (uid=0, result=0x0, buffer=0x0,
    buflen=0, errnop=0x0) at ldap-pwd.c:207
#20 0x001d8a32 in __getpwuid_r (uid=26006, resbuf=0x265ffc,
    buffer=0x8b13108 "wnn", buflen=1024, result=0xbfffc998)
---Type <return> to continue, or q <return> to quit---
    at getXXbyYY_r.c:216
#21 0x001d83c1 in getpwuid (uid=26006) at getXXbyYY.c:108
#22 0x0804f3f1 in getname (uid=0) at getname.c:60
#23 0x0804f8df in username () at v7.local.c:101
#24 0x080557b5 in tinit () at temp.c:88
#25 0x08051c39 in main (argc=4, argv=0x0) at main.c:236
#26 0x0014579d in __libc_start_main (main=0x8051900 <main>, argc=4,
    ubp_av=0xbfffcb44, init=0x8056198 <__libc_csu_init>, fini=0x4,
    rtld_fini=0xbfffcb44, stack_end=0xbfffcb3c)
    at ../sysdeps/generic/libc-start.c:205
#27 0x080499d1 in _start () at ../sysdeps/i386/elf/start.S:102
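
A triage sketch for LD_DEBUG=bindings output like that in Comment 1, added here as an example and not part of the bug report or the mailx patch: it rejoins hard-wrapped records and flags any binding where a shared library's reference was resolved to the main executable instead of another library. The function names and the ".so" filename heuristic are assumptions of this example; the sample is the three binding lines from Comment 1.

```python
import re

# One LD_DEBUG=bindings record:
#   <pid>: binding file <src> to <dst>: <kind> symbol `<sym>' [<version>]
BINDING_RE = re.compile(
    r"\s*(?P<pid>\d+):\s+binding file (?P<src>\S+) to (?P<dst>\S+): "
    r"\w+ symbol `(?P<sym>[^']+)'(?: \[(?P<ver>[^\]]+)\])?"
)
RECORD_START = re.compile(r"\s*\d+:\s")
SHARED_OBJECT = re.compile(r"\.so(\.\d+)*$")  # libfoo.so, libfoo.so.2 (heuristic)

# The three binding lines from Comment 1, hard-wrapped as pasted terminal
# output often is.
SAMPLE = """\
      5199:     binding file /lib/libresolv.so.2 to
/lib/tls/libc.so.6: normal symbol `connect' [GLIBC_2.0]
      5199:     binding file /lib/libresolv.so.2 to mail: normal
symbol `send' [GLIBC_2.0]
      5199:     binding file mail to /lib/tls/libc.so.6: normal symbol
`fflush' [GLIBC_2.0]
Segmentation fault (core dumped)
"""


def parse_bindings(text):
    """Return binding records, rejoining records split across lines."""
    records, pending = [], ""
    for line in text.splitlines():
        if RECORD_START.match(line):
            pending = line.strip()            # a new "<pid>:" record begins
        elif pending:
            pending += " " + line.strip()     # continuation of a wrapped record
        else:
            continue                          # unrelated output, e.g. the crash message
        m = BINDING_RE.match(pending)
        if m:
            records.append(m.groupdict())
            pending = ""
    return records


def bound_to_executable(records):
    """Flag references made by a shared object but satisfied by a non-.so file."""
    hits = []
    for r in records:
        if SHARED_OBJECT.search(r["src"]) and not SHARED_OBJECT.search(r["dst"]):
            # A GLIBC_* version on the reference means the caller expected libc.
            hits.append({**r, "expected_glibc": (r["ver"] or "").startswith("GLIBC_")})
    return hits


if __name__ == "__main__":
    for h in bound_to_executable(parse_bindings(SAMPLE)):
        print(f"{h['src']} -> {h['dst']}: {h['sym']} [{h['ver']}]")
```

Hits are candidates rather than proof of a bug, since programs that export callbacks for plugins produce library-to-executable bindings on purpose; the GLIBC-versioned ones are the ones to look at first.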

Comment 2 David Lehman 2004-10-06 13:32:59 EDT
Created attachment 104847
add "hidden" visibility attribute to /bin/mail send() function

This patch prevents nss functions from binding to /bin/mail's send function
when non-glibc nss modules are in use.
Comment 3 Jiri Ryska 2004-11-03 06:38:07 EST
*** Bug 137951 has been marked as a duplicate of this bug. ***
Comment 4 Jiri Ryska 2004-11-03 06:58:25 EST
*** Bug 74261 has been marked as a duplicate of this bug. ***
Comment 6 Need Real Name 2004-11-17 22:15:28 EST
Please advise when will we see a mailx rpm in the ES 2.1 
errata released ?
Thanks, 
a paying customer.
Comment 7 Need Real Name 2004-11-17 22:18:36 EST
Please add gary.morgan@airnz.co.nz to the CC list, thanks.
Comment 10 Jindrich Novy 2005-03-03 08:57:37 EST
The RHBA-2005-181 erratum that fixes this issue is now tested.
Comment 11 Tim Powers 2005-05-19 19:09:36 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2005-181.html
