From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050623 Fedora/1.0.4-5 Firefox/1.0.4 Description of problem: diff -aru glibc-orig/nscd/grpcache.c glibc-nscd-fix/nscd/grpcache.c --- glibc-orig/nscd/grpcache.c 2005-02-22 17:53:39.000000000 -0500 +++ glibc-nscd-fix/nscd/grpcache.c 2005-07-18 01:36:20.000000000 -0400 @@ -167,7 +167,7 @@ char *gr_name; char *cp; const size_t key_len = strlen (key); - const size_t buf_len = 3 + sizeof (grp->gr_gid) + key_len + 1; + const size_t buf_len = 3 * sizeof (grp->gr_gid) + key_len + 1; char *buf = alloca (buf_len); ssize_t n; size_t cnt; Version-Release number of selected component (if applicable): glibc-2.3.90-2 How reproducible: Didn't try Additional info:
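Review bot: the `-` line sizes the numeric part of the key with `3 + sizeof (grp->gr_gid)`, which is only 7 bytes for a 4-byte gid_t, while a GID can need up to ten decimal digits; the `+` line's `3 * sizeof (grp->gr_gid)` (12 bytes) follows the rule that each byte of an integer contributes at most three decimal digits, so the corrected formula is the right one. Suggest adding a short comment on that line explaining the `3 *` idiom so the expression is not "simplified" back to `3 +` later, and, because the buffer comes from alloca and the assertion on the snprintf result is compiled out with -DNDEBUG, checking the snprintf return value against buf_len at runtime so a short buffer is reported rather than silently producing a truncated or garbage key.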
This really isn't an overflow, as snprintf is used. With nscd built without -DNDEBUG, there would be an assertion failure, but Red Hat/Fedora glibcs are built with -DNDEBUG, so all that will happen is that uninitialized bytes will be added as cache entry keys.
Should be fixed in glibc-2.3.90-3 and above.
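Added illustration of the sizing bug discussed in the report and in comment 2 (this is example code written for this page, not nscd's source): it applies both buf_len formulas from the patch to a 32-bit gid and shows, via the snprintf return value, why the old formula cannot hold a large GID without truncation and why the new one can. The "GID KEY" layout of the entry is a constructed stand-in for nscd's real record format, and gid32_t stands for the 4-byte gid_t of the reported i686 platform.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumption: gid_t is a 4-byte unsigned integer, as on the reported i686 box. */
typedef uint32_t gid32_t;

/* The two sizing formulas from the patch, for a key of KEY_LEN bytes. */
size_t buf_len_old (size_t key_len) { return 3 + sizeof (gid32_t) + key_len + 1; } /* 8 + key_len */
size_t buf_len_new (size_t key_len) { return 3 * sizeof (gid32_t) + key_len + 1; } /* 13 + key_len */

/* Decimal digits needed for V: at most 10 for a 32-bit value (4294967295).
   Each byte of an integer contributes at most three digits (256 < 1000),
   which is where the "3 * sizeof" idiom comes from. */
int decimal_digits (gid32_t v)
{
  int digits = 1;
  while (v >= 10)
    {
      v /= 10;
      digits++;
    }
  return digits;
}

/* Render "GID KEY" (constructed layout, not nscd's real record format) into
   a buffer of BUF_LEN bytes with snprintf and report whether it fit.
   snprintf never writes past BUF_LEN, which is why comment 2 says this is
   not an overflow; it returns the length it *would* have produced, so a
   result >= BUF_LEN means the entry was silently truncated.  Returns 1 if
   the entry fits, 0 if it was truncated, -1 on a bad argument. */
int entry_fits (gid32_t gid, const char *key, size_t buf_len)
{
  char buf[256]; /* backing store; only the first BUF_LEN bytes are used */
  if (buf_len == 0 || buf_len > sizeof buf)
    return -1;
  int n = snprintf (buf, buf_len, "%" PRIu32 " %s", gid, key);
  if (n < 0)
    return -1;
  return (size_t) n < buf_len;
}

int main (void)
{
  const char *key = "users";           /* constructed sample group name */
  gid32_t big = 4294967295u;           /* largest 32-bit GID, 10 digits */
  gid32_t small = 100;
  size_t key_len = strlen (key);

  printf ("max digits for a 32-bit gid: %d\n", decimal_digits (big));
  printf ("gid %" PRIu32 " with old formula (buf_len %zu): %s\n", big,
          buf_len_old (key_len),
          entry_fits (big, key, buf_len_old (key_len)) ? "fits" : "TRUNCATED");
  printf ("gid %" PRIu32 " with new formula (buf_len %zu): %s\n", big,
          buf_len_new (key_len),
          entry_fits (big, key, buf_len_new (key_len)) ? "fits" : "TRUNCATED");
  printf ("gid %" PRIu32 " with old formula (buf_len %zu): %s\n", small,
          buf_len_old (key_len),
          entry_fits (small, key, buf_len_old (key_len)) ? "fits" : "TRUNCATED");
  return 0;
}
```

The small GID fits either way, which is why the defect only shows up with large IDs; the check on the snprintf return value is the runtime equivalent of the assertion that -DNDEBUG compiles out.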
I am seeing this in the latest FC4 testing glibc/nscd (glibc-2.3.5-10.2):

30677: Reloading "14339447" in password cache!
*** Segmentation fault
Register dump:

 EAX: 00000001   EBX: 00e7aca0   ECX: 0000008c   EDX: 00000005
 ESI: b726b3b8   EDI: 6e54a504   EBP: b7067db4   ESP: b7067bac

 EIP: 00e72836   EFLAGS: 00010a13

 CS: 0073   DS: 007b   ES: 007b   FS: 0000   GS: 0033   SS: 007b

 Trap: 0000000e   Error: 00000004   OldMask: 00000000
 ESP/signal: b7067bac   CR2: 6e54a518

Backtrace:
/lib/libSegFault.so[0x483115]
[0x1ad420]
nscd[0xe6d6a0]
/lib/libpthread.so.0[0xdb7b80]
/lib/libc.so.6(__clone+0x5e)[0x6d99ae]

Is it the same bug or a variant thereof? The patch/report mention GIDs, but in my case it's a large UID. Should I file this as a separate bug for FC4, not Raw Hide? I am not sure what the procedure is in such a case. Any chance that the glibc in testing can be fixed before release, if this patch fixes the problem I am seeing?
Re #6: That has certainly nothing to do with that: a) the above bug is fixed in 2.3.5-10.2 b) the bug used to be only in group handling code, not uid. Please file a new bug report instead, install glibc-debuginfo and get a real backtrace, the above is not helpful.