Bug 1917382 - [abrt] [faf] sssd: dp_client_handshake_timeout(): /usr/libexec/sssd/sssd_be killed by 11
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Alexey Tikhonov
QA Contact: Steeve Goveas
URL: http://faf.lab.eng.brq.redhat.com/faf...
Whiteboard: sync-to-jira review
Duplicates: 1930540
Depends On:
Blocks:
 
Reported: 2021-01-18 11:56 UTC by Steeve Goveas
Modified: 2021-05-18 15:04 UTC

Fixed In Version: sssd-2.4.0-7.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:04:21 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
crash log files including coredump (5.77 MB, application/gzip)
2021-01-18 11:56 UTC, Steeve Goveas


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github | SSSD sssd issues 5466 | 0 | None | closed | SBUS: NULL deref in dp_client_handshake_timeout() | 2021-02-10 08:27:38 UTC

Description Steeve Goveas 2021-01-18 11:56:39 UTC
Created attachment 1748438
crash log files including coredump

This bug has been created based on an anonymous crash report requested by the package maintainer.

Report URL: http://faf.lab.eng.brq.redhat.com/faf/reports/bthash/344d448d8ec4c7d206753f3ece41e9f1a62890ee/

Comment 1 Alexey Tikhonov 2021-01-18 12:47:55 UTC
Core corresponds to sssd-common-2.4.0-5.el8

Comment 2 Alexey Tikhonov 2021-01-18 15:53:53 UTC
$ file coredump 
coredump: ELF 64-bit LSB core file, 64-bit PowerPC or cisco 7500, version 1 (SYSV), SVR4-style, from '/usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=file', real uid: 0, effective uid: 0, real gid: 0, effective gid: 0, execfn: '/usr/libexec/sssd/sssd_be', platform: 'power8'

Comment 3 Alexey Tikhonov 2021-01-19 16:46:42 UTC
#0  0x000000013a22bc90 in dp_client_handshake_timeout (ev=<optimized out>, te=0x10032a63100, t=..., ptr=<optimized out>)
    at src/providers/data_provider/dp_client.c:153
#1  0x00007fffb1ad06a4 in tevent_common_invoke_timer_handler () from /lib64/libtevent.so.0
#2  0x00007fffb1ad0908 in tevent_common_loop_timer_delay () from /lib64/libtevent.so.0
#3  0x00007fffb1ad2234 in epoll_event_loop_once () from /lib64/libtevent.so.0
#4  0x00007fffb1acf6e0 in std_event_loop_once () from /lib64/libtevent.so.0
#5  0x00007fffb1ac7cd8 in _tevent_loop_once () from /lib64/libtevent.so.0
#6  0x00007fffb1ac8084 in tevent_common_loop_wait () from /lib64/libtevent.so.0
#7  0x00007fffb1acf610 in std_event_loop_wait () from /lib64/libtevent.so.0
#8  0x00007fffb1ac8178 in _tevent_loop_wait () from /lib64/libtevent.so.0
#9  0x00007fffb2559fec in server_loop (main_ctx=0x10032a2f810) at src/util/server.c:730
#10 0x000000013a2196f4 in main (argc=<optimized out>, argv=0x7fffe7ce1528) at src/providers/data_provider_be.c:772


(gdb) frame 0
#0  0x000000013a22bc90 in dp_client_handshake_timeout (ev=<optimized out>, te=0x10032a63100, t=..., ptr=<optimized out>)
    at src/providers/data_provider/dp_client.c:153
153	    if (name != NULL && strcmp(name, be_name) == 0) {


(gdb) p be_name
$1 = 0x0


(gdb) list
148	    be_name = dp_cli->provider->be_ctx->sbus_name;
149	
150	    talloc_set_destructor(dp_cli, NULL);
151	
152	    name = sbus_connection_get_name(dp_cli->conn);
153	    if (name != NULL && strcmp(name, be_name) == 0) {
154	        /* This is the data provider connection. Just free the client record
155	         * but keep the connection opened. */
156	        talloc_zfree(dp_cli);
157	        return;


(gdb) p dp_cli->provider->be_ctx->sbus_name
$2 = 0x0


(gdb) p *(dp_cli->provider->be_ctx)
$6 = {ev = 0x10032a2f4f0, cdb = 0x10032a309d0, domain = 0x10032a55b20, identity = 0x10032a3daf0 "%BE_implicit_files", 
  conf_path = 0x10032a421e0 "config/domain/implicit_files", sbus_name = 0x0, uid = 0, gid = 0, override_space = 0 '\000', sr_conf = {
    scope = SESSION_RECORDING_SCOPE_NONE, users = 0x0, groups = 0x0, exclude_users = 0x0, exclude_groups = 0x0}, be_fo = 0x10032a42270, 
  be_res = 0x10032a40cd0, online_cb_list = 0x0, run_online_cb = false, offline_cb_list = 0x0, run_offline_cb = false, reconnect_cb_list = 0x0, 
  unconditional_online_cb_list = 0x0, offline = false, check_if_online_ptask = 0x0, mon_conn = 0x0, refresh_ctx = 0x0, check_online_ref_count = 0, 
  check_online_retry_delay = 0, provider = 0x0, last_dp_state = -1}



Hi Pavel, 

is it expected `sbus_name` can be NULL here?

Comment 4 Pavel Březina 2021-01-20 11:51:10 UTC
In theory, yes. Because we currently set be_ctx->sbus_name after the data provider is initialized in dp_initialized(), there may be some async tasks that happen before we get there. But the timeout is set to 5 seconds, so something unexpected must have happened that we did not get into dp_initialized() for so long. Logs would be nice to understand it. But to mitigate it we can set it in or before dp_init_send().

Comment 8 Pavel Březina 2021-01-22 11:58:19 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/5467

* `master`
    * 0c6924b8d474daf35ee30d74e5496957e503b206 - SBUS: set sbus_name before dp_init_send()
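
The ordering problem discussed in comments 3, 4 and 8, as an added example that is not SSSD code or part of the upstream commit. The structs are simplified stand-ins, the function names and the bus name are hypothetical, and the NULL check in the handler is an extra defensive measure assumed here, not something the thread says the fix contains.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Simplified stand-ins for the structures in the backtrace; not SSSD code. */
struct be_ctx { const char *sbus_name; };
struct dp_client { struct be_ctx *be_ctx; const char *conn_name; };

enum verdict { PROVIDER_CONN, OTHER_CLIENT, BACKEND_NOT_READY };

/* Timer handler logic. Line 153 in the core passed be_name straight to
 * strcmp(); here a NULL backend name is reported instead of dereferenced. */
enum verdict handshake_timeout(const struct dp_client *cli)
{
    const char *be_name = cli->be_ctx->sbus_name;
    const char *name = cli->conn_name;

    if (be_name == NULL) return BACKEND_NOT_READY;
    if (name != NULL && strcmp(name, be_name) == 0) return PROVIDER_CONN;
    return OTHER_CLIENT;
}

/* Ordering seen in the core: name assigned only once init has completed. */
enum verdict run_late_assignment(const char *bus_name, int init_done_before_timer)
{
    struct be_ctx be = { NULL };
    struct dp_client cli = { &be, bus_name };
    if (init_done_before_timer) be.sbus_name = bus_name; /* callback ran in time */
    return handshake_timeout(&cli);                      /* timer fires */
}

/* Ordering of the fix: name assigned before the async init request is sent. */
enum verdict run_early_assignment(const char *bus_name, int init_done_before_timer)
{
    struct be_ctx be = { bus_name };
    struct dp_client cli = { &be, bus_name };
    (void)init_done_before_timer; /* handler no longer depends on init finishing */
    return handshake_timeout(&cli);
}

int main(void)
{
    const char *bus = "example.backend.name"; /* constructed value */
    printf("late, init slow : %d\n", run_late_assignment(bus, 0));
    printf("late, init fast : %d\n", run_late_assignment(bus, 1));
    printf("early, init slow: %d\n", run_early_assignment(bus, 0));
    return 0;
}
```

Only the late-assignment path with a slow init reaches the handler with a NULL name, which is the state the core dump shows at line 153.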

Comment 13 Pavel Březina 2021-03-05 13:12:07 UTC
*** Bug 1930540 has been marked as a duplicate of this bug. ***

Comment 15 errata-xmlrpc 2021-05-18 15:04:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1666

