2061727 – glibc: NSS framework can report incorrect lookup result if function lookup clobbers errno

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2061727 - glibc: NSS framework can report incorrect lookup result if function lookup clobbers errno

Summary: glibc: NSS framework can report incorrect lookup result if function lookup cl...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	glibc
Sub Component:
Version:	8.6
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	Florian Weimer
QA Contact:	Martin Coufal
Docs Contact:
URL:
Whiteboard:
Depends On:	1691691 2063142
Blocks:	1630410 2063712
TreeView+	depends on / blocked

Reported:	2022-03-08 12:31 UTC by Michal Hlavinka
Modified:	2023-07-18 14:30 UTC (History)
CC List:	19 users (show)
Fixed In Version:	glibc-2.28-189.1.el8
Doc Type:	Bug Fix
Doc Text:	.`glibc` now restores errno after loading a Name Service Switch (NSS) module. Previously, the NSS implementation in `glibc` set errno incorrectly during database enumeration that used functions such as `getpwent()` if the last NSS module did not provide any data. This caused applications using these enumeration functions to fail. The bug is fixed and `glibc` now restores errno after loading an NSS module.
Clone Of:	1691691
Clones:	2063142 2063712 (view as bug list)
Environment:
Last Closed:	2022-05-10 15:18:10 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-114806	None	None	None	2022-03-08 12:37:21 UTC
Red Hat Product Errata	RHBA-2022:2005	None	None	None	2022-05-10 15:18:31 UTC
Sourceware	28953	P2	NEW	NSS lookup result can be incorrect if function lookup clobbers errno	2022-03-10 10:35:49 UTC

Internal Links: 2062648

Comment 2 David Tardon 2022-03-10 09:32:09 UTC

errno is already set to EPERM when _nss_systemd_getpwent_r is entered:

Breakpoint 1, _nss_systemd_getpwent_r (result=0x7ffff7dcc460 <resbuf>, buffer=0x602bf0 "rngd", 
    buflen=1024, errnop=0x7ffff7ff1480) at ../src/nss-systemd/nss-systemd.c:734
734	enum nss_status _nss_systemd_getpwent_r(struct passwd *result, char *buffer, size_t buflen, int *errnop) {
Missing separate debuginfos, use: yum debuginfo-install libblkid-2.32.1-35.el8.x86_64 libcap-2.48-2.el8.x86_64 libgcc-8.5.0-10.el8.x86_64 libmount-2.32.1-35.el8.x86_64 libselinux-2.9-5.el8.x86_64 libuuid-2.32.1-35.el8.x86_64 pcre2-10.32-2.el8.x86_64 sssd-client-2.6.2-3.el8.x86_64
(gdb) p errno
$1 = 1

Comment 3 Florian Weimer 2022-03-10 10:19:52 UTC

The reproducer from the private description:

#include <sys/types.h>
#include <pwd.h>
#include <errno.h>
#include <stdio.h>

int main(void)
{
    struct passwd *pw;
    errno = 0;
    setpwent();
    while ((pw = getpwent()) != NULL) {
        errno = 0;
        printf("%d: %s\n", pw->pw_uid, pw->pw_name);
    }
    printf("getpwent errno = %d (%m)\n", errno);
    endpwent();
    return 0;
}

It's a bit iffy because it does not set errno right before the getpwent call, but that is not what is causing this. EPERM is not visible in strace because of bug 2062648, the actual error is EINVAL from prctl (as seen on :

prctl(PR_CAPBSET_READ, CAP_MAC_OVERRIDE) = 1
prctl(PR_CAPBSET_READ, 0x30 /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, CAP_CHECKPOINT_RESTORE) = 1
prctl(PR_CAPBSET_READ, 0x2c /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x2a /* CAP_??? */) = -1 EINVAL (Invalid argument)
prctl(PR_CAPBSET_READ, 0x29 /* CAP_??? */) = -1 EINVAL (Invalid argument)

The libcap ELF constructor also clobbers errno. This is perhaps not a great thing to do, but a successful call to (internal) dlopen can clobber errno for other reasons as well, and the glibc NSS framework is not prepared to deal with that. So we have to fix this in glibc anyway.

This glibc bug is present in the rewritten upstream code, and earlier versions of Red Hat Enterprise Linux 8. It's not a new problem as far as glibc is concerned. How important is it that we fixed this in the upcoming 8.6.0 release?

Comment 4 Michal Hlavinka 2022-03-10 10:41:58 UTC

(In reply to Florian Weimer from comment #3)
> ... How important is it that we fixed this in the upcoming
> 8.6.0 release?

It causes problem for dovecot (recreates bug #1630410) when it tries to iterate over user list for mail administration (doveadm command) that handles mail backup,replication,acl,quota,...

Comment 5 Florian Weimer 2022-03-10 12:50:36 UTC

(In reply to Michal Hlavinka from comment #4)
> (In reply to Florian Weimer from comment #3)
> > ... How important is it that we fixed this in the upcoming
> > 8.6.0 release?
> 
> It causes problem for dovecot (recreates bug #1630410) when it tries to
> iterate over user list for mail administration (doveadm command) that
> handles mail backup,replication,acl,quota,...

I'm reading this as, “we really should fix this in the exception phase”.

Carlos, what do you think?

Meanwhile I've posted an upstream patch:

[PATCH 2/2] nss: Protect against errno changes in function lookup (bug 28953)
https://sourceware.org/pipermail/libc-alpha/2022-March/137009.html

This won't apply downstream as-is because of the NSS refactoring that happened upstream. But I expect a similar approach can be used downstream.

Comment 20 errata-xmlrpc 2022-05-10 15:18:10 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (glibc bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2005

Note You need to log in before you can comment on or make changes to this bug.