Bug 211112 - sudo occasionally segfaults
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: sudo
Version: 4.4
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Peter Vrabec
QA Contact: Ben Levenson
Reported: 2006-10-17 10:15 EDT by James Olin Oden
Modified: 2007-11-16 20:14 EST (History)
Doc Type: Bug Fix
Last Closed: 2007-03-28 07:56:03 EDT
Attachments:
core file (108.00 KB, application/octet-stream), 2006-10-30 11:14 EST, Jeff Johnson
Description James Olin Oden 2006-10-17 10:15:55 EDT
Description of problem:
sudo sometimes core dumps.  I can reproduce this by running the cp command
through sudo in a little test script over and over again.   I'm running on dual
Xeons with hyperthreading turned on.   Also the core file produces an almost
useless back trace with an error like:

    Error accessing memory address 0xbf9a9964: No such file or directory

Version-Release number of selected component (if applicable):
1.6.7p5-30.1.3

How reproducible:
I suspect it takes thousands of tries, but the little test script will merrily 
keep going till it does core.


Steps to Reproduce:
1.  Run the following script:

    # create a file to copy, then call sudo in a tight loop until it fails
    touch /tmp/bother
    while sudo cp /tmp/bother /tmp/blather; do : ; done;

Actual results:
Eventually it will core dump, in about 30 seconds (oftentimes less).

Expected results:
It would keep on running along just fine.

Additional info:
Note it is assumed that the user you run this test as is configured to run cp, and does not
have to type a password.
Comment 1 Peter Vrabec 2006-10-20 12:08:18 EDT
I can't reproduce it on x86_64 :-(. Could you send coredump file, please.
Comment 2 James Olin Oden 2006-10-20 13:14:27 EDT
Sure, just attach it as an attachment or send it to your email?
Comment 3 Peter Vrabec 2006-10-23 08:03:34 EDT
The attachment is alright.
Comment 4 Jeff Johnson 2006-10-30 11:14:43 EST
Created attachment 139725 [details]
core file
Comment 5 Jeff Johnson 2006-10-30 11:21:07 EST
Note that this is a FC6 kernel (with 4 device-related patches)

    Linux gt40 2.6.18-1.2798prerel3.0.0_60.25.0PAE #1 SMP Wed Oct 25 18:58:20 EDT 2006 i686 athlon i386 GNU/Linux

running on a CentOS 4.3 userland.

Even with that variance, I'm surprised to see a sudo core dump. The core dump itself is rather odd.

Lemme try to see if I can't simplify the problem some by varying how sudo is compiled and perhaps 
what glibc is installed.
Comment 6 Jeff Johnson 2006-10-30 12:28:23 EST
Backing out the WITH_SELINUX patch does not fix the segfault.

Backing out "F_PIE=-fpie LDFLAGS=-pie" does fix the segfault.

So PIE using a 2.6.18 kernel and glibc from RHEL4/CentOS4 appear to have an intrinsic difference
w.r.t. PIE (my hunch only, consistent with the oddly uninformative core dump).
Comment 7 Jeff Johnson 2006-11-14 17:32:02 EST
The segfault is not corrected by doing (together or individually):

    echo "0" > /proc/sys/kernel/randomize_va_space
    echo "0" > /proc/sys/kernel/exec-shield

The segfault is invariant to
    execstack {-s|-c} /usr/bin/sudo

So the only known "fix" I know of is removing -fpie and -pie from compiler/linkage flags.
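The bisection in comments 5 through 7 boils down to three things: check whether the sudo binary is actually PIE, check the kernel randomization/exec-shield knobs, and run the reporter's loop until sudo dies from a signal. The script below is an added example that does those three steps; it is not part of the bug report and not Red Hat's or the sudo project's code. It assumes a little-endian ELF (the i386/x86_64 case here) when reading the e_type field, and it treats any exit status of 128 or more as "killed by signal", which is how a segfault surfaces from the `while sudo cp ...; do :; done` loop. The fake-crash command used in the test is constructed; the knob names and `execstack -q` are taken from the comments above.

```shell
#!/bin/sh
# Added example (not from the bug report): check the PIE/kernel knobs varied
# in comments 5-7 and drive the reporter's sudo stress loop.

# Print the ELF e_type of FILE: the 16-bit little-endian field at byte offset 16.
# 2 = ET_EXEC (fixed-address executable), 3 = ET_DYN (PIE or shared object).
# A sudo built with -fpie/-pie reports DYN; one built without reports EXEC.
# Assumes a little-endian target, which is the case for i386/x86_64.
elf_type() {
    t=$(od -An -t u1 -j 16 -N 2 "$1" 2>/dev/null | awk 'NF == 2 { print $1 + 256 * $2 }')
    case "${t:-none}" in
        2) echo EXEC ;;
        3) echo DYN ;;
        *) echo UNKNOWN ;;
    esac
}

# Print the value of a /proc/sys/kernel knob, or n/a when the running kernel
# has no such knob (exec-shield exists only on Red Hat kernels).
kernel_knob() {
    if [ -r "/proc/sys/kernel/$1" ]; then
        cat "/proc/sys/kernel/$1"
    else
        echo n/a
    fi
}

# Run CMD up to MAX times and stop at the first non-zero exit, like the
# reporter's while loop does. Prints "<iteration> <status>", or "0 0" when
# every run succeeded. A status of 128+N means the child died from signal N
# (139 = SIGSEGV, the case this bug is about).
stress() {
    cmd=$1; max=$2; i=0
    while [ "$i" -lt "$max" ]; do
        i=$((i + 1))
        if $cmd; then rc=0; else rc=$?; fi
        if [ "$rc" -ne 0 ]; then
            echo "$i $rc"
            return 0
        fi
    done
    echo "0 0"
}

# Turn a stress() result into a one-line verdict.
describe() {
    set -- $1
    if [ "$1" -eq 0 ]; then
        echo "no failure"
    elif [ "$2" -ge 128 ]; then
        echo "iteration $1: killed by signal $(($2 - 128))"
    else
        echo "iteration $1: exit status $2"
    fi
}

# Stand-alone run: RUN_STRESS=1 sh sudo-stress.sh [binary] [iterations]
# Requires a sudoers entry that lets the caller run cp without a password.
if [ "${RUN_STRESS:-0}" = 1 ]; then
    bin=${1:-/usr/bin/sudo}
    n=${2:-100000}
    echo "$bin: $(elf_type "$bin")"
    echo "randomize_va_space=$(kernel_knob randomize_va_space) exec-shield=$(kernel_knob exec-shield)"
    execstack -q "$bin" 2>/dev/null || echo "execstack: not available"
    ulimit -c unlimited          # let a crashing sudo leave a core file behind
    touch /tmp/bother
    describe "$(stress "sudo cp /tmp/bother /tmp/blather" "$n")"
fi
```

Running it once with the PIE build and once with the -fpie/-pie flags removed gives an EXEC-versus-DYN line next to the same kernel settings, which is the comparison comment 7 is making by hand; the iteration count at which sudo dies is also a useful number to attach to a report like this one.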
