Red Hat Bugzilla – Bug 3762
nscd receives SIGSEGV for certain domain lookups
Last modified: 2008-05-01 11:37:50 EDT
[Note: this report is *not* really about bind, but the Bugzilla system forced me to choose a component, and nscd wasn't on the list.] For the nscd-2.1.1-6 rpm, certain domain lookups consistently crash the nscd daemon with SIGSEGV. As of the time of this submission, a good demonstration of this is to ensure nscd is running, and then point a web browser at www.deja.com, which currently resolves as follows: $ host -a www.deja.com rcode = 0 (Success), ancount=23 The following answer is not authoritative: www.deja.com 530 IN A 208.10.192.221 www.deja.com 530 IN A 208.10.192.222 www.deja.com 530 IN A 208.10.192.223 www.deja.com 530 IN A 208.10.192.224 www.deja.com 530 IN A 208.10.192.225 www.deja.com 530 IN A 208.10.192.226 www.deja.com 530 IN A 208.10.192.227 www.deja.com 530 IN A 208.10.192.228 www.deja.com 530 IN A 208.10.192.229 www.deja.com 530 IN A 208.10.192.230 www.deja.com 530 IN A 208.10.192.231 www.deja.com 530 IN A 208.10.192.232 www.deja.com 530 IN A 208.10.192.233 www.deja.com 530 IN A 208.10.192.234 www.deja.com 530 IN A 208.10.192.235 www.deja.com 530 IN A 208.10.192.236 www.deja.com 530 IN A 208.10.192.237 www.deja.com 530 IN A 208.10.192.238 www.deja.com 530 IN A 208.10.192.239 www.deja.com 530 IN A 208.10.192.240 www.deja.com 530 IN A 208.10.192.241 www.deja.com 530 IN A 208.10.192.242 www.deja.com 530 IN A 208.10.192.243 For authoritative answers, see: DEJA.com 37247 IN NS ODNS1.DEJANEWS.com DEJA.com 37247 IN NS ODNS2.DEJANEWS.com DEJA.com 37247 IN NS NS.DEJANEWS.com Additional information: ODNS1.DEJANEWS.com 52407 IN A 208.10.192.67 Here are my running nscd processes: $ ps fax ... 1099 ? S 0:00 nscd 1102 ? S 0:00 \_ nscd 1103 ? S 0:00 \_ nscd 1104 ? S 0:00 \_ nscd 1105 ? S 0:00 \_ nscd 1106 ? S 0:00 \_ nscd 1107 ? S 0:00 \_ nscd Now, use strace to watch the parent nscd process (1099, in this example) as one points a web browser to www.deja.com: SYS_168(0xbffffcec, 0x1, 0x3a98, 0x3a98, 0xbffffcec) = 1 accept(0, 0, NULL) = ? ERESTARTSYS (To be restarted) --- SIGSEGV (Segmentation fault) --- So far, this is the only domain I've encountered that crashes nscd, but the fact that this looks a lot like a buffer overflow problem gives me very queasy feelings about running nscd. I have not yet looked at the source, but if this indeed is a buffer overflow problem, then it *might* be possible for a clever person to stack-smash nscd (which normally runs as root) and eventually gain root privileges. BTW, I run nscd using the default /etc/nscd.conf that comes with nscd-2.1.1-6; I have not made any modifications.
I'm changing the component to glibc because that's the name of the src.rpm from which the nscd package comes ...
You might also look at #3171 which is also nscd related. There is a fix for that problem that will be in the next glibc errata release.
Ok, I will wait for the next glibc errata release to show up on rawhide.redhat.com, and test it out then.
Ok, I've grabbed glibc-2.1.2-1 and glibc-devel-2.1.2-1 from rawhide. So far, so good; I haven't been able to get nscd to crash. I'll report back after a few days of regular use.
I wasn't able to get nscd to crash even once with glibc-2.1.2-1. As far as I'm concerned, the problem is corrected; I'll wait for glibc-2.1.2-1 to be released for Red Hat 6.0 before installing it on my production machines.
Fixed in glibc-2.1.2-1 and later, available from rawhide.