Bug 3762 - nscd receives SIGSEGV for certain domain lookups
Summary: nscd receives SIGSEGV for certain domain lookups
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 6.0
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Cristian Gafton
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 1999-06-27 20:37 UTC by James Ralston
Modified: 2008-05-01 15:37 UTC (History)
0 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 1999-07-28 05:34:59 UTC
Embargoed:


Attachments (Terms of Use)

Description James Ralston 1999-06-27 20:37:29 UTC
[Note: this report is *not* really about bind, but the
Bugzilla system forced me to choose a component, and nscd
wasn't on the list.]

For the nscd-2.1.1-6 rpm, certain domain lookups
consistently crash the nscd daemon with SIGSEGV.

As of the time of this submission, a good demonstration of
this is to ensure nscd is running, and then point a web
browser at www.deja.com, which currently resolves as
follows:

$ host -a www.deja.com
rcode = 0 (Success), ancount=23
The following answer is not authoritative:
www.deja.com    530 IN  A       208.10.192.221
www.deja.com    530 IN  A       208.10.192.222
www.deja.com    530 IN  A       208.10.192.223
www.deja.com    530 IN  A       208.10.192.224
www.deja.com    530 IN  A       208.10.192.225
www.deja.com    530 IN  A       208.10.192.226
www.deja.com    530 IN  A       208.10.192.227
www.deja.com    530 IN  A       208.10.192.228
www.deja.com    530 IN  A       208.10.192.229
www.deja.com    530 IN  A       208.10.192.230
www.deja.com    530 IN  A       208.10.192.231
www.deja.com    530 IN  A       208.10.192.232
www.deja.com    530 IN  A       208.10.192.233
www.deja.com    530 IN  A       208.10.192.234
www.deja.com    530 IN  A       208.10.192.235
www.deja.com    530 IN  A       208.10.192.236
www.deja.com    530 IN  A       208.10.192.237
www.deja.com    530 IN  A       208.10.192.238
www.deja.com    530 IN  A       208.10.192.239
www.deja.com    530 IN  A       208.10.192.240
www.deja.com    530 IN  A       208.10.192.241
www.deja.com    530 IN  A       208.10.192.242
www.deja.com    530 IN  A       208.10.192.243
For authoritative answers, see:
DEJA.com        37247 IN        NS      ODNS1.DEJANEWS.com
DEJA.com        37247 IN        NS      ODNS2.DEJANEWS.com
DEJA.com        37247 IN        NS      NS.DEJANEWS.com
Additional information:
ODNS1.DEJANEWS.com      52407 IN        A
208.10.192.67

Here are my running nscd processes:

$ ps fax
 ...
 1099 ?        S      0:00 nscd
 1102 ?        S      0:00  \_ nscd
 1103 ?        S      0:00      \_ nscd
 1104 ?        S      0:00      \_ nscd
 1105 ?        S      0:00      \_ nscd
 1106 ?        S      0:00      \_ nscd
 1107 ?        S      0:00      \_ nscd

Now, use strace to watch the parent nscd process (1099, in
this example) as one points a web browser to www.deja.com:

SYS_168(0xbffffcec, 0x1, 0x3a98, 0x3a98, 0xbffffcec) = 1
accept(0, 0, NULL)                      = ? ERESTARTSYS (To
be restarted)
--- SIGSEGV (Segmentation fault) ---

So far, this is the only domain I've encountered that
crashes nscd, but the fact that this looks a lot like a
buffer overflow problem gives me very queasy feelings about
running nscd.  I have not yet looked at the source, but if
this indeed is a buffer overflow problem, then it *might* be
possible for a clever person to stack-smash nscd (which
normally runs as root) and eventually gain root privileges.

BTW, I run nscd using the default /etc/nscd.conf that comes
with nscd-2.1.1-6; I have not made any modifications.

Comment 1 Jeff Johnson 1999-06-27 21:04:59 UTC
I'm changing the component to glibc because that's the name of the
src.rpm from which the nscd package comes ...

Comment 2 Jeff Johnson 1999-06-27 21:08:59 UTC
You might also look at #3171 which is also nscd related. There
is a fix for that problem that will be in the next glibc errata
release.

Comment 3 James Ralston 1999-07-13 22:09:59 UTC
Ok, I will wait for the next glibc errata release to show up on
rawhide.redhat.com, and test it out then.

Comment 4 James Ralston 1999-07-21 21:03:59 UTC
Ok, I've grabbed glibc-2.1.2-1 and glibc-devel-2.1.2-1 from rawhide.
So far, so good; I haven't been able to get nscd to crash.  I'll
report back after a few days of regular use.

Comment 5 James Ralston 1999-07-27 19:26:59 UTC
I wasn't able to get nscd to crash even once with glibc-2.1.2-1.  As
far as I'm concerned, the problem is corrected; I'll wait for
glibc-2.1.2-1 to be released for Red Hat 6.0 before installing it on
my production machines.

Comment 6 Cristian Gafton 1999-07-28 05:34:59 UTC
Fixed in glibc-2.1.2-1 and later, available from rawhide.


Note You need to log in before you can comment on or make changes to this bug.