Bug 3762 - nscd receives SIGSEGV for certain domain lookups
nscd receives SIGSEGV for certain domain lookups
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: glibc (Show other bugs)
6.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Cristian Gafton
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 1999-06-27 16:37 EDT by James Ralston
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 1999-07-28 01:34:59 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description James Ralston 1999-06-27 16:37:29 EDT
[Note: this report is *not* really about bind, but the
Bugzilla system forced me to choose a component, and nscd
wasn't on the list.]

For the nscd-2.1.1-6 rpm, certain domain lookups
consistently crash the nscd daemon with SIGSEGV.

As of the time of this submission, a good demonstration of
this is to ensure nscd is running, and then point a web
browser at www.deja.com, which currently resolves as
follows:

$ host -a www.deja.com
rcode = 0 (Success), ancount=23
The following answer is not authoritative:
www.deja.com    530 IN  A       208.10.192.221
www.deja.com    530 IN  A       208.10.192.222
www.deja.com    530 IN  A       208.10.192.223
www.deja.com    530 IN  A       208.10.192.224
www.deja.com    530 IN  A       208.10.192.225
www.deja.com    530 IN  A       208.10.192.226
www.deja.com    530 IN  A       208.10.192.227
www.deja.com    530 IN  A       208.10.192.228
www.deja.com    530 IN  A       208.10.192.229
www.deja.com    530 IN  A       208.10.192.230
www.deja.com    530 IN  A       208.10.192.231
www.deja.com    530 IN  A       208.10.192.232
www.deja.com    530 IN  A       208.10.192.233
www.deja.com    530 IN  A       208.10.192.234
www.deja.com    530 IN  A       208.10.192.235
www.deja.com    530 IN  A       208.10.192.236
www.deja.com    530 IN  A       208.10.192.237
www.deja.com    530 IN  A       208.10.192.238
www.deja.com    530 IN  A       208.10.192.239
www.deja.com    530 IN  A       208.10.192.240
www.deja.com    530 IN  A       208.10.192.241
www.deja.com    530 IN  A       208.10.192.242
www.deja.com    530 IN  A       208.10.192.243
For authoritative answers, see:
DEJA.com        37247 IN        NS      ODNS1.DEJANEWS.com
DEJA.com        37247 IN        NS      ODNS2.DEJANEWS.com
DEJA.com        37247 IN        NS      NS.DEJANEWS.com
Additional information:
ODNS1.DEJANEWS.com      52407 IN        A
208.10.192.67

Here are my running nscd processes:

$ ps fax
 ...
 1099 ?        S      0:00 nscd
 1102 ?        S      0:00  \_ nscd
 1103 ?        S      0:00      \_ nscd
 1104 ?        S      0:00      \_ nscd
 1105 ?        S      0:00      \_ nscd
 1106 ?        S      0:00      \_ nscd
 1107 ?        S      0:00      \_ nscd

Now, use strace to watch the parent nscd process (1099, in
this example) as one points a web browser to www.deja.com:

SYS_168(0xbffffcec, 0x1, 0x3a98, 0x3a98, 0xbffffcec) = 1
accept(0, 0, NULL)                      = ? ERESTARTSYS (To
be restarted)
--- SIGSEGV (Segmentation fault) ---

So far, this is the only domain I've encountered that
crashes nscd, but the fact that this looks a lot like a
buffer overflow problem gives me very queasy feelings about
running nscd.  I have not yet looked at the source, but if
this indeed is a buffer overflow problem, then it *might* be
possible for a clever person to stack-smash nscd (which
normally runs as root) and eventually gain root privileges.

BTW, I run nscd using the default /etc/nscd.conf that comes
with nscd-2.1.1-6; I have not made any modifications.
Comment 1 Jeff Johnson 1999-06-27 17:04:59 EDT
I'm changing the component to glibc because that's the name of the
src.rpm from which the nscd package comes ...
Comment 2 Jeff Johnson 1999-06-27 17:08:59 EDT
You might also look at #3171 which is also nscd related. There
is a fix for that problem that will be in the next glibc errata
release.
Comment 3 James Ralston 1999-07-13 18:09:59 EDT
Ok, I will wait for the next glibc errata release to show up on
rawhide.redhat.com, and test it out then.
Comment 4 James Ralston 1999-07-21 17:03:59 EDT
Ok, I've grabbed glibc-2.1.2-1 and glibc-devel-2.1.2-1 from rawhide.
So far, so good; I haven't been able to get nscd to crash.  I'll
report back after a few days of regular use.
Comment 5 James Ralston 1999-07-27 15:26:59 EDT
I wasn't able to get nscd to crash even once with glibc-2.1.2-1.  As
far as I'm concerned, the problem is corrected; I'll wait for
glibc-2.1.2-1 to be released for Red Hat 6.0 before installing it on
my production machines.
Comment 6 Cristian Gafton 1999-07-28 01:34:59 EDT
Fixed in glibc-2.1.2-1 and later, available from rawhide.

Note You need to log in before you can comment on or make changes to this bug.