Bug 439301 - under some specific conditions nss_ldap segfaults
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss_ldap
Version: 5.1
Hardware: i386 Linux
Priority: low
Severity: high
Target Milestone: rc
Assigned To: Nalin Dahyabhai
Reported: 2008-03-27 18:55 EDT by Stephen Roylance
Modified: 2010-07-01 13:11 EDT
Doc Type: Bug Fix
Last Closed: 2010-07-01 13:11:19 EDT
External Tracker: PADL Software 315
Description Stephen Roylance 2008-03-27 18:55:13 EDT
Description of problem:

nss_ldap is configured to use an Active Directory domain, with some large
groups.  A specific large group with more than 1500 users causes nss_ldap to
segfault whenever id or groups is called on a user in that group.

Version-Release number of selected component (if applicable):
253

How reproducible:
data dependent
  
Additional info:
This problem exists in stock nss_ldap 253.  I ran 'id' using a non-stripped
libnss_ldap.so v253 under gdb, with the following output:
[root@--- nss_ldap-253]# gdb id
GNU gdb Red Hat Linux (6.5-25.el5_1.1rh)
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib/libthread_db.so.1".

(gdb) run [user name for an affected user]
Starting program: /usr/bin/id [user name for an affected user]
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
*** glibc detected *** /usr/bin/id: realloc(): invalid next size: 0x0971c980 ***
======= Backtrace: =========
/lib/libc.so.6[0x9da390]
/lib/libc.so.6(realloc+0xfe)[0x9db21e]
/lib/libnss_ldap.so.2[0x749263]
/lib/libnss_ldap.so.2[0x749936]
/lib/libnss_ldap.so.2[0x74869c]
/lib/libnss_ldap.so.2(_nss_ldap_getgrgid_r+0x78)[0x749b98]
/lib/libc.so.6(getgrgid_r+0xa3)[0x9fd783]
/lib/libc.so.6(getgrgid+0x78)[0x9fcf78]
/usr/bin/id[0x8049b14]
/lib/libc.so.6(__libc_start_main+0xdc)[0x986dec]
/usr/bin/id[0x8048de1]
======= Memory map: ========
00uid=2472829([user name for an affected user]) gid=100001(PosixUsers)
groups=100001(PosixUsers),102744(---),113787
Program received signal SIGABRT, Aborted.
0x00886402 in __kernel_vsyscall ()
(gdb) bt
#0  0x00886402 in __kernel_vsyscall ()
#1  0x00999ba0 in raise () from /lib/libc.so.6
#2  0x0099b4b1 in abort () from /lib/libc.so.6
#3  0x009cfdfb in __libc_message () from /lib/libc.so.6
#4  0x009da390 in _int_realloc () from /lib/libc.so.6
#5  0x009db21e in realloc () from /lib/libc.so.6
#6  0x00749263 in do_parse_group_members (e=0x971b700, pGroupMembers=0xbfc60540, pGroupMembersCount=0xbfc6053c, pGroupMembersBufferSize=0xbfc60538, pGroupMembersBufferIsMalloced=0xbfc60534, buffer=0xbfc60568, buflen=0xbfc6056c, depth=0xbfc60530, pKnownGroups=0xbfc6052c) at ldap-grp.c:382
#7  0x00749936 in _nss_ldap_parse_gr (e=0x971c3e8, pvt=0xbfc6057c, result=0xaae8dc, buffer=0x96dff54 "---"..., buflen=7524) at ldap-grp.c:609
#8  0x0074869c in _nss_ldap_getbyname (args=0xbfc605d8, result=0xaae8dc, buffer=0x96ddcb8 "113787", buflen=16384, errnop=0xb7f80898, filterprot=0x758740 "(&(objectClass=group)(gidNumber=%d))", sel=LM_GROUP, parser=0x7497a0 <_nss_ldap_parse_gr>) at ldap-nss.c:2861
#9  0x00749b98 in _nss_ldap_getgrgid_r (gid=113787, result=0xaae8dc, buffer=0x96ddcb8 "113787", buflen=6, errnop=0x6fae) at ldap-grp.c:1216
#10 0x009fd783 in getgrgid_r@@GLIBC_2.1.2 () from /lib/libc.so.6
#11 0x009fcf78 in getgrgid () from /lib/libc.so.6
#12 0x08049b14 in ?? ()
#13 0x00986dec in __libc_start_main () from /lib/libc.so.6
#14 0x08048de1 in ?? ()

The problem does not exist in stock v260; a diff of ldap-grp.c between 253 and
260 indicates the resolution of an off-by-one error.
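As an added illustration (not nss_ldap's code and not the 253-to-260 diff the report refers to), this is a gr_mem-style NULL-terminated member array grown with realloc(), written so that the terminator slot is always counted in the capacity check; the struct, the function names and the constructed DNs are assumptions for the example, and build_group() exercises it past the 1500-member size mentioned above.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not nss_ldap's code: a NULL-terminated member array
 * (the shape of struct group's gr_mem) grown with realloc(). The capacity
 * check reserves the terminator slot; forgetting it is the kind of off-by-one
 * that makes glibc abort with "realloc(): invalid next size", as reported. */
struct members {
    char **items;  /* NULL-terminated array of duplicated DNs */
    size_t count;  /* DNs stored, terminator excluded */
    size_t cap;    /* slots allocated, terminator included */
};

int members_add(struct members *m, const char *dn)  /* 0 ok, -1 on ENOMEM */
{
    if (m->count + 2 > m->cap) {            /* new DN + terminator must fit */
        size_t ncap = m->cap ? m->cap * 2 : 16;
        char **tmp = realloc(m->items, ncap * sizeof *tmp);
        if (tmp == NULL)
            return -1;
        m->items = tmp;
        m->cap = ncap;
    }
    if ((m->items[m->count] = strdup(dn)) == NULL)
        return -1;
    m->items[++m->count] = NULL;            /* count < cap, so in bounds */
    return 0;
}

/* Builds a constructed group of n hypothetical DNs and returns how many were
 * stored, or (size_t)-1 if the terminator invariant is broken. */
size_t build_group(size_t n)
{
    struct members m = {0};
    char dn[80];
    for (size_t i = 0; i < n; i++) {
        snprintf(dn, sizeof dn, "CN=user%zu,CN=Users,DC=example,DC=org", i);
        if (members_add(&m, dn) != 0)
            break;
    }
    size_t stored = m.count;
    if (m.items != NULL && (m.count >= m.cap || m.items[m.count] != NULL))
        stored = (size_t)-1;
    for (size_t i = 0; i < m.count; i++)
        free(m.items[i]);
    free(m.items);
    return stored;
}
```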
Comment 1 Travis Kepley 2008-04-04 16:25:00 EDT
In addition to this information, Stephen has provided me with the following
steps to recreate as well as a few other tidbits that would be helpful in
recreating and understanding the segfault:

Stephen wrote,
We are running nss_ldap and pam_ldap fully updated to current from RHN on RHEL
5.1.  Our /etc/ldap.conf looks like so:
###################################################
# partners.org points to the domain controllers
uri ldaps://ldap.partners.org/
scope sub
timelimit 120
bind_timelimit 5
bind_policy hard_open
idle_timelimit 3600
ssl yes
tls_cacertdir /etc/ldap/cacerts

# WARNING: LOTS OF OUTPUT!
#debug 5
#logdir /tmp/log

pam_filter &(objectclass=User)(memberof=CN=PHS-HPCGGSSH-G,CN=Users,DC=partners,DC=org)

# Proxy User XXX: Should not be "service"
binddn cn=proxyuser,cn=users,dc=partners,dc=org
bindpw XXXXX

#rootbinddn cn=manager,dc=example,dc=com

#ldap_version 3

# Specify a minimum or maximum UID number allowed
pam_min_uid 10000
#pam_max_uid 0

pam_password_prohibit_message Please Use Partners Password Self Service to Change your password (http://myprofile.partners.org/)


# RFC2307bis naming contexts
nss_base_passwd cn=users,dc=partners,dc=org?one
nss_base_shadow cn=users,dc=partners,dc=org?one
nss_base_group  cn=users,dc=partners,dc=org?one
# We don't use any of these
#nss_base_hosts         ou=Hosts,dc=example,dc=com?one
#nss_base_services      ou=Services,dc=example,dc=com?one
#nss_base_networks      ou=Networks,dc=example,dc=com?one
#nss_base_protocols     ou=Protocols,dc=example,dc=com?one
#nss_base_rpc           ou=Rpc,dc=example,dc=com?one
#nss_base_ethers        ou=Ethers,dc=example,dc=com?one
#nss_base_netmasks      ou=Networks,dc=example,dc=com?one
#nss_base_bootparams    ou=Ethers,dc=example,dc=com?one
#nss_base_aliases       ou=Aliases,dc=example,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=example,dc=com?one

# RFC 2307 (AD) mappings
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
pam_login_attribute sAMAccountName

nss_initgroups backlink
###################################################

This configuration works as expected for most users in the directory.  Users in
AD can login, all file permissions operations (chown, chgrp) operate as expected
using usernames from AD, and group membership appears correct using commands
like 'id' and 'groups'.

As posted in the linked bug, any user who is a member of a specific large group
causes nss_ldap to crash when id is called on them and cannot log in.


Thanks,
Travis Kepley
GSS Red Hat Inc
Comment 2 Nalin Dahyabhai 2010-04-01 13:14:27 EDT
This looks similar to or the same as the heap corruption we were seeing in #444031, which was fixed in 5.2.  Are you still experiencing this error?
Comment 3 Dmitri Pal 2010-07-01 13:11:19 EDT
We think it is fixed in the current release.
If you can still reproduce it please reopen or file another bug.
