Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be unavailable on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 457519 - groups_search() cannot handle large gid correctly
Summary: groups_search() cannot handle large gid correctly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: kernel
Version: 4.7
Hardware: i686
OS: Linux
medium
medium
Target Milestone: rc
: ---
Assignee: Jerome Marchand
QA Contact: Petr Beňas
URL:
Whiteboard:
Depends On:
Blocks: 629626 629629
TreeView+ depends on / blocked
 
Reported: 2008-08-01 10:27 UTC by masaya.hasegawa.hp
Modified: 2015-01-04 22:58 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 629626 629629 (view as bug list)
Environment:
Last Closed: 2011-02-16 16:00:17 UTC
Target Upstream Version:


Attachments (Terms of Use)
patch (675 bytes, patch)
2008-08-01 10:27 UTC, masaya.hasegawa.hp
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:0263 0 normal SHIPPED_LIVE Important: Red Hat Enterprise Linux 4.9 kernel security and bug fix update 2011-02-16 15:14:55 UTC

Description masaya.hasegawa.hp 2008-08-01 10:27:10 UTC
Description of problem:
RHEL 4.7(X86)

If user account over 0x7fffffff gid, groups_search(kernel/sys.c) does not work 
correctly.

ex)
$ whoami
was
$ id
uid=502(was) gid=502(was) groups=502(was),600(oninstall),2151678465
(was2),2151678496(was3)

$ ls -l /tmp
drwxrwx---  2 root     oninstall   4096 Jul 29 13:56 aaa

user "was" have "oninstall" gid and  should be able to access /tmp/aaa
But "was" cannot access /tmp/aaa

$ ls -l /tmp/aaa
ls: /tmp/aaa: Permission denied

As a result of investigation, I think  groups_search() function has a bug.
The argument gid_t grp is unsigned int. However cmp is int. If gid is 
over 0x7fffffff(2147483647), value of cmp will become incorrect value.
As a result, return value will be incorrect(0) also. 

/* a simple bsearch */
int groups_search(struct group_info *group_info, gid_t grp)
{
        int left, right;

        if (!group_info)
                return 0;

        left = 0;
        right = group_info->ngroups;
        while (left < right) {
                int mid = (left+right)/2;
                int cmp = grp - GROUP_AT(group_info, mid);
                if (cmp > 0)
                        left = mid + 1;
                else if (cmp < 0)
                        right = mid;
                else
                        return 1;
        }
        return 0;
}



Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:

1.  create account and set data to /etc/group so that it have the below gids.

oninstall:x:600:test1,was,test2
was2:x:2151678465:was,test2
was3:x:2151678496:was
was:x:502:

$ id was
uid=502(was) gid=502(was) groups=502(was),600(oninstall),2151678465
(was2),2151678496(was3)

2. #mkdir /tmp/aaa
    #chgrp oninstall /tmp/aaa

3.  # su - was
    [was]$ ls -l /tmp/aaa
    ls: /tmp/aaa: Permission denied
  
Actual results:

ls fail with "Permission denied error"

Expected results:

ls success

Additional info:

I think this can be fixed by attachment way.

Comment 1 masaya.hasegawa.hp 2008-08-01 10:27:10 UTC
Created attachment 313181 [details]
patch

Comment 10 RHEL Program Management 2009-03-12 18:52:13 UTC
Since RHEL 4.8 External Beta has begun, and this bugzilla remains 
unresolved, it has been rejected as it is not proposed as exception or 
blocker.

Comment 13 RHEL Program Management 2010-10-12 17:10:58 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 15 Vivek Goyal 2010-10-15 13:26:45 UTC
Committed in 89.44.EL . RPMS are available at http://people.redhat.com/vgoyal/rhel4/

Comment 19 Petr Beňas 2010-12-22 14:31:15 UTC
Reproduced in 2.6.9-89.43.EL and verified in 2.6.9-89.44.EL.

Comment 21 errata-xmlrpc 2011-02-16 16:00:17 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0263.html


Note You need to log in before you can comment on or make changes to this bug.