Description of problem:
On a system with nss_db configured in /etc/nsswitch.conf, queries that go through libnss_db cause edquota to crash because the module expects to be calling libc's dirname() function, but ends up attempting to call the global variable named "dirname" that edquota defines (confirmed by running edquota with "$LD_DEBUG=bindings").

Version-Release number of selected component (if applicable):
quota-4.00-0.14.pre1.fc16.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install nss_db
2. make -C /var/db
3. Add "db" to the beginning of the "passwd", "group", and "shadow" lists in /etc/nsswitch.conf.
4. Run "edquota -f $fs -u $user" for a given mountpoint and user.

Actual results:
Segfault.

Expected results:
Text editor opens, as you'd expect.

Additional info:
Renaming "dirname" or making it static both prevent this from happening. I'm open to changes to how we build nss_db to prevent this there, but it won't help other nsswitch modules which might also be calling this dirname().
This is a nasty bug. Actually it means any program that does (indirectly) dlopen() can clash with any exported symbols. Especially if the dlopen()ed object can be linked against any obscure library. The clean solution is to not export any global variables/functions from the main program, and the ones that must be exported (e.g. due to communication between object program and its own direct plug-in) must be prefixed uniquely. This is like in the old days when everything was linked statically. I will audit quota tools code for that. Meanwhile use nscd to separate address space and to avoid segfault.
All Fedoras affected.
Created attachment 498523
Fix

Minimal fix. More comprehensive patch proposed to upstream.
Fix committed as quota-4.00-0.15.pre1.fc16 for F16, but it has not been built because glibc stopped delivering RPC. quota tools must be ported to standalone tirpc.
quota-4.00-0.12.pre1.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/quota-4.00-0.12.pre1.fc15
quota-3.17-16.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/quota-3.17-16.fc14
quota-3.17-13.fc13 has been submitted as an update for Fedora 13. https://admin.fedoraproject.org/updates/quota-3.17-13.fc13
The F16 fix is blocked by bug #704219 (migrate to tirpc) now.
(In reply to comment #1)
> This is nasty bug. Actually it means any program that does (indirectly)
> dlopen() can clash with any exported symbols. Especially if the dlopen()ed
> object can be linked against any obscure library.
>

The real reason why the global non-static variable dirname is exported into the dynamic symbol table is that the code is compiled with -fPIE. Without this option the resulting binary does not provide the dirname symbol, because the compiler does not make it dynamic because it's referenced in the original object file only.
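An added example, not part of the bug thread or the quota project's code: one way to audit for the clash discussed above is to compare the dynamic symbols a program exports with those a library such as libc defines. It assumes listings saved from `nm -D --defined-only`; the function names, the sample addresses and `example_flags` are constructed for illustration.

```shell
#!/bin/sh
# Added example: find dynamic symbols a program exports that shadow symbols
# defined by a shared library it may end up sharing an address space with.
# Inputs are saved listings from: nm -D --defined-only FILE

# colliding_symbols EXE_LISTING LIB_LISTING
# Prints "name exe_type lib_type kind" for every name defined in both.
colliding_symbols() {
    LC_ALL=C awk '
        # Skip undefined or malformed lines; keep global, weak, unique and ifunc definitions.
        NF < 3 || $2 !~ /^[B-TV-Z]$|^[iu]$/ { next }
        { name = $3; sub(/@.*/, "", name) }     # drop @VERSION / @@VERSION
        pass == "lib" { lib[name] = $2; next }
        name in lib {
            # A data object hiding a function is the crash case in this report.
            kind = ($2 ~ /^[BDGRSV]$/ && lib[name] ~ /^[TWi]$/) ? "data-over-function" : "same-name"
            print name, $2, lib[name], kind
        }
    ' pass=lib "$2" pass=exe "$1" | sort -u
}

# demo: run the check on constructed listings (addresses and every name
# except dirname are made up for illustration).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/exe.nm" <<'EOF'
0000000000004010 B dirname
0000000000004018 D example_flags
0000000000001139 T main
EOF
    cat > "$tmp/libc.nm" <<'EOF'
000000000009c4a0 T dirname@@GLIBC_2.2.5
0000000000098f30 i memcpy@@GLIBC_2.14
00000000000d3b10 T getpwnam@@GLIBC_2.2.5
EOF
    colliding_symbols "$tmp/exe.nm" "$tmp/libc.nm"
    rm -rf "$tmp"
}

demo   # prints: dirname B T data-over-function
```

An empty result means the program exports no name that the library also defines; any `data-over-function` line is a candidate for `static` or a unique prefix.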
this hits rhel6, as well, doesn't it? Do we have a bug open there?
found the rhel6 bug open for it. thanks
Fixed in F16 as quota-4.00-0.15.pre1.fc16 compiled against glibc-2.13.90-12.
quota-4.00-0.12.pre1.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report.
quota-3.17-13.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
quota-3.17-16.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.
All supported Fedoras have been fixed.