Bug 748924 - RHEL6.1/sssd_pam segmentation fault
Summary: RHEL6.1/sssd_pam segmentation fault
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.1
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Stephen Gallagher
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 750914
 
Reported: 2011-10-25 15:14 UTC by Masaki Furuta ( RH )
Modified: 2020-05-02 16:28 UTC (History)

Fixed In Version: sssd-1.5.1-62.el6
Doc Type: Bug Fix
Doc Text:
Cause: When an error occurred in SSSD during composition of reply message to PAM, SSSD tried to send a reply packet to pam_sss even though the packet was not prepared yet. Consequence: SSSD PAM responder crashed. Fix: SSSD now detects if the response packet is already created. Result: In case of internal error such as that described above, the client will be forcibly disconnected and the SSSD won't crash.
Clone Of:
Environment:
Last Closed: 2011-12-06 16:41:17 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 2103 0 None closed RHEL6.1/sssd_pam segmentation fault 2020-06-22 16:10:55 UTC
Red Hat Product Errata RHBA-2011:1529 0 normal SHIPPED_LIVE sssd bug fix and enhancement update 2011-12-06 00:50:20 UTC

Description Masaki Furuta ( RH ) 2011-10-25 15:14:33 UTC
Created attachment 530119 [details]
corefile of segfault with sssd_pam

Description of problem:

  sssd_pam segmentation fault

  messages
  ---------
  Sep 20 09:33:19 jonah kernel: sssd_pam[1971]: segfault at 10 ip 000000000042f453 sp 00007fffbab2d780 error 4 in sssd_pam[400000+3d000]
  Sep 20 09:33:19 jonah abrt[10948]: saved core dump of pid 1971 (/usr/libexec/sssd/sssd_pam) to /var/spool/abrt/ccpp-1316478799-1971.new/coredump (1568768 bytes)
  Sep 20 09:33:19 jonah abrtd: Directory 'ccpp-1316478799-1971' creation detected
  Sep 20 09:33:20 jonah sssd[pam]: Starting up
  Sep 20 09:33:20 jonah abrtd: New crash /var/spool/abrt/ccpp-1316478799-1971, processing

Version-Release number of selected component (if applicable):

  RHEL6.1
  kernel 2.6.32-131.0.15.el6.x86_64
  sssd-1.5.1-34.el6.x86_64 

How reproducible:

  Sometimes, the customer is trying to reproduce it, but still not sure.
  Nothing but core file.

----
$ tar tvzf sssd_pam_abrtlog.tar.gz 
-rw-r----- abrt/root         4 2011-09-20 09:33 ./analyzer
-rw-r----- abrt/root         6 2011-09-20 09:33 ./architecture
-rw-r----- abrt/root      4786 2011-09-20 11:45 ./backtrace
-rw-r----- abrt/root        48 2011-09-20 09:33 ./cmdline
-rw-r----- abrt/root         4 2011-09-20 09:33 ./component
-rw-r--r-- root/root   1568768 2011-09-20 09:33 ./coredump <======= core file
-rw-r----- abrt/root       359 2011-09-20 09:33 ./description
-rw-r----- abrt/root        26 2011-09-20 09:33 ./executable
-rw-r----- abrt/root        40 2011-09-20 11:45 ./global_uuid
-rw-r----- abrt/root         5 2011-09-20 09:33 ./hostname
-rw-r----- abrt/root        26 2011-09-20 09:33 ./kernel
-rw-r----- abrt/root        17 2011-09-20 09:33 ./package
-rw-r----- abrt/root         1 2011-09-20 11:45 ./rating
-rw-r----- abrt/root        68 2011-09-20 09:33 ./reason
-rw-r----- abrt/root        54 2011-09-20 09:33 ./release
-rw------- root/root  12357332 2011-09-20 09:33 ./sosreport.tar.xz
-rw-r----- abrt/root        10 2011-09-20 09:33 ./time
-rw-r----- abrt/root         1 2011-09-20 09:33 ./uid
---

Steps to Reproduce:
1.
2.
3.
  
Actual results:

  Crashed with Segfault with sssd_pam

Expected results:

No crash.

Additional info:

[root@dhcp-207-132 sssd_pam_abrtlog]# gdb /usr/libexec/sssd/sssd_pam coredump 
<snip>
Core was generated by `/usr/libexec/sssd/sssd_pam -d 0 --debug-to-files'.
Program terminated with signal 11, Segmentation fault.
#0  sss_packet_send (packet=0x0, fd=27)
    at src/responder/common/responder_packet.c:221
221	    len = *packet->len - packet->iop;
(gdb) info share
From                To                  Syms Read   Shared Object Library
0x0000003dfb4022d0  0x0000003dfb4068a8  Yes         /usr/lib64/libtevent.so.0.9.8
0x0000003dfd001870  0x0000003dfd007a18  Yes         /usr/lib64/libtalloc.so.2.0.1
0x0000003e0ac01b10  0x0000003e0ac06ee8  Yes         /lib64/libpopt.so.0.0.0
0x0000003dfc0074a0  0x0000003dfc026968  Yes         /usr/lib64/libldb.so.0.9.10
0x0000003dfec07090  0x0000003dfec2e518  Yes         /lib64/libdbus-1.so.3.4.0
0x0000003dfb002140  0x0000003dfb0055a8  Yes         /lib64/librt-2.12.so
0x0000003e0b001540  0x0000003e0b01ae58  Yes         /lib64/libpcre.so.0.0.1
0x0000003dfc402740  0x0000003dfc406138  Yes         /usr/lib64/libini_config.so.2.0.0
0x0000003dfd802f80  0x0000003dfd808958  Yes         /usr/lib64/libcollection.so.2.0.0
0x0000003dfd400980  0x0000003dfd401b48  Yes         /usr/lib64/libdhash.so.1.0.0
0x0000003e0b803590  0x0000003e0b80a848  Yes         /lib64/liblber-2.4.so.2.5.6
0x0000003e0c80e050  0x0000003e0c83a468  Yes         /lib64/libldap-2.4.so.2.5.6
0x0000003e0fc01e30  0x0000003e0fc09cb8  Yes         /usr/lib64/libtdb.so.1.2.1
0x0000003e09807b90  0x0000003e09829ed8  Yes         /usr/lib64/libssl3.so
0x0000003e09c09880  0x0000003e09c219c8  Yes         /usr/lib64/libsmime3.so
0x0000003e08818630  0x0000003e088fd178  Yes         /usr/lib64/libnss3.so
0x0000003e08408560  0x0000003e084137e8  Yes         /usr/lib64/libnssutil3.so
0x0000003e09400ea0  0x0000003e09401d58  Yes         /lib64/libplds4.so
0x0000003e08c013d0  0x0000003e08c02b08  Yes         /lib64/libplc4.so
0x0000003e0900cf90  0x0000003e0902c758  Yes         /lib64/libnspr4.so
0x0000003dfa405640  0x0000003dfa410f28  Yes         /lib64/libpthread-2.12.so
0x0000003df9c00de0  0x0000003df9c01998  Yes         /lib64/libdl-2.12.so
0x0000003dfa01e9e0  0x0000003dfa13d370  Yes         /lib64/libc-2.12.so
0x0000003df9800b00  0x0000003df981984b  Yes         /lib64/ld-2.12.so
0x0000003dfb800c80  0x0000003dfb801ee8  Yes         /usr/lib64/libpath_utils.so.1.0.0
0x0000003dfc8008d0  0x0000003dfc801158  Yes         /usr/lib64/libref_array.so.1.0.0
0x0000003dfbc038c0  0x0000003dfbc12558  Yes         /lib64/libresolv-2.12.so
0x0000003e0a8046a0  0x0000003e0a814408  Yes         /usr/lib64/libsasl2.so.2.0.23
0x0000003dfac01ef0  0x0000003dfac0d1a8  Yes         /lib64/libz.so.1.2.3
0x0000003e05400c00  0x0000003e054059a8  Yes         /lib64/libcrypt-2.12.so
0x0000003e06c03270  0x0000003e06c42928  Yes         /lib64/libfreebl3.so
0x00007f6ea1d13270  0x00007f6ea1d19c48  Yes         /usr/lib64/ldb/memberof.so
(gdb) bt full
#0  sss_packet_send (packet=0x0, fd=27)
    at src/responder/common/responder_packet.c:221
        rb = <value optimized out>
        len = <value optimized out>
        buf = <value optimized out>
#1  0x000000000042b74b in client_send (ev=<value optimized out>, 
    fde=<value optimized out>, flags=<value optimized out>, 
    ptr=<value optimized out>) at src/responder/common/responder_common.c:134
        ret = <value optimized out>
#2  client_fd_handler (ev=<value optimized out>, fde=<value optimized out>, 
    flags=<value optimized out>, ptr=<value optimized out>)
    at src/responder/common/responder_common.c:224
        cctx = 0x1a196a0
#3  0x0000003dfb405456 in epoll_event_loop (ev=<value optimized out>, 
    location=<value optimized out>) at tevent_standard.c:309
        fde = <value optimized out>
        flags = <value optimized out>
        ret = 1
        i = <value optimized out>
        events = {{events = 4, data = {ptr = 0x1a18350, fd = 27362128, 
              u32 = 27362128, u64 = 27362128}}}
        timeout = <value optimized out>
#4  std_event_loop_once (ev=<value optimized out>, 
    location=<value optimized out>) at tevent_standard.c:544
        std_ev = 0x1a103e0
        tval = {tv_sec = 30, tv_usec = 0}
#5  0x0000003dfb4026d0 in _tevent_loop_once (ev=0x1a10320, 
    location=0x436b75 "src/util/server.c:526") at tevent.c:490
        ret = <value optimized out>
        nesting_stack_ptr = 0x0
#6  0x0000003dfb40273b in tevent_common_loop_wait (ev=0x1a10320, 
    location=0x436b75 "src/util/server.c:526") at tevent.c:591
        ret = <value optimized out>
#7  0x0000000000425861 in server_loop (main_ctx=0x1a11420)
    at src/util/server.c:526
No locals.
#8  0x00000000004079b0 in main (argc=<value optimized out>, 
    argv=<value optimized out>) at src/responder/pam/pamsrv.c:230
        opt = <value optimized out>
        pc = <value optimized out>
        main_ctx = 0x1a11420
        ret = <value optimized out>
        long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4, 
            arg = 0x63dd20, val = 0, descrip = 0x430e02 "Help options:", 
            argDescrip = 0x0}, {longName = 0x430e10 "debug-level", 
            shortName = 100 'd', argInfo = 2, arg = 0x63de18, val = 0, 
            descrip = 0x430de1 "Debug level", argDescrip = 0x0}, {
            longName = 0x430e1c "debug-to-files", shortName = 102 'f', 
            argInfo = 0, arg = 0x63de1c, val = 0, 
            descrip = 0x430f48 "Send the debug output to files instead of stderr", argDescrip = 0x0}, {longName = 0x430e2b "debug-timestamps", 
            shortName = 0 '\000', argInfo = 2, arg = 0x63dce0, val = 0, 
            descrip = 0x430ded "Add debug timestamps", argDescrip = 0x0}, {
            longName = 0x0, shortName = 0 '\000', argInfo = 0, arg = 0x0, 
            val = 0, descrip = 0x0, argDescrip = 0x0}}
        __FUNCTION__ = "main"

Comment 2 Stephen Gallagher 2011-10-25 18:13:41 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1061

Comment 7 Jan Zeleny 2011-10-27 11:40:52 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When an error occurred in SSSD during composition of reply message to PAM, SSSD tried to send a reply packet to pam_sss even though the packet was not prepared yet.
Consequence: SSSD PAM responder crashed.
Fix: SSSD now detects if the response packet is already created.
Result: In case of internal error such as that described above, the client will be forcibly disconnected and the SSSD won't crash.
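
The failure mode and the fix described in the technical note, as an added C model (not SSSD's code and not part of this bug report): a write-ready handler reaches the send routine before any reply packet exists. All struct and function names are hypothetical; the struct is laid out so that `len` sits at offset 0x10 on x86_64, the fault address in the kernel log line above, and the real SSSD layout is not shown on this page.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <unistd.h>

/* Modelled reply packet; layout is an assumption, not copied from SSSD. */
struct packet {
    size_t memsize;
    uint8_t *buffer;
    uint32_t *len;   /* total length word inside buffer */
    size_t iop;      /* bytes already written */
};

/* Modelled client state: out stays NULL until a reply has been composed. */
struct client { int fd; struct packet *out; int disconnected; };

/* Pre-fix shape: with packet == NULL the read of packet->len faults at
 * address offsetof(struct packet, len). */
int packet_send_unchecked(struct packet *packet, int fd)
{
    size_t len = *packet->len - packet->iop;
    ssize_t n = write(fd, packet->buffer + packet->iop, len);
    if (n < 0) return errno;
    packet->iop += (size_t)n;
    return packet->iop < *packet->len ? EAGAIN : 0;
}

/* Hardened shape: refuse a reply that was never prepared. */
int packet_send_checked(struct packet *packet, int fd)
{
    if (packet == NULL || packet->len == NULL) return EINVAL;
    return packet_send_unchecked(packet, fd);
}

/* Write-ready handler: any error except EAGAIN drops this one client. */
int client_send(struct client *c)
{
    int ret = packet_send_checked(c->out, c->fd);
    if (ret == EAGAIN) return ret;      /* partial write, wait for next event */
    if (ret != 0) c->disconnected = 1;  /* responder keeps running */
    else c->out = NULL;                 /* reply fully sent */
    return ret;
}
size_t len_field_offset(void) { return offsetof(struct packet, len); }

int main(void)
{
    struct client c = { -1, NULL, 0 };  /* constructed error path: no reply */
    return (client_send(&c) == EINVAL && c.disconnected) ? 0 : 1;
}
```

Calling `packet_send_unchecked(NULL, fd)` instead reproduces the crash class in the backtrace (`packet=0x0`), which is why the check belongs in the send routine rather than in each caller.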

Comment 8 Kaushik Banerjee 2011-11-07 14:23:38 UTC
Marking this bug VERIFIED as all automation regression tests have passed.

Verified in version:
# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 66.el6                        Build Date: Tue 01 Nov 2011 02:05:40 AM IST
Install Date: Thu 03 Nov 2011 04:06:20 PM IST      Build Host: x86-003.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-66.el6.src.rpm
Size        : 3628521                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Comment 9 errata-xmlrpc 2011-12-06 16:41:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html

