Bug 748926 - RHEL6.1/sssd_nss segmentation fault
Summary: RHEL6.1/sssd_nss segmentation fault
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.1
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Stephen Gallagher
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks: 756082
TreeView+ depends on / blocked
 
Reported: 2011-10-25 15:24 UTC by Masaki Furuta ( RH )
Modified: 2020-05-02 16:28 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-04 16:47:07 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 2110 0 None closed RHEL6.1/sssd_nss segmentation fault 2020-06-22 15:46:14 UTC

Description Masaki Furuta ( RH ) 2011-10-25 15:24:40 UTC 
Description of problem:

  sssd_nss segmentation fault

  <messages>
  Oct 19 09:35:32 jonah kernel: sssd_nss[31781]: segfault at 94 ip 0000003dfec24e4c sp 00007ffff666ca20 error 4 in libdbus-1.so.3.4.0[3dfec00000+40000]

  <sssd_nss.log-20111023>
  (Wed Oct 19 19:33:21 2011) [sssd[nss]] [sss_dp_send_acct_req_create] (0): D-BUS send failed.

  The Customer portal case attached to this Bug was branched from Case 00532904 for segfault issue of sssd-1.5.1-34.el6_1.3 with sssd_nss (Bug #), on that case customer firstly met sssd_pam segmentation fault issue with sssd-1.5.1-34.el6.x86_64 .

  [Environment on original case 00532904]
    kernel 2.6.32-131.0.15.el6.x86_64
    sssd-1.5.1-34.el6.x86_64 

  Then TAM suggested Dell Japan to verify this with our newest version, sssd-1.5.1-34.el6_1.3, then customer met another sssd_nss segmentation fault issue with newer version...

  [Environment on this case 00554044] 
    kernel 2.6.32-131.0.15.el6.x86_64
    sssd-1.5.1-34.el6_1.3.x86_64

  ---- Customer's comment #19 on original case 00532904 ----

  The customer updated sssd to 1.5.1-34.el6_1.3 on Oct 19th, sssd_nss was killed by segfault on Oct 21th.
  Can I create another new case? or should I upload the core file on this site?
  <snip>
  I attached ccpp-1319161809-30913.tar.gz and sssd_nss-segfault-memo.txt on this site.
  ----


Version-Release number of selected component (if applicable):

  RHEL6.1
  kernel 2.6.32-131.0.15.el6.x86_64
  sssd-1.5.1-34.el6_1.3.x86_64

How reproducible:

  Sometimes, but not sure so far, only corefile too.

----
$ tar tvzf ccpp-1319161809-30913.tar.gz 
drwxr-x--- abrt/root         0 2011-10-21 10:50 ccpp-1319161809-30913/
-rw-r--r-- root/root   7811072 2011-10-21 10:50 ccpp-1319161809-30913/coredump <====corefile
-rw------- root/root   9108792 2011-10-21 10:50 ccpp-1319161809-30913/sosreport.tar.xz
-rw-r----- abrt/root        54 2011-10-21 10:50 ccpp-1319161809-30913/release
-rw-r----- abrt/root         4 2011-10-21 10:50 ccpp-1319161809-30913/component
-rw-r----- abrt/root        48 2011-10-21 10:50 ccpp-1319161809-30913/cmdline
-rw-r----- abrt/root         5 2011-10-21 10:50 ccpp-1319161809-30913/hostname
-rw-r----- abrt/root         6 2011-10-21 10:50 ccpp-1319161809-30913/architecture
-rw-r----- abrt/root        26 2011-10-21 10:50 ccpp-1319161809-30913/executable
-rw-r----- abrt/root        21 2011-10-21 10:50 ccpp-1319161809-30913/package
-rw-r----- abrt/root         1 2011-10-21 10:50 ccpp-1319161809-30913/uid
-rw-r----- abrt/root         4 2011-10-21 10:50 ccpp-1319161809-30913/analyzer
-rw-r----- abrt/root        26 2011-10-21 10:50 ccpp-1319161809-30913/kernel
-rw-r----- abrt/root        10 2011-10-21 10:50 ccpp-1319161809-30913/time
-rw-r----- abrt/root       359 2011-10-21 10:50 ccpp-1319161809-30913/description
-rw-r----- abrt/root        68 2011-10-21 10:50 ccpp-1319161809-30913/reason
----


Steps to Reproduce:
1.
2.
3.
  
Actual results:

  Crashed with Segfault with sssd_nss

Expected results:

  No crash.

Additional info:

I installed libtevent-debuginfo-0.9.8-8.el6 and sssd-debuginfo-1.5.1-34.el6_1.3 on my system.

# gdb /usr/libexec/sssd/sssd_nss /tmp/coredump
...snip

Core was generated by `/usr/libexec/sssd/sssd_nss -d 0 --debug-to-files'.
Program terminated with signal 11, Segmentation fault.
#0  0x0000003dfec24e4c in dbus_watch_handle () from /lib64/libdbus-1.so.3
Missing separate debuginfos, use: debuginfo-install cyrus-sasl-lib-2.1.23-8.el6.x86_64 dbus-libs-1.2.24-4.el6_0.x86_64 glibc-2.12-1.25.el6.x86_64 libcollection-0.6.0-6.el6.x86_64 libdhash-0.4.2-6.el6.x86_64 libini_config-0.6.1-6.el6.x86_64 libldb-0.9.10-23.el6.x86_64 libpath_utils-0.2.1-6.el6.x86_64 libref_array-0.1.1-6.el6.x86_64 libtalloc-2.0.1-1.1.el6.x86_64 libtdb-1.2.1-3.el6.x86_64 nspr-4.8.7-1.el6.x86_64 nss-3.12.9-9.el6.x86_64 nss-softokn-freebl-3.12.9-3.el6.x86_64 nss-util-3.12.9-1.el6.x86_64 openldap-2.4.23-15.el6.x86_64 pcre-7.8-3.1.el6.x86_64 popt-1.13-7.el6.x86_64 zlib-1.2.3-25.el6.x86_64
(gdb)
(gdb) bt
#0  0x0000003dfec24e4c in dbus_watch_handle () from /lib64/libdbus-1.so.3
#1  0x0000000000427e2a in sbus_watch_handler (ev=<value optimized out>, fde=<value optimized out>,
    flags=<value optimized out>, data=<value optimized out>) at src/sbus/sssd_dbus_common.c:93
#2  0x0000003dfb405456 in epoll_event_loop (ev=<value optimized out>, location=<value optimized out>)
    at tevent_standard.c:309
#3  std_event_loop_once (ev=<value optimized out>, location=<value optimized out>) at tevent_standard.c:544
#4  0x0000003dfb4026d0 in _tevent_loop_once (ev=0xb0f360, location=0x43ef75 "src/util/server.c:526") at tevent.c:490
#5  0x0000003dfb40273b in tevent_common_loop_wait (ev=0xb0f360, location=0x43ef75 "src/util/server.c:526") at tevent.c:591
#6  0x000000000042c841 in server_loop (main_ctx=0xb10460) at src/util/server.c:526
#7  0x00000000004067ac in main (argc=4, argv=<value optimized out>) at src/responder/nss/nsssrv.c:276
(gdb) info registers
rax            0x1      1
rbx            0x90     144
rcx            0x3dfec2efb1     266267193265
rdx            0x7      7
rsi            0x2      2
rdi            0x90     144
rbp            0x1      0x1
rsp            0x7fff75f93c10   0x7fff75f93c10
r8             0xa90    2704
r9             0x0      0
r10            0x7fff75f93980   140735172655488
r11            0x246    582
r12            0x111bf40        17940288
r13            0x2      2
r14            0x1      1
r15            0x1      1
rip            0x3dfec24e4c     0x3dfec24e4c <dbus_watch_handle+12>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0
(gdb) disassemble dbus_watch_handle
Dump of assembler code for function dbus_watch_handle:
   0x0000003dfec24e40 <+0>:     push   %rbx
   0x0000003dfec24e41 <+1>:     mov    %rdi,%rbx
   0x0000003dfec24e44 <+4>:     sub    $0x10,%rsp
   0x0000003dfec24e48 <+8>:     mov    %esi,0xc(%rsp)
=> 0x0000003dfec24e4c <+12>:    mov    0x4(%rdi),%edx
   0x0000003dfec24e4f <+15>:    test   %edx,%edx
...snip
(gdb) x 0x94
0x94:   Cannot access memory at address 0x94
(gdb)

645 dbus_bool_t
646 dbus_watch_handle (DBusWatch    *watch,
647                    unsigned int  flags)
648 {
649 #ifndef DBUS_DISABLE_CHECKS
650   if (watch->fd < 0 || watch->flags == 0)		<-- Segmentation fault
651     {
652       _dbus_warn_check_failed ("%s: Watch is invalid, it should have been removed\n",
653                                _DBUS_FUNCTION_NAME);
654       return TRUE;
655     }
656 #endif


struct DBusWatch
{
  int refcount;                        /**< Reference count */
  int fd;                              /**< File descriptor. */
  unsigned int flags;                  /**< Conditions to watch. */
...snip
Comment 7 Dmitri Pal 2011-10-27 13:28:06 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/1068
Comment 17 Dmitri Pal 2011-12-15 14:09:54 UTC 
We do not have enough information to determine the cause of the problem. Until provided with the requested info we are not going to proceed and thus pushing till 6.4.
Note You need to log in before you can comment on or make changes to this bug.