
Bug#245029: marked as done (libc6: SIGSEGV in getgrouplist()/getpwnam())

Your message dated Fri, 05 Aug 2005 19:15:42 +0900
with message-id <81psssu1td.wl%gotom@debian.or.jp>
and subject line Close bugs tagged as woody
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Received: (at submit) by bugs.debian.org; 21 Apr 2004 03:50:52 +0000
>From norbi.spam@nix.hu Tue Apr 20 20:50:52 2004
Return-path: <norbi.spam@nix.hu>
Received: from adsl-192-067.vnet.hu (mail.cyber-cafe.hu) [] 
	by spohr.debian.org with smtp (Exim 3.35 1 (Debian))
	id 1BG8l9-0007NC-00; Tue, 20 Apr 2004 20:50:51 -0700
Received: (qmail 20592 invoked from network); 21 Apr 2004 03:50:48 -0000
X-Scanned-By: AMaViS-ng + ClamAV at mail.cyber-cafe.hu
Received: from unknown (HELO leo.itthon) (
  by bd.arena.cyber-cafe.hu with SMTP; 21 Apr 2004 03:50:47 -0000
Date: Wed, 21 Apr 2004 05:50:47 +0200
From: BUCHMULLER Norbert <norbi.spam@nix.hu>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libc6: SIGSEGV in getgrouplist()/getpwnam()
Message-Id: <20040421055047.6eb3e3f9.norbi.spam@nix.hu>
X-Mailer: Sylpheed version 0.8.11 (GTK+ 1.2.10; i386-debian-linux-gnu)
Mime-Version: 1.0
Content-Type: multipart/mixed;
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2004_03_25 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-7.0 required=4.0 tests=BAYES_00,HAS_PACKAGE 
	autolearn=no version=2.60-bugs.debian.org_2004_03_25
X-CrossAssassin-Score: 1

This is a multi-part message in MIME format.

Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

Package: libc6
Version: 2.2.5-11.5
Severity: important

Found that under certain circumstances my program got SIGSEGV in
getgrouplist(). Tried it on three different machines, with the same

When all of these hold true, it segfaults:

* two calls to getgrouplist() (the second yields the segmentation fault)
(these two calls can be unrelated - I mean they need not have any of their
arguments be the same, unlike in the sample program)
* a getpwnam() call must precede the getgrouplist()
* the user must be a member of at least 6 supplementary groups
* (this is rather strange to me) the malloc() that gets the space to hold
the group list must be preceded by the getpwnam() call

(Seems to be some bounds violation in the heap to me, even may have
security concerns.)

I attached two sample 'proglets' that demonstrate the last argument, and a
backtrace using libc6-dbg (plus some additional info).


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux ***** 2.4.24 #1 Wed Mar 3 21:16:10 CET 2004 i686
Locale: LANG=C, LC_CTYPE=hu_HU

Content-Type: text/x-csrc;
Content-Disposition: attachment;
Content-Transfer-Encoding: 7bit

#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>

gid_t *supplementary_groups(char *user)
{
	struct passwd *pw;
	int ngroups = 1;
	gid_t *groups;

	/* Order is significant for the next two calls. This works: */
	groups = (gid_t *) malloc(ngroups * sizeof(gid_t));
	pw = getpwnam(user);

	if (!pw)
		return NULL;

	/* A negative return means the buffer was too small; *ngroups now holds
	   the number of slots needed, so grow the buffer and retry. */
	if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) < 0) {
		groups = realloc(groups, ngroups * sizeof(gid_t));
		getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups);
	}
	return groups;
}

/* main() was not preserved in the archive; reconstructed to match the dies.c
   backtrace, which shows main() calling supplementary_groups("norbi"). */
int main(void)
{
	free(supplementary_groups("norbi"));
	return 0;
}

Content-Type: text/x-csrc;
Content-Disposition: attachment;
Content-Transfer-Encoding: 7bit

#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <pwd.h>
#include <grp.h>

gid_t *supplementary_groups(char *user)
{
	struct passwd *pw;
	int ngroups = 1;
	gid_t *groups;

	/* Order is significant for the next two calls. This generates a SIGSEGV: */
	pw = getpwnam(user);
	groups = (gid_t *) malloc(ngroups * sizeof(gid_t));

	if (!pw)
		return NULL;

	/* A negative return means the buffer was too small; *ngroups now holds
	   the number of slots needed, so grow the buffer and retry. */
	if (getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups) < 0) {
		groups = realloc(groups, ngroups * sizeof(gid_t));
		getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups);
	}
	return groups;
}

/* main() was not preserved in the archive; reconstructed from the backtrace,
   which shows main() at dies.c:29 calling supplementary_groups("norbi"). */
int main(void)
{
	free(supplementary_groups("norbi"));
	return 0;
}

Content-Type: application/octet-stream;
Content-Disposition: attachment;
Content-Transfer-Encoding: base64


Content-Type: text/plain;
Content-Disposition: attachment;
Content-Transfer-Encoding: 7bit

Script started on Wed Apr 21 04:43:22 2004
norbi@mymachine:~/tmp/toroljle/getgrouplist-bug$ make
cc -g -O0    works.c   -o works
cc -g -O0    dies.c   -o dies
norbi@mymachine:~/tmp/toroljle/getgrouplist-bug$ ./works 
norbi@mymachine:~/tmp/toroljle/getgrouplist-bug$ ./dies 
Segmentation fault (core dumped)
norbi@mymachine:~/tmp/toroljle/getgrouplist-bug$ export LD_LIBRARY_PATH=/usr/lib/debug
norbi@mymachine:~/tmp/toroljle/getgrouplist-bug$ gdb dies
(gdb) r
Starting program: /home/norbi/Scratch/toroljle/getgrouplist-bug/dies 

Program received signal SIGSEGV, Segmentation fault.
0x400f0248 in known_compare (p1=0xbffff828, p2=0x72) at nsswitch.c:259
259	nsswitch.c: No such file or directory.
	in nsswitch.c
(gdb) bt
#0  0x400f0248 in known_compare (p1=0xbffff828, p2=0x72) at nsswitch.c:259
#1  0x400e23b8 in __tsearch (key=0xbffff828, vrootp=0x8049dac, 
    compar=0x400f0228 <known_compare>) at tsearch.c:260
#2  0x400f02a9 in __nss_lookup_function (ni=0x8049d90, 
    fct_name=0x40121425 "initgroups_dyn") at nsswitch.c:280
#3  0x400b2ab5 in internal_getgrouplist (user=0x8049728 "norbi", group=100, 
    size=0xbffff8a4, groupsp=0xbffff8a8, limit=-1) at initgroups.c:163
#4  0x400b2bc8 in getgrouplist (user=0x8049728 "norbi", group=100, 
    groups=0x804a588, ngroups=0xbffff8d4) at initgroups.c:209
#5  0x08048566 in supplementary_groups (user=0x80485e4 "norbi") at dies.c:22
#6  0x08048587 in main () at dies.c:29
(gdb) q
A debugging session is active.
Do you still want to close the debugger?(y or n) y
norbi@mymachine:~/tmp/toroljle/getgrouplist-bug$ dpkg -l libc6 libc6-dbg
| Status=Not/Installed/Config-files/Unpacked/Failed-config/Half-installed
|/ Err?=(none)/Hold/Reinst-required/X=both-problems (Status,Err: uppercase=bad)
||/ Name           Version        Description
ii  libc6          2.2.5-11.5     GNU C Library: Shared libraries and Timezone
ii  libc6-dbg      2.2.5-11.5     GNU C Library: Libraries with debugging symb
norbi@mymachine:~/tmp/toroljle/getgrouplist-bug$ cat /etc/nsswitch.conf
# /etc/nsswitch.conf
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat
group:          compat
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
Script done on Wed Apr 21 04:45:18 2004
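The 1-slot buffer is the trigger: glibc before 2.3.3 copied the complete group list into groups even when it exceeded *ngroups (documented in the BUGS section of getgrouplist(3)), so the first call overran a 4-byte heap block, and the order of malloc() and getpwnam() only decided which neighbouring heap block the overrun hit. The C program below is an added example, not part of the bug report: it sizes the buffer for the worst case (sysconf(_SC_NGROUPS_MAX) plus the primary group) before calling getgrouplist() once, and checks a sentinel slot afterwards, so a library that ignores *ngroups cannot corrupt unrelated heap memory and any overrun is detected; supplementary_groups_safe() and GID_SENTINEL are names chosen here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Sentinel one slot past the buffer: if it changes, libc wrote past *ngroups. */
#define GID_SENTINEL ((gid_t)0xDEADBEEF)

/* Hypothetical helper, not from the report: malloc'd list of all groups of
 * `user` (primary group first), count in *count; NULL on failure or overrun. */
gid_t *supplementary_groups_safe(const char *user, int *count)
{
	struct passwd *pw = getpwnam(user);   /* may live in static NSS storage */
	if (pw == NULL) return NULL;

	/* Worst-case size up front, so a libc that ignores *ngroups (glibc before
	 * 2.3.3) cannot write outside this block unless NGROUPS_MAX is exceeded. */
	long max = sysconf(_SC_NGROUPS_MAX);
	if (max < 1) max = NGROUPS_MAX;
	int slots = (int)max + 1;                           /* +1: primary group */
	gid_t *groups = malloc(((size_t)slots + 1) * sizeof *groups);
	if (groups == NULL) return NULL;
	groups[slots] = GID_SENTINEL;
	int ngroups = slots;
	int rc = getgrouplist(pw->pw_name, pw->pw_gid, groups, &ngroups);
	if (rc < 0 || ngroups < 1 || ngroups > slots || groups[slots] != GID_SENTINEL) {
		free(groups);                  /* too many groups, or memory clobbered */
		errno = EOVERFLOW;
		return NULL;
	}
	gid_t *shrunk = realloc(groups, (size_t)ngroups * sizeof *shrunk);
	*count = ngroups;
	return shrunk ? shrunk : groups;       /* failed shrink keeps the valid block */
}

int main(int argc, char **argv)
{
	int n = 0;
	gid_t *g = supplementary_groups_safe(argc > 1 ? argv[1] : "root", &n);
	if (g == NULL) { perror("supplementary_groups_safe"); return 1; }
	for (int i = 0; i < n; i++) printf("%u%c", (unsigned)g[i], i + 1 < n ? ' ' : '\n');
	free(g);
	return 0;
}
```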


Received: (at 245029-done) by bugs.debian.org; 5 Aug 2005 10:15:49 +0000
>From gotom@debian.or.jp Fri Aug 05 03:15:49 2005
Return-path: <gotom@debian.or.jp>
Received: from omega.webmasters.gr.jp (webmasters.gr.jp) [] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1E0zEy-0001Gb-00; Fri, 05 Aug 2005 03:15:49 -0700
Received: from omega.webmasters.gr.jp (localhost [])
	by webmasters.gr.jp (Postfix) with ESMTP id B0A5CDEB83;
	Fri,  5 Aug 2005 19:15:42 +0900 (JST)
Date: Fri, 05 Aug 2005 19:15:42 +0900
Message-ID: <81psssu1td.wl%gotom@debian.or.jp>
From: GOTO Masanori <gotom@debian.org>
To: 153263-done@bugs.debian.org, 121396-done@bugs.debian.org,
	142379-done@bugs.debian.org, 153762-done@bugs.debian.org,
	159411-done@bugs.debian.org, 165760-done@bugs.debian.org,
	169758-done@bugs.debian.org, 173486-done@bugs.debian.org,
	194339-done@bugs.debian.org, 196291-done@bugs.debian.org,
	248271-done@bugs.debian.org, 294903-done@bugs.debian.org,
	165921-done@bugs.debian.org, 205039-done@bugs.debian.org,
	294483-done@bugs.debian.org, 240608-done@bugs.debian.org,
	245029-done@bugs.debian.org, 295618-done@bugs.debian.org,
	156937-done@bugs.debian.org, 161515-done@bugs.debian.org,
	188843-done@bugs.debian.org, 212697-done@bugs.debian.org,
	247223-done@bugs.debian.org, 250055-done@bugs.debian.org,
	262162-done@bugs.debian.org, 290518-done@bugs.debian.org,
	188589-done@bugs.debian.org, 209095-done@bugs.debian.org,
Subject: Close bugs tagged as woody
User-Agent: Wanderlust/2.11.30 (Wonderwall) SEMI/1.14.6 (Maruoka) FLIM/1.14.6 (Marutamachi) APEL/10.6 Emacs/21.4 (i386-pc-linux-gnu) MULE/5.0 (SAKAKI)
MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka")
Content-Type: text/plain; charset=US-ASCII
Delivered-To: 245029-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-3.0 required=4.0 tests=BAYES_00 autolearn=no 
X-CrossAssassin-Score: 20

These bugs are tagged as woody, because they're well-known problems
and for keeping open to come to light what the problem is.  However,
as you know, sarge was released.  Our stable version was moved from
woody to sarge.  It's high time to close old woody's bugs that are
still open.  Now I close these bugs.  If you have any objections to
closing them, please reopen and let us know your trouble.

-- gotom
