Bug#226515: marked as done (getgrouplist() segfaults for NIS groups; breaks sshd's AllowGroups feature in some situations)



Your message dated Sun, 8 May 2011 16:13:09 -0500
with message-id <20110508211308.GA24035@elie>
and subject line Re: dbus-1 does not start because of segmentation fault
has caused the Debian Bug report #226515,
regarding getgrouplist() segfaults for NIS groups; breaks sshd's AllowGroups feature in some situations
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
226515: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=226515
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: libc6
Version: 2.3.2.ds1-10
Severity: important

There appears to be a bug in the getgrouplist() function or a function
that it calls which causes a segmentation fault under the following
circumstances (as far as I can observe):

 - NIS maps must be used to find some or all of the user's group
   information.
 - The user is in one or more supplementary groups from the NIS "group"
   map.  (If the user has a primary group from the NIS map but no
   supplementary groups from the NIS map, the problem doesn't occur.)

I first noticed this bug when enabling sshd's AllowGroups feature caused
sshd to crash (before asking for a password) when users meeting the above
criteria connected.  When I recompiled sshd (with debug symbols) from the
Debian source packages (glibc_2.3.2.ds1-10), I got output like the
following when I ran it inside gdb (stuff in [[double square brackets]]
has been removed by me):

root@[[SERVER NAME]]:/usr/src/openssh-3.6.1p2# gdb sshd
gdb: Symbol `emacs_ctlx_keymap' has different size in shared object, consider re-linking
GNU gdb 2002-04-01-cvs
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...
(gdb) run -ddd -D -f /etc/ssh/sshd_config.experiment -p 8022
Starting program: /usr/src/openssh-3.6.1p2/sshd -ddd -D -f /etc/ssh/sshd_config.experiment -p 8022
debug2: read_server_config: filename /etc/ssh/sshd_config.experiment
debug1: sshd version OpenSSH_3.6.1p2
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 8022 on 0.0.0.0.
Server listening on 0.0.0.0 port 8022.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from [[SERVER IP ADDRESS]] port 39620
debug1: Client protocol version 1.5; client software version OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10
debug1: match: OpenSSH_3.6.1p2 Debian 1:3.6.1p2-10 pat OpenSSH*
debug1: Local version string SSH-1.99-OpenSSH_3.6.1p2
debug2: Network child is on pid 29464
debug3: privsep user:group 102:65534
debug1: permanently_set_uid: 102/65534
debug1: Sent 768 bit server key and 1024 bit host key.
debug3: preauth child monitor started
debug3: mm_request_receive entering
debug1: Encryption type: 3des
debug3: mm_request_send entering: type 28
debug3: mm_request_receive_expect entering: type 29
debug3: mm_request_receive entering
debug3: monitor_read: checking request 28
debug3: mm_request_send entering: type 29
debug3: mm_ssh1_session_id entering
debug3: mm_request_send entering: type 30
debug2: cipher_init: set keylen (16 -> 32)
debug2: cipher_init: set keylen (16 -> 32)
debug1: Received session key; encryption turned on.
debug2: monitor_read: 28 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 30
debug3: mm_answer_sessid entering
debug2: monitor_read: 30 used once, disabling now
debug3: mm_request_receive entering
debug1: Installing crc compensation attack detector.
debug3: mm_getpwnamallow entering
debug3: mm_request_send entering: type 6
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM
debug3: mm_request_receive_expect entering: type 7
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_pwnamallow

Program received signal SIGSEGV, Segmentation fault.
0x401dd700 in strcmp () from /lib/libc.so.6
(gdb) backtrace
#0  0x401dd700 in strcmp () from /lib/libc.so.6
#1  0x402a4a24 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#2  0x402a4c90 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#3  0x402a4f48 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#4  0x402a5084 in _nss_compat_initgroups_dyn () from /lib/libnss_compat.so.2
#5  0x4020e124 in fgetgrent () from /lib/libc.so.6
#6  0x4020e263 in getgrouplist () from /lib/libc.so.6
#7  0x0805c46a in ga_init (user=0x8099f70 "abradley", base=550) at groupaccess.c:51
#8  0x08055525 in allowed_user (pw=0x40299628) at auth.c:173
#9  0x08055da4 in getpwnamallow (user=0x809b540 "abradley") at auth.c:506
#10 0x0805fb1d in mm_answer_pwnamallow (socket=11, m=0xbffff588) at monitor.c:534
#11 0x0805f663 in monitor_read (pmonitor=0x809b768, ent=0x8091cc8, pent=0xbffff5c4)
    at monitor.c:388
#12 0x0805f326 in monitor_child_preauth (pmonitor=0x809b768) at monitor.c:281
#13 0x0804cb41 in privsep_preauth () at sshd.c:600
#14 0x0804ea99 in main (ac=7, av=0xbffffbd4) at sshd.c:1511
(gdb) quit
A debugging session is active.
Do you still want to close the debugger?(y or n) y
debug1: Calling cleanup 0x8072344(0x0)

Testing sshd on other machines, I found that (1) on a machine with a
similar configuration (NIS client of same NIS master, same users tested)
with an older version of libc6, 2.3.2-4, the problem did not occur and (2)
even with libc6 2.3.2.ds1-10, the problem did not occur on the NIS master,
where a user's groups could be found directly from /etc/group.

I wrote the following C program to test getgrouplist alone:

#include <stdio.h>
#include <unistd.h>
#include <grp.h>
#include <stdlib.h>

/* Small fixed-size buffer, as in the original test; renamed from NGROUPS_MAX
   so it cannot collide with the system macro of that name in <limits.h>. */
#define MAX_GROUPS 32

int main (int argc, char *argv[])
{
   if (argc > 2) {
      char *username = argv[1];
      gid_t gid = (gid_t) atoi(argv[2]);    /* primary gid that seeds the list */

      gid_t groups_bygid[MAX_GROUPS];
      int ngroups = MAX_GROUPS;             /* in: capacity, out: count found */
      int i;

      /* The crash in the traces above happens inside this call, in the NSS
         compat/NIS initgroups path, before any of the code below runs. */
      if (getgrouplist(username, gid, groups_bygid, &ngroups) == -1) {
         printf("getgrouplist() returned -1 (%d groups needed)\n", ngroups);
      } else {
         printf("getgrouplist() call successful.\n");
         for (i = 0; i < ngroups; i++)
            printf("%lu ", (unsigned long) groups_bygid[i]);
         printf("\n");
      }
   } else {
      fprintf(stderr, "usage: %s username primary_gid\n", argv[0]);
   }

   return 0;
}

This program segfaulted and had the following stack trace on the server on
which I first observed sshd to crash:

05:21 PM abradley@[[SERVER NAME]]:~/bin/c$ gdb grplist
gdb: Symbol `emacs_ctlx_keymap' has different size in shared object, consider re-linking
GNU gdb 2002-04-01-cvs
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...
(gdb) run abradley 550
Starting program: /home/abradley/bin/c/grplist abradley 550

Program received signal SIGSEGV, Segmentation fault.
0x40099700 in strcmp () from /lib/libc.so.6
(gdb) bt
#0  0x40099700 in strcmp () from /lib/libc.so.6
#1  0x4015ca24 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#2  0x4015cc90 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#3  0x4015cf48 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#4  0x4015d084 in _nss_compat_initgroups_dyn () from /lib/libnss_compat.so.2
#5  0x400ca124 in fgetgrent () from /lib/libc.so.6
#6  0x400ca263 in getgrouplist () from /lib/libc.so.6
#7  0x080484ca in main ()
#8  0x4003ada6 in __libc_start_main () from /lib/libc.so.6
(gdb) quit

A sample session from one of our lab machines shows that my program
works with libc6 2.3.2-4 but crashes when libc6 is upgraded to
2.3.2.ds1-10:

05:16 PM root@[[MACHINE NAME]]:~$ dpkg -s libc6 | grep ^Version:
Version: 2.3.2-4
05:17 PM root@[[MACHINE NAME]]:~$ ~abradley/bin/c/grplist abradley 550
getgrouplist() call successful.
550 [[LIST OF OTHER GIDS]]
05:17 PM root@[[MACHINE NAME]]:~$ apt-get install libc6
Reading Package Lists... Done
Building Dependency Tree... Done
The following extra packages will be installed:
  libc6-dev linux-kernel-headers locales
Suggested packages:
  glibc-doc manpages-dev
The following NEW packages will be installed:
  linux-kernel-headers
3 packages upgraded, 1 newly installed, 0 to remove and 556 not upgraded.
Need to get 0B/12.6MB of archives.
After unpacking 6742kB of additional disk space will be used.
Do you want to continue? [Y/n] y


Preconfiguring packages ...
(Reading database ... 101691 files and directories currently installed.)
Preparing to replace libc6-dev 2.3.2-4 (using .../libc6-dev_2.3.2.ds1-10_i386.deb) ...
Unpacking replacement libc6-dev ...
Selecting previously deselected package linux-kernel-headers.
Unpacking linux-kernel-headers (from .../linux-kernel-headers_2.5.999-test7-bk-9_i386.deb) ...
Preparing to replace locales 2.3.2-4 (using .../locales_2.3.2.ds1-10_all.deb) ...
Unpacking replacement locales ...
Preparing to replace libc6 2.3.2-4 (using .../libc6_2.3.2.ds1-10_i386.deb) ...
Unpacking replacement libc6 ...
Setting up libc6 (2.3.2.ds1-10) ...
Current default timezone: 'Canada/Pacific'.
Local time is now:      Tue Jan  6 17:18:11 PST 2004.
Universal Time is now:  Wed Jan  7 01:18:11 UTC 2004.
Run 'tzconfig' if you wish to change it.

Setting up linux-kernel-headers (2.5.999-test7-bk-9) ...
Setting up libc6-dev (2.3.2.ds1-10) ...
Setting up locales (2.3.2.ds1-10) ...
Installing new version of config file /etc/locale.alias ...
Generating locales...
  en_US.ISO-8859-1... done
Generation complete.

05:18 PM root@[[MACHINE NAME]]:~$ ~abradley/bin/c/grplist abradley 550
Segmentation fault
05:18 PM root@[[MACHINE NAME]]:~$ gdb ~abradley/bin/c/grplist
GNU gdb 5.3-debian
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...
(gdb) run abradley 550
Starting program: /home/abradley/bin/c/grplist abradley 550

Program received signal SIGSEGV, Segmentation fault.
0x4009a700 in strcmp () from /lib/libc.so.6
(gdb) backtrace
#0  0x4009a700 in strcmp () from /lib/libc.so.6
#1  0x4015da24 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#2  0x4015dc90 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#3  0x4015df48 in _nss_compat_getspnam_r () from /lib/libnss_compat.so.2
#4  0x4015e084 in _nss_compat_initgroups_dyn () from /lib/libnss_compat.so.2
#5  0x400cb124 in fgetgrent () from /lib/libc.so.6
#6  0x400cb263 in getgrouplist () from /lib/libc.so.6
#7  0x080484ca in main ()
#8  0x4003bda6 in __libc_start_main () from /lib/libc.so.6
(gdb) quit

The presence of _nss_compat_getspnam_r in the trace made me suspect that
shadow password configurations might have something to do with the
problem, but I have tried my test program on various machines with shadow
passwords on and off and I haven't found any evidence that the shadow
password configuration makes a difference.

FWIW, /etc/nsswitch.conf on the server on which I first found the problem
is as follows:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
#

passwd:         compat
group:          compat
shadow:         compat

hosts:          nis files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
# end of nsswitch.conf

------------------------------------------------------------
Alex Bradley
Vancouver College IT Department


--- End Message ---
--- Begin Message ---
Version: 2.3.5-3

GOTO Masanori wrote:

> These bugs are marked as important when glibc 2.3.2.ds1 is used in
> sarge.  Nowadays we have new glibc 2.3.5-3 in unstable.  Could you
> test dbus-1 with new glibc?  I guess this problem is already fixed.

This might have been fixed by

    2003-04-23  Ulrich Drepper  <drepper@redhat.com>

        * grp/initgroups.c (getgrouplist): Don't copy too much into the
        user buffer if more groups are found than fit into it.

        * nis/nss_nis/nis-initgroups.c (_nss_nis_initgroups_dyn): Use
        extend_alloca.

or

    2005-03-29  Thorsten Kukuk  <kukuk@suse.de>

        [BZ #661]
        * grp/initgroups.c (internal_getgrouplist): Check if we have
        enough space before adding the primary group to the list.

or

    2003-06-27  Thorsten Kukuk  <kukuk@suse.de>

        * nis/nss_compat/compat-initgroups.c: Don't use our own NIS/NIS+
        functions, dlopen corresponding NSS module instead.

After gotom's ping, no one responded except someone reporting the same
bug with 2.3.2, and I suspect this is the sort of bug that would make
people unhappy enough to report it when they see it.  Closing.

Please reopen if it happens again.


--- End Message ---