Bug 127214 - `getent group` dies with double free when using nss_ldap
Summary: `getent group` dies with double free when using nss_ldap
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: x86 Linux
Importance: High normal
Assignee: Gentoo LDAP project
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-03-22 11:43 UTC by Fernando Ribeiro
Modified: 2006-06-14 18:46 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Fernando Ribeiro 2006-03-22 11:43:39 UTC
*  sys-libs/glibc
      Latest version available: 2.3.5-r2
      Latest version installed: 2.3.5-r2

*  sys-auth/nss_ldap
      Latest version available: 239-r1
      Latest version installed: 239-r1

*  net-nds/openldap
      Latest version available: 2.2.28-r3
      Latest version installed: 2.2.28-r3


I have an LDAP group (usuarios) with 753 members, and when I try to get the member list with 'getent group usuarios' it returns:

fernando ~ # getent group usuarios
*** glibc detected *** double free or corruption (out): 0x08055ad0 ***
Aborted

Then I wrote a simple C test program using getgrnam_r and a statically allocated buffer, and it works fine:

fernando C # ./pega_gid usuarios

The group name is: usuarios
The gid        is: 1000
Group Member 1 is: USUARIO1
Group Member 2 is: USUARIO2
Group Member 3 is: USUARIO3
Group Member 4 is: USUARIO4
Group Member 5 is: USUARIO5
Group Member 6 is: USUARIO6
Group Member 7 is: USUARIO7
Group Member 8 is: USUARIO8
Group Member 9 is: USUARIO9
Group Member 10 is: USUARIO10
...
Group Member 750 is: USUARIO750
Group Member 751 is: USUARIO751
Group Member 752 is: USUARIO752
Group Member 753 is: USUARIO753

Is this a glibc memory allocation problem?

 fernando ~ # emerge --info

Portage 2.1_pre5-r4 (default-linux/x86/2006.0, gcc-3.4.5-vanilla, glibc-2.3.5-r2, 2.6.15-suspend2-r6 i686)
=================================================================
System uname: 2.6.15-suspend2-r6 i686 Intel(R) Pentium(R) M processor 1.60GHz
Gentoo Base System version 1.6.14
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled]
ccache version 2.3 [enabled]
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium-m -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown /usr/kde/3/share/config /usr/lib/mozilla/defaults/pref /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium-m -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://linux.rz.ruhr-uni-bochum.de/download/gentoo-mirror/ http://pandemonium.tiscali.de/pub/gentoo/ "
LANG="pt_BR"
LC_ALL="C"
LINGUAS="pt_BR en"
MAKEOPTS="-j6"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="x86 X Xaw3d a52 aac aalib accessibility acl acpi aim alsa apache2 apm audiofile avi bash-completion bcmath berkdb bidi bitmap-fonts bluetooth bonobo bzip2 calendar caps cdinstall cdparanoia cdr clamav cli crypt cscope ctype cups curlwrappers dba dbm dga dio directfb doc dri dts dv dvb dvd dvdr dvdread eds emacs emboss encode esd evo examples exif expat fam fastbuild fbcon fdftk ffmpeg fftw flac flash flatfile foomaticdb force-cgi-redirect fortran freetds ftp gcj gd gdbm gif glut gmp gnome gnustep gnutls gphoto2 gpm gstreamer gtk gtk2 gtkhtml guile hardened howl iconv icq idn ieee1394 imagemagick imap imlib iodbc ipv6 jabber jack java javascript jikes jpeg jpeg2k junit kde kdeenablefinal kdexdeltas kerberos krb4 ladcca lapack lcms ldap leim lesstif libcaca libedit libg++ libgda libwww lm_sensors lua mad maildir mailwrapper matrox mbox mcal memlimit mhash mikmod mime ming mmap mmx mng mono motif mozilla mp3 mpeg mpi msession msn mule mysqli nas ncurses neXt netboot nls nocd nptl nsplugin odbc ogg oggvorbis openal opengl osc oscar oss pam pcmcia pcntl pcre pda pdf pdflib perl plotutils png portaudio posix profile python qt quicktime radius readline real recode ruby samba sasl scanner sdl session sharedmem simplexml skey slang slp smartcard sndfile snmp soap sockets socks5 source sox speel speex spell spl sqlite sqlite3 sse sse2 ssl svg svga symlink sysvipc szip tcltk tcpd test tetex theora threads tidy tiff tokenizer truetype truetype-fonts type1-fonts udev unicode usb vcd videos vorbis wifi win32codecs wmf wxwindows xface xine xinerama xml xml2 xmlrpc xmms xosd xpm xprint xsl xv xvid yahoo zlib elibc_glibc input_devices_keyboard input_devices_mouse input_devices_evdev kernel_linux linguas_pt_BR linguas_en userland_GNU video_cards_i810 video_cards_i830 video_cards_i915"
Unset:  ASFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, LDFLAGS



My code test:

fernando C # cat pega_gid.c
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

int main(int argc, char *argv[]){
  int lp;
  struct group grp;
  struct group * grpptr = &grp;
  struct group * tempGrpPtr;          /* left NULL by getgrnam_r when the group does not exist */
  char grpbuffer[20000];              /* static buffer that receives gr_mem and the strings it points to */
  size_t grplinelen = sizeof(grpbuffer);
  int rc;

  if (argc != 2){
        printf("Use: %s groupname.\n", argv[0]);
        exit(1);
  }

  /* getgrnam_r returns the error number directly rather than setting errno,
     so report it with strerror; ERANGE means grpbuffer is too small */
  rc = getgrnam_r(argv[1], grpptr, grpbuffer, grplinelen, &tempGrpPtr);
  if (rc != 0)
     fprintf(stderr, "getgrnam_r() error: %s\n", strerror(rc));
  else if (tempGrpPtr == NULL)
     fprintf(stderr, "Group %s not found.\n", argv[1]);
  else
  {
     printf("\nThe group name is: %s\n", grp.gr_name);
     printf("The gid        is: %u\n", (unsigned) grp.gr_gid);
     /* index the NULL-terminated member list instead of advancing gr_mem itself */
     for (lp = 0; grp.gr_mem[lp] != NULL; lp++)
        printf("Group Member %d is: %s\n", lp + 1, grp.gr_mem[lp]);
  }
  return 0;
}


I have openldap, nss_ldap and nscd working fine.
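An added diagnostic probe, written for this page and not part of the bug report, of glibc or of nss_ldap. The reporter's test calls getgrnam_r once with a 20000-byte buffer, which the backend satisfies on the first try; getent instead goes through glibc's non-reentrant getgrnam(), which starts with a small buffer and re-calls the NSS module with a doubled buffer every time the module answers ERANGE, and `getent group` with no key enumerates with setgrent/getgrent/endgrent. The program below reproduces both paths from one binary so the retry-driven code in the backend can be exercised deliberately. The function names, the deliberately tiny starting buffer, the 16 MiB growth cap and the constructed error handling are assumptions of this example.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* prototypes for setgrent()/getgrent()/endgrent() */
#endif
#include <sys/types.h>
#include <grp.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed cap for buffer growth, so a backend that keeps answering ERANGE
 * cannot make us loop forever. Not a glibc constant. */
#define GROW_LIMIT (16u << 20)

/* Resolve a group by name the way glibc's non-reentrant getgrnam() does:
 * call getgrnam_r() with a caller-owned buffer and double it each time the
 * NSS backend returns ERANGE. start_len lets the caller begin far below a
 * realistic size so the retry path is really taken.
 * Returns 0 on success (*out filled, caller frees *bufp), ENOENT if the
 * group does not exist, or the backend's errno. *retries counts ERANGE
 * round trips. */
int lookup_group_grow(const char *name, size_t start_len,
                      struct group *out, char **bufp, int *retries)
{
    size_t len = start_len ? start_len : 64;
    char *buf = NULL;

    *retries = 0;
    *bufp = NULL;
    for (;;) {
        struct group *res = NULL;
        char *nb = realloc(buf, len);
        int rc;

        if (nb == NULL) { free(buf); return ENOMEM; }
        buf = nb;

        rc = getgrnam_r(name, out, buf, len, &res);
        if (rc == ERANGE) {               /* backend wants a bigger buffer */
            if (len >= GROW_LIMIT) { free(buf); return ERANGE; }
            len *= 2;
            (*retries)++;
            continue;
        }
        if (rc != 0)   { free(buf); return rc; }      /* real backend error */
        if (res == NULL) { free(buf); return ENOENT; } /* clean "not found" */
        *bufp = buf;
        return 0;
    }
}

/* Number of entries in the NULL-terminated gr_mem list. */
size_t count_members(const struct group *g)
{
    size_t n = 0;
    while (g->gr_mem[n] != NULL)
        n++;
    return n;
}

/* gid of name, or -1 when the group is missing or the lookup fails. */
long lookup_group_gid(const char *name, size_t start_len, int *retries)
{
    struct group g;
    char *buf;
    long gid;

    if (lookup_group_grow(name, start_len, &g, &buf, retries) != 0)
        return -1;
    gid = (long)g.gr_gid;
    free(buf);
    return gid;
}

/* Walk the whole database like `getent group` with no key does and
 * return the number of entries seen. */
long enumerate_groups(void)
{
    long n = 0;
    setgrent();
    while (getgrent() != NULL)
        n++;
    endgrent();
    return n;
}

int main(int argc, char *argv[])
{
    struct group g;
    char *buf;
    int retries, rc;
    size_t i;

    if (argc != 2) {
        fprintf(stderr, "Use: %s groupname\n", argv[0]);
        return 1;
    }
    /* Start at 64 bytes on purpose: a 753-member group forces many retries. */
    rc = lookup_group_grow(argv[1], 64, &g, &buf, &retries);
    if (rc != 0) {
        fprintf(stderr, "%s: %s\n", argv[1], strerror(rc));
        return 1;
    }
    printf("group %s gid %u, %zu members after %d ERANGE retries\n",
           g.gr_name, (unsigned)g.gr_gid, count_members(&g), retries);
    for (i = 0; g.gr_mem[i] != NULL; i++)
        printf("  %s\n", g.gr_mem[i]);
    free(buf);
    printf("enumeration: %ld groups\n", enumerate_groups());
    return 0;
}
```

Build with `gcc -O0 -g -o grp_probe grp_probe.c` and run `./grp_probe usuarios` on the affected host. If the name lookup survives the retry loop but `enumerate_groups()` aborts, the fault is in the enumeration path rather than in the buffer handling; running the probe under `MALLOC_CHECK_=3` or `valgrind --tool=memcheck` makes glibc report the first bad free instead of a later, unrelated malloc_trim frame, which is what a stripped backtrace tends to show.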
Comment 1 SpanKY gentoo-dev 2006-03-22 12:48:46 UTC
I'd try a newer version of nss_ldap and/or glibc.
Comment 2 Fernando Ribeiro 2006-03-22 15:02:44 UTC
My gdb output.



(gdb) file /usr/bin/getent
Reading symbols from /usr/bin/getent...(no debugging symbols found)...done.
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) r group
Starting program: /usr/bin/getent group
(no debugging symbols found)
(no debugging symbols found)
Domain Admins:x:512:root
Domain Users:x:513:
Domain Guests:x:514:
Domain Computers:x:515:
Administrators:x:544:
Account Operators:x:548:
Print Operators:x:550:
Backup Operators:x:551:
Replicators:x:552:
*** glibc detected *** corrupted double-linked list: 0x0805ae48 ***

Program received signal SIGABRT, Aborted.
0xffffe410 in __kernel_vsyscall ()
(gdb) bt
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7ed0271 in raise () from /lib/tls/libc.so.6
#2  0xb7ed1a09 in abort () from /lib/tls/libc.so.6
#3  0xb7f03f0a in __fsetlocking () from /lib/tls/libc.so.6
#4  0xb7f09e27 in malloc_usable_size () from /lib/tls/libc.so.6
#5  0xb7f09fab in malloc_usable_size () from /lib/tls/libc.so.6
#6  0xb7f0a5a1 in malloc_trim () from /lib/tls/libc.so.6
#7  0xb7f0a8bb in free () from /lib/tls/libc.so.6
#8  0xb7d681f6 in _nss_ldap_getpwent_r () from /usr/lib/libnss_ldap.so.2
#9  0xbfdf4d5c in ?? ()
#10 0xbfdf4d60 in ?? ()
#11 0xbfdf4e9c in ?? ()
#12 0xbfdf4ea0 in ?? ()
#13 0xbfdf4d64 in ?? ()
#14 0xbfdf4d68 in ?? ()
#15 0xb7febce9 in do_lookup_x (undef_name=Cannot access memory at address 0x2e1
) at do-lookup.h:96
Previous frame inner to this frame (corrupt stack?)
Comment 3 Fernando Ribeiro 2006-03-22 16:51:32 UTC
I looked in ldap-pwd.c:

#ifdef HAVE_NSS_H
NSS_STATUS
_nss_ldap_getpwnam_r (const char *name,
                      struct passwd * result,
                      char *buffer, size_t buflen, int *errnop)
{
  LOOKUP_NAME (name, result, buffer, buflen, errnop, _nss_ldap_filt_getpwnam,
               LM_PASSWD, _nss_ldap_parse_pw, LDAP_NSS_BUFLEN_DEFAULT);
}


Look at LDAP_NSS_BUFLEN_DEFAULT: 0

Why 0? Infinite?


In ldap-nss.h:


#if defined(HAVE_NSSWITCH_H) || defined(HAVE_IRS_H)
#define LDAP_NSS_MAXNETGR_DEPTH  16     /* maximum depth of netgroup nesting for innetgr() */
#endif /* HAVE_NSSWITCH_H */

#define LDAP_NSS_MAXGR_DEPTH     16     /* maximum depth of group nesting for getgrent()/initgroups() */

#if LDAP_NSS_NGROUPS > 64
#define LDAP_NSS_BUFLEN_GROUP   (NSS_BUFSIZ + (LDAP_NSS_NGROUPS * (sizeof (char *) + LOGNAME_MAX)))
#else
#define LDAP_NSS_BUFLEN_GROUP   NSS_BUFSIZ
#endif /* LDAP_NSS_NGROUPS > 64 */

#define LDAP_NSS_BUFLEN_DEFAULT 0

#ifdef HAVE_USERSEC_H
#define LDAP_NSS_MAXUESS_ATTRS  8       /* maximum number of attributes in a getentry call */
#endif /* HAVE_USERSEC_H */

#ifdef PAGE_RESULTS
#define LDAP_PAGESIZE 1000
#endif /* PAGE_RESULTS */


Comment 4 Fernando Ribeiro 2006-03-22 17:18:03 UTC
In do-lookup.h, line 96:


          if (sym != ref && strcmp (strtab + sym->st_name, undef_name))
            /* Not the symbol we are looking for.  */
            continue;
Comment 5 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-05-28 18:48:16 UTC
Please test the nss_ldap-250 that I just committed to ~arch. Upstream has changed some of the group stuff.
Comment 6 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2006-06-14 18:46:36 UTC
No response from user. Please reopen if this is still an issue with 250-r1.