Bug 405409 - sys-apps/shadow-4.1.5: userdel segfault on user delete
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: x86 Linux
Importance: Normal normal with 1 vote
Assignee: Gentoo's Team for Core System packages
URL: http://lists.alioth.debian.org/piperm...
Reported: 2012-02-23 10:54 UTC by Yuri Mamaev
Modified: 2012-04-21 17:20 UTC
Attachments
strace userdel test (strace.userdel-xattr.txt,94.51 KB, text/plain)
2012-02-23 10:57 UTC, Yuri Mamaev
Description Yuri Mamaev 2012-02-23 10:54:56 UTC
Created user using "useradd test", "userdel test" gives segfault

Reproducible: Always

Steps to Reproduce:
1. install sys-apps/shadow-4.1.5
2. useradd test
3. userdel test
Actual Results:  
Segfault

Expected Results:  
user test deleted

ACCEPT_KEYWORDS="~x86"
CFLAGS="-O2 -march=native -pipe -mmmx -msse -msse2 -m3dnow"
CXXFLAGS="${CFLAGS}"
USE flags: "acl cracklib nls pam -xattr"

# emerge --info
Portage 2.1.10.46 (default/linux/x86/10.0/desktop, gcc-4.5.3, glibc-2.14.1-r2, 3.2.1-gentoo-r2 i686)
=================================================================
System uname: Linux-3.2.1-gentoo-r2-i686-AMD_Athlon-tm-_64_Processor_3200+-with-gentoo-2.1
Timestamp of tree: Wed, 15 Feb 2012 13:45:01 +0000
app-shells/bash:          4.2_p20
dev-java/java-config:     2.1.11-r3
dev-lang/python:          2.7.2-r3, 3.1.4-r3, 3.2.2
dev-util/cmake:           2.8.7-r3
dev-util/pkgconfig:       0.26
sys-apps/baselayout:      2.1
sys-apps/openrc:          0.9.8.4
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.13, 2.68
sys-devel/automake:       1.9.6-r3, 1.11.3
sys-devel/binutils:       2.22-r1
sys-devel/gcc:            4.5.3-r2
sys-devel/gcc-config:     1.5-r2
sys-devel/libtool:        2.4.2
sys-devel/make:           3.82-r3
sys-kernel/linux-headers: 3.2 (virtual/os-headers)
sys-libs/glibc:           2.14.1-r2
Repositories: gentoo x-portage-mamay
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=native -pipe -mmmx -msse -msse2 -m3dnow"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/openvpn/easy-rsa"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-O2 -march=native -pipe -mmmx -msse -msse2 -m3dnow"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch xattr"
FFLAGS=""
GENTOO_MIRRORS="http://mirror.yandex.ru/gentoo-distfiles/"
LANG="en_US.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en_US en ru"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/portage.mamay"
SYNC="rsync://rsync.ru.gentoo.org/gentoo-portage"
USE="3dnow 3dnowext X a52 aac aacplus acl acpi alsa amr ass avahi berkdb bluetooth bluray branding bzip2 cairo ccache cdda cddb cdio cdr cleartype cli consolekit corefonts cpudetection cracklib crypt cue cups curl custom-cflags cxx dbus digitalradio diskio djvu dri dts dvd dvdr elf emboss encode exif expat faac fam fbcon fbcondecor ffmpeg fftw firefox flac fortran ftp g3dvl gdbm gdu gif gpm gsm gstreamer gtk gtk3 gzip iconv icu idn inotify ios iproute2 ipv6 iso jbig jpeg jpeg2k lame lastfmradio lcms ldap libkms libnotify libsamplerate lm_sensors loop-aes lto lzma lzo mad mmap mms mmx mmxext mng modules mp3 mp3rtp mp4 mpeg mudflap musepack nas ncurses network nls nptl nptlonly ntp objc objc++ ogg openal opengl openmp openssl optimized-qmake pam pango pcre pdf perl phonon png pnm policykit postproc ppds pppd pstricks python qt qt3support qt4 quota readline rtmp samba sdl session smb sndfile snmp speex spell sqlite sse sse2 ssl startup-notification svg sysfs tcpd tga theora thread threads tiff truetype twolame type1 udev unicode usb vdpau vorbis wavpack webp x264 x86 xattr xcb xml xorg xulrunner xv xvid xvmc xz zeroconf zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words 
flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev keyboard mouse" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en_US en ru" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18 ruby19" USERLAND="GNU" VIDEO_CARDS="nvidia nouveau" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 1 Yuri Mamaev 2012-02-23 10:57:49 UTC
Created attachment 302959
strace userdel test
Comment 2 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-23 15:34:36 UTC
Could you get a gdb backtrace too?
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-23 15:36:29 UTC
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>...
Reading symbols from /usr/sbin/userdel...Reading symbols from /mnt/alt/debug/usr/sbin/userdel.debug...done.
done.
BFD: Warning: /root/core is truncated: expected core file size >= 1896448, found: 1810432.
[New LWP 28105]
Core was generated by `userdel test'.
Program terminated with signal 11, Segmentation fault.
#0  0x400fe3e0 in __strncat_chk () from /lib/libc.so.6
(gdb) thread apply all bt full

Thread 1 (LWP 28105):
#0  0x400fe3e0 in __strncat_chk () from /lib/libc.so.6
No symbol table info available.
#1  0x4071897c in audit_log_acct_message () from /lib/libaudit.so.0
No symbol table info available.
#2  0x00014618 in audit_logger (type=<optimized out>, pgname=<optimized out>, op=<optimized out>, name=<optimized out>, 
    id=4294967295, result=SHADOW_AUDIT_SUCCESS) at audit_help.c:86
No locals.
#3  0x00013fb0 in remove_usergroup () at userdel.c:362
        grp = 0x30e18
        pwd = 0x0
#4  update_groups () at userdel.c:213
        grp = <optimized out>
        ngrp = <optimized out>
        sgrp = <optimized out>
        nsgrp = <optimized out>
#5  main (argc=<optimized out>, argv=<optimized out>) at userdel.c:1040
        errors = 0
        pamh = 0x21020
        retval = <optimized out>
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-23 15:46:54 UTC
With -O0:

elmer ~ # gdb /usr/sbin/userdel core
GNU gdb (Gentoo 7.3.1 p2) 7.3.1
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "hppa2.0-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>...
Reading symbols from /usr/sbin/userdel...Reading symbols from /mnt/alt/debug/usr/sbin/userdel.debug...done.
done.
BFD: Warning: /root/core is truncated: expected core file size >= 1896448, found: 1810432.
[New LWP 6996]
Core was generated by `userdel test'.
Program terminated with signal 11, Segmentation fault.
#0  0x400fe3e0 in __strncat_chk () from /lib/libc.so.6
(gdb) thread apply all bt full

Thread 1 (LWP 6996):
#0  0x400fe3e0 in __strncat_chk () from /lib/libc.so.6
No symbol table info available.
#1  0x4071897c in audit_log_acct_message () from /lib/libaudit.so.0
No symbol table info available.
#2  0x000156d4 in audit_logger (type=1117, pgname=0xfb02e99b "userdel", op=0x1f584 "deleting shadow group",
    name=0x462d3800 <Address 0x462d3800 out of bounds>, id=4294967295, result=SHADOW_AUDIT_SUCCESS) at audit_help.c:86
No locals.
#3  0x00012a48 in remove_usergroup () at userdel.c:362
        grp = 0x35e18
        pwd = 0x0
#4  0x00012228 in update_groups () at userdel.c:213
        grp = 0x0
        ngrp = 0x0
        sgrp = 0x24820
        nsgrp = 0xe40fc
#5  0x000151e8 in main (argc=2, argv=0xfb031020) at userdel.c:1040
        errors = 0
        pamh = 0x26020
        retval = 0
Comment 5 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-23 15:59:03 UTC
[ebuild   R   ] sys-apps/shadow-4.1.5  USE="audit cracklib nls pam (-acl) (-selinux) -skey -tcb (-xattr)" 
[ebuild   R   ] sys-process/audit-1.7.4  USE="ldap"
Comment 6 Yuri Mamaev 2012-02-23 16:07:31 UTC
(gdb) run
Starting program: /usr/sbin/userdel test

Program received signal SIGSEGV, Segmentation fault.
0x44a0e622 in vfprintf () from /lib/libc.so.6
(gdb) thread apply all bt full

Thread 1 (process 14744):
#0  0x44a0e622 in vfprintf () from /lib/libc.so.6
No symbol table info available.
#1  0x44a9b1ee in __vsyslog_chk () from /lib/libc.so.6
No symbol table info available.
#2  0x44a9b397 in syslog () from /lib/libc.so.6
No symbol table info available.
#3  0x0804a718 in remove_usergroup () at userdel.c:367
        old_locale = 0x805f5d8 "\220\375\005\b@\276\005\bF-8"
        saved_locale = 0x80610e0 "en_US.UTF-8"
        grp = 0x805f2c8
        pwd = 0x0
#4  0x0804a1d7 in update_groups () at userdel.c:213
        grp = 0x0
        ngrp = 0x1
        sgrp = 0x8057820
        nsgrp = 0x8055cc0
#5  0x0804bfbb in main (argc=2, argv=0xbffff7b4) at userdel.c:10
        errors = 0
        pamh = 0x8057c60
        retval =
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2012-02-23 16:11:58 UTC
elmer ~ # gdb /usr/sbin/userdel core
GNU gdb (Gentoo 7.3.1 p2) 7.3.1
Copyright (C) 2011 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "hppa2.0-unknown-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>...
Reading symbols from /usr/sbin/userdel...Reading symbols from /mnt/alt/debug/usr/sbin/userdel.debug...done.
done.
BFD: Warning: /root/core is truncated: expected core file size >= 1892352, found: 1806336.
[New LWP 29611]
Core was generated by `userdel test'.
Program terminated with signal 11, Segmentation fault.
#0  0x40488c04 in strncat () from /lib/libc.so.6
(gdb) thread apply all bt full

Thread 1 (LWP 29611):
#0  0x40488c04 in strncat () from /lib/libc.so.6
No symbol table info available.
#1  0x400d4794 in audit_log_acct_message (audit_fd=3, type=1117, pgname=0xfb2bc8d8 "\"/usr/sbin/userdel\"",
    op=0x1f584 "deleting shadow group", name=0x462d3800 <Address 0x462d3800 out of bounds>, id=4294967295, host=0x0, addr=0x0,
    tty=0xfb2be8dd "pts/6", result=1) at audit_logging.c:368
        len = 4213941568
        user = "\000\016P\254\373+\350]\373+\310*@\016P\364\373+\310X\373+\350x\373+\245 \000\000\000\000\000\000\004[\000\000\000\003@\016c\000\000\000\000\000\000\000\000\000@\rJ;\000\000\000\000\000\000\000\000@\016P\254\373", <incomplete sequence \350\235>
        format = 0x0
        p = 0x0
        enc = 0
        success = 0x400e50ac "success"
        buf = "\000\000\000\000\000$\254H\000\016X\374\000\001\244\357\000\016@\374\000\000\000\000@U\326`\000\000\000\000\373+\245\200\000\f\020\000\000\000\000\000@U\326`\377\377\377\377\377\377\377\377\000$\225h\000\003\246P@U\326`\000\016X\374\000\001\325;\000\001\246_\000\000\000\373@U\326`@U\365\314\000\000\000\000\373+\245\300\373+\245\020\000\000\000\001\000\000\000\000\000\000\000\000\000\003\246x\373+\245\300\377\377\377\377@U\326`\373+\245\020@U\326`\373+\245\000@U\261\240\373+\245\020@U\326`\000\000\000\000\000\000\000\000\000\f\020\000\000\016\210\374\000\000\000\000\377\377\377\377\377\377\377\377\000$\225h\000\000\000\000@U\326`\000\016X\374\000\020`\b@H;k\000\000\000\373@U\326`@U\365\314\373+\246\200\000\003i\200@U\326`\000\000\000\000\000\000\000\001\000\000\000\f\000\000\001\031@U\262\020\000\002G\200@U\326`@S\352\354@Fq;@H1\003\000\000\000\000@U\326`\377"...
        addrbuf = "?", '\000' <repeats 44 times>
        exename = "\"/usr/sbin/userdel\"", '\000' <repeats 8045 times>, "/dev/pts/6", '\000' <repeats 22 times>, "test", '\000' <repeats 28 times>, "/dev/pts/6", '\000' <repeats 22 times>, "root\000\000\000\000@U\326`", '\000' <repeats 19 times>
        ttyname = "/dev/pts/6", '\000' <repeats 21 times>
        ret = 239184
#2  0x000156d4 in audit_logger (type=1117, pgname=0xfb2b799b "userdel", op=0x1f584 "deleting shadow group",
    name=0x462d3800 <Address 0x462d3800 out of bounds>, id=4294967295, result=SHADOW_AUDIT_SUCCESS) at audit_help.c:86
No locals.
#3  0x00012a48 in remove_usergroup () at userdel.c:362
        grp = 0x35e18
        pwd = 0x0
#4  0x00012228 in update_groups () at userdel.c:213
        grp = 0x0
        ngrp = 0x0
        sgrp = 0x24820
        nsgrp = 0xe40fc
#5  0x000151e8 in main (argc=2, argv=0xfb2ba020) at userdel.c:1040
        errors = 0
        pamh = 0x26020
        retval = 0
Comment 8 SpanKY gentoo-dev 2012-02-24 23:02:23 UTC
only tickles the bug for me on x86 and USE=nls.  at any rate, looks pretty straightforward ... they do gr_remove(grp->gr_name) which ends up freeing the memory that grp points to, and then they try to use it later on to display the name at the end of userdel.c.

looks like the bug has been there for a while.  at least, the grp_remove+grp usage has been there for many years.  maybe something in the core changed.  *shrug*, patch sent upstream.

http://lists.alioth.debian.org/pipermail/pkg-shadow-devel/2012-February/009159.html
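
The use-after-free pattern described in comment 8, as an added example that is neither shadow's code nor the patch linked above. It uses a toy group database in which removing an entry frees it; the `toy_gr_*` helpers and both `remove_usergroup_*` functions are hypothetical names. The dangling-pointer log call sits beside a version that copies the name before the removal.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy group database (hypothetical names, not shadow's gr_* code). */
struct toy_group { char gr_name[32]; struct toy_group *next; };
static struct toy_group *db_head;   /* the database owns every entry */
void toy_gr_add(const char *name) {
    struct toy_group *g = malloc(sizeof *g);
    if (!g) abort();
    snprintf(g->gr_name, sizeof g->gr_name, "%s", name);
    g->next = db_head; db_head = g;
}

/* Returns a pointer into the database, valid only until the entry is removed. */
const struct toy_group *toy_gr_locate(const char *name) {
    for (struct toy_group *g = db_head; g; g = g->next)
        if (strcmp(g->gr_name, name) == 0) return g;
    return NULL;
}

/* Unlinks and frees the entry; any pointer obtained from locate now dangles. */
int toy_gr_remove(const char *name) {
    for (struct toy_group **pp = &db_head; *pp; pp = &(*pp)->next) {
        if (strcmp((*pp)->gr_name, name) != 0) continue;
        struct toy_group *dead = *pp;
        *pp = dead->next;
        free(dead);
        return 1;
    }
    return 0;
}

/* Pattern from the report: grp dangles after the remove, so the message reads freed memory. */
void remove_usergroup_buggy(const char *user, char *msg, size_t n) {
    const struct toy_group *grp = toy_gr_locate(user);
    if (!grp || !toy_gr_remove(grp->gr_name)) return;
    snprintf(msg, n, "removed group %s", grp->gr_name);   /* use after free */
}

/* Hardened: copy the name out first, remove, then build the message from the copy. */
int remove_usergroup_fixed(const char *user, char *msg, size_t n) {
    const struct toy_group *grp = toy_gr_locate(user);
    char name[sizeof grp->gr_name];
    if (!grp) return 0;
    snprintf(name, sizeof name, "%s", grp->gr_name);      /* private copy */
    int ok = toy_gr_remove(name);
    if (ok) snprintf(msg, n, "removed group %s", name);
    return ok;
}
```

Building the buggy variant with `-fsanitize=address` and calling it reports a heap-use-after-free at the `snprintf` line. Without a sanitizer, whether it crashes depends on what the allocator has done with the freed block.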
Comment 9 Yvan Royon 2012-03-14 08:05:10 UTC
Mike's patch works for me.

Alternatively, you can set 'USERGROUPS_ENAB no' in /etc/login.defs, if you're ok with that behavior (I'm not).

I see no reaction from upstream on the mailing list. Maintainers, can we have a -r1 Gentoo package that includes Mike's patch? This bug is really, really bad. Thanks.
Comment 10 SpanKY gentoo-dev 2012-04-21 17:17:08 UTC
should be all set now in the tree; thanks for the report!

Commit message: Fix crash when calling userdel
http://sources.gentoo.org/sys-apps/shadow/files/shadow-4.1.5-grremove.patch?rev=1.1
http://sources.gentoo.org/sys-apps/shadow/shadow-4.1.5-r2.ebuild?rev=1.1
Comment 11 SpanKY gentoo-dev 2012-04-21 17:20:24 UTC
should be all set now in the tree; thanks for the report!

Commit message: Fix crash when calling userdel
http://sources.gentoo.org/sys-apps/shadow/files/shadow-4.1.5-grremove.patch?rev=1.1
http://sources.gentoo.org/sys-apps/shadow/shadow-4.1.5-r2.ebuild?rev=1.1