Bug 333307 - sys-auth/nss_ldap-265 and dev-libs/openssl-1.0.0a-r1 produce segfaults in libcrypto.so.1.0.0
Status: RESOLVED DUPLICATE of bug 270120
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: x86 Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
Reported: 2010-08-18 12:22 UTC by Torsten Kurbad
Modified: 2010-08-18 14:50 UTC (History)
Description Torsten Kurbad 2010-08-18 12:22:51 UTC
I recently upgraded one of our servers to openssl-1.0.0a-r1 and nss_ldap-265.

After revdep-rebuild-ing everything and updating all config files, I still got a problem with nss_ldap:

As soon as I activate tls or ssl in /etc/ldap.conf via
"ssl on" or "ssl start_tls", both of which worked before using openssl-0.9.8, I get a segmentation fault on every user lookup, i.e. emerge doesn't work while dropping privileges, nor do su and the like.

In /var/log/messages I get lines like:

Aug 18 14:16:41 hostname kernel: su[24747] general protection ip:b71afa42 sp:bfbc4e9c error:0 in libcrypto.so.1.0.0[b70fd000+14e000]

Reproducible: Always

Steps to Reproduce:
1. USE="ssl" emerge openssl openldap pam_ldap nss_ldap
2. Set up slapd with StartTLS and/or SSL encryption, set up pam_ldap and nss_ldap accordingly
3. As root try: su - <someuser>

Actual Results:  
Segmentation fault


Portage 2.1.8.3 (default/linux/x86/10.0, gcc-4.4.4, glibc-2.12.1-r0, 2.6.35-gentoo-r1 i686)
=================================================================
System uname: Linux-2.6.35-gentoo-r1-i686-Intel-R-_Xeon-TM-_CPU_2.40GHz-with-gentoo-2.0.1
Timestamp of tree: Wed, 18 Aug 2010 10:45:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.1_p7
dev-java/java-config: 2.1.11
dev-lang/python:     2.4.6, 2.5.4-r4, 2.6.5-r3, 3.1.2-r4
dev-util/ccache:     2.4-r8
dev-util/cmake:      2.8.1-r2
sys-apps/baselayout: 2.0.1
sys-apps/openrc:     0.6.1-r1
sys-apps/sandbox:    2.3-r1
sys-devel/autoconf:  2.65-r1
sys-devel/automake:  1.6.3-r1, 1.8.5-r4, 1.10.3, 1.11.1
sys-devel/binutils:  2.20.1-r1
sys-devel/gcc:       4.4.4-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.10
virtual/os-headers:  2.6.34
ACCEPT_KEYWORDS="x86 ~x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-march=pentium4 -O3 -msse2 -mfpmath=sse -mmmx"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/samba/scripts /var/bind /var/qmail/alias /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c"
CXXFLAGS="-march=pentium4 -O3 -msse2 -mfpmath=sse -mmmx"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="ftp://ftp.informatik.rwth-aachen.de/pub/Linux/gentoo http://distfiles.gentoo.org http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LANG="de_DE"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="de en"
MAKEOPTS="-j5"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/iwm /usr/local/portage"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="acl ads afs apache2 async bash-completion bcmath berkdb bzip2 bzlib calendar cgi cli colordiff cracklib crypt ctype cups curl cxx dbus exif fam fortran ftp gd gdbm gif gmp gnutls gpm iconv imap inifile java jpeg kerberos kpathsea ldap ldb libwww maildir memlimit mime mmx modules mudflap ncurses nls nomotif nptl nptlonly offensive openmp pam pcntl pcre pdf pdflib pear perl php png posix ppds pppd python qmail quota quotas readline recode reflection samba sasl session sharedext sharedmem simplexml slang slp snmp sockets spell spl sse ssl suhosin sysfs sysvipc tcpd threads tidy tiff tokenizer truetype ungif unicode usb x86 xattr xfs xml xml2 xmlrpc xorg xsl zip zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon         authn_dbm authn_default authn_file authz_dbm         authz_default authz_groupfile authz_host authz_owner         authz_user autoindex cache cgi dav dav_fs dav_lock         deflate dir disk_cache env expires ext_filter         file_cache filter headers include info log_config         logio mem_cache mime mime_magic negotiation proxy         proxy_connect proxy_ftp proxy_http rewrite setenvif         speling status unique_id userdir usertrack vhost_alias" APACHE2_MPMS="prefork" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de en" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="none" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark 
dhcpmac delude chaos account" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
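
The kernel line quoted in the description already locates the faulting instruction inside libcrypto: the instruction pointer minus the mapping base printed in brackets gives an offset that stays the same across runs and processes. The following is an added example, not part of the original report; the function names and the second sample line are constructed, and the offset is assumed to be relative to a mapping that starts at file offset 0 of the library.

```python
import re
from collections import defaultdict

# Two x86 user-space fault formats written by the kernel:
#   comm[pid] general protection ip:HEX sp:HEX error:HEX in obj[base+size]
#   comm[pid]: segfault at HEX ip HEX sp HEX error HEX in obj[base+size]
FAULT_RE = re.compile(
    r"(?P<comm>[^\s\[\]]+)\[(?P<pid>\d+)\]:?\s+"
    r"(?P<kind>general protection|segfault at [0-9a-f]+)\s+"
    r"ip[: ](?P<ip>[0-9a-f]+)\s+sp[: ](?P<sp>[0-9a-f]+)\s+"
    r"error[: ](?P<err>[0-9a-f]+)"
    r"(?:\s+in\s+(?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

def parse_fault(line):
    """Return a dict describing the fault, or None if the line is not one."""
    m = FAULT_RE.search(line)
    if m is None:
        return None
    kind = "segfault" if m["kind"].startswith("segfault") else "general protection"
    info = {"comm": m["comm"], "pid": int(m["pid"]), "kind": kind,
            "ip": int(m["ip"], 16), "object": m["obj"], "offset": None}
    if m["obj"]:
        base, size = int(m["base"], 16), int(m["size"], 16)
        off = info["ip"] - base
        # Only trust the offset if ip really lies inside the printed mapping.
        if 0 <= off < size:
            info["offset"] = off
    return info

def group_by_site(lines):
    """Map (object, offset) -> set of process names that crashed there."""
    sites = defaultdict(set)
    for line in lines:
        fault = parse_fault(line)
        if fault and fault["offset"] is not None:
            sites[(fault["object"], fault["offset"])].add(fault["comm"])
    return dict(sites)

# First line is the one from the report; the second is constructed.
SAMPLE = [
    "Aug 18 14:16:41 hostname kernel: su[24747] general protection "
    "ip:b71afa42 sp:bfbc4e9c error:0 in libcrypto.so.1.0.0[b70fd000+14e000]",
    "Aug 18 14:17:02 hostname kernel: sshd[1201]: segfault at 0 "
    "ip b71afa42 sp bfd00000 error 4 in libcrypto.so.1.0.0[b70fd000+14e000]",
]

if __name__ == "__main__":
    for (obj, off), comms in group_by_site(SAMPLE).items():
        print(f"{obj}+{off:#x} hit by {sorted(comms)}")
```

With a libcrypto built with debug symbols, the resulting offset can be passed to `addr2line -f -e` on the library file to name the function.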
Comment 1 Torsten Kurbad 2010-08-18 12:28:35 UTC
Contents of /etc/ldap.conf:

uri ldap://ldapsrv.iwm-kmrc.de

base o=IWM,dc=iwm-kmrc,dc=de

rootbinddn cn=ldapadmin,o=IWM,dc=iwm-kmrc,dc=de

scope one

nss_base_passwd         ou=People,o=IWM,dc=iwm-kmrc,dc=de?one
nss_base_passwd         ou=Machines,o=IWM,dc=iwm-kmrc,dc=de?one
nss_base_shadow         ou=People,o=IWM,dc=iwm-kmrc,dc=de?one
nss_base_group          ou=Groups,o=IWM,dc=iwm-kmrc,dc=de?one

ssl start_tls

tls_cacertfile /etc/iwm/ssl/certs/iwm-CA_cert.pem

tls_ciphers HIGH:MEDIUM:+SSLv2


Contents of /etc/openldap/slapd.conf (openldap version 2.4.21):

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

modulepath      /usr/lib/openldap/openldap
moduleload      back_bdb.la back_hdb.la

loglevel        0

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/krb5-kdc.schema
include         /etc/openldap/schema/samba.schema
include         /etc/openldap/schema/quota.schema

sasl-realm              IWM-KMRC.DE
sasl-host               ldapsrv.iwm-kmrc.de
sasl-regexp uid=ldapadmin,cn=iwm-kmrc.de,cn=gssapi,cn=auth
                cn=ldapadmin,o=IWM,dc=iwm-kmrc,dc=de
sasl-regexp uid=.*/admin,cn=iwm-kmrc.de,cn=gssapi,cn=auth
                cn=ldapadmin,o=IWM,dc=iwm-kmrc,dc=de
sasl-regexp uid=(.*),cn=iwm-kmrc.de,cn=gssapi,cn=auth
                uid=$1,ou=People,o=IWM,dc=iwm-kmrc,dc=de
sasl-secprops           maxssf=0

TLSCipherSuite HIGH:MEDIUM:+SSLv2

TLSCACertificateFile    /etc/iwm/ssl/certs/iwm-CA_cert.pem
TLSCertificateFile      /etc/iwm/ssl/certs/iwm-ldap_cert.pem
TLSCertificateKeyFile   /etc/iwm/ssl/private/iwm-ldap_key.pem

database        hdb

suffix          "o=IWM,dc=iwm-kmrc,dc=de"
directory       /var/lib/openldap-data/iwm
lastmod         on

index           objectClass,uid,uidNumber,gidNumber,memberUid   eq
index           sambaSID                                        eq
index           sambaPrimaryGroupSID                            eq
index           sambaDomainName                                 eq
index           cn,mail,surname,givenname                       eq,subinitial

sizelimit       unlimited

password-hash {SASL}

rootdn          "cn=ldapadmin,o=IWM,dc=iwm-kmrc,dc=de"
rootpw          {SSHA}...

... ACL definitions
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2010-08-18 13:07:28 UTC
Need a backtrace[1] of the segmentation fault.

[1] http://www.gentoo.org/proj/en/qa/backtraces.xml
Comment 3 Torsten Kurbad 2010-08-18 13:50:19 UTC
(In reply to comment #2)
> Need a backtrace[1] of the segmentation fault.
> 
> [1] http://www.gentoo.org/proj/en/qa/backtraces.xml
> 

After building all required packages with FEATURES, CFLAGS and so on needed for debugging, no further segfaults occurred. So could this problem be related to my CFLAGS?
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2010-08-18 14:01:56 UTC
(In reply to comment #3)
> debugging, no further segfaults occurred. So could this problem be related to my
> CFLAGS?

It's possible, for example -O3 with GCC 4.4.x is known to produce bad code on x86 wrt bug 270120.
Comment 5 Torsten Kurbad 2010-08-18 14:24:16 UTC
> It's possible, for example -O3 with GCC 4.4.x is known to produce bad code on
> x86 wrt bug 270120.

Further investigating this, I found that the problem lies with openssl.

Apparently to prevent the segfaults from occurring, it's necessary to compile dev-libs/openssl with -O2, while using GCC 4.4.x.
These flags seem to work for me now:

CFLAGS="-march=pentium4 -O2 -msse2 -mfpmath=sse -mmmx" CXXFLAGS="${CFLAGS}"

If I understand bug #270120 correctly, these problems aren't to be expected on amd64 machines, right?

Would this one warrant some flag-o-matic for the combination of x86 and GCC 4.4.x to a dev-libs/openssl-1.0.0a-r2?
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2010-08-18 14:27:54 UTC
(In reply to comment #5)
> > It's possible, for example -O3 with GCC 4.4.x is known to produce bad code on
> > x86 wrt bug 270120.
> 
> Further investigating this, I found that the problem lies with openssl.
> 
> Apparently to prevent the segfaults from occurring, it's necessary to compile
> dev-libs/openssl with -O2, while using GCC 4.4.x.
> These flags seem to work for me now:
> 
> CFLAGS="-march=pentium4 -O2 -msse2 -mfpmath=sse -mmmx" CXXFLAGS="${CFLAGS}"
> 
> If I understand bug #270120 correctly, these problems aren't to be expected on
> amd64 machines, right?
> 
> Would this one warrant some flag-o-matic for the combination of x86 and GCC
> 4.4.x to a dev-libs/openssl-1.0.0a-r2?
> 

Try the combination of "-O3 -fno-tree-vectorize"; if that works, this is a duplicate of bug 270120 for sure.

And nope, I don't think any flag-o-matic hackery is required, -O3 is expected to break...
Comment 7 Torsten Kurbad 2010-08-18 14:50:30 UTC
> Try combination of "-O3 -fno-tree-vectorize", if that works, this is a
> duplicate of bug 270120 for sure

It is, definitely. I'll go rebuild my world with -fno-tree-vectorize... ;-)

Thanks,
Torsten

*** This bug has been marked as a duplicate of bug 270120 ***