#2018 sssd_nss terminated with segmentation fault
Closed: Fixed None Opened 6 years ago by pbrezina.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 984814

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
sssd_nss terminated with segmentation fault when sss_mc_find_record() tried to
access
invalid rec address.

Program terminated with signal 11, Segmentation fault.
#0  __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp.S:1173


backtrace:
(gdb) bt
#0  __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp.S:1173
#1  0x0000000000424d8b in sss_mc_find_record (mcc=<value optimized out>,
key=<value optimized out>) at src/responder/nss/nsssrv_mmap_cache.c:381
#2  0x0000000000426480 in sss_mc_get_record (_mcc=<value optimized out>,
rec_len=101, key=<value optimized out>, _rec=0x7fffe3a38508) at
src/responder/nss/nsssrv_mmap_cache.c:411
#3  0x0000000000426cf1 in sss_mmap_cache_pw_store (_mcc=0x18e62e0,
name=0x7fffe3a38640, pw=0x7fffe3a38650, uid=2000, gid=2000,
gecos=0x7fffe3a38680, homedir=0x7fffe3a38670, shell=0x7fffe3a38660)
    at src/responder/nss/nsssrv_mmap_cache.c:510
#4  0x00000000004140c5 in fill_pwent (packet=0x18f5790, dom=0x18e9f40,
nctx=0x18e6250, filter_users=false, pw_mmap_cache=true, msgs=<value optimized
out>, count=0x7fffe3a3874c)
    at src/responder/nss/nsssrv_cmd.c:433
#5  0x0000000000415ce8 in nss_cmd_getpw_send_reply (dctx=0x18ee0d0,
filter=false) at src/responder/nss/nsssrv_cmd.c:477
#6  0x0000000000416ba8 in nss_cmd_getpwnam_dp_callback (err_maj=<value
optimized out>, err_min=0, err_msg=0x18e8310 "Success", ptr=<value optimized
out>) at src/responder/nss/nsssrv_cmd.c:859
#7  0x000000000040b7d4 in nsssrv_dp_send_acct_req_done (req=0x0) at
src/responder/nss/nsssrv_cmd.c:643
#8  0x00000000004328ae in sss_dp_internal_get_done (pending=<value optimized
out>, ptr=<value optimized out>) at src/responder/common/responder_dp.c:763
#9  0x0000003446c0e61a in complete_pending_call_and_unlock
(connection=0x18eb2e0, pending=0x18f5060, message=<value optimized out>) at
dbus-connection.c:2234
#10 0x0000003446c1086f in dbus_connection_dispatch (connection=0x18eb2e0) at
dbus-connection.c:4397
#11 0x000000000045885e in sbus_dispatch (ev=0x18e03b0, te=<value optimized
out>, tv=..., data=<value optimized out>) at
src/sbus/sssd_dbus_connection.c:104
#12 0x0000003444007bd9 in tevent_common_loop_timer_delay (ev=0x18e03b0) at
../tevent_timed.c:254
#13 0x00000034440072ab in std_event_loop_once (ev=<value optimized out>,
location=<value optimized out>) at ../tevent_standard.c:560
#14 0x00000034440038f0 in _tevent_loop_once (ev=0x18e03b0, location=0x4816a3
"src/util/server.c:601") at ../tevent.c:507
#15 0x000000344400395b in tevent_common_loop_wait (ev=0x18e03b0,
location=0x4816a3 "src/util/server.c:601") at ../tevent.c:608
#16 0x000000000045a1b3 in server_loop (main_ctx=0x18e1530) at
src/util/server.c:601
#17 0x00000000004090a0 in main (argc=<value optimized out>, argv=<value
optimized out>) at src/responder/nss/nsssrv.c:564

Version-Release number of selected component (if applicable):
sssd-1.9.2-82.4.el6_4.x86_64
(glibc-2.12-1.107.el6.x86_64)
(kernel 2.6.32-279)

How reproducible:
at least once

Steps to Reproduce:
N/A

Actual results:
Segmentation fault

Expected results:
No Segmentation fault

Additional info:

(gdb) info local
rec = 0x7f789c7cbed8
hash = <value optimized out>
slot = <value optimized out>
(gdb) p *rec
Cannot access memory at address 0x7f789c7cbed8
(gdb) disas sss_mc_find_record+123
Dump of assembler code for function sss_mc_find_record:
   0x0000000000424d10 <+0>:     mov    %rbx,-0x18(%rsp)
   0x0000000000424d15 <+5>:     mov    %rbp,-0x10(%rsp)
   0x0000000000424d1a <+10>:    mov    %rsi,%rbp
   0x0000000000424d1d <+13>:    mov    %r12,-0x8(%rsp)
   0x0000000000424d22 <+18>:    sub    $0x18,%rsp
   0x0000000000424d26 <+22>:    mov    0x8(%rsi),%rdx
   0x0000000000424d2a <+26>:    mov    (%rsi),%rsi
   0x0000000000424d2d <+29>:    mov    %rdi,%rbx
   0x0000000000424d30 <+32>:    callq  0x424b70 <sss_mc_hash>
   0x0000000000424d35 <+37>:    mov    0x38(%rbx),%rdx
   0x0000000000424d39 <+41>:    mov    %eax,%eax
   0x0000000000424d3b <+43>:    mov    (%rdx,%rax,4),%eax
   0x0000000000424d3e <+46>:    mov    0x60(%rbx),%edx
   0x0000000000424d41 <+49>:    add    $0x1f,%edx
   0x0000000000424d44 <+52>:    shr    $0x5,%edx
   0x0000000000424d47 <+55>:    cmp    %edx,%eax
   0x0000000000424d49 <+57>:    jbe    0x424d68 <sss_mc_find_record+88>
   0x0000000000424d4b <+59>:    xor    %ebx,%ebx
   0x0000000000424d4d <+61>:    mov    %rbx,%rax
   0x0000000000424d50 <+64>:    mov    0x8(%rsp),%rbp
   0x0000000000424d55 <+69>:    mov    (%rsp),%rbx
   0x0000000000424d59 <+73>:    mov    0x10(%rsp),%r12
   0x0000000000424d5e <+78>:    add    $0x18,%rsp
   0x0000000000424d62 <+82>:    retq
   0x0000000000424d63 <+83>:    nopl   0x0(%rax,%rax,1)
   0x0000000000424d68 <+88>:    mov    0x58(%rbx),%r12
   0x0000000000424d6c <+92>:    mov    0x0(%rbp),%rbp
   0x0000000000424d70 <+96>:    mov    %eax,%ebx
---Type <return> to continue, or q <return> to quit---
   0x0000000000424d72 <+98>:    mov    %rbp,%rdi
   0x0000000000424d75 <+101>:   shl    $0x5,%ebx
   0x0000000000424d78 <+104>:   mov    %ebx,%ebx
   0x0000000000424d7a <+106>:   lea    (%r12,%rbx,1),%rbx
   0x0000000000424d7e <+110>:   mov    0x20(%rbx),%eax
   0x0000000000424d81 <+113>:   lea    0x20(%rbx,%rax,1),%rsi
   0x0000000000424d86 <+118>:   callq  0x4064f0 <strcmp@plt>
=> 0x0000000000424d8b <+123>:   test   %eax,%eax
   0x0000000000424d8d <+125>:   je     0x424d4d <sss_mc_find_record+61>

(gdb) info reg
rax            0x0      0
rbx            0x7f789c7cbed8   140155998224088
rcx            0x7      7
rdx            0xffff   65535
rsi            0x7f799c7cbef0   140160293191408
rdi            0x18f5120        26169632
rbp            0x18f5120        0x18f5120
rsp            0x7fffe3a383d0   0x7fffe3a383d0
r8             0x0      0
r9             0xfffffffffffcea60       -202144
r10            0x3441d282a0     224442614432
r11            0x1999999999999999       1844674407370955161
r12            0x7f789c7a7038   140155998072888
r13            0x4      4
r14            0x7fffe3a38650   140737012532816
r15            0x7fffe3a38508   140737012532488
rip            0x424d8b 0x424d8b <sss_mc_find_record+123>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

(gdb) f 2
#2  0x0000000000426480 in sss_mc_get_record (_mcc=<value optimized out>,
rec_len=101, key=<value optimized out>, _rec=0x7fffe3a38508) at
src/responder/nss/nsssrv_mmap_cache.c:411
411         old_rec = sss_mc_find_record(mcc, key);
(gdb) p mcc
$2 = (struct sss_mc_ctx *) 0x18ea320
(gdb) p *(struct sss_mc_ctx *)0x18ea320
$9 = {name = 0x18f1ff0 "passwd", type = SSS_MC_PASSWD, file = 0x18e6ef0
"/var/lib/sss/mc/passwd", fd = 18, seed = 807039511, valid_time_slot = 300,
mmap_base = 0x7f789c7a7000, mmap_size = 6806312,
  hash_table = 0x7f789cdc30a8, ht_size = 400000, free_table = 0x7f789cdc1838
<Address 0x7f789cdc1838 out of bounds>, ft_size = 6250, next_slot = 0,
  data_table = 0x7f789c7a7038 <Address 0x7f789c7a7038 out of bounds>, dt_size =
6400000}

(gdb) f 3
#3  0x0000000000426cf1 in sss_mmap_cache_pw_store (_mcc=0x18e62e0,
name=0x7fffe3a38640, pw=0x7fffe3a38650, uid=2000, gid=2000,
gecos=0x7fffe3a38680, homedir=0x7fffe3a38670, shell=0x7fffe3a38660)
    at src/responder/nss/nsssrv_mmap_cache.c:510
510         ret = sss_mc_get_record(_mcc, rec_len, name, &rec);
(gdb) info local
mcc = 0x18ea320
rec = <value optimized out>
data = <value optimized out>
uidkey = {str = 0x7fffe3a38510 "2000", len = 5}
uidstr = "2000\000\000\000\000\021\251", <incomplete sequence \307>
data_len = 53
rec_len = <value optimized out>
pos = <value optimized out>
ret = <value optimized out>


Simliar report:
https://retrace.fedoraproject.org/faf/reports/69081/
https://retrace.fedoraproject.org/faf/problems/256431/
https://bugzilla.redhat.com/show_bug.cgi?id=967012

Lukas and Michal were already digging into the issue for the better part of yesterday. Most probably this crash has the same cause as #1948 so I'll set the same severity, owner and add Lukas to CC.

blockedby: =>
blocking: =>
cc: => lslebodn
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => mzidek
priority: major => critical
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.1

Moving tickets that didn't make 1.10.1 to the 1.10.2 bucket.

Moving tickets that didn't make 1.10.1 to 1.10.2

milestone: SSSD 1.10.1 => SSSD 1.10.2

Fields changed

patch: 0 => 1

resolution: => fixed
status: new => closed

Fields changed

changelog: => N/A, just a bugfix

Metadata Update from @pbrezina:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.10.2

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3060

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata