Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 984814
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
Description of problem:
sssd_nss terminated with segmentation fault when sss_mc_find_record() tried to access invalid rec address.

Program terminated with signal 11, Segmentation fault.
#0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp.S:1173

backtrace:
(gdb) bt
#0 __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp.S:1173
#1 0x0000000000424d8b in sss_mc_find_record (mcc=<value optimized out>, key=<value optimized out>) at src/responder/nss/nsssrv_mmap_cache.c:381
#2 0x0000000000426480 in sss_mc_get_record (_mcc=<value optimized out>, rec_len=101, key=<value optimized out>, _rec=0x7fffe3a38508) at src/responder/nss/nsssrv_mmap_cache.c:411
#3 0x0000000000426cf1 in sss_mmap_cache_pw_store (_mcc=0x18e62e0, name=0x7fffe3a38640, pw=0x7fffe3a38650, uid=2000, gid=2000, gecos=0x7fffe3a38680, homedir=0x7fffe3a38670, shell=0x7fffe3a38660) at src/responder/nss/nsssrv_mmap_cache.c:510
#4 0x00000000004140c5 in fill_pwent (packet=0x18f5790, dom=0x18e9f40, nctx=0x18e6250, filter_users=false, pw_mmap_cache=true, msgs=<value optimized out>, count=0x7fffe3a3874c) at src/responder/nss/nsssrv_cmd.c:433
#5 0x0000000000415ce8 in nss_cmd_getpw_send_reply (dctx=0x18ee0d0, filter=false) at src/responder/nss/nsssrv_cmd.c:477
#6 0x0000000000416ba8 in nss_cmd_getpwnam_dp_callback (err_maj=<value optimized out>, err_min=0, err_msg=0x18e8310 "Success", ptr=<value optimized out>) at src/responder/nss/nsssrv_cmd.c:859
#7 0x000000000040b7d4 in nsssrv_dp_send_acct_req_done (req=0x0) at src/responder/nss/nsssrv_cmd.c:643
#8 0x00000000004328ae in sss_dp_internal_get_done (pending=<value optimized out>, ptr=<value optimized out>) at src/responder/common/responder_dp.c:763
#9 0x0000003446c0e61a in complete_pending_call_and_unlock (connection=0x18eb2e0, pending=0x18f5060, message=<value optimized out>) at dbus-connection.c:2234
#10 0x0000003446c1086f in dbus_connection_dispatch (connection=0x18eb2e0) at dbus-connection.c:4397
#11 0x000000000045885e in sbus_dispatch (ev=0x18e03b0, te=<value optimized out>, tv=..., data=<value optimized out>) at src/sbus/sssd_dbus_connection.c:104
#12 0x0000003444007bd9 in tevent_common_loop_timer_delay (ev=0x18e03b0) at ../tevent_timed.c:254
#13 0x00000034440072ab in std_event_loop_once (ev=<value optimized out>, location=<value optimized out>) at ../tevent_standard.c:560
#14 0x00000034440038f0 in _tevent_loop_once (ev=0x18e03b0, location=0x4816a3 "src/util/server.c:601") at ../tevent.c:507
#15 0x000000344400395b in tevent_common_loop_wait (ev=0x18e03b0, location=0x4816a3 "src/util/server.c:601") at ../tevent.c:608
#16 0x000000000045a1b3 in server_loop (main_ctx=0x18e1530) at src/util/server.c:601
#17 0x00000000004090a0 in main (argc=<value optimized out>, argv=<value optimized out>) at src/responder/nss/nsssrv.c:564

Version-Release number of selected component (if applicable):
sssd-1.9.2-82.4.el6_4.x86_64
(glibc-2.12-1.107.el6.x86_64)
(kernel 2.6.32-279)

How reproducible:
at least once

Steps to Reproduce:
N/A

Actual results:
Segmentation fault

Expected results:
No Segmentation fault

Additional info:
(gdb) info local
rec = 0x7f789c7cbed8
hash = <value optimized out>
slot = <value optimized out>
(gdb) p *rec
Cannot access memory at address 0x7f789c7cbed8
(gdb) disas sss_mc_find_record+123
Dump of assembler code for function sss_mc_find_record:
0x0000000000424d10 <+0>: mov %rbx,-0x18(%rsp)
0x0000000000424d15 <+5>: mov %rbp,-0x10(%rsp)
0x0000000000424d1a <+10>: mov %rsi,%rbp
0x0000000000424d1d <+13>: mov %r12,-0x8(%rsp)
0x0000000000424d22 <+18>: sub $0x18,%rsp
0x0000000000424d26 <+22>: mov 0x8(%rsi),%rdx
0x0000000000424d2a <+26>: mov (%rsi),%rsi
0x0000000000424d2d <+29>: mov %rdi,%rbx
0x0000000000424d30 <+32>: callq 0x424b70 <sss_mc_hash>
0x0000000000424d35 <+37>: mov 0x38(%rbx),%rdx
0x0000000000424d39 <+41>: mov %eax,%eax
0x0000000000424d3b <+43>: mov (%rdx,%rax,4),%eax
0x0000000000424d3e <+46>: mov 0x60(%rbx),%edx
0x0000000000424d41 <+49>: add $0x1f,%edx
0x0000000000424d44 <+52>: shr $0x5,%edx
0x0000000000424d47 <+55>: cmp %edx,%eax
0x0000000000424d49 <+57>: jbe 0x424d68 <sss_mc_find_record+88>
0x0000000000424d4b <+59>: xor %ebx,%ebx
0x0000000000424d4d <+61>: mov %rbx,%rax
0x0000000000424d50 <+64>: mov 0x8(%rsp),%rbp
0x0000000000424d55 <+69>: mov (%rsp),%rbx
0x0000000000424d59 <+73>: mov 0x10(%rsp),%r12
0x0000000000424d5e <+78>: add $0x18,%rsp
0x0000000000424d62 <+82>: retq
0x0000000000424d63 <+83>: nopl 0x0(%rax,%rax,1)
0x0000000000424d68 <+88>: mov 0x58(%rbx),%r12
0x0000000000424d6c <+92>: mov 0x0(%rbp),%rbp
0x0000000000424d70 <+96>: mov %eax,%ebx
---Type <return> to continue, or q <return> to quit---
0x0000000000424d72 <+98>: mov %rbp,%rdi
0x0000000000424d75 <+101>: shl $0x5,%ebx
0x0000000000424d78 <+104>: mov %ebx,%ebx
0x0000000000424d7a <+106>: lea (%r12,%rbx,1),%rbx
0x0000000000424d7e <+110>: mov 0x20(%rbx),%eax
0x0000000000424d81 <+113>: lea 0x20(%rbx,%rax,1),%rsi
0x0000000000424d86 <+118>: callq 0x4064f0 <strcmp@plt>
=> 0x0000000000424d8b <+123>: test %eax,%eax
0x0000000000424d8d <+125>: je 0x424d4d <sss_mc_find_record+61>
(gdb) info reg
rax 0x0 0
rbx 0x7f789c7cbed8 140155998224088
rcx 0x7 7
rdx 0xffff 65535
rsi 0x7f799c7cbef0 140160293191408
rdi 0x18f5120 26169632
rbp 0x18f5120 0x18f5120
rsp 0x7fffe3a383d0 0x7fffe3a383d0
r8 0x0 0
r9 0xfffffffffffcea60 -202144
r10 0x3441d282a0 224442614432
r11 0x1999999999999999 1844674407370955161
r12 0x7f789c7a7038 140155998072888
r13 0x4 4
r14 0x7fffe3a38650 140737012532816
r15 0x7fffe3a38508 140737012532488
rip 0x424d8b 0x424d8b <sss_mc_find_record+123>
eflags 0x10202 [ IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) f 2
#2 0x0000000000426480 in sss_mc_get_record (_mcc=<value optimized out>, rec_len=101, key=<value optimized out>, _rec=0x7fffe3a38508) at src/responder/nss/nsssrv_mmap_cache.c:411
411 old_rec = sss_mc_find_record(mcc, key);
(gdb) p mcc
$2 = (struct sss_mc_ctx *) 0x18ea320
(gdb) p *(struct sss_mc_ctx *)0x18ea320
$9 = {name = 0x18f1ff0 "passwd", type = SSS_MC_PASSWD, file = 0x18e6ef0 "/var/lib/sss/mc/passwd", fd = 18, seed = 807039511, valid_time_slot = 300, mmap_base = 0x7f789c7a7000, mmap_size = 6806312, hash_table = 0x7f789cdc30a8, ht_size = 400000, free_table = 0x7f789cdc1838 <Address 0x7f789cdc1838 out of bounds>, ft_size = 6250, next_slot = 0, data_table = 0x7f789c7a7038 <Address 0x7f789c7a7038 out of bounds>, dt_size = 6400000}
(gdb) f 3
#3 0x0000000000426cf1 in sss_mmap_cache_pw_store (_mcc=0x18e62e0, name=0x7fffe3a38640, pw=0x7fffe3a38650, uid=2000, gid=2000, gecos=0x7fffe3a38680, homedir=0x7fffe3a38670, shell=0x7fffe3a38660) at src/responder/nss/nsssrv_mmap_cache.c:510
510 ret = sss_mc_get_record(_mcc, rec_len, name, &rec);
(gdb) info local
mcc = 0x18ea320
rec = <value optimized out>
data = <value optimized out>
uidkey = {str = 0x7fffe3a38510 "2000", len = 5}
uidstr = "2000\000\000\000\000\021\251", <incomplete sequence \307>
data_len = 53
rec_len = <value optimized out>
pos = <value optimized out>
ret = <value optimized out>

Similar report:
https://retrace.fedoraproject.org/faf/reports/69081/
https://retrace.fedoraproject.org/faf/problems/256431/
https://bugzilla.redhat.com/show_bug.cgi?id=967012
Lukas and Michal were already digging into the issue for the better part of yesterday. Most probably this crash has the same cause as #1948 so I'll set the same severity, owner and add Lukas to CC.
blockedby: =>
blocking: =>
cc: => lslebodn
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => mzidek
priority: major => critical
review: True => 0
selected: =>
testsupdated: => 0
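For the crash in the description, where strcmp() in frame #0 was handed a record pointer that could not be read, the following is an added C sketch of validating a record from a memory-mapped cache before comparing its name. It is not SSSD's code and not the fix applied for this ticket: the 32-byte slot size and the name offset stored at rec+0x20 are read from the disassembly, while struct mc_view, the function names and the sample table are assumptions constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define SLOT_SIZE 32u  /* slot granularity, from "shl $0x5" in the disassembly */
#define HDR_SIZE  32u  /* the name offset is read at rec+0x20 in the disassembly */

/* Hypothetical, simplified view of the mapping; not SSSD's struct sss_mc_ctx. */
struct mc_view { const uint8_t *data_table; uint32_t dt_size; };

/* Return the record's name only if the slot, the name offset and the string's
 * terminator all lie inside the data table; otherwise return NULL. */
static const char *mc_checked_name(const struct mc_view *mc, uint32_t slot)
{
    uint64_t data_off = (uint64_t)slot * SLOT_SIZE + HDR_SIZE;
    uint64_t name_off;
    uint32_t name_ptr;

    if (data_off + sizeof(name_ptr) > mc->dt_size) return NULL;
    memcpy(&name_ptr, mc->data_table + data_off, sizeof(name_ptr));
    name_off = data_off + name_ptr;            /* 64-bit sum cannot wrap */
    if (name_off >= mc->dt_size) return NULL;
    if (!memchr(mc->data_table + name_off, 0, mc->dt_size - name_off))
        return NULL;                           /* no NUL before the table ends */
    return (const char *)(mc->data_table + name_off);
}

/* Compare only after validation, so strcmp never sees an unchecked pointer. */
static int mc_name_matches(const struct mc_view *mc, uint32_t slot, const char *key)
{
    const char *name = mc_checked_name(mc, slot);
    return name != NULL && strcmp(key, name) == 0;
}

/* Constructed 4-slot table: one record in slot 1 whose name offset field is
 * set to name_ptr; the string "alice" sits 16 bytes into the record data. */
static int check_sample(uint32_t slot, uint32_t name_ptr, const char *key)
{
    uint8_t buf[4 * SLOT_SIZE];
    struct mc_view mc = { buf, sizeof(buf) };

    memset(buf, 'A', sizeof(buf));             /* non-zero filler */
    memcpy(buf + SLOT_SIZE + HDR_SIZE, &name_ptr, sizeof(name_ptr));
    memcpy(buf + SLOT_SIZE + HDR_SIZE + 16, "alice", 6);
    return mc_name_matches(&mc, slot, key);
}

int main(void) { return check_sample(1, 16, "alice") ? 0 : 1; }
```

A corrupted name offset, an unterminated name, or a slot past the end of the table all make the lookup report "no match" instead of dereferencing the pointer.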
Fields changed
milestone: NEEDS_TRIAGE => SSSD 1.10.1
Moving tickets that didn't make 1.10.1 to the 1.10.2 bucket.
Moving tickets that didn't make 1.10.1 to 1.10.2
milestone: SSSD 1.10.1 => SSSD 1.10.2
patch: 0 => 1
resolution: => fixed
status: new => closed
changelog: => N/A, just a bugfix
Metadata Update from @pbrezina:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.10.2
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/3060
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.