#2018 sssd_nss terminated with segmentation fault
Closed: Fixed None Opened 5 years ago by pbrezina.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 984814

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
sssd_nss terminated with segmentation fault when sss_mc_find_record() tried to access an invalid rec address.

Program terminated with signal 11, Segmentation fault.
#0  __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp.S:1173

backtrace:
(gdb) bt
#0  __strcmp_sse42 () at ../sysdeps/x86_64/multiarch/strcmp.S:1173
#1  0x0000000000424d8b in sss_mc_find_record (mcc=<value optimized out>,
key=<value optimized out>) at src/responder/nss/nsssrv_mmap_cache.c:381
#2  0x0000000000426480 in sss_mc_get_record (_mcc=<value optimized out>,
rec_len=101, key=<value optimized out>, _rec=0x7fffe3a38508) at
src/responder/nss/nsssrv_mmap_cache.c:411
#3  0x0000000000426cf1 in sss_mmap_cache_pw_store (_mcc=0x18e62e0,
name=0x7fffe3a38640, pw=0x7fffe3a38650, uid=2000, gid=2000,
gecos=0x7fffe3a38680, homedir=0x7fffe3a38670, shell=0x7fffe3a38660)
    at src/responder/nss/nsssrv_mmap_cache.c:510
#4  0x00000000004140c5 in fill_pwent (packet=0x18f5790, dom=0x18e9f40,
nctx=0x18e6250, filter_users=false, pw_mmap_cache=true, msgs=<value optimized
out>, count=0x7fffe3a3874c)
    at src/responder/nss/nsssrv_cmd.c:433
#5  0x0000000000415ce8 in nss_cmd_getpw_send_reply (dctx=0x18ee0d0,
filter=false) at src/responder/nss/nsssrv_cmd.c:477
#6  0x0000000000416ba8 in nss_cmd_getpwnam_dp_callback (err_maj=<value
optimized out>, err_min=0, err_msg=0x18e8310 "Success", ptr=<value optimized
out>) at src/responder/nss/nsssrv_cmd.c:859
#7  0x000000000040b7d4 in nsssrv_dp_send_acct_req_done (req=0x0) at
src/responder/nss/nsssrv_cmd.c:643
#8  0x00000000004328ae in sss_dp_internal_get_done (pending=<value optimized
out>, ptr=<value optimized out>) at src/responder/common/responder_dp.c:763
#9  0x0000003446c0e61a in complete_pending_call_and_unlock
(connection=0x18eb2e0, pending=0x18f5060, message=<value optimized out>) at
dbus-connection.c:2234
#10 0x0000003446c1086f in dbus_connection_dispatch (connection=0x18eb2e0) at
dbus-connection.c:4397
#11 0x000000000045885e in sbus_dispatch (ev=0x18e03b0, te=<value optimized
out>, tv=..., data=<value optimized out>) at
src/sbus/sssd_dbus_connection.c:104
#12 0x0000003444007bd9 in tevent_common_loop_timer_delay (ev=0x18e03b0) at
../tevent_timed.c:254
#13 0x00000034440072ab in std_event_loop_once (ev=<value optimized out>,
location=<value optimized out>) at ../tevent_standard.c:560
#14 0x00000034440038f0 in _tevent_loop_once (ev=0x18e03b0, location=0x4816a3
"src/util/server.c:601") at ../tevent.c:507
#15 0x000000344400395b in tevent_common_loop_wait (ev=0x18e03b0,
location=0x4816a3 "src/util/server.c:601") at ../tevent.c:608
#16 0x000000000045a1b3 in server_loop (main_ctx=0x18e1530) at
src/util/server.c:601
#17 0x00000000004090a0 in main (argc=<value optimized out>, argv=<value
optimized out>) at src/responder/nss/nsssrv.c:564

Version-Release number of selected component (if applicable):
sssd-1.9.2-82.4.el6_4.x86_64
(glibc-2.12-1.107.el6.x86_64)
(kernel 2.6.32-279)

How reproducible:
at least once

Steps to Reproduce:
N/A

Actual results:
Segmentation fault

Expected results:
No Segmentation fault

Additional info:

(gdb) info local
rec = 0x7f789c7cbed8
hash = <value optimized out>
slot = <value optimized out>
(gdb) p *rec
Cannot access memory at address 0x7f789c7cbed8
(gdb) disas sss_mc_find_record+123
Dump of assembler code for function sss_mc_find_record:
   0x0000000000424d10 <+0>:     mov    %rbx,-0x18(%rsp)
   0x0000000000424d15 <+5>:     mov    %rbp,-0x10(%rsp)
   0x0000000000424d1a <+10>:    mov    %rsi,%rbp
   0x0000000000424d1d <+13>:    mov    %r12,-0x8(%rsp)
   0x0000000000424d22 <+18>:    sub    $0x18,%rsp
   0x0000000000424d26 <+22>:    mov    0x8(%rsi),%rdx
   0x0000000000424d2a <+26>:    mov    (%rsi),%rsi
   0x0000000000424d2d <+29>:    mov    %rdi,%rbx
   0x0000000000424d30 <+32>:    callq  0x424b70 <sss_mc_hash>
   0x0000000000424d35 <+37>:    mov    0x38(%rbx),%rdx
   0x0000000000424d39 <+41>:    mov    %eax,%eax
   0x0000000000424d3b <+43>:    mov    (%rdx,%rax,4),%eax
   0x0000000000424d3e <+46>:    mov    0x60(%rbx),%edx
   0x0000000000424d41 <+49>:    add    $0x1f,%edx
   0x0000000000424d44 <+52>:    shr    $0x5,%edx
   0x0000000000424d47 <+55>:    cmp    %edx,%eax
   0x0000000000424d49 <+57>:    jbe    0x424d68 <sss_mc_find_record+88>
   0x0000000000424d4b <+59>:    xor    %ebx,%ebx
   0x0000000000424d4d <+61>:    mov    %rbx,%rax
   0x0000000000424d50 <+64>:    mov    0x8(%rsp),%rbp
   0x0000000000424d55 <+69>:    mov    (%rsp),%rbx
   0x0000000000424d59 <+73>:    mov    0x10(%rsp),%r12
   0x0000000000424d5e <+78>:    add    $0x18,%rsp
   0x0000000000424d62 <+82>:    retq
   0x0000000000424d63 <+83>:    nopl   0x0(%rax,%rax,1)
   0x0000000000424d68 <+88>:    mov    0x58(%rbx),%r12
   0x0000000000424d6c <+92>:    mov    0x0(%rbp),%rbp
   0x0000000000424d70 <+96>:    mov    %eax,%ebx
   0x0000000000424d72 <+98>:    mov    %rbp,%rdi
   0x0000000000424d75 <+101>:   shl    $0x5,%ebx
   0x0000000000424d78 <+104>:   mov    %ebx,%ebx
   0x0000000000424d7a <+106>:   lea    (%r12,%rbx,1),%rbx
   0x0000000000424d7e <+110>:   mov    0x20(%rbx),%eax
   0x0000000000424d81 <+113>:   lea    0x20(%rbx,%rax,1),%rsi
   0x0000000000424d86 <+118>:   callq  0x4064f0 <strcmp@plt>
=> 0x0000000000424d8b <+123>:   test   %eax,%eax
   0x0000000000424d8d <+125>:   je     0x424d4d <sss_mc_find_record+61>

(gdb) info reg
rax            0x0      0
rbx            0x7f789c7cbed8   140155998224088
rcx            0x7      7
rdx            0xffff   65535
rsi            0x7f799c7cbef0   140160293191408
rdi            0x18f5120        26169632
rbp            0x18f5120        0x18f5120
rsp            0x7fffe3a383d0   0x7fffe3a383d0
r8             0x0      0
r9             0xfffffffffffcea60       -202144
r10            0x3441d282a0     224442614432
r11            0x1999999999999999       1844674407370955161
r12            0x7f789c7a7038   140155998072888
r13            0x4      4
r14            0x7fffe3a38650   140737012532816
r15            0x7fffe3a38508   140737012532488
rip            0x424d8b 0x424d8b <sss_mc_find_record+123>
eflags         0x10202  [ IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x0      0
gs             0x0      0

(gdb) f 2
#2  0x0000000000426480 in sss_mc_get_record (_mcc=<value optimized out>,
rec_len=101, key=<value optimized out>, _rec=0x7fffe3a38508) at
src/responder/nss/nsssrv_mmap_cache.c:411
411         old_rec = sss_mc_find_record(mcc, key);
(gdb) p mcc
$2 = (struct sss_mc_ctx *) 0x18ea320
(gdb) p *(struct sss_mc_ctx *)0x18ea320
$9 = {name = 0x18f1ff0 "passwd", type = SSS_MC_PASSWD, file = 0x18e6ef0
"/var/lib/sss/mc/passwd", fd = 18, seed = 807039511, valid_time_slot = 300,
mmap_base = 0x7f789c7a7000, mmap_size = 6806312,
  hash_table = 0x7f789cdc30a8, ht_size = 400000, free_table = 0x7f789cdc1838
<Address 0x7f789cdc1838 out of bounds>, ft_size = 6250, next_slot = 0,
  data_table = 0x7f789c7a7038 <Address 0x7f789c7a7038 out of bounds>, dt_size =
6400000}

(gdb) f 3
#3  0x0000000000426cf1 in sss_mmap_cache_pw_store (_mcc=0x18e62e0,
name=0x7fffe3a38640, pw=0x7fffe3a38650, uid=2000, gid=2000,
gecos=0x7fffe3a38680, homedir=0x7fffe3a38670, shell=0x7fffe3a38660)
    at src/responder/nss/nsssrv_mmap_cache.c:510
510         ret = sss_mc_get_record(_mcc, rec_len, name, &rec);
(gdb) info local
mcc = 0x18ea320
rec = <value optimized out>
data = <value optimized out>
uidkey = {str = 0x7fffe3a38510 "2000", len = 5}
uidstr = "2000\000\000\000\000\021\251", <incomplete sequence \307>
data_len = 53
rec_len = <value optimized out>
pos = <value optimized out>
ret = <value optimized out>


Similar reports:
https://retrace.fedoraproject.org/faf/reports/69081/
https://retrace.fedoraproject.org/faf/problems/256431/
https://bugzilla.redhat.com/show_bug.cgi?id=967012

Lukas and Michal were already digging into the issue for the better part of yesterday. Most probably this crash has the same cause as #1948 so I'll set the same severity, owner and add Lukas to CC.

blockedby: =>
blocking: =>
cc: => lslebodn
changelog: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
owner: somebody => mzidek
priority: major => critical
review: True => 0
selected: =>
testsupdated: => 0

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.1

Moving tickets that didn't make 1.10.1 to the 1.10.2 bucket.

Moving tickets that didn't make 1.10.1 to 1.10.2

milestone: SSSD 1.10.1 => SSSD 1.10.2

Fields changed

patch: 0 => 1

resolution: => fixed
status: new => closed

Fields changed

changelog: => N/A, just a bugfix

Metadata Update from @pbrezina:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.10.2

2 years ago