#2380 Race condition in the client code
Closed: Fixed None Opened 6 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 6): Bug 1118541

Description of problem:
Floating point exception with core generated
dmesg:
 a1[13223] trap divide error ip:7fedf417d06b sp:7fedef7fbca8 error:0
a1[13219] trap divide error ip:7fedf417d06b sp:7fedf5d8dca8 error:0 in
libnss_sss.so.2[7fedf4178000+7000]
 in libnss_sss.so.2[7fedf4178000+7000]

We are using ldap/sssd authentication with Windows2012 active directory.
Happens only for ldap users, not root.


Version-Release number of selected component (if applicable):
uname -a: 2.6.39-400.214.6.el6uek.x86_64

How reproducible:
This simple program reproduces the crash:

#include <pwd.h>
#include <unistd.h>
#include <pthread.h>

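void *tr(void *) {
        struct passwd pwd;
        char buf[8192];
        struct passwd *res;

        getpwuid_r(getuid(), &pwd, buf, sizeof(buf), &res);  /* one NSS lookup per thread, all threads at once */
        return NULL;  /* thread start routine must return a value */
}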

#define NTH 100
pthread_t t[NTH];
int main()
{
        int i;
        for (i=0; i<NTH; ++i) {
                pthread_create(&t[i], NULL, tr, NULL);
        }
        for (i=0; i<NTH; ++i) {
                pthread_join(t[i], NULL);
        }
        return 0;
}


--------------


$ g++ -lpthread -o a1 a1.cpp

$ ./a1

$ ./a1

$ ./a1

$ ./a1

$ ./a1

$ ./a1
Floating point exception

$ ./a1
Segmentation fault

$ ./a1
Floating point exception

$ ./a1

$ ./a1

$ ./a1
Floating point exception

$ ./a1

$ ./a1

$ ./a1
Floating point exception

$ ./a1

$ ./a1

Fields changed

design_review: => 0
owner: somebody => lslebodn
review: True => 0
testsupdated: => 0

Attaching back trace requested by simo:

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `./a1'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  sss_nss_check_header (ctx=ctx@entry=0x7f9bba98c240 <pw_mc_ctx>) at src/sss_client/nss_mc_common.c:65
65              MEMCPY_WITH_BARRIERS(copy_ok, &h,
(gdb) bt
#0  sss_nss_check_header (ctx=ctx@entry=0x7f9bba98c240 <pw_mc_ctx>) at src/sss_client/nss_mc_common.c:65
#1  0x00007f9bba788f51 in sss_nss_mc_get_ctx (name=name@entry=0x7f9bba789f86 "passwd", ctx=ctx@entry=0x7f9bba98c240 <pw_mc_ctx>) at src/sss_client/nss_mc_common.c:117
#2  0x00007f9bba78982a in sss_nss_mc_getpwuid (uid=uid@entry=325600000, result=result@entry=0x7f9bbc399e90, buffer=0x7f9bbc399ec0 "postfix", buflen=buflen@entry=8192)
    at src/sss_client/nss_mc_passwd.c:184
#3  0x00007f9bba787206 in _nss_sss_getpwuid_r (uid=325600000, result=0x7f9bbc399e90, buffer=0x7f9bbc399ec0 "postfix", buflen=8192, errnop=0x7f9bbc39c640)
    at src/sss_client/nss_passwd.c:240
#4  0x0000003ce1cbbd6c in __getpwuid_r (uid=325600000, resbuf=0x7f9bbc399e90, buffer=0x7f9bbc399ec0 "postfix", buflen=8192, result=0x7f9bbc39bec8) at ../nss/getXXbyYY_r.c:266
#5  0x0000000000400748 in tr () at a1.cpp:10
#6  0x0000003ce2807f33 in start_thread (arg=0x7f9bbc39c700) at pthread_create.c:309
#7  0x0000003ce1cf4ded in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

(gdb) l 65
60          bool copy_ok;
61          int count;
62
63          /* retry barrier protected reading max 5 times then give up */
64          for (count = 5; count > 0; count--) {
65              MEMCPY_WITH_BARRIERS(copy_ok, &h,
66                                   (struct sss_mc_header *)ctx->mmap_base,
67                                   sizeof(struct sss_mc_header));
68              if (copy_ok) {
69                  /* record is consistent so we can proceed */

(gdb) p *ctx
$2 = {initialized = false, fd = 0, seed = 0, mmap_base = 0x0, mmap_size = 0, data_table = 0x0, dt_size = 0, hash_table = 0x0, ht_size = 0}
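The gdb dump above shows the shared context with `initialized = false`, `mmap_base = 0x0` and `ht_size = 0` while a thread was still reading it. The following C model is an added illustration, not SSSD code and not the patch that closed this ticket: it checks and uses a shared context under one lock, so a concurrent teardown produces a cache miss instead of a fault. The struct, function names and sizes are hypothetical, and it assumes the divide error corresponds to a zero divisor such as `ht_size`.

```c
/* Added model, not SSSD code: struct, function names and sizes are hypothetical. */
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define SLOTS 64
struct mc_ctx {                 /* subset of the fields shown in the gdb dump */
    pthread_mutex_t lock;
    bool initialized;
    uint32_t *hash_table;
    uint32_t ht_size;           /* slot count; 0 while torn down */
};
static uint32_t table[SLOTS];
static struct mc_ctx ctx = { .lock = PTHREAD_MUTEX_INITIALIZER };
/* Bring the context up or tear it down; every field changes under the lock. */
void mc_set_state(struct mc_ctx *c, bool up) {
    pthread_mutex_lock(&c->lock);
    c->hash_table = up ? table : NULL;
    c->ht_size = up ? SLOTS : 0;
    c->initialized = up;
    pthread_mutex_unlock(&c->lock);
}
/* Slot index for key, or -1 if the cache is unusable (caller takes the slow path). */
int mc_lookup(struct mc_ctx *c, uint32_t key) {
    int slot = -1;
    pthread_mutex_lock(&c->lock);
    if (c->initialized && c->hash_table != NULL && c->ht_size != 0) {
        slot = (int)(key % c->ht_size);     /* divisor validated under the same lock */
        (void)c->hash_table[slot];          /* base pointer validated as well */
    }
    pthread_mutex_unlock(&c->lock);
    return slot;
}
static void *reader(void *arg) {            /* counts results past the table end */
    long bad = 0;
    for (uint32_t k = 0; k < 20000; k++)
        if (mc_lookup(arg, k) >= SLOTS) bad++;
    return (void *)bad;
}
/* Four lookup threads run while this thread keeps tearing down and rebuilding. */
long run_stress(void) {
    pthread_t r[4];
    void *res;
    long bad = 0;
    for (int i = 0; i < 4; i++) pthread_create(&r[i], NULL, reader, &ctx);
    for (int i = 0; i < 20000; i++) mc_set_state(&ctx, i & 1);
    for (int i = 0; i < 4; i++) { pthread_join(r[i], &res); bad += (long)res; }
    return bad;
}
```

Dropping the lock from `mc_lookup` reopens the window between the validity check and the modulus, which is the check-then-use pattern the model is meant to rule out.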

Fields changed

patch: 0 => 1

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.11.7

Fields changed

status: new => assigned

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to lslebodn
- Issue set to the milestone: SSSD 1.11.7

3 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/3422

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for any inconvenience.
