Bug#815974: Segmentation fault in libresolv triggered by php5-fpm

2016-03-01 Thread Florian Weimer
* Aurelien Jarno:

> On 2016-02-26 13:31, Carlos O'Donell wrote:
>> On Fri, Feb 26, 2016 at 7:46 AM, Fabian Niepelt wrote:
>> > This is the correct output, the older one contains a test I thought was
>> > in an endless loop but succeeded after a few minutes.
>> 
>> The glibc maintainers for debian need to review those failures. They
>> indicate serious deviation from expected behaviour. At the very least
>> the bug 18665* tests should not fail. However, the tests are sensitive
>> to response order.
>> 
>> -address: STREAM/TCP 10.0.3.6 80
>> -address: STREAM/TCP 2001:db8::4:6 80
>> +error: Name or service not known
>> 
>> This is a weird failure.
>
> The failures in this testsuite do not pass due to the patch we have that
> dynamically reloads /etc/resolv.conf when it changes. Just after the
> fake servers have been initialized, our libc reloads the configuration
> from /etc/resolv.conf, and thus the tests fail. Once removing the
> corresponding patch the tests pass, at least on my system.

Correct, the version Carlos posted does not have the compensation I
added for that, sorry.  I added this after the call to res_init in
resolv_redirect:

  /* Debian's local-dynamic-resolvconf.diff breaks name server
     overrides by application code.  The following triggers lazy
     initialization of the /etc/resolv.conf mtime value because
     res_mkquery calls __res_maybe_init internally.  Subsequent calls
     to this function will not try to reload /etc/resolv.conf as a
     result.  */
  {
    unsigned char query[512];
    if (res_mkquery (QUERY, "query.example", C_IN, T_A,
                     NULL, 0, NULL,
                     query, sizeof (query)) < 0)
      {
        printf ("error: res_mkquery: %m\n");
        abort ();
      }
  }


> IMHO making sure that programs are restarted after applying the security
> update should be enough, but I am not fully sure about my analysis, so a
> confirmation would be nice to have.

This report 
is about an incomplete chroot update.  See comment 4 in particular
(although I wrote it without access to the actual installation).



Bug#815974: Segmentation fault in libresolv triggered by php5-fpm

2016-02-29 Thread Fabian Niepelt
On Saturday, 27.02.2016, at 23:59 +0100, Aurelien Jarno wrote:
> On 2016-02-26 22:03, Fabian Niepelt wrote:
> > > IMHO making sure that programs are restarted after applying the
> > > security update should be enough, but I am not fully sure about my
> > > analysis, so a confirmation would be nice to have.
> > The machines in question have been rebooted a few times after
> > upgrading.
> Ok then my scenario might be wrong.
>
> > I will try to get a full backtrace next week. Sadly, I won't have
> > access to the systems over the weekend.
> Ok, no problem.
>
> > > I wonder if it could be that the process is started with the
> > > old libc and is later dlopening the new nss libraries.
> > Going to investigate if there are old libs lying around somewhere
> > in the system on Monday.
> I am able to trigger similar (but slightly different) segmentation
> fault by doing name resolving with the new libc (ie 2.13-38+deb7u10)
> but with the old /lib/x86_64-linux-gnu/libnss_dns.so.2 (ie from
> 2.13-38+deb7u9).
> Do you have any nss modules which do not come from the libc6 package
> installed (either from another package or manually installed)?

Yep, this was it. Searching for the lib yielded an old version of it
that is not managed by package management...
Thank you for giving me the hint.

> Thanks for your help in debugging.

Thank you all for your time and sorry for the noise!

Greetings
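
Added example, not part of the original thread: the cause confirmed above (an unpackaged libnss_dns.so.2 loaded next to the updated libc) and the earlier hypothesis of a process still running a replaced libc both show up in a process's /proc/<pid>/maps. The sketch below flags both; the function names and the sample maps excerpt are constructed for illustration.

```python
import os
import re

# Basenames of the glibc pieces involved in this bug: libc itself,
# libresolv, and the NSS modules (libnss_dns, libnss_files, ...).
GLIBC_COMPONENT = re.compile(r"^(libc|libresolv|libnss_\w+)[-.]")
LIBC_ITSELF = re.compile(r"^libc[-.]")
DELETED_SUFFIX = " (deleted)"

# Constructed /proc/<pid>/maps excerpt (addresses and inodes are made up).
SAMPLE_MAPS = """\
7f1465a00000-7f1465b82000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.13.so
7f1465456000-7f1465469000 r-xp 00000000 08:01 1322 /lib/x86_64-linux-gnu/libresolv-2.13.so
7f1465240000-7f1465245000 r-xp 00000000 08:01 2977 /lib/libnss_dns.so.2
7f1465030000-7f146503c000 r-xp 00000000 08:01 1330 /lib/x86_64-linux-gnu/libnss_files-2.13.so (deleted)
7f1464e00000-7f1464e21000 rw-p 00000000 00:00 0
7fff6d6a0000-7fff6d6c2000 rw-p 00000000 00:00 0 [stack]
"""


def mapped_glibc_objects(maps_text):
    """Return {path: was_deleted} for glibc components found in maps text."""
    found = {}
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode pathname (pathname optional).
        fields = line.split(None, 5)
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue  # anonymous mapping or pseudo-path such as [stack]
        path = fields[5].strip()
        deleted = path.endswith(DELETED_SUFFIX)
        if deleted:
            path = path[: -len(DELETED_SUFFIX)]
        if GLIBC_COMPONENT.match(os.path.basename(path)):
            found[path] = found.get(path, False) or deleted
    return found


def audit_maps(maps_text):
    """Flag glibc components that do not sit beside the mapped libc, and
    components whose on-disk file was replaced after the process loaded it."""
    objects = mapped_glibc_objects(maps_text)
    libc_dirs = {
        os.path.dirname(p)
        for p in objects
        if LIBC_ITSELF.match(os.path.basename(p))
    }
    stray = sorted(
        p for p in objects
        if libc_dirs and os.path.dirname(p) not in libc_dirs
    )
    deleted = sorted(p for p, gone in objects.items() if gone)
    return {"stray": stray, "deleted": deleted}


def audit_pid(pid):
    """Run the same audit against a live process (needs read access)."""
    with open(f"/proc/{pid}/maps") as fh:
        return audit_maps(fh.read())


if __name__ == "__main__":
    print(audit_maps(SAMPLE_MAPS))
```

On a Debian system each reported path can then be checked with `dpkg -S <path>`, which finds no owning package for a file that was installed by hand.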

Bug#815974: Segmentation fault in libresolv triggered by php5-fpm

2016-02-27 Thread Aurelien Jarno
On 2016-02-26 22:03, Fabian Niepelt wrote:
> > IMHO making sure that programs are restarted after applying the security
> > update should be enough, but I am not fully sure about my analysis, so a
> > confirmation would be nice to have.
> 
> The machines in question have been rebooted a few times after upgrading.

Ok then my scenario might be wrong.

> I will try to get a full backtrace next week. Sadly, I won't have access to 
> the systems over the weekend.

Ok, no problem.

> > I wonder if it could be that the process is started with the
> > old libc and is later dlopening the new nss libraries.
> 
> Going to investigate if there are old libs lying around somewhere in the 
> system on Monday.

I am able to trigger similar (but slightly different) segmentation fault
by doing name resolving with the new libc (ie 2.13-38+deb7u10) but with
the old /lib/x86_64-linux-gnu/libnss_dns.so.2 (ie from 2.13-38+deb7u9).
Do you have any nss modules which do not come from the libc6 package
installed (either from another package or manually installed)?

Thanks for your help in debugging.

Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net



Bug#815974: Segmentation fault in libresolv triggered by php5-fpm

2016-02-26 Thread Fabian Niepelt
> IMHO making sure that programs are restarted after applying the security
> update should be enough, but I am not fully sure about my analysis, so a
> confirmation would be nice to have.

The machines in question have been rebooted a few times after upgrading.
I will try to get a full backtrace next week. Sadly, I won't have access to the 
systems over the weekend.

> I wonder if it could be that the process is started with the
> old libc and is later dlopening the new nss libraries.

Going to investigate if there are old libs lying around somewhere in the system 
on Monday.

Greetings


Bug#815974: Segmentation fault in libresolv triggered by php5-fpm

2016-02-26 Thread Aurelien Jarno
On 2016-02-26 13:31, Carlos O'Donell wrote:
> On Fri, Feb 26, 2016 at 7:46 AM, Fabian Niepelt wrote:
> > This is the correct output, the older one contains a test I thought was
> > in an endless loop but succeeded after a few minutes.
> 
> The glibc maintainers for debian need to review those failures. They
> indicate serious deviation from expected behaviour. At the very least
> the bug 18665* tests should not fail. However, the tests are sensitive
> to response order.
> 
> -address: STREAM/TCP 10.0.3.6 80
> -address: STREAM/TCP 2001:db8::4:6 80
> +error: Name or service not known
> 
> This is a weird failure.

The failures in this testsuite do not pass due to the patch we have that
dynamically reloads /etc/resolv.conf when it changes. Just after the
fake servers have been initialized, our libc reloads the configuration
from /etc/resolv.conf, and thus the tests fail. Once removing the
corresponding patch the tests pass, at least on my system.

Anyway I don't think it's related to the problem reported here. The
problem lies in the backport of the following patch, which is a
prerequisite for fixing CVE-2015-7547.

  commit ab09bf616ad527b249aca5f2a4956fd526f0712f
  Author: Andreas Schwab 
  Date:   Tue Feb 18 10:57:25 2014 +0100

  Properly fix memory leak in _nss_dns_gethostbyname4_r with big DNS answer

  Instead of trying to guess whether the second buffer needs to be freed
  set a flag at the place it is allocated

This patch changes the ABI of the __libc_res_nsearch function, adding
the ansp2_malloced argument. When this function is called by
_nss_dns_gethostbyname4_r  from a libc without the patch (ie the one
installed before applying the security fix), the argument contains
random values, leading to a segfault.

IMHO making sure that programs are restarted after applying the security
update should be enough, but I am not fully sure about my analysis, so a
confirmation would be nice to have.

Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net



Bug#815974: Segmentation fault in libresolv triggered by php5-fpm

2016-02-26 Thread Carlos O'Donell
On Fri, Feb 26, 2016 at 7:46 AM, Fabian Niepelt wrote:
> This is the correct output, the older one contains a test I thought was
> in an endless loop but succeeded after a few minutes.

The glibc maintainers for debian need to review those failures. They
indicate serious deviation from expected behaviour. At the very least
the bug 18665* tests should not fail. However, the tests are sensitive
to response order.

-address: STREAM/TCP 10.0.3.6 80
-address: STREAM/TCP 2001:db8::4:6 80
+error: Name or service not known

This is a weird failure.

Cheers,
Carlos.



Bug#815974: Segmentation fault in libresolv triggered by php5-fpm

2016-02-26 Thread Aurelien Jarno
On 2016-02-26 08:57, Fabian Niepelt wrote:
> Package: libc6
> Version: 2.13-38+deb7u10
> 
> Dear maintainer,
> 
> since the latest update for glibc we keep observing occasional
> segmentation faults in libresolv [1]. They are triggered (for us) by
> php5-fpm which runs an Owncloud instance when logging in. After the
> segfault happens, I can relogin successfully for about 20 minutes at
> which point the segfault happens again. Restarting php5-fpm or
> rebooting also does not influence the occurrence of it.
> 
> We were using the 5.5 packages from the dotdeb repository, but the
> segfaults persist in the 5.6 packages and the official wheezy 5.4
> packages. 
> 
> Attaching to the php5-fpm worker process with GDB yields [2] at
> segfault time. (for debugging purposes I set the amount of pool workers
> to 1 so I would not attach to the wrong process)

Would it be possible to get a full backtrace to get an idea from where
__libc_res_nsearch is called? You can get it running the command "bt
full" in GDB.

> Ubuntu seems to have a similar problem since the update:
> https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1546459
 
I am not fully sure it's the same bug, it looks more like a mismatch
between the nss libraries and the libc, at least for the
ubuntu-installer issue.

> I'll be gladly providing additional info if you require it.

When you do such a test do you restart all the processes after upgrading
the libc? I wonder if it could be that the process is started with the
old libc and is later dlopening the new nss libraries.

> [1]
> [57348.111866] php5-fpm[20421]: segfault at 20001 ip 7fd339eb74fa sp 7fff9f055700 error 4 in libresolv-2.13.so[7fd339eaf000+13000]
> [62889.617877] php5-fpm[20420]: segfault at 270752f65 ip 7fd339eb74fa sp 7fff9f055700 error 4 in libresolv-2.13.so[7fd339eaf000+13000]
> [64717.111099] php5-fpm[20753]: segfault at 270752f65 ip 7ff6819ef4fa sp 7fff0d576a90 error 4 in libresolv-2.13.so[7ff6819e7000+13000]
> [66684.547776] php5-fpm[21385]: segfault at 270752f65 ip 7fd55be4f4fa sp 7fffe6a3dcd0 error 4 in libresolv-2.13.so[7fd55be47000+13000]
> 
> [2]
> [many symbols being loaded messages]
> 82  ../sysdeps/unix/syscall-template.S: No such file or directory.
> Traceback (most recent call last):
>   File "/usr/lib/debug/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17-
> gdb.py", line 62, in 
> from libstdcxx.v6.printers import register_libstdcxx_printers
> ImportError: No module named libstdcxx.v6.printers
> (gdb) continue
> Continuing.
> warning: Could not load shared library symbols for
> /lib/libnss_dns.so.2.
> Do you need "set solib-search-path" or "set sysroot"?
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x7f146545e4fa in *__GI___libc_res_nsearch (statp=0x7f14659f7300,
> name=, class=, type=,
> answer=0x7fff6d6c0df0 "2", anslen=,
> answerp=0x7fff6d6c1660,
> answerp2=0x7fff6d6c1658, nanswerp2=0x7fff6d6c167c,
> resplen2=0x7fff6d6c1678, answerp2_malloced=0x20032) at
> res_query.c:393
> 393 res_query.c: No such file or directory.

This clearly shows that the crash is due to the answerp2_malloced pointing
at a random location in the following code:
  
  if (answerp2 && *answerp2_malloced)

Well not so random if you look at the kernel logs and the GDB entry. We
have 0x20001, 0x20032 and 3 times 0x270752f65.

Aurelien

-- 
Aurelien Jarno  GPG: 4096R/1DDD8C9B
aurel...@aurel32.net http://www.aurel32.net
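
Added example, not part of the original thread: a small parser for the kernel segfault lines quoted in the report, which decodes the page-fault error code and reduces each instruction pointer to an offset inside the mapped library. Function names are illustrative; the log lines are the four from the report with the mail line wrapping undone.

```python
import re
from collections import Counter

# The four kernel log lines from the report, with mail line wrapping undone.
KERNEL_LOG = """\
[57348.111866] php5-fpm[20421]: segfault at 20001 ip 7fd339eb74fa sp 7fff9f055700 error 4 in libresolv-2.13.so[7fd339eaf000+13000]
[62889.617877] php5-fpm[20420]: segfault at 270752f65 ip 7fd339eb74fa sp 7fff9f055700 error 4 in libresolv-2.13.so[7fd339eaf000+13000]
[64717.111099] php5-fpm[20753]: segfault at 270752f65 ip 7ff6819ef4fa sp 7fff0d576a90 error 4 in libresolv-2.13.so[7ff6819e7000+13000]
[66684.547776] php5-fpm[21385]: segfault at 270752f65 ip 7fd55be4f4fa sp 7fffe6a3dcd0 error 4 in libresolv-2.13.so[7fd55be47000+13000]
"""

# Layout of the x86 "segfault at ADDR ip IP sp SP error CODE in OBJ[BASE+SIZE]"
# message; every number in it is printed in hexadecimal.
SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+) "
    r"in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def decode_error(code):
    """Decode the x86 page-fault error code bits."""
    return {
        "cause": "protection violation" if code & 0x1 else "page not present",
        "access": "write" if code & 0x2 else "read",
        "mode": "user" if code & 0x4 else "kernel",
        "instruction_fetch": bool(code & 0x10),
    }


def parse_segfaults(text):
    """Return one dict per segfault line found in the text."""
    events = []
    for m in SEGFAULT_RE.finditer(text):
        ip, base = int(m["ip"], 16), int(m["base"], 16)
        events.append({
            "comm": m["comm"],
            "pid": int(m["pid"]),
            "fault_addr": int(m["addr"], 16),
            "object": m["obj"],
            # Offset inside the library: stable across ASLR load addresses.
            "offset": ip - base,
            "error": decode_error(int(m["err"], 16)),
        })
    return events


def crash_sites(events):
    """Count crashes per (library, offset) pair."""
    return Counter((e["object"], e["offset"]) for e in events)


def fault_addresses(events):
    """Count how often each faulting address was dereferenced."""
    return Counter(e["fault_addr"] for e in events)


if __name__ == "__main__":
    evs = parse_segfaults(KERNEL_LOG)
    for (obj, off), n in crash_sites(evs).items():
        print(f"{n} crash(es) at {obj}+{off:#x}")
    for addr, n in fault_addresses(evs).items():
        print(f"{n} fault(s) on address {addr:#x}")
```

All four lines reduce to the same offset in libresolv-2.13.so even though the load address differs between workers, and error 4 decodes to a user-mode read of an unmapped page.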




Bug#815974: Segmentation fault in libresolv triggered by php5-fpm

2016-02-26 Thread Fabian Niepelt
This is the correct output, the older one contains a test I thought was
in an endless loop but succeeded after a few minutes.

Greetings

root@linux-6sir:~/glibc_tests > ./bug18665-tcp
info: old timeout value: 1
info: old retry attempt value: 4
info: old _res.options: 0x802c1
info: old _res.nscount value: 1
info: old _res.ndots value: 1
info: new timeout value: 1
info: new retry attempt value: 4
info: new _res.options: 0x802c1
info: new _res.nscount value: 3
info: new _res.ndots value: 1
info: server 0: 127.0.0.1/51085
info: server 1: 127.0.0.1/40189
info: server 2: 127.0.0.1/41315
error: addrinfo comparison failure
--- expected
+++ actual
@@ -1,2 +1 @@
-address: STREAM/TCP 10.0.3.6 80
-address: STREAM/TCP 2001:db8::4:6 80
+error: Name or service not known
error: addrinfo comparison failure
--- expected
+++ actual
@@ -1,2 +1 @@
-address: STREAM/TCP 10.0.3.6 80
-address: STREAM/TCP 2001:db8::4:6 80
+error: Name or service not known
error: addrinfo comparison failure
--- expected
+++ actual
@@ -1,2 +1 @@
-address: STREAM/TCP 10.0.3.6 80
-address: STREAM/TCP 2001:db8::4:6 80
+error: Name or service not known
error: 3 errors detected
Aborted (core dumped)

root@linux-6sir:~/glibc_tests > ./tst-basic 
info: old timeout value: 1
info: old retry attempt value: 4
info: old _res.options: 0x802c1
info: old _res.nscount value: 1
info: old _res.ndots value: 1
info: new timeout value: 1
info: new retry attempt value: 4
info: new _res.options: 0x802c1
info: new _res.nscount value: 3
info: new _res.ndots value: 1
info: server 0: 127.0.0.1/53644
info: server 1: 127.0.0.1/35595
info: server 2: 127.0.0.1/36343
error: hostent comparison failure
--- expected
+++ actual
@@ -1,2 +1 @@
-name: www.example
-address: 192.0.2.17
+error: HOST_NOT_FOUND
error: hostent comparison failure
--- expected
+++ actual
@@ -1,2 +1 @@
-name: www.example
-address: 192.0.2.17
+error: HOST_NOT_FOUND
error: hostent comparison failure
--- expected
+++ actual
@@ -1,2 +1 @@
-name: www.example
-address: 192.0.2.17
+error: HOST_NOT_FOUND
error: hostent comparison failure
--- expected
+++ actual
@@ -1,2 +1 @@
-name: www.example
-address: 192.0.2.17
+error: HOST_NOT_FOUND
error: hostent comparison failure
--- expected
+++ actual
@@ -1,3 +1 @@
-name: www.example
-alias: alias.example
-address: 192.0.2.18
+error: HOST_NOT_FOUND
error: hostent comparison failure
--- expected
+++ actual
@@ -1,3 +1 @@
-name: www.example
-alias: alias.example
-address: 192.0.2.18
+error: HOST_NOT_FOUND
error: hostent comparison failure
--- expected
+++ actual
@@ -1,3 +1 @@
-name: www.example
-alias: alias.example
-address: 192.0.2.18
+error: HOST_NOT_FOUND
error: hostent comparison failure
--- expected
+++ actual
@@ -1,3 +1 @@
-name: www.example
-alias: alias.example
-address: 192.0.2.18
+error: HOST_NOT_FOUND
error: hostent comparison failure
--- expected
+++ actual
@@ -1,2 +1 @@
-name: www.example
-address: 2001:db8::1
+error: HOST_NOT_FOUND
error: hostent comparison failure
--- expected
+++ actual
@@ -1,2 +1 @@
-name: www.example
-address: 2001:db8::1
+error: HOST_NOT_FOUND
error: hostent comparison failure
--- expected
+++ actual
@@ -1,3 +1 @@
-name: www.example
-alias: alias.example
-address: 2001:db8::2
+error: HOST_NOT_FOUND
error: hostent comparison failure
--- expected
+++ actual
@@ -1,3 +1 @@
-name: www.example
-alias: alias.example
-address: 2001:db8::2
+error: HOST_NOT_FOUND
error: addrinfo comparison failure
--- expected
+++ actual
@@ -1,6 +1 @@
-address: STREAM/TCP 192.0.2.17 80
-address: DGRAM/UDP 192.0.2.17 80
-address: RAW/IP 192.0.2.17 80
-address: STREAM/TCP 2001:db8::1 80
-address: DGRAM/UDP 2001:db8::1 80
-address: RAW/IP 2001:db8::1 80
+error: Name or service not known
error: addrinfo comparison failure
--- expected
+++ actual
@@ -1,6 +1 @@
-address: STREAM/TCP 192.0.2.18 80
-address: DGRAM/UDP 192.0.2.18 80
-address: RAW/IP 192.0.2.18 80
-address: STREAM/TCP 2001:db8::2 80
-address: DGRAM/UDP 2001:db8::2 80
-address: RAW/IP 2001:db8::2 80
+error: Name or service not known
error: addrinfo comparison failure
--- expected
+++ actual
@@ -1,3 +1 @@
-address: STREAM/TCP 192.0.2.17 80
-address: DGRAM/UDP 192.0.2.17 80
-address: RAW/IP 192.0.2.17 80
+error: Name or service not known
error: addrinfo comparison failure
--- expected
+++ actual
@@ -1,3 +1 @@
-address: STREAM/TCP 192.0.2.18 80
-address: DGRAM/UDP 192.0.2.18 80
-address: RAW/IP 192.0.2.18 80
+error: Name or service not known
error: addrinfo comparison failure
--- expected
+++ actual
@@ -1,3 +1 @@
-address: STREAM/TCP 2001:db8::1 80
-address: DGRAM/UDP 2001:db8::1 80
-address: RAW/IP 2001:db8::1 80
+error: Name or service not known
error: addrinfo comparison failure
--- expected
+++ actual
@@ -1,3 +1 @@
-address: STREAM/TCP 2001:db8::2 80
-address: DGRAM/UDP 2001:db8::2 80
-address: RAW/IP 2001:db8::2 80
+error: Name or service not known
error: hostent comparison failure
--- expected
+++ actual
@@ -1,2 +1 @@
-name: t.www.example
-address: 192.0.2.19
+error: HOST_NOT_FOUND
error: hostent comparison failure

Bug#815974: Segmentation fault in libresolv triggered by php5-fpm

2016-02-26 Thread Fabian Niepelt
On Friday, 26.02.2016, at 05:01 -0500, Carlos O'Donell wrote:
> On Fri, Feb 26, 2016 at 3:57 AM, Fabian Niepelt wrote:
> > 
> > I'll be gladly providing additional info if you require it.
> > Program received signal SIGSEGV, Segmentation fault.
> > 0x7f146545e4fa in *__GI___libc_res_nsearch
> > (statp=0x7f14659f7300,
> > name=, class=, type=,
> > answer=0x7fff6d6c0df0 "2", anslen=,
> > answerp=0x7fff6d6c1660,
> > answerp2=0x7fff6d6c1658, nanswerp2=0x7fff6d6c167c,
> > resplen2=0x7fff6d6c1678, answerp2_malloced=0x20032) at
> > res_query.c:393
> > 393 res_query.c: No such file or directory.
> 1) Download the tarball from the official CVE-2015-7547 tests here:
> https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html
> 
> 2) Comment out BUILDDIR (to build against your system libraries)
> 
> 3) Run 'make' to build the test, and run them all one-by-one.
> 
> Do any of them fail on your system?
> 
> Cheers,
> Carlos.
> 

Hello,

indeed most of them fail. I attached a text file with the output of the
failed tests. If a test is not included in the text file it is because
it didn't throw any errors.

I tried them on the system in question, another updated system and out
of curiosity on two opensuse systems, the results were the same. Is
there another prerequisite to running these tests?

Greetings

root@linux-6sir:~/glibc_tests > ./bug18665-tcp
info: old timeout value: 1
info: old retry attempt value: 4
info: old _res.options: 0x802c1
info: old _res.nscount value: 1
info: old _res.ndots value: 1
info: new timeout value: 1
info: new retry attempt value: 4
info: new _res.options: 0x802c1
info: new _res.nscount value: 3
info: new _res.ndots value: 1
info: server 0: 127.0.0.1/51085
info: server 1: 127.0.0.1/40189
info: server 2: 127.0.0.1/41315
error: addrinfo comparison failure
--- expected
+++ actual
@@ -1,2 +1 @@
-address: STREAM/TCP 10.0.3.6 80
-address: STREAM/TCP 2001:db8::4:6 80
+error: Name or service not known
error: addrinfo comparison failure
--- expected
+++ actual
@@ -1,2 +1 @@
-address: STREAM/TCP 10.0.3.6 80
-address: STREAM/TCP 2001:db8::4:6 80
+error: Name or service not known
error: addrinfo comparison failure
--- expected
+++ actual
@@ -1,2 +1 @@
-address: STREAM/TCP 10.0.3.6 80
-address: STREAM/TCP 2001:db8::4:6 80
+error: Name or service not known
error: 3 errors detected
Aborted (core dumped)

root@linux-6sir:~/glibc_tests > ./bug18665-tcp-2 
info: old timeout value: 1
info: old retry attempt value: 4
info: old _res.options: 0x802c1
info: old _res.nscount value: 1
info: old _res.ndots value: 1
info: new timeout value: 1
info: new retry attempt value: 4
info: new _res.options: 0x802c1
info: new _res.nscount value: 3
info: new _res.ndots value: 1
info: server 0: 127.0.0.1/52584
info: server 1: 127.0.0.1/39059
info: server 2: 127.0.0.1/55518
info: name: www.example
info: initial_address_count: 2
info: subsequent_address_count: 3
info: name: www.example
info: initial_address_count: 124
info: subsequent_address_count: 2000
info: name: www1.example
info: initial_address_count: 124
info: subsequent_address_count: 2000
info: name: www12.example
info: initial_address_count: 124
info: subsequent_address_count: 2000
info: name: www123.example
info: initial_address_count: 124
info: subsequent_address_count: 2000
info: name: www.example
info: initial_address_count: 2
info: subsequent_address_count: 3
info: name: www.example
info: initial_address_count: 124
info: subsequent_address_count: 2000
info: name: www1.example
info: initial_address_count: 124
info: subsequent_address_count: 2000
info: name: www12.example
info: initial_address_count: 124
info: subsequent_address_count: 2000
info: name: www123.example
info: initial_address_count: 124
info: subsequent_address_count: 2000
info: name: www.example
info: initial_address_count: 2
info: subsequent_address_count: 3
info: name: www.example
info: initial_address_count: 124
info: subsequent_address_count: 2000
info: name: www1.example
info: initial_address_count: 124
info: subsequent_address_count: 2000
info: name: www12.example
info: initial_address_count: 124
info: subsequent_address_count: 2000
info: name: www123.example
info: initial_address_count: 124
info: subsequent_address_count: 2000
info: name: www.example
info: initial_address_count: 2
info: subsequent_address_count: 3
[...]
^C

root@linux-6sir:~/glibc_tests > ./tst-basic 
info: old timeout value: 1
info: old retry attempt value: 4
info: old _res.options: 0x802c1
info: old _res.nscount value: 1
info: old _res.ndots value: 1
info: new timeout value: 1
info: new retry attempt value: 4
info: new _res.options: 0x802c1
info: new _res.nscount value: 3
info: new _res.ndots value: 1
info: server 0: 127.0.0.1/53644
info: server 1: 127.0.0.1/35595
info: server 2: 127.0.0.1/36343
error: hostent comparison failure
--- expected
+++ actual
@@ -1,2 +1 @@
-name: www.example
-address: 192.0.2.17
+error: HOST_NOT_FOUND
error: hostent comparison failure
--- expected
+++ actual

Bug#815974: Segmentation fault in libresolv triggered by php5-fpm

2016-02-26 Thread Carlos O'Donell
On Fri, Feb 26, 2016 at 3:57 AM, Fabian Niepelt wrote:
> I'll be gladly providing additional info if you require it.
> Program received signal SIGSEGV, Segmentation fault.
> 0x7f146545e4fa in *__GI___libc_res_nsearch (statp=0x7f14659f7300,
> name=, class=, type=,
> answer=0x7fff6d6c0df0 "2", anslen=,
> answerp=0x7fff6d6c1660,
> answerp2=0x7fff6d6c1658, nanswerp2=0x7fff6d6c167c,
> resplen2=0x7fff6d6c1678, answerp2_malloced=0x20032) at
> res_query.c:393
> 393 res_query.c: No such file or directory.

1) Download the tarball from the official CVE-2015-7547 tests here:
https://sourceware.org/ml/libc-alpha/2016-02/msg00418.html

2) Comment out BUILDDIR (to build against your system libraries)

3) Run 'make' to build the test, and run them all one-by-one.

Do any of them fail on your system?

Cheers,
Carlos.



Bug#815974: Segmentation fault in libresolv triggered by php5-fpm

2016-02-26 Thread Fabian Niepelt
Package: libc6
Version: 2.13-38+deb7u10

Dear maintainer,

since the latest update for glibc we keep observing occasional
segmentation faults in libresolv [1]. They are triggered (for us) by
php5-fpm which runs an Owncloud instance when logging in. After the
segfault happens, I can relogin successfully for about 20 minutes at
which point the segfault happens again. Restarting php5-fpm or
rebooting also does not influence the occurrence of it.

We were using the 5.5 packages from the dotdeb repository, but the
segfaults persist in the 5.6 packages and the official wheezy 5.4
packages. 

Attaching to the php5-fpm worker process with GDB yields [2] at
segfault time. (for debugging purposes I set the amount of pool workers
to 1 so I would not attach to the wrong process)

Ubuntu seems to have a similar problem since the update:
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/1546459

I'll be gladly providing additional info if you require it.

Thank you for your time.

Greetings

[1]
[57348.111866] php5-fpm[20421]: segfault at 20001 ip 7fd339eb74fa sp 7fff9f055700 error 4 in libresolv-2.13.so[7fd339eaf000+13000]
[62889.617877] php5-fpm[20420]: segfault at 270752f65 ip 7fd339eb74fa sp 7fff9f055700 error 4 in libresolv-2.13.so[7fd339eaf000+13000]
[64717.111099] php5-fpm[20753]: segfault at 270752f65 ip 7ff6819ef4fa sp 7fff0d576a90 error 4 in libresolv-2.13.so[7ff6819e7000+13000]
[66684.547776] php5-fpm[21385]: segfault at 270752f65 ip 7fd55be4f4fa sp 7fffe6a3dcd0 error 4 in libresolv-2.13.so[7fd55be47000+13000]

[2]
[many symbols being loaded messages]
82  ../sysdeps/unix/syscall-template.S: No such file or directory.
Traceback (most recent call last):
  File "/usr/lib/debug/usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.17-
gdb.py", line 62, in 
from libstdcxx.v6.printers import register_libstdcxx_printers
ImportError: No module named libstdcxx.v6.printers
(gdb) continue
Continuing.
warning: Could not load shared library symbols for
/lib/libnss_dns.so.2.
Do you need "set solib-search-path" or "set sysroot"?

Program received signal SIGSEGV, Segmentation fault.
0x7f146545e4fa in *__GI___libc_res_nsearch (statp=0x7f14659f7300,
name=, class=, type=,
answer=0x7fff6d6c0df0 "2", anslen=,
answerp=0x7fff6d6c1660,
answerp2=0x7fff6d6c1658, nanswerp2=0x7fff6d6c167c,
resplen2=0x7fff6d6c1678, answerp2_malloced=0x20032) at
res_query.c:393
393 res_query.c: No such file or directory.