Ypserv mknetid BUG

2011-10-05 Thread Felip Moll
Dear SL developers,

I have recently installed the package ypserv.x86_64, version 2.19-18.el6,
from repo. @sl/6.0. The same version is in the sl 6.1 repo.

When executing the command /usr/lib64/yp/mknetid , a segmentation fault
occurs.

Here is some info:
[root@acuari ~]# /usr/lib64/yp/mknetid
Segmentation fault

[root@acuari ~]# strace /usr/lib64/yp/mknetid
execve(/usr/lib64/yp/mknetid, [/usr/lib64/yp/mknetid], [/* 30 vars */])
= 0
brk(0)  = 0x2564000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f1d03292000
access(/etc/ld.so.preload, R_OK)  = -1 ENOENT (No such file or
directory)
open(/etc/ld.so.cache, O_RDONLY)  = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=71138, ...}) = 0
mmap(NULL, 71138, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f1d0328
close(3)= 0
open(/lib64/libnsl.so.1, O_RDONLY)= 3
read(3,
\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\360?\340\3607\0\0\0...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=116136, ...}) = 0
mmap(0x37f0e0, 2198192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0x37f0e0
mprotect(0x37f0e16000, 2093056, PROT_NONE) = 0
mmap(0x37f1015000, 8192, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x37f1015000
mmap(0x37f1017000, 6832, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x37f1017000
close(3)= 0
open(/lib64/libc.so.6, O_RDONLY)  = 3
read(3,
\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\260\355\241\3437\0\0\0...,
832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1904312, ...}) = 0
mmap(0x37e3a0, 3729576, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE,
3, 0) = 0x37e3a0
mprotect(0x37e3b86000, 2093056, PROT_NONE) = 0
mmap(0x37e3d85000, 20480, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x185000) = 0x37e3d85000
mmap(0x37e3d8a000, 18600, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x37e3d8a000
close(3)= 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f1d0327f000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f1d0327e000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f1d0327d000
arch_prctl(ARCH_SET_FS, 0x7f1d0327e700) = 0
mprotect(0x37f1015000, 4096, PROT_READ) = 0
mprotect(0x37e3d85000, 16384, PROT_READ) = 0
mprotect(0x37e341f000, 4096, PROT_READ) = 0
munmap(0x7f1d0328, 71138)   = 0
uname({sys=Linux, node=acuari, ...}) = 0
brk(0)  = 0x2564000
brk(0x2585000)  = 0x2585000
open(/etc/passwd, O_RDONLY)   = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=3739, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0x7f1d03291000
read(3, root:x:0:0:root:/root:/bin/bash\n..., 4096) = 3739
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Segmentation fault

dmesg output:
mknetid[22013]: segfault at 0 ip 0037e3a371e2 sp 7fff19e13c80 error
4 in libc-2.12.so[37e3a0+186000]


It's an ugly problem and seems to be a simple out-of-bounds read (dmesg reports the fault at address 0, inside libc)...

Is it possible to solve the problem?


Thank you,

great work with SL 6.1


Re: Ypserv mknetid BUG

2011-10-05 Thread Jean-Paul Chaput
Hello Mr Moll,


mknetid cores when it reads /etc/passwd.

I've noticed that the passwd file parser is very sensitive to
malformed lines, especially those with the wrong number of fields
(some ':' separators are missing; there must be exactly six of them).

If you work in compat mode (/etc/nsswitch.conf), use:
(in /etc/passwd)

+::

to include the yp entries and *not*:

+

But it may also occur on any normal line...


Regards,


On Wed, 2011-10-05 at 10:50 +0200, Felip Moll wrote:
 Dear SL developers,
 
 I have recently installed the package ypserv.x86_64, version
 2.19-18.el6, from repo. @sl/6.0. The same version is in the sl 6.1
 repo.
 
 When executing the command /usr/lib64/yp/mknetid , a segmentation
 fault occurs.
 
 Here there is some info:
 [root@acuari ~]# /usr/lib64/yp/mknetid
 Segmentation fault
 
 [root@acuari ~]# strace /usr/lib64/yp/mknetid
 execve(/usr/lib64/yp/mknetid, [/usr/lib64/yp/mknetid], [/* 30 vars
 */]) = 0
 brk(0)  = 0x2564000
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
 0) = 0x7f1d03292000
 access(/etc/ld.so.preload, R_OK)  = -1 ENOENT (No such file or
 directory)
 open(/etc/ld.so.cache, O_RDONLY)  = 3
 fstat(3, {st_mode=S_IFREG|0644, st_size=71138, ...}) = 0
 mmap(NULL, 71138, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f1d0328
 close(3)= 0
 open(/lib64/libnsl.so.1, O_RDONLY)= 3
 read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\360?\340\3607
 \0\0\0..., 832) = 832
 fstat(3, {st_mode=S_IFREG|0755, st_size=116136, ...}) = 0
 mmap(0x37f0e0, 2198192, PROT_READ|PROT_EXEC, MAP_PRIVATE|
 MAP_DENYWRITE, 3, 0) = 0x37f0e0
 mprotect(0x37f0e16000, 2093056, PROT_NONE) = 0
 mmap(0x37f1015000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
 MAP_DENYWRITE, 3, 0x15000) = 0x37f1015000
 mmap(0x37f1017000, 6832, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
 MAP_ANONYMOUS, -1, 0) = 0x37f1017000
 close(3)= 0
 open(/lib64/libc.so.6, O_RDONLY)  = 3
 read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\260\355\241
 \3437\0\0\0..., 832) = 832
 fstat(3, {st_mode=S_IFREG|0755, st_size=1904312, ...}) = 0
 mmap(0x37e3a0, 3729576, PROT_READ|PROT_EXEC, MAP_PRIVATE|
 MAP_DENYWRITE, 3, 0) = 0x37e3a0
 mprotect(0x37e3b86000, 2093056, PROT_NONE) = 0
 mmap(0x37e3d85000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
 MAP_DENYWRITE, 3, 0x185000) = 0x37e3d85000
 mmap(0x37e3d8a000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
 MAP_ANONYMOUS, -1, 0) = 0x37e3d8a000
 close(3)= 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
 0) = 0x7f1d0327f000
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
 0) = 0x7f1d0327e000
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
 0) = 0x7f1d0327d000
 arch_prctl(ARCH_SET_FS, 0x7f1d0327e700) = 0
 mprotect(0x37f1015000, 4096, PROT_READ) = 0
 mprotect(0x37e3d85000, 16384, PROT_READ) = 0
 mprotect(0x37e341f000, 4096, PROT_READ) = 0
 munmap(0x7f1d0328, 71138)   = 0
 uname({sys=Linux, node=acuari, ...}) = 0
 brk(0)  = 0x2564000
 brk(0x2585000)  = 0x2585000
 open(/etc/passwd, O_RDONLY)   = 3
 fstat(3, {st_mode=S_IFREG|0644, st_size=3739, ...}) = 0
 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
 0) = 0x7f1d03291000
 read(3, root:x:0:0:root:/root:/bin/bash\n..., 4096) = 3739
 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
 +++ killed by SIGSEGV +++
 Segmentation fault
 
 dmesg output:
 mknetid[22013]: segfault at 0 ip 0037e3a371e2 sp 7fff19e13c80
 error 4 in libc-2.12.so[37e3a0+186000]
 
 
 It's an ugly problem and seems a simple out of bounds reading...
 
 Is it possible to solve the problem?
 
 
 Thank you,
 
 great work with SL 6.1

-- 
  .-. J e a n - P a u l   C h a p u t  /  Administrateur Systeme
  /v\ jean-paul.cha...@lip6.fr
/(___)\   work: (33) 01.44.27.53.99  
 ^^ ^^cell:  06.66.25.35.55   home: 01.47.46.01.31

U P M C   Universite Pierre  Marie Curie
L I P 6   Laboratoire d'Informatique de Paris VI
S o C System On Chip


Re: Ypserv mknetid BUG

2011-10-05 Thread Felip Moll
A lot of thanks Jean-Paul.

Following your indications I checked the passwd file. All of the entries
had six ':' separators, but at the end of the file there was a blank line!

I deleted the blank line and the problem disappeared.

It's good to know this, but the Ypserv developers should handle these
cases: instead of crashing with a SIGSEGV, the program should warn the user
with an error.

I will check new versions of Ypserv and report the bug to Ypserv developers
if it's still present.

Problem SOLVED.

Thank you.
Felip Moll


2011/10/5 Jean-Paul Chaput jean-paul.cha...@lip6.fr


 Hello Mr Moll,


 mknetid cores when it reads /etc/passwd.

 I've noticed that the passwd file parser is very sensitive on
 malformed lines, especially those with the wrong number of entries
 (some : are missing, there must be exactly six of them)

 If you work in compat mode (/etc/nsswitch.conf), uses:
 (in /etc/passwd)

 +::

 to include the yp entries an *not*:

 +

 But it also may occurs on any normal line...


 Regards,


 On Wed, 2011-10-05 at 10:50 +0200, Felip Moll wrote:
  Dear SL developers,
 
  I have recently installed the package ypserv.x86_64, version
  2.19-18.el6, from repo. @sl/6.0. The same version is in the sl 6.1
  repo.
 
  When executing the command /usr/lib64/yp/mknetid , a segmentation
  fault occurs.
 
  Here there is some info:
  [root@acuari ~]# /usr/lib64/yp/mknetid
  Segmentation fault
 
  [root@acuari ~]# strace /usr/lib64/yp/mknetid
  execve(/usr/lib64/yp/mknetid, [/usr/lib64/yp/mknetid], [/* 30 vars
  */]) = 0
  brk(0)  = 0x2564000
  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
  0) = 0x7f1d03292000
  access(/etc/ld.so.preload, R_OK)  = -1 ENOENT (No such file or
  directory)
  open(/etc/ld.so.cache, O_RDONLY)  = 3
  fstat(3, {st_mode=S_IFREG|0644, st_size=71138, ...}) = 0
  mmap(NULL, 71138, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f1d0328
  close(3)= 0
  open(/lib64/libnsl.so.1, O_RDONLY)= 3
  read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\360?\340\3607
  \0\0\0..., 832) = 832
  fstat(3, {st_mode=S_IFREG|0755, st_size=116136, ...}) = 0
  mmap(0x37f0e0, 2198192, PROT_READ|PROT_EXEC, MAP_PRIVATE|
  MAP_DENYWRITE, 3, 0) = 0x37f0e0
  mprotect(0x37f0e16000, 2093056, PROT_NONE) = 0
  mmap(0x37f1015000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
  MAP_DENYWRITE, 3, 0x15000) = 0x37f1015000
  mmap(0x37f1017000, 6832, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
  MAP_ANONYMOUS, -1, 0) = 0x37f1017000
  close(3)= 0
  open(/lib64/libc.so.6, O_RDONLY)  = 3
  read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\260\355\241
  \3437\0\0\0..., 832) = 832
  fstat(3, {st_mode=S_IFREG|0755, st_size=1904312, ...}) = 0
  mmap(0x37e3a0, 3729576, PROT_READ|PROT_EXEC, MAP_PRIVATE|
  MAP_DENYWRITE, 3, 0) = 0x37e3a0
  mprotect(0x37e3b86000, 2093056, PROT_NONE) = 0
  mmap(0x37e3d85000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
  MAP_DENYWRITE, 3, 0x185000) = 0x37e3d85000
  mmap(0x37e3d8a000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|
  MAP_ANONYMOUS, -1, 0) = 0x37e3d8a000
  close(3)= 0
  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
  0) = 0x7f1d0327f000
  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
  0) = 0x7f1d0327e000
  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
  0) = 0x7f1d0327d000
  arch_prctl(ARCH_SET_FS, 0x7f1d0327e700) = 0
  mprotect(0x37f1015000, 4096, PROT_READ) = 0
  mprotect(0x37e3d85000, 16384, PROT_READ) = 0
  mprotect(0x37e341f000, 4096, PROT_READ) = 0
  munmap(0x7f1d0328, 71138)   = 0
  uname({sys=Linux, node=acuari, ...}) = 0
  brk(0)  = 0x2564000
  brk(0x2585000)  = 0x2585000
  open(/etc/passwd, O_RDONLY)   = 3
  fstat(3, {st_mode=S_IFREG|0644, st_size=3739, ...}) = 0
  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
  0) = 0x7f1d03291000
  read(3, root:x:0:0:root:/root:/bin/bash\n..., 4096) = 3739
  --- SIGSEGV (Segmentation fault) @ 0 (0) ---
  +++ killed by SIGSEGV +++
  Segmentation fault
 
  dmesg output:
  mknetid[22013]: segfault at 0 ip 0037e3a371e2 sp 7fff19e13c80
  error 4 in libc-2.12.so[37e3a0+186000]
 
 
  It's an ugly problem and seems a simple out of bounds reading...
 
  Is it possible to solve the problem?
 
 
  Thank you,
 
  great work with SL 6.1

 --
  .-. J e a n - P a u l   C h a p u t  /  Administrateur Systeme
  /v\ jean-paul.cha...@lip6.fr
/(___)\   work: (33) 01.44.27.53.99
 ^^ ^^cell:  06.66.25.35.55   home: 01.47.46.01.31

U P M C   Universite Pierre  Marie Curie
L I P 6   Laboratoire d'Informatique de Paris VI
S o C System On Chip





Re: Ypserv mknetid BUG

2011-10-05 Thread Jean-Paul Chaput
You're welcome.

The missing check is in the /etc/passwd file parser, so I don't think it
concerns the ypserv developers. I presume it's in glibc.

Note that this core dump on malformed password lines affects
all programs using the parser. I ran into the problem myself
while trying to use finger...

Regards,


On Wed, 2011-10-05 at 12:00 +0200, Felip Moll wrote:
 A lot of thanks Jean-Paul.
 
 Following your indications I checked out the passwd file. All of the
 entries had six : , but at the end of the file, there was a blank
 line!.
 
 I deleted the blank line and the problem disappeared.
 
 It's good to know this but the Ypserv developers should take care of
 these cases and instead of generating a sigsegv, they should warn the
 user with an
 error.
 
 I will check new versions of Ypserv and report the bug to Ypserv
 developers if it's still present.
 
 Problem SOLVED.
 
 Thank you.
 Felip Moll
 
 
 2011/10/5 Jean-Paul Chaput jean-paul.cha...@lip6.fr
 
 Hello Mr Moll,
 
 
 mknetid cores when it reads /etc/passwd.
 
 I've noticed that the passwd file parser is very sensitive on
 malformed lines, especially those with the wrong number of
 entries
 (some : are missing, there must be exactly six of them)
 
 If you work in compat mode (/etc/nsswitch.conf), uses:
 (in /etc/passwd)
 
 +::
 
 to include the yp entries an *not*:
 
 +
 
 But it also may occurs on any normal line...
 
 
 Regards,
 
 
 
 On Wed, 2011-10-05 at 10:50 +0200, Felip Moll wrote:
  Dear SL developers,
 
  I have recently installed the package ypserv.x86_64, version
  2.19-18.el6, from repo. @sl/6.0. The same version is in the
 sl 6.1
  repo.
 
  When executing the command /usr/lib64/yp/mknetid , a
 segmentation
  fault occurs.
 
  Here there is some info:
  [root@acuari ~]# /usr/lib64/yp/mknetid
  Segmentation fault
 
  [root@acuari ~]# strace /usr/lib64/yp/mknetid
  execve(/usr/lib64/yp/mknetid, [/usr/lib64/yp/mknetid],
 [/* 30 vars
  */]) = 0
  brk(0)  = 0x2564000
  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
 MAP_ANONYMOUS, -1,
  0) = 0x7f1d03292000
  access(/etc/ld.so.preload, R_OK)  = -1 ENOENT (No such
 file or
  directory)
  open(/etc/ld.so.cache, O_RDONLY)  = 3
  fstat(3, {st_mode=S_IFREG|0644, st_size=71138, ...}) = 0
  mmap(NULL, 71138, PROT_READ, MAP_PRIVATE, 3, 0) =
 0x7f1d0328
  close(3)= 0
  open(/lib64/libnsl.so.1, O_RDONLY)= 3
  read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0
 \360?\340\3607
  \0\0\0..., 832) = 832
  fstat(3, {st_mode=S_IFREG|0755, st_size=116136, ...}) = 0
  mmap(0x37f0e0, 2198192, PROT_READ|PROT_EXEC,
 MAP_PRIVATE|
  MAP_DENYWRITE, 3, 0) = 0x37f0e0
  mprotect(0x37f0e16000, 2093056, PROT_NONE) = 0
  mmap(0x37f1015000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|
 MAP_FIXED|
  MAP_DENYWRITE, 3, 0x15000) = 0x37f1015000
  mmap(0x37f1017000, 6832, PROT_READ|PROT_WRITE, MAP_PRIVATE|
 MAP_FIXED|
  MAP_ANONYMOUS, -1, 0) = 0x37f1017000
  close(3)= 0
  open(/lib64/libc.so.6, O_RDONLY)  = 3
  read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\260
 \355\241
  \3437\0\0\0..., 832) = 832
  fstat(3, {st_mode=S_IFREG|0755, st_size=1904312, ...}) = 0
  mmap(0x37e3a0, 3729576, PROT_READ|PROT_EXEC,
 MAP_PRIVATE|
  MAP_DENYWRITE, 3, 0) = 0x37e3a0
  mprotect(0x37e3b86000, 2093056, PROT_NONE) = 0
  mmap(0x37e3d85000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|
 MAP_FIXED|
  MAP_DENYWRITE, 3, 0x185000) = 0x37e3d85000
  mmap(0x37e3d8a000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|
 MAP_FIXED|
  MAP_ANONYMOUS, -1, 0) = 0x37e3d8a000
  close(3)= 0
  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
 MAP_ANONYMOUS, -1,
  0) = 0x7f1d0327f000
  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
 MAP_ANONYMOUS, -1,
  0) = 0x7f1d0327e000
  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|
 MAP_ANONYMOUS, -1,
  0) = 0x7f1d0327d000
  arch_prctl(ARCH_SET_FS, 0x7f1d0327e700) = 0
  mprotect(0x37f1015000, 4096, PROT_READ) = 0
  mprotect(0x37e3d85000, 16384, PROT_READ) = 0
  mprotect(0x37e341f000, 4096, PROT_READ) = 0