Ypserv mknetid BUG
Dear SL developers, I have recently installed the package ypserv.x86_64, version 2.19-18.el6, from repo. @sl/6.0. The same version is in the sl 6.1 repo. When executing the command /usr/lib64/yp/mknetid , a segmentation fault occurs. Here there is some info: [root@acuari ~]# /usr/lib64/yp/mknetid Segmentation fault [root@acuari ~]# strace /usr/lib64/yp/mknetid execve(/usr/lib64/yp/mknetid, [/usr/lib64/yp/mknetid], [/* 30 vars */]) = 0 brk(0) = 0x2564000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d03292000 access(/etc/ld.so.preload, R_OK) = -1 ENOENT (No such file or directory) open(/etc/ld.so.cache, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=71138, ...}) = 0 mmap(NULL, 71138, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f1d0328 close(3)= 0 open(/lib64/libnsl.so.1, O_RDONLY)= 3 read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\360?\340\3607\0\0\0..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=116136, ...}) = 0 mmap(0x37f0e0, 2198192, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37f0e0 mprotect(0x37f0e16000, 2093056, PROT_NONE) = 0 mmap(0x37f1015000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0x37f1015000 mmap(0x37f1017000, 6832, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x37f1017000 close(3)= 0 open(/lib64/libc.so.6, O_RDONLY) = 3 read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\260\355\241\3437\0\0\0..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1904312, ...}) = 0 mmap(0x37e3a0, 3729576, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x37e3a0 mprotect(0x37e3b86000, 2093056, PROT_NONE) = 0 mmap(0x37e3d85000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x185000) = 0x37e3d85000 mmap(0x37e3d8a000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x37e3d8a000 close(3)= 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d0327f000 mmap(NULL, 
4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d0327e000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d0327d000 arch_prctl(ARCH_SET_FS, 0x7f1d0327e700) = 0 mprotect(0x37f1015000, 4096, PROT_READ) = 0 mprotect(0x37e3d85000, 16384, PROT_READ) = 0 mprotect(0x37e341f000, 4096, PROT_READ) = 0 munmap(0x7f1d0328, 71138) = 0 uname({sys=Linux, node=acuari, ...}) = 0 brk(0) = 0x2564000 brk(0x2585000) = 0x2585000 open(/etc/passwd, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=3739, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d03291000 read(3, root:x:0:0:root:/root:/bin/bash\n..., 4096) = 3739 --- SIGSEGV (Segmentation fault) @ 0 (0) --- +++ killed by SIGSEGV +++ Segmentation fault dmesg output: mknetid[22013]: segfault at 0 ip 0037e3a371e2 sp 7fff19e13c80 error 4 in libc-2.12.so[37e3a0+186000] It's an ugly problem and seems a simple out of bounds reading... Is it possible to solve the problem? Thank you, great work with SL 6.1
Re: Ypserv mknetid BUG
Hello Mr Moll, mknetid cores when it reads /etc/passwd. I've noticed that the passwd file parser is very sensitive to malformed lines, especially those with the wrong number of entries (some : are missing; there must be exactly six : on each line). If you work in compat mode (/etc/nsswitch.conf), use (in /etc/passwd): +:: to include the yp entries, and *not*: + But it may also occur on any normal line... Regards, On Wed, 2011-10-05 at 10:50 +0200, Felip Moll wrote: Dear SL developers, I have recently installed the package ypserv.x86_64, version 2.19-18.el6, from repo. @sl/6.0. The same version is in the sl 6.1 repo. When executing the command /usr/lib64/yp/mknetid , a segmentation fault occurs. Here there is some info: [root@acuari ~]# /usr/lib64/yp/mknetid Segmentation fault [root@acuari ~]# strace /usr/lib64/yp/mknetid execve(/usr/lib64/yp/mknetid, [/usr/lib64/yp/mknetid], [/* 30 vars */]) = 0 brk(0) = 0x2564000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d03292000 access(/etc/ld.so.preload, R_OK) = -1 ENOENT (No such file or directory) open(/etc/ld.so.cache, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=71138, ...}) = 0 mmap(NULL, 71138, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f1d0328 close(3)= 0 open(/lib64/libnsl.so.1, O_RDONLY)= 3 read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\360?\340\3607 \0\0\0..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=116136, ...}) = 0 mmap(0x37f0e0, 2198192, PROT_READ|PROT_EXEC, MAP_PRIVATE| MAP_DENYWRITE, 3, 0) = 0x37f0e0 mprotect(0x37f0e16000, 2093056, PROT_NONE) = 0 mmap(0x37f1015000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| MAP_DENYWRITE, 3, 0x15000) = 0x37f1015000 mmap(0x37f1017000, 6832, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| MAP_ANONYMOUS, -1, 0) = 0x37f1017000 close(3)= 0 open(/lib64/libc.so.6, O_RDONLY) = 3 read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\260\355\241 \3437\0\0\0..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1904312, ...}) = 0 
mmap(0x37e3a0, 3729576, PROT_READ|PROT_EXEC, MAP_PRIVATE| MAP_DENYWRITE, 3, 0) = 0x37e3a0 mprotect(0x37e3b86000, 2093056, PROT_NONE) = 0 mmap(0x37e3d85000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| MAP_DENYWRITE, 3, 0x185000) = 0x37e3d85000 mmap(0x37e3d8a000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| MAP_ANONYMOUS, -1, 0) = 0x37e3d8a000 close(3)= 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d0327f000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d0327e000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d0327d000 arch_prctl(ARCH_SET_FS, 0x7f1d0327e700) = 0 mprotect(0x37f1015000, 4096, PROT_READ) = 0 mprotect(0x37e3d85000, 16384, PROT_READ) = 0 mprotect(0x37e341f000, 4096, PROT_READ) = 0 munmap(0x7f1d0328, 71138) = 0 uname({sys=Linux, node=acuari, ...}) = 0 brk(0) = 0x2564000 brk(0x2585000) = 0x2585000 open(/etc/passwd, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=3739, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d03291000 read(3, root:x:0:0:root:/root:/bin/bash\n..., 4096) = 3739 --- SIGSEGV (Segmentation fault) @ 0 (0) --- +++ killed by SIGSEGV +++ Segmentation fault dmesg output: mknetid[22013]: segfault at 0 ip 0037e3a371e2 sp 7fff19e13c80 error 4 in libc-2.12.so[37e3a0+186000] It's an ugly problem and seems a simple out of bounds reading... Is it possible to solve the problem? Thank you, great work with SL 6.1 -- .-. J e a n - P a u l C h a p u t / Administrateur Systeme /v\ jean-paul.cha...@lip6.fr /(___)\ work: (33) 01.44.27.53.99 ^^ ^^cell: 06.66.25.35.55 home: 01.47.46.01.31 U P M C Universite Pierre Marie Curie L I P 6 Laboratoire d'Informatique de Paris VI S o C System On Chip
Re: Ypserv mknetid BUG
Many thanks, Jean-Paul. Following your advice I checked the passwd file. All of the entries had six : , but at the end of the file there was a blank line! I deleted the blank line and the problem disappeared. It's good to know this, but the Ypserv developers should handle these cases: instead of crashing with a SIGSEGV, the program should warn the user with an error message. I will check newer versions of Ypserv and report the bug to the Ypserv developers if it's still present. Problem SOLVED. Thank you. Felip Moll 2011/10/5 Jean-Paul Chaput jean-paul.cha...@lip6.fr Hello Mr Moll, mknetid cores when it reads /etc/passwd. I've noticed that the passwd file parser is very sensitive on malformed lines, especially those with the wrong number of entries (some : are missing, there must be exactly six of them) If you work in compat mode (/etc/nsswitch.conf), uses: (in /etc/passwd) +:: to include the yp entries an *not*: + But it also may occurs on any normal line... Regards, On Wed, 2011-10-05 at 10:50 +0200, Felip Moll wrote: Dear SL developers, I have recently installed the package ypserv.x86_64, version 2.19-18.el6, from repo. @sl/6.0. The same version is in the sl 6.1 repo. When executing the command /usr/lib64/yp/mknetid , a segmentation fault occurs. 
Here there is some info: [root@acuari ~]# /usr/lib64/yp/mknetid Segmentation fault [root@acuari ~]# strace /usr/lib64/yp/mknetid execve(/usr/lib64/yp/mknetid, [/usr/lib64/yp/mknetid], [/* 30 vars */]) = 0 brk(0) = 0x2564000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d03292000 access(/etc/ld.so.preload, R_OK) = -1 ENOENT (No such file or directory) open(/etc/ld.so.cache, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=71138, ...}) = 0 mmap(NULL, 71138, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f1d0328 close(3)= 0 open(/lib64/libnsl.so.1, O_RDONLY)= 3 read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\360?\340\3607 \0\0\0..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=116136, ...}) = 0 mmap(0x37f0e0, 2198192, PROT_READ|PROT_EXEC, MAP_PRIVATE| MAP_DENYWRITE, 3, 0) = 0x37f0e0 mprotect(0x37f0e16000, 2093056, PROT_NONE) = 0 mmap(0x37f1015000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| MAP_DENYWRITE, 3, 0x15000) = 0x37f1015000 mmap(0x37f1017000, 6832, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| MAP_ANONYMOUS, -1, 0) = 0x37f1017000 close(3)= 0 open(/lib64/libc.so.6, O_RDONLY) = 3 read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\260\355\241 \3437\0\0\0..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1904312, ...}) = 0 mmap(0x37e3a0, 3729576, PROT_READ|PROT_EXEC, MAP_PRIVATE| MAP_DENYWRITE, 3, 0) = 0x37e3a0 mprotect(0x37e3b86000, 2093056, PROT_NONE) = 0 mmap(0x37e3d85000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| MAP_DENYWRITE, 3, 0x185000) = 0x37e3d85000 mmap(0x37e3d8a000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED| MAP_ANONYMOUS, -1, 0) = 0x37e3d8a000 close(3)= 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d0327f000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d0327e000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d0327d000 arch_prctl(ARCH_SET_FS, 0x7f1d0327e700) = 0 
mprotect(0x37f1015000, 4096, PROT_READ) = 0 mprotect(0x37e3d85000, 16384, PROT_READ) = 0 mprotect(0x37e341f000, 4096, PROT_READ) = 0 munmap(0x7f1d0328, 71138) = 0 uname({sys=Linux, node=acuari, ...}) = 0 brk(0) = 0x2564000 brk(0x2585000) = 0x2585000 open(/etc/passwd, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=3739, ...}) = 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f1d03291000 read(3, root:x:0:0:root:/root:/bin/bash\n..., 4096) = 3739 --- SIGSEGV (Segmentation fault) @ 0 (0) --- +++ killed by SIGSEGV +++ Segmentation fault dmesg output: mknetid[22013]: segfault at 0 ip 0037e3a371e2 sp 7fff19e13c80 error 4 in libc-2.12.so[37e3a0+186000] It's an ugly problem and seems a simple out of bounds reading... Is it possible to solve the problem? Thank you, great work with SL 6.1 -- .-. J e a n - P a u l C h a p u t / Administrateur Systeme /v\ jean-paul.cha...@lip6.fr /(___)\ work: (33) 01.44.27.53.99 ^^ ^^cell: 06.66.25.35.55 home: 01.47.46.01.31 U P M C Universite Pierre Marie Curie L I P 6 Laboratoire d'Informatique de Paris VI S o C System On Chip
Re: Ypserv mknetid BUG
You're welcome. The missing check is in the /etc/passwd file parser, so I don't think it concerns the ypserv developers. I presume it's in glibc. Note that this core dump on malformed passwd lines affects all programs using the parser. I myself ran into the problem while trying to use finger... Regards, On Wed, 2011-10-05 at 12:00 +0200, Felip Moll wrote: A lot of thanks Jean-Paul. Following your indications I checked out the passwd file. All of the entries had six : , but at the end of the file, there was a blank line!. I deleted the blank line and the problem disappeared. It's good to know this but the Ypserv developers should take care of these cases and instead of generating a sigsegv, they should warn the user with an error. I will check new versions of Ypserv and report the bug to Ypserv developers if it's still present. Problem SOLVED. Thank you. Felip Moll 2011/10/5 Jean-Paul Chaput jean-paul.cha...@lip6.fr Hello Mr Moll, mknetid cores when it reads /etc/passwd. I've noticed that the passwd file parser is very sensitive on malformed lines, especially those with the wrong number of entries (some : are missing, there must be exactly six of them) If you work in compat mode (/etc/nsswitch.conf), uses: (in /etc/passwd) +:: to include the yp entries an *not*: + But it also may occurs on any normal line... Regards, On Wed, 2011-10-05 at 10:50 +0200, Felip Moll wrote: Dear SL developers, I have recently installed the package ypserv.x86_64, version 2.19-18.el6, from repo. @sl/6.0. The same version is in the sl 6.1 repo. When executing the command /usr/lib64/yp/mknetid , a segmentation fault occurs. 
Here there is some info: [root@acuari ~]# /usr/lib64/yp/mknetid Segmentation fault [root@acuari ~]# strace /usr/lib64/yp/mknetid execve(/usr/lib64/yp/mknetid, [/usr/lib64/yp/mknetid], [/* 30 vars */]) = 0 brk(0) = 0x2564000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE| MAP_ANONYMOUS, -1, 0) = 0x7f1d03292000 access(/etc/ld.so.preload, R_OK) = -1 ENOENT (No such file or directory) open(/etc/ld.so.cache, O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=71138, ...}) = 0 mmap(NULL, 71138, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f1d0328 close(3)= 0 open(/lib64/libnsl.so.1, O_RDONLY)= 3 read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0 \360?\340\3607 \0\0\0..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=116136, ...}) = 0 mmap(0x37f0e0, 2198192, PROT_READ|PROT_EXEC, MAP_PRIVATE| MAP_DENYWRITE, 3, 0) = 0x37f0e0 mprotect(0x37f0e16000, 2093056, PROT_NONE) = 0 mmap(0x37f1015000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE| MAP_FIXED| MAP_DENYWRITE, 3, 0x15000) = 0x37f1015000 mmap(0x37f1017000, 6832, PROT_READ|PROT_WRITE, MAP_PRIVATE| MAP_FIXED| MAP_ANONYMOUS, -1, 0) = 0x37f1017000 close(3)= 0 open(/lib64/libc.so.6, O_RDONLY) = 3 read(3, \177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0\0\1\0\0\0\260 \355\241 \3437\0\0\0..., 832) = 832 fstat(3, {st_mode=S_IFREG|0755, st_size=1904312, ...}) = 0 mmap(0x37e3a0, 3729576, PROT_READ|PROT_EXEC, MAP_PRIVATE| MAP_DENYWRITE, 3, 0) = 0x37e3a0 mprotect(0x37e3b86000, 2093056, PROT_NONE) = 0 mmap(0x37e3d85000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE| MAP_FIXED| MAP_DENYWRITE, 3, 0x185000) = 0x37e3d85000 mmap(0x37e3d8a000, 18600, PROT_READ|PROT_WRITE, MAP_PRIVATE| MAP_FIXED| MAP_ANONYMOUS, -1, 0) = 0x37e3d8a000 close(3)= 0 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE| MAP_ANONYMOUS, -1, 0) = 0x7f1d0327f000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE| MAP_ANONYMOUS, -1, 0) = 0x7f1d0327e000 mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE| MAP_ANONYMOUS, -1, 0) = 0x7f1d0327d000 arch_prctl(ARCH_SET_FS, 0x7f1d0327e700) = 0 
mprotect(0x37f1015000, 4096, PROT_READ) = 0 mprotect(0x37e3d85000, 16384, PROT_READ) = 0 mprotect(0x37e341f000, 4096, PROT_READ) = 0