SIGSEGV of useradd (from shadow package)

Status: Done
Participants: Ludovic Courtès, Tomáš Čech
Owner: unassigned
Submitted by: Tomáš Čech
Severity: normal

Tomáš Čech wrote on 3 Aug 2016 08:59
(address . bug-guix@gnu.org)
20160803065906.tgckq77l7k6gqa4w@crashnator.suse.cz
It seems to be easy to crash useradd (from shadow package).

# ls -l $(which useradd)
lrwxrwxrwx 4 root guixbuild 69 Jan 1 1970 /root/.guix-profile/sbin/useradd -> /gnu/store/ylnc73apl1irl0s613rxjl445x2zx8a5-shadow-4.2.1/sbin/useradd


# useradd test
Neoprávněný přístup do paměti (SIGSEGV) (core dumped [obraz paměti uložen])

(139) # gdb $(which useradd) core
GNU gdb (GDB) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /root/.guix-profile/sbin/useradd...(no debugging symbols found)...done.
[New LWP 1603]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
Core was generated by `useradd test'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f457ee6503c in call_init.part () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
(gdb) bt
#0 0x00007f457ee6503c in call_init.part () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#1 0x00007f457ee65205 in _dl_init () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#2 0x00007f457ee696a0 in dl_open_worker () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#3 0x00007f457ee64f34 in _dl_catch_error () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#4 0x00007f457ee68d33 in _dl_open () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#5 0x00007f457e841fb9 in dlopen_doit () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libdl.so.2
#6 0x00007f457ee64f34 in _dl_catch_error () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#7 0x00007f457e842589 in _dlerror_run () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libdl.so.2
#8 0x00007f457e842051 in dlopen@@GLIBC_2.2.5 () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libdl.so.2
#9 0x00007f457ea49e8d in _pam_load_module () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#10 0x00007f457ea4a4f9 in _pam_add_handler () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#11 0x00007f457ea4ad90 in _pam_parse_conf_file () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#12 0x00007f457ea4b395 in _pam_init_handlers () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#13 0x00007f457ea4cae1 in pam_start () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#14 0x0000000000403351 in main ()


Interesting information about the module causing it would be in stack frame
#9, but there is no debugging information available. Adding debug
`output' to linux-pam would diverge me from GuixSD.

from strace:

read(3, "account required pam_deny.so \nau"..., 4096) = 223
open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_deny.so", O_RDONLY|O_CLOEXEC) = 5
read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\6\0\0\0\0\0\0"..., 832) = 832
fstat(5, {st_mode=S_IFREG|0555, st_size=6728, ...}) = 0
mmap(NULL, 2100200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fb8b447c000
mprotect(0x7fb8b447d000, 2093056, PROT_NONE) = 0
mmap(0x7fb8b467c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0) = 0x7fb8b467c000
close(5) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7fb8b3d1bda8} ---
+++ killed by SIGSEGV (core dumped) +++

# cat /etc/pam.d/useradd
account required pam_unix.so
auth sufficient pam_rootok.so
password required pam_unix.so
session required /gnu/store/4mmn5y6syzv7wwz1y6bl1ab4g0yvkdq1-elogind-219.14/lib/security/pam_elogind.so
session required pam_unix.so

# cat /etc/pam.d/other
account required pam_deny.so
auth required pam_deny.so
password required pam_deny.so
session required /gnu/store/4mmn5y6syzv7wwz1y6bl1ab4g0yvkdq1-elogind-219.14/lib/security/pam_elogind.so
session required pam_deny.so


Ludovic Courtès wrote on 3 Aug 2016 18:56
(name . Tomáš Čech)(address . sleep_walker@gnu.org)(address . 24138@debbugs.gnu.org)
87h9b123m4.fsf@gnu.org
Hello!

Tomáš Čech <sleep_walker@gnu.org> writes:

> It seems to be easy to crash useradd (from shadow package).

Is it on GuixSD?

> from strace:
>
> read(3, "account required pam_deny.so \nau"..., 4096) = 223
> open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_deny.so", O_RDONLY|O_CLOEXEC) = 5
> read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\6\0\0\0\0\0\0"..., 832) = 832
> fstat(5, {st_mode=S_IFREG|0555, st_size=6728, ...}) = 0
> mmap(NULL, 2100200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fb8b447c000
> mprotect(0x7fb8b447d000, 2093056, PROT_NONE) = 0
> mmap(0x7fb8b467c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0) = 0x7fb8b467c000
> close(5) = 0
> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7fb8b3d1bda8} ---

Could you check in the ‘strace’ output whether PAM modules built with
another libc are being loaded?

Thanks for your report!

Ludo’.
Tomáš Čech wrote on 4 Aug 2016 01:31
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 24138@debbugs.gnu.org)
20160803233130.keci3q5l4llnfxta@crashnator.suse.cz
On Wed, Aug 03, 2016 at 06:56:19PM +0200, Ludovic Courtès wrote:
>Hello!
>
>Tomáš Čech <sleep_walker@gnu.org> writes:
>
>> It seems to be easy to crash useradd (from shadow package).
>
>Is it on GuixSD?

Yes. \o/

>> from strace:
>>
>> read(3, "account required pam_deny.so \nau"..., 4096) = 223
>> open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_deny.so", O_RDONLY|O_CLOEXEC) = 5
>> read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\6\0\0\0\0\0\0"..., 832) = 832
>> fstat(5, {st_mode=S_IFREG|0555, st_size=6728, ...}) = 0
>> mmap(NULL, 2100200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fb8b447c000
>> mprotect(0x7fb8b447d000, 2093056, PROT_NONE) = 0
>> mmap(0x7fb8b467c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0) = 0x7fb8b467c000
>> close(5) = 0
>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7fb8b3d1bda8} ---
>
>Could you check in the ‘strace’ output whether PAM modules built with
>another libc are being loaded?

It doesn't seem to be the case:

# grep linux-pam ~/useradd.strace | grep -v ENOENT
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam_misc.so.0", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_unix.so", O_RDONLY|O_CLOEXEC) = 4
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_rootok.so", O_RDONLY|O_CLOEXEC) = 4
19555 stat("/gnu/store/m4xna3zq2il5an61wxbmfv82ndvz70f6-linux-pam-1.2.1/lib", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_deny.so", O_RDONLY|O_CLOEXEC) = 5

On the other hand it seems to load part of the libraries from 2.22,
part from 2.23 and that is not healthy.

# grep glibc ~/useradd.strace | grep -v ENOENT
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libnss_compat.so.2", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libnsl.so.1", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libnss_nis.so.2", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = 4
19555 stat("/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
19555 open("/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 4
19555 open("/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/librt.so.1", O_RDONLY|O_CLOEXEC) = 4
19555 open("/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 4

It seems to be more serious than I thought:

# login
Neoprávněný přístup do paměti (SIGSEGV) (core dumped [obraz paměti uložen])

S_W


Ludovic Courtès wrote on 9 Sep 2016 16:29
(name . Tomáš Čech)(address . sleep_walker@gnu.org)(address . 24138@debbugs.gnu.org)
87oa3x5epl.fsf@gnu.org
Hi,

Tomáš Čech <sleep_walker@gnu.org> writes:

> On the other hand it seems to load part of the libraries from 2.22,
> part from 2.23 and that is not healthy.

Indeed, this cannot work. Do you still have this problem? Do you know
why both libc versions were being used (LD_LIBRARY_PATH or some such?)?

TIA,
Ludo’.
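
The check discussed in the messages above (did one process load shared objects from more than one glibc build?), as an added example that is not part of the thread. The function names and the trace lines are constructed for illustration, with placeholder store hashes; only successful `open`/`openat` calls on `.so` files are counted, so `stat` probes and ENOENT misses are ignored.

```shell
#!/bin/sh
# Added example: list the glibc store directories from which a traced
# process actually loaded shared objects, and flag a mix of builds.

# Constructed sample in the format of the strace excerpts in this thread
# (AAAA/BBBB are placeholder store hashes, not real ones).
sample_trace() {
cat <<'EOF'
19555 open("/gnu/store/AAAA-glibc-2.22/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/AAAA-glibc-2.22/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/BBBB-glibc-2.23/lib/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
19555 stat("/gnu/store/BBBB-glibc-2.23/lib", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
19555 open("/gnu/store/BBBB-glibc-2.23/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 4
19555 openat(AT_FDCWD, "/gnu/store/BBBB-glibc-2.23/lib/librt.so.1", O_RDONLY|O_CLOEXEC) = 4
EOF
}

# glibc_builds: read strace output on stdin and print one line per distinct
# glibc store directory from which a shared object was opened successfully.
glibc_builds() {
    awk '
        # Only open()/openat() calls that returned a file descriptor count.
        /open(at)?\(/ && / = [0-9]+$/ {
            if (match($0, "/gnu/store/[^/\"]*-glibc-[^/\"]*/lib/[^\"]*[.]so[^\"]*")) {
                path = substr($0, RSTART, RLENGTH)
                sub("/lib/.*", "", path)      # keep only the store directory
                if (!(path in seen)) { seen[path] = 1; print path }
            }
        }'
}

# mixed_glibc: exit status 0 when more than one glibc build was loaded.
mixed_glibc() {
    [ "$(glibc_builds | wc -l)" -gt 1 ]
}
```

With the trace file from the report, `glibc_builds < ~/useradd.strace` prints the store directories in use, and `mixed_glibc < ~/useradd.strace` succeeds when there is more than one.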
Ludovic Courtès wrote on 9 Sep 2016 16:31
control message for bug #24138
(address . control@debbugs.gnu.org)
87inu55elk.fsf@gnu.org
tags 24138 moreinfo
Ludovic Courtès wrote on 31 Jan 2017 23:25
Re: bug#24138: SIGSEGV of useradd (from shadow package)
(name . Tomáš Čech)(address . sleep_walker@gnu.org)(address . 24138@debbugs.gnu.org)
87d1f2eujn.fsf@gnu.org
Hi Tomáš,

Any updates on this bug, or should we close it?


Thanks in advance! :-)

Ludo’.

ludo@gnu.org (Ludovic Courtès) writes:

> Hi,
>
> Tomáš Čech <sleep_walker@gnu.org> writes:
>
>> On the other hand it seems to load part of the libraries from 2.22,
>> part from 2.23 and that is not healthy.
>
> Indeed, this cannot work. Do you still have this problem? Do you know
> why both libc versions were being used (LD_LIBRARY_PATH or some such?)?
>
> TIA,
> Ludo’.
Tomáš Čech wrote on 4 Feb 2017 15:42
(name . Ludovic Courtès)(address . ludo@gnu.org)
87shnuow48.wl-tcech@suse.com
On Tue, 31 Jan 2017 23:25:32 +0100,
Ludovic Courtès wrote:
>
> Hi Tomáš,
>
> Any updates on this bug, or should we close it?

I haven't met this bug since. Let's close it.

Thanks.

S_W
Closed