SIGSEGV of useradd (from shadow package)

Done. Submitted by Tomáš Čech.
Details
3 participants
  • Ludovic Courtès
  • Tomáš Čech
  • Tomáš Čech
Owner
unassigned
Severity
normal
Tomáš Čech wrote on 3 Aug 2016 08:59
(address . bug-guix@gnu.org)
20160803065906.tgckq77l7k6gqa4w@crashnator.suse.cz
It seems to be easy to crash useradd (from shadow package).
# ls -l $(which useradd)
lrwxrwxrwx 4 root guixbuild 69 Jan 1 1970 /root/.guix-profile/sbin/useradd -> /gnu/store/ylnc73apl1irl0s613rxjl445x2zx8a5-shadow-4.2.1/sbin/useradd

# useradd test
Neoprávněný přístup do paměti (SIGSEGV) (core dumped [obraz paměti uložen])
(139) # gdb $(which useradd) core
GNU gdb (GDB) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later http://gnu.org/licenses/gpl.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
http://www.gnu.org/software/gdb/bugs/.
Find the GDB manual and other documentation resources online at:
http://www.gnu.org/software/gdb/documentation/.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /root/.guix-profile/sbin/useradd...(no debugging symbols found)...done.
[New LWP 1603]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
Core was generated by `useradd test'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x00007f457ee6503c in call_init.part () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
(gdb) bt
#0 0x00007f457ee6503c in call_init.part () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#1 0x00007f457ee65205 in _dl_init () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#2 0x00007f457ee696a0 in dl_open_worker () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#3 0x00007f457ee64f34 in _dl_catch_error () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#4 0x00007f457ee68d33 in _dl_open () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#5 0x00007f457e841fb9 in dlopen_doit () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libdl.so.2
#6 0x00007f457ee64f34 in _dl_catch_error () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#7 0x00007f457e842589 in _dlerror_run () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libdl.so.2
#8 0x00007f457e842051 in dlopen@@GLIBC_2.2.5 () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libdl.so.2
#9 0x00007f457ea49e8d in _pam_load_module () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#10 0x00007f457ea4a4f9 in _pam_add_handler () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#11 0x00007f457ea4ad90 in _pam_parse_conf_file () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#12 0x00007f457ea4b395 in _pam_init_handlers () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#13 0x00007f457ea4cae1 in pam_start () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#14 0x0000000000403351 in main ()

Interesting information about the module causing it would be in stack frame #9, but there is no debugging information available. Adding debug `output' to linux-pam would diverge me from GuixSD.
from strace:
read(3, "account required pam_deny.so \nau"..., 4096) = 223
open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_deny.so", O_RDONLY|O_CLOEXEC) = 5
read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\6\0\0\0\0\0\0"..., 832) = 832
fstat(5, {st_mode=S_IFREG|0555, st_size=6728, ...}) = 0
mmap(NULL, 2100200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fb8b447c000
mprotect(0x7fb8b447d000, 2093056, PROT_NONE) = 0
mmap(0x7fb8b467c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0) = 0x7fb8b467c000
close(5) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7fb8b3d1bda8} ---
+++ killed by SIGSEGV (core dumped) +++

# cat /etc/pam.d/useradd
account required pam_unix.so
auth sufficient pam_rootok.so
password required pam_unix.so
session required /gnu/store/4mmn5y6syzv7wwz1y6bl1ab4g0yvkdq1-elogind-219.14/lib/security/pam_elogind.so
session required pam_unix.so

# cat /etc/pam.d/other
account required pam_deny.so
auth required pam_deny.so
password required pam_deny.so
session required /gnu/store/4mmn5y6syzv7wwz1y6bl1ab4g0yvkdq1-elogind-219.14/lib/security/pam_elogind.so
session required pam_deny.so

Ludovic Courtès wrote on 3 Aug 2016 18:56
(name . Tomáš Čech)(address . sleep_walker@gnu.org)(address . 24138@debbugs.gnu.org)
87h9b123m4.fsf@gnu.org
Hello!
Tomáš Čech <sleep_walker@gnu.org> skribis:
> It seems to be easy to crash useradd (from shadow package).
Is it on GuixSD?
> from strace:
>
> read(3, "account required pam_deny.so \nau"..., 4096) = 223
> open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_deny.so", O_RDONLY|O_CLOEXEC) = 5
> read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\6\0\0\0\0\0\0"..., 832) = 832
> fstat(5, {st_mode=S_IFREG|0555, st_size=6728, ...}) = 0
> mmap(NULL, 2100200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fb8b447c000
> mprotect(0x7fb8b447d000, 2093056, PROT_NONE) = 0
> mmap(0x7fb8b467c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0) = 0x7fb8b467c000
> close(5) = 0
> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7fb8b3d1bda8} ---

Could you check in the ‘strace’ output whether PAM modules built with another libc are being loaded?
Thanks for your report!
Ludo’.
Tomáš Čech wrote on 4 Aug 2016 01:31
(name . Ludovic Courtès)(address . ludo@gnu.org)(address . 24138@debbugs.gnu.org)
20160803233130.keci3q5l4llnfxta@crashnator.suse.cz
On Wed, Aug 03, 2016 at 06:56:19PM +0200, Ludovic Courtès wrote:
>Hello!
>
>Tomáš Čech <sleep_walker@gnu.org> skribis:
>
>> It seems to be easy to crash useradd (from shadow package).
>
>Is it on GuixSD?
Yes. \o/
>> from strace:
>>
>> read(3, "account required pam_deny.so \nau"..., 4096) = 223
>> open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_deny.so", O_RDONLY|O_CLOEXEC) = 5
>> read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\6\0\0\0\0\0\0"..., 832) = 832
>> fstat(5, {st_mode=S_IFREG|0555, st_size=6728, ...}) = 0
>> mmap(NULL, 2100200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fb8b447c000
>> mprotect(0x7fb8b447d000, 2093056, PROT_NONE) = 0
>> mmap(0x7fb8b467c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0) = 0x7fb8b467c000
>> close(5) = 0
>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7fb8b3d1bda8} ---
>
>Could you check in the ‘strace’ output whether PAM modules built with
>another libc are being loaded?
It doesn't seem to be the case:

# grep linux-pam ~/useradd.strace | grep -v ENOENT
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam_misc.so.0", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_unix.so", O_RDONLY|O_CLOEXEC) = 4
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_rootok.so", O_RDONLY|O_CLOEXEC) = 4
19555 stat("/gnu/store/m4xna3zq2il5an61wxbmfv82ndvz70f6-linux-pam-1.2.1/lib", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_deny.so", O_RDONLY|O_CLOEXEC) = 5

On the other hand it seems to load part of the libraries from 2.22, part from 2.23 and that is not healthy.

# grep glibc ~/useradd.strace | grep -v ENOENT
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libnss_compat.so.2", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libnsl.so.1", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libnss_nis.so.2", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = 4
19555 stat("/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
19555 open("/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 4
19555 open("/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/librt.so.1", O_RDONLY|O_CLOEXEC) = 4
19555 open("/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 4
It seems to be more serious than I thought:
# login
Neoprávněný přístup do paměti (SIGSEGV) (core dumped [obraz paměti uložen])
S_W

Ludovic Courtès wrote on 9 Sep 2016 16:29
(name . Tomáš Čech)(address . sleep_walker@gnu.org)(address . 24138@debbugs.gnu.org)
87oa3x5epl.fsf@gnu.org
Hi,
Tomáš Čech <sleep_walker@gnu.org> skribis:
> On the other hand it seems to load part of the libraries from 2.22,
> part from 2.23 and that is not healthy.

Indeed, this cannot work. Do you still have this problem? Do you know why both libc versions were being used (LD_LIBRARY_PATH or some such?)?

TIA,
Ludo’.
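
The check discussed in the two messages above (which glibc store items a process actually opened), as an added Python example that is not part of the original thread: it parses strace lines, ignores failed probes and stat() calls, and reports any package whose files were opened from more than one /gnu/store item. The function name, the regular expressions and the name/version split are assumptions of this example; it also accepts openat(), which the thread's traces do not contain.

```python
import re
from collections import defaultdict

# A successful or failed open()/openat() of a file inside a /gnu/store item.
OPEN_RE = re.compile(
    r'\bopen(?:at)?\(.*?"/gnu/store/(?P<hash>[0-9a-z]{32})-(?P<item>[^/"]+)/'
    r'(?P<rel>[^"]*)".*\)\s*=\s*(?P<ret>-?\d+)')
# Assumed naming scheme: <name>-<version>, version starting with a digit.
ITEM_RE = re.compile(r'^(?P<name>.+?)-(?P<version>\d[\w.]*)$')

def mixed_store_items(strace_lines):
    """Return {package: {store item: [files]}} for every package whose
    files were opened from more than one store item in the same trace."""
    seen = defaultdict(lambda: defaultdict(list))
    for line in strace_lines:
        m = OPEN_RE.search(line)
        if not m or int(m["ret"]) < 0:   # not an open, or a failed probe
            continue
        im = ITEM_RE.match(m["item"])
        name = im["name"] if im else m["item"]
        seen[name][f'{m["hash"]}-{m["item"]}'].append(m["rel"])
    return {pkg: dict(items) for pkg, items in seen.items() if len(items) > 1}

# Sample trace: store paths and calls taken from the strace excerpts in the
# thread; the ENOENT line is constructed to show that failed probes are ignored.
G22 = "/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22"
G23 = "/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23"
PAM = "/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1"
SAMPLE = [
    f'19555 open("{G22}/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3',
    f'19555 open("{G22}/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3',
    f'19555 open("{PAM}/lib/libpam.so.0", O_RDONLY|O_CLOEXEC) = 3',
    f'19555 open("{G23}/lib/libpam.so.0", O_RDONLY|O_CLOEXEC)'
    ' = -1 ENOENT (No such file or directory)',
    f'19555 stat("{G23}/lib", {{st_mode=S_IFDIR|0555, st_size=4096, ...}}) = 0',
    f'19555 open("{G23}/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 4',
    f'19555 open("{G23}/lib/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 4',
    f'19555 open("{PAM}/lib/security/pam_deny.so", O_RDONLY|O_CLOEXEC) = 5',
]

if __name__ == "__main__":
    for pkg, items in mixed_store_items(SAMPLE).items():
        print(f"{pkg}: opened from {len(items)} store items")
        for item, files in items.items():
            print(f"  {item}: {', '.join(files)}")
```

On the sample it reports glibc only: linux-pam files all come from one store item, and the second linux-pam path in the thread appears only in a stat() call.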
Ludovic Courtès wrote on 9 Sep 2016 16:31
control message for bug #24138
(address . control@debbugs.gnu.org)
87inu55elk.fsf@gnu.org
tags 24138 moreinfo
Ludovic Courtès wrote on 31 Jan 2017 23:25
Re: bug#24138: SIGSEGV of useradd (from shadow package)
(name . Tomáš Čech)(address . sleep_walker@gnu.org)(address . 24138@debbugs.gnu.org)
87d1f2eujn.fsf@gnu.org
Hi Tomáš,
Any updates on this bug, or should we close it?
https://bugs.gnu.org/24138
Thanks in advance! :-)
Ludo’.
ludo@gnu.org (Ludovic Courtès) skribis:
> Hi,
>
> Tomáš Čech <sleep_walker@gnu.org> skribis:
>
>> On the other hand it seems to load part of the libraries from 2.22,
>> part from 2.23 and that is not healthy.
>
> Indeed, this cannot work. Do you still have this problem? Do you know
> why both libc versions were being used (LD_LIBRARY_PATH or some such?)?
>
> TIA,
> Ludo’.
Tomáš Čech wrote on 4 Feb 2017 15:42
(name . Ludovic Courtès)(address . ludo@gnu.org)
87shnuow48.wl-tcech@suse.com
On Tue, 31 Jan 2017 23:25:32 +0100, Ludovic Courtès wrote:
> Hi Tomáš,
>
> Any updates on this bug, or should we close it?
I haven't met this bug since. Let's close it.
Thanks.
S_W
Closed

This issue is archived.

To comment on this conversation send email to 24138@debbugs.gnu.org