bug#24138: SIGSEGV of useradd (from shadow package)

bug#24138: SIGSEGV of useradd (from shadow package)

[Tomáš Čech]

[-- Attachment #1: Type: text/plain, Size: 4859 bytes --]

It seems to be easy to crash useradd (from shadow package).

# ls -l $(which useradd)
lrwxrwxrwx 4 root guixbuild 69 Jan  1  1970 /root/.guix-profile/sbin/useradd -> /gnu/store/ylnc73apl1irl0s613rxjl445x2zx8a5-shadow-4.2.1/sbin/useradd


# useradd test
Neoprávněný přístup do paměti (SIGSEGV) (core dumped [obraz paměti uložen])

(139) # gdb $(which useradd) core
GNU gdb (GDB) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /root/.guix-profile/sbin/useradd...(no debugging symbols found)...done.
[New LWP 1603]

warning: Could not load shared library symbols for linux-vdso.so.1.
Do you need "set solib-search-path" or "set sysroot"?
Core was generated by `useradd test'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f457ee6503c in call_init.part () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
(gdb) bt
#0  0x00007f457ee6503c in call_init.part () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#1  0x00007f457ee65205 in _dl_init () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#2  0x00007f457ee696a0 in dl_open_worker () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#3  0x00007f457ee64f34 in _dl_catch_error () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#4  0x00007f457ee68d33 in _dl_open () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#5  0x00007f457e841fb9 in dlopen_doit () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libdl.so.2
#6  0x00007f457ee64f34 in _dl_catch_error () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/ld-linux-x86-64.so.2
#7  0x00007f457e842589 in _dlerror_run () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libdl.so.2
#8  0x00007f457e842051 in dlopen@@GLIBC_2.2.5 () from /gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libdl.so.2
#9  0x00007f457ea49e8d in _pam_load_module () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#10 0x00007f457ea4a4f9 in _pam_add_handler () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#11 0x00007f457ea4ad90 in _pam_parse_conf_file () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#12 0x00007f457ea4b395 in _pam_init_handlers () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#13 0x00007f457ea4cae1 in pam_start () from /gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0
#14 0x0000000000403351 in main ()


Interesting information about module causing it would be in stackframe
#9 but there are no debugging information available. Adding debug
`output' to linux-pam would diverge me from GuixSD.

from strace:

read(3, "account required pam_deny.so \nau"..., 4096) = 223
open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_deny.so", O_RDONLY|O_CLOEXEC) = 5
read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\6\0\0\0\0\0\0"..., 832) = 832
fstat(5, {st_mode=S_IFREG|0555, st_size=6728, ...}) = 0
mmap(NULL, 2100200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fb8b447c000
mprotect(0x7fb8b447d000, 2093056, PROT_NONE) = 0
mmap(0x7fb8b467c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0) = 0x7fb8b467c000
close(5)                                = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7fb8b3d1bda8} ---
+++ killed by SIGSEGV (core dumped) +++

# cat /etc/pam.d/useradd
account required pam_unix.so
auth sufficient pam_rootok.so
password required pam_unix.so
session required /gnu/store/4mmn5y6syzv7wwz1y6bl1ab4g0yvkdq1-elogind-219.14/lib/security/pam_elogind.so
session required pam_unix.so

# cat /etc/pam.d/other
account required pam_deny.so
auth required pam_deny.so
password required pam_deny.so
session required /gnu/store/4mmn5y6syzv7wwz1y6bl1ab4g0yvkdq1-elogind-219.14/lib/security/pam_elogind.so
session required pam_deny.so

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

bug#24138: SIGSEGV of useradd (from shadow package)

[Ludovic Courtès]

Hello!

Tomáš Čech <sleep_walker@gnu.org> skribis:

> It seems to be easy to crash useradd (from shadow package).

Is it on GuixSD?

> from strace:
>
> read(3, "account required pam_deny.so \nau"..., 4096) = 223
> open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_deny.so", O_RDONLY|O_CLOEXEC) = 5
> read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\6\0\0\0\0\0\0"..., 832) = 832
> fstat(5, {st_mode=S_IFREG|0555, st_size=6728, ...}) = 0
> mmap(NULL, 2100200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fb8b447c000
> mprotect(0x7fb8b447d000, 2093056, PROT_NONE) = 0
> mmap(0x7fb8b467c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0) = 0x7fb8b467c000
> close(5)                                = 0
> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7fb8b3d1bda8} ---

Could you check in the ‘strace’ output whether PAM modules build with
another libc are being loaded?

Thanks for your report!

Ludo’.

bug#24138: SIGSEGV of useradd (from shadow package)

[Tomáš Čech]

[-- Attachment #1: Type: text/plain, Size: 3592 bytes --]

On Wed, Aug 03, 2016 at 06:56:19PM +0200, Ludovic Courtès wrote:
>Hello!
>
>Tomáš Čech <sleep_walker@gnu.org> skribis:
>
>> It seems to be easy to crash useradd (from shadow package).
>
>Is it on GuixSD?

Yes. \o/

>> from strace:
>>
>> read(3, "account required pam_deny.so \nau"..., 4096) = 223
>> open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_deny.so", O_RDONLY|O_CLOEXEC) = 5
>> read(5, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\340\6\0\0\0\0\0\0"..., 832) = 832
>> fstat(5, {st_mode=S_IFREG|0555, st_size=6728, ...}) = 0
>> mmap(NULL, 2100200, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 5, 0) = 0x7fb8b447c000
>> mprotect(0x7fb8b447d000, 2093056, PROT_NONE) = 0
>> mmap(0x7fb8b467c000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 5, 0) = 0x7fb8b467c000
>> close(5)                                = 0
>> --- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x7fb8b3d1bda8} ---
>
>Could you check in the ‘strace’ output whether PAM modules build with
>another libc are being loaded?

It doesn't seem to be that case:

# grep linux-pam ~/useradd.strace  | grep -v ENOENT
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam_misc.so.0", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/libpam.so.0", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_unix.so", O_RDONLY|O_CLOEXEC) = 4
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_rootok.so", O_RDONLY|O_CLOEXEC) = 4
19555 stat("/gnu/store/m4xna3zq2il5an61wxbmfv82ndvz70f6-linux-pam-1.2.1/lib", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
19555 open("/gnu/store/2xmwkq2ycwk89xlxnvib5wnjaacfy0rg-linux-pam-1.2.1/lib/security/pam_deny.so", O_RDONLY|O_CLOEXEC) = 5

On the other hand it seems to load part of the libraries from 2.22,
part from 2.23 and that is not healthy.

# grep glibc ~/useradd.strace  | grep -v ENOENT
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/share/locale/locale.alias", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libnss_compat.so.2", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libnsl.so.1", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libnss_nis.so.2", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 3
19555 open("/gnu/store/8m00x5x8ykmar27s9248cmhnkdb2n54a-glibc-2.22/lib/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = 4
19555 stat("/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib", {st_mode=S_IFDIR|0555, st_size=4096, ...}) = 0
19555 open("/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libm.so.6", O_RDONLY|O_CLOEXEC) = 4
19555 open("/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/librt.so.1", O_RDONLY|O_CLOEXEC) = 4
19555 open("/gnu/store/m9vxvhdj691bq1f85lpflvnhcvrdilih-glibc-2.23/lib/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 4

It seems to be more serious than I thought:

# login
Neoprávněný přístup do paměti (SIGSEGV) (core dumped [obraz paměti uložen])

S_W

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

bug#24138: SIGSEGV of useradd (from shadow package)

[Ludovic Courtès]

Hi,

Tomáš Čech <sleep_walker@gnu.org> skribis:

> On the other hand it seems to load part of the libraries from 2.22,
> part from 2.23 and that is not healthy.

Indeed, this cannot work.  Do you still have this problem?  Do you know
why both libc versions were being used (LD_LIBRARY_PATH or some such?)?

TIA,
Ludo’.

bug#24138: SIGSEGV of useradd (from shadow package)

[Ludovic Courtès]

Hi Tomáš,

Any updates on this bug, or should we close it?

  https://bugs.gnu.org/24138

Thanks in advance!  :-)

Ludo’.

ludo@gnu.org (Ludovic Courtès) skribis:

> Hi,
>
> Tomáš Čech <sleep_walker@gnu.org> skribis:
>
>> On the other hand it seems to load part of the libraries from 2.22,
>> part from 2.23 and that is not healthy.
>
> Indeed, this cannot work.  Do you still have this problem?  Do you know
> why both libc versions were being used (LD_LIBRARY_PATH or some such?)?
>
> TIA,
> Ludo’.

bug#24138: SIGSEGV of useradd (from shadow package)

[Tomáš Čech]

On Tue, 31 Jan 2017 23:25:32 +0100,
Ludovic Courtès wrote:
> 
> Hi Tomáš,
> 
> Any updates on this bug, or should we close it?

I haven't met this bug since. Let's close it.

Thanks.

S_W