Bug 3084 - smbd crashes on startup on recent gentoo for amd64
Summary: smbd crashes on startup on recent gentoo for amd64
Status: CLOSED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Build environment (show other bugs)
Version: 3.0.20
Hardware: All Linux
: P3 critical
Target Milestone: none
Assignee: Tim Potter
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-09-11 07:45 UTC by jean.brefort
Modified: 2006-09-21 12:33 UTC (History)
1 user (show)

See Also:


Attachments

Description jean.brefort 2005-09-11 07:45:57 UTC
I could trace that problem to printing/nt_printing.c: line 345:
	int32 sd_size, size_new_sec;
and things work if I replace by:
	size_t sd_size, size_new_sec;
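because &size_new_sec is passed to make_sec_desc, which needs a size_t* argument,
and size_t is uint64 on amd64, so there is an overflow: when make_sec_desc stores
the size through that pointer, it writes 8 bytes into a 4-byte variable and
overwrites the adjacent stack memory.
Reading the compilation traces, I see that the same and analogous problems arise
elsewhere.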
Comment 1 Guenther Deschner 2005-09-12 00:40:37 UTC
I've been working on fixing this last week (successfully tested on sles9 sp1
x86_64 and 9.3 x86_64). The fix is already in subversion:

http://build.samba.org/?function=text_diff;tree=samba_3_0;date=1126472001;author=gd;revision=10154

Please reopen if it is still an issue for you.
Comment 2 Fred 2006-03-26 10:02:06 UTC
I am running Linux kernel 2.6.15, glibc 2.4, and samba (latest from CVS). I have tried various gcc flavors, currently gcc 4.1.1, and I get this same bug on either nmbd or smbd.  Samba 4 does not have this bug, but I do not want to convert to it at the moment.  The machine is a dual athlon-mp with 1GB RAM.

root@pc1lin:/root# gdb /usr/sbin/smbd
GNU gdb 6.4.50.20060311-cvs
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...Using host libthread_db library
 "/lib/libthread_db.so.1".

(gdb) run
Starting program: /usr/sbin/smbd

Program received signal SIGABRT, Aborted.
0xffffe410 in __kernel_vsyscall ()
(gdb) list
726             {"daemon", 'D', POPT_ARG_VAL, &is_daemon, True, "Become a daemon
 (default)" },
727             {"interactive", 'i', POPT_ARG_VAL, &interactive, True, "Run inte
ractive (not a daemon)"},
728             {"foreground", 'F', POPT_ARG_VAL, &Fork, False, "Run daemon in f
oreground (for daemontools & etc)" },
729             {"no-process-group", 0, POPT_ARG_VAL, &no_process_group, True, "
Don't create a new process group" },
730             {"log-stdout", 'S', POPT_ARG_VAL, &log_stdout, True, "Log to std
out" },
731             {"build-options", 'b', POPT_ARG_NONE, NULL, 'b', "Print build op
tions" },
732             {"port", 'p', POPT_ARG_STRING, &ports, 0, "Listen on the specifi
ed ports"},
733             POPT_COMMON_SAMBA
734             { NULL }
735             };
(gdb) where
#0  0xffffe410 in __kernel_vsyscall ()
#1  0xb7cb576a in ?? ()
#2  0xb7da9ff4 in ?? ()
#3  0xbfb5b144 in ?? ()
#4  0xb78628c0 in ?? ()
#5  0xbfb5b1d0 in ?? ()
#6  0xb7cb7060 in ?? ()
#7  0x00000006 in ?? ()
#8  0xbfb5b144 in ?? ()
#9  0x00000000 in ?? ()
(gdb)

Part of strace:
open("/usr/lib/gconv/gconv-modules", O_RDONLY) = 4
fstat64(4, {st_mode=S_IFREG|0644, st_size=54543, ...}) = 0
old_mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0
xb7e96000
read(4, "# GNU libc iconv configuration.\n"..., 4096) = 4096
read(4, "as\tJS//\t\t\tJUS_I.B1.002//\nalias\tY"..., 4096) = 4096
read(4, "e\tINTERNAL\t\tISO-8859-3//\t\tISO885"..., 4096) = 4096
read(4, "as\tISO-IR-199//\t\tISO-8859-14//\na"..., 4096) = 4096
read(4, "to\t\t\tmodule\t\tcost\nalias\tCSEBCDIC"..., 4096) = 4096
read(4, "e\t\tcost\nalias\tCP284//\t\t\tIBM284//"..., 4096) = 4096
read(4, "as\tCP864//\t\t\tIBM864//\nalias\t864/"..., 4096) = 4096
read(4, "dule\tIBM937//\t\tINTERNAL\t\tIBM937\t"..., 4096) = 4096
read(4, "UC-JP//\nalias\tUJIS//\t\t\tEUC-JP//\n"..., 4096) = 4096
read(4, "dule\t\tcost\nalias\tISO-IR-143//\t\tI"..., 4096) = 4096
read(4, "OX//\nmodule\tISO_10367-BOX//\t\tINT"..., 4096) = 4096
read(4, "dule\tINTERNAL\t\tEUC-JISX0213//\t\tE"..., 4096) = 4096
read(4, "odule\tIBM1130//\t\tINTERNAL\t\tIBM11"..., 4096) = 4096
read(4, "804//\t\tIBM16804//\nalias\tCP16804/"..., 4096) = 1295
read(4, "", 4096)                       = 0
close(4)                                = 0
munmap(0xb7e96000, 4096)                = 0
futex(0xb7e09a4c, FUTEX_WAKE, 2147483647) = 0
open("/usr/lib/gconv/UTF-16.so", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0@\5\0\000"..., 512) = 51
2
fstat64(4, {st_mode=S_IFREG|0755, st_size=30517, ...}) = 0
old_mmap(NULL, 12328, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x
b7e93000
old_mmap(0xb7e95000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYW
RITE, 4, 0x1000) = 0xb7e95000
close(4)                                = 0
mprotect(0xb7e95000, 4096, PROT_READ)   = 0
brk(0x803a3000)                         = 0x803a3000
brk(0x8039b000)                         = 0x8039b000
open("/usr/lib/gconv/IBM850.so", O_RDONLY) = 4
read(4, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\200\4\0"..., 512) = 512
fstat64(4, {st_mode=S_IFREG|0755, st_size=22335, ...}) = 0
old_mmap(NULL, 12316, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 4, 0) = 0x
b789d000
old_mmap(0xb789f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYW
RITE, 4, 0x1000) = 0xb789f000
close(4)                                = 0
mprotect(0xb789f000, 4096, PROT_READ)   = 0
write(2, "smbd: gconv_db.c:232: __gconv_re"..., 95) = 95
rt_sigprocmask(SIG_UNBLOCK, [ABRT], NULL, 8) = 0
tgkill(30320, 30320, SIGABRT)           = 0
--- SIGABRT (Aborted) @ 0 (0) ---
time(NULL)                              = 1143387808
geteuid32()                             = 0
write(5, "[2006/03/26 10:43:28, 0] lib/fau"..., 54) = 54
geteuid32()                             = 0
write(5, "  =============================="..., 66) = 66
time(NULL)                              = 1143387808
geteuid32()                             = 0
write(5, "[2006/03/26 10:43:28, 0] lib/fau"..., 54) = 54
geteuid32()                             = 0
write(5, "  INTERNAL ERROR: Signal 6 in pi"..., 69) = 69
geteuid32()                             = 0
write(5, "  Please read the Trouble-Shooti"..., 63) = 63
time(NULL)                              = 1143387808
geteuid32()                             = 0
write(5, "[2006/03/26 10:43:28, 0] lib/fau"..., 54) = 54
geteuid32()                             = 0
write(5, "  \n", 3)                     = 3
geteuid32()                             = 0
write(5, "  From: http://www.samba.org/sam"..., 57) = 57
time(NULL)                              = 1143387808
geteuid32()                             = 0
write(5, "[2006/03/26 10:43:28, 0] lib/fau"..., 54) = 54
geteuid32()                             = 0
write(5, "  =============================="..., 66) = 66
time(NULL)                              = 1143387808
geteuid32()                             = 0
write(5, "[2006/03/26 10:43:28, 0] lib/uti"..., 53) = 53
geteuid32()                             = 0
.....

Comment 3 VOROSKOI Andras 2006-04-10 04:34:42 UTC
I have a problem similar to Fred's. He also reported it by email: http://lists.samba.org/archive/samba/2006-March/118937.html

I'm using glibc 2.4, gcc 4.1.0. Samba version is 3.0.22.
Comment 4 Gerald (Jerry) Carter (dead mail address) 2006-04-10 07:09:41 UTC
There are two different bugs here.  The original one was fixed.
The second appears more like BUG 3655
Comment 5 VOROSKOI Andras 2006-04-12 11:30:09 UTC
(In reply to comment #4)
> There are two diferent bugs here.  The original one was fixed.
> The second appears more ilke BUG 3655

As both of these reports have been closed without a fix, I've opened #3678
Comment 6 Miyu 2006-09-21 12:33:04 UTC
I still get this bug on AMD64 machine with Gentoo. Samba version: 3.0.23a. glibc version: 2.4-r3