Bug 3642 - segfault on FD_SET() when we have an winbindd_fd of -1 in source/nsswitch/wb_common.c
Status: RESOLVED LATER
Product: Samba 3.0
Classification: Unclassified
Component: winbind
Version: 3.0.21c
Hardware: x86 Linux
Importance: P3 normal
Target Milestone: none
Assigned To: Jeremy Allison
QA Contact: Samba QA Contact
Reported: 2006-03-29 07:26 UTC by Francesco Defilippo
Modified: 2006-04-20 07:55 UTC

Attachments
Proposed patch (332 bytes, patch), 2006-03-29 12:27 UTC, Jeremy Allison

Description Francesco Defilippo 2006-03-29 07:26:09 UTC
GNU gdb Red Hat Linux (6.1post-1.20040607.62rh)
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux-gnu"...Using host libthread_db library "/lib/tls/libthread_db.so.1".

Core was generated by `/usr/sbin/ss5 -s -t -u root'.
Program terminated with signal 11, Segmentation fault.

warning: svr4_current_sos: Can't read pathname for load map: Input/output error

Reading symbols from /lib/tls/libpthread.so.0...done.
Loaded symbols for /lib/tls/libpthread.so.0
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /usr/lib/libldap-2.2.so.7...done.
Loaded symbols for /usr/lib/libldap-2.2.so.7
Reading symbols from /lib/libpam.so.0...done.
Loaded symbols for /lib/libpam.so.0
Reading symbols from /lib/libpam_misc.so.0...done.
Loaded symbols for /lib/libpam_misc.so.0
Reading symbols from /lib/tls/libc.so.6...done.
Loaded symbols for /lib/tls/libc.so.6
Reading symbols from /usr/lib/liblber-2.2.so.7...done.
Loaded symbols for /usr/lib/liblber-2.2.so.7
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
Reading symbols from /usr/lib/libsasl2.so.2...done.
Loaded symbols for /usr/lib/libsasl2.so.2
Reading symbols from /lib/libssl.so.4...done.
Loaded symbols for /lib/libssl.so.4
Reading symbols from /lib/libcrypto.so.4...done.
Loaded symbols for /lib/libcrypto.so.4
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /usr/lib/libgssapi_krb5.so.2...done.
Loaded symbols for /usr/lib/libgssapi_krb5.so.2
Reading symbols from /usr/lib/libkrb5.so.3...done.
Loaded symbols for /usr/lib/libkrb5.so.3
Reading symbols from /lib/libcom_err.so.2...done.
Loaded symbols for /lib/libcom_err.so.2
Reading symbols from /usr/lib/libk5crypto.so.3...done.
Loaded symbols for /usr/lib/libk5crypto.so.3
Reading symbols from /usr/lib/libz.so.1...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /usr/lib/ss5/mod_socks4.so...done.
Loaded symbols for /usr/lib/ss5/mod_socks4.so
Reading symbols from /usr/lib/ss5/mod_socks5.so...done.
Loaded symbols for /usr/lib/ss5/mod_socks5.so
Reading symbols from /usr/lib/ss5/mod_authentication.so...done.
Loaded symbols for /usr/lib/ss5/mod_authentication.so
Reading symbols from /usr/lib/ss5/mod_authorization.so...done.
Loaded symbols for /usr/lib/ss5/mod_authorization.so
Reading symbols from /usr/lib/ss5/mod_proxy.so...done.
Loaded symbols for /usr/lib/ss5/mod_proxy.so
Reading symbols from /usr/lib/ss5/mod_balance.so...done.
Loaded symbols for /usr/lib/ss5/mod_balance.so
Reading symbols from /usr/lib/ss5/mod_log.so...done.
Loaded symbols for /usr/lib/ss5/mod_log.so
Reading symbols from /usr/lib/ss5/mod_filter.so...done.
Loaded symbols for /usr/lib/ss5/mod_filter.so
Reading symbols from /usr/lib/ss5/mod_statistics.so...done.
Loaded symbols for /usr/lib/ss5/mod_statistics.so
Reading symbols from /usr/lib/ss5/mod_bandwidth.so...done.
Loaded symbols for /usr/lib/ss5/mod_bandwidth.so
Reading symbols from /usr/lib/ss5/mod_dump.so...done.
Loaded symbols for /usr/lib/ss5/mod_dump.so
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Reading symbols from /lib/security/pam_winbind.so...Reading symbols from /usr/lib/debug/lib/security/pam_winbind.so.debug...done.
done.
Loaded symbols for /lib/security/pam_winbind.so
Reading symbols from /lib/security/pam_deny.so...done.
Loaded symbols for /lib/security/../../lib/security/pam_deny.so
#0  0x00f9196a in read_sock (buffer=0xb7d136d0, count=1300) at nsswitch/wb_common.c:423
423                     FD_SET(winbindd_fd, &r_fds);
(gdb) bt
#0  0x00f9196a in read_sock (buffer=0xb7d136d0, count=1300) at nsswitch/wb_common.c:423
#1  0x00f91a92 in read_reply (response=0xb7d136d0) at nsswitch/wb_common.c:481
#2  0x00f91b29 in winbindd_get_response (response=0xb7d136d0) at nsswitch/wb_common.c:572
#3  0x00f91bbc in winbindd_request_response (req_type=0, request=0xb7d13bf0, response=0xb7d136d0) at nsswitch/wb_common.c:602
#4  0x00f91dde in write_sock (buffer=0xb7d15500, count=1836, recursing=0) at nsswitch/wb_common.c:317
#5  0x00f9036d in pam_winbind_request_log (req_type=WINBINDD_PAM_AUTH, request=0xb7d15500, response=0xb7d14fe0, ctrl=1, 
    user=0x8b7e588 "ee06765") at nsswitch/pam_winbind.c:114
#6  0x00f9069a in winbind_auth_request (user=0x8b7e588 "xx43210", pass=0x8b76a28 "abcdefg01", member=0x0, ctrl=1)
    at nsswitch/pam_winbind.c:246
#7  0x00f90bf8 in pam_sm_authenticate (pamh=0x8b92840, flags=0, argc=1, argv=0x8b7d668) at nsswitch/pam_winbind.c:516
#8  0x00204a7a in _pam_dispatch () from /lib/libpam.so.0
#9  0x0020666b in pam_authenticate () from /lib/libpam.so.0
#10 0x0011337e in S5PamCheck (ai=0xb7d18370) at SS5Pam.c:97
#11 0x00112da3 in Authentication (mi=0xb7d183f0, ci=0xb7d18340, bd=0xb7d18210, ai=0xb7d18370) at SS5Mod_authentication.c:123
#12 0x0804bbff in S5Core (clientSocket=87) at SS5Core.c:225
#13 0x00bac341 in start_thread () from /lib/tls/libpthread.so.0
#14 0x00b05fee in clone () from /lib/tls/libc.so.6
(gdb)
Comment 1 Francesco Defilippo 2006-03-29 07:37:49 UTC
Sorry, I made a mistake with my keyboard!

Following the bug description:

I'm using pam_winbind to authenticate socks clients with the SS5 3.5.4-1 socks server on a Linux platform (RH AS4.0).

Sometimes, the SS5 socks server crashes (only in threaded mode) during authentication, and a backtrace on the core file shows a SEGFAULT on the read_sock call in the wb_common.c source file.

It seems the FD_SET call is done with a file descriptor of -1.

I found a similar bug in client.c fixed with a check (if ... == -1 return) on the fd variable.

Tell me if you need more information.

Thank you.
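An added illustration (not Samba's wb_common.c and not the attached patch) of the two points this report and the later comments raise: refusing a -1 or out-of-range descriptor before FD_SET(), and serialising access to a process-wide descriptor with a mutex for callers that run pam_winbind from threads. The names safe_fd_set, locked_read, client_fd, client_lock and demo_pipe are hypothetical, and the pipe used for the self-check is constructed inline.

```c
#include <errno.h>
#include <pthread.h>
#include <sys/select.h>
#include <unistd.h>

/* Process-wide descriptor shared by all threads, like winbindd_fd in wb_common.c. */
static int client_fd = -1;
static pthread_mutex_t client_lock = PTHREAD_MUTEX_INITIALIZER;

/* FD_SET() indexes a fixed bit array; -1 or >= FD_SETSIZE is UB (this bug's crash). */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EBADF;              /* fail loudly instead of touching memory */
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Read up to count bytes with a timeout, holding the lock for the whole call so
 * another thread cannot close or reconnect the shared descriptor mid-read.
 * Returns bytes read, or -1 if the descriptor is invalid or nothing is readable. */
ssize_t locked_read(char *buffer, size_t count, int timeout_sec)
{
    fd_set r_fds; ssize_t n = -1;
    struct timeval tv = { timeout_sec, 0 };
    pthread_mutex_lock(&client_lock);
    FD_ZERO(&r_fds);
    if (safe_fd_set(client_fd, &r_fds) == 0 &&
        select(client_fd + 1, &r_fds, NULL, NULL, &tv) > 0)
        n = read(client_fd, buffer, count);
    pthread_mutex_unlock(&client_lock);
    return n;
}

/* Self-check on a constructed pipe: a live descriptor yields "hello"; once it is
 * closed and reset to -1 the same call fails cleanly. Returns 1 on success. */
int demo_pipe(void)
{
    int p[2]; ssize_t n;
    char buf[16] = {0};
    if (pipe(p) != 0 || write(p[1], "hello", 5) != 5)
        return 0;
    client_fd = p[0];
    n = locked_read(buf, sizeof buf, 1);
    close(p[0]); close(p[1]);
    client_fd = -1;                 /* what wb_common.c does after a failure */
    return n == 5 && buf[0] == 'h' && buf[4] == 'o' && locked_read(buf, sizeof buf, 1) == -1;
}
```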
Comment 2 Jeremy Allison 2006-03-29 12:27:46 UTC
Created attachment 1827 [details]
Proposed patch

Try this patch please.
Jeremy.
Comment 3 Matteo Ricchetti 2006-04-11 10:34:44 UTC
The patch didn't resolve the problem. I think it is a thread-safety problem. Do you think pam_winbind is thread-safe?
Comment 4 Jeremy Allison 2006-04-11 10:46:49 UTC
Interesting - no, I'm not sure pam_winbind is thread-safe.
I'll look at this later on - we need to stabilize things before
release first.
Jeremy.
Comment 5 Matteo Ricchetti 2006-04-12 02:46:43 UTC
OK. I put a mutex into the source code concerning PAM authentication. I'm going to test it.

Bye
Comment 6 Gerald (Jerry) Carter 2006-04-20 07:55:10 UTC
Thread safety for pam_winbind comes later.