Bug 250864 - security/sssd crashes with SIGBUS in r545276
Status: New
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: lukas.slebodnik
Reported: 2020-11-04 15:17 UTC by Joerg Wunsch
Modified: 2020-11-30 14:23 UTC
bugzilla: maintainer-feedback? (lukas.slebodnik)


Attachments
Patch to security/sssd 1.16.5 with samba412 and option SMB (3.90 KB, patch)
2020-11-28 23:34 UTC, Richard Frewin

Description Joerg Wunsch freebsd_committer 2020-11-04 15:17:07 UTC
After a recent upgrade of my system, sssd died during startup with SIGBUS.

This happens with our (realm specific) configuration. When using the default configuration, it just prints that it needs at least one configured domain, and exits.

The crash happens due to a memory corruption in realloc(), so the actual cause of the bug must be before that.

I tracked the memory corruption down (using a watchpoint in the debugger) to:

(gdb) bt
#0  0x00000000812bb50d in memcpy () from /lib/libc.so.7
#1  0x0000000081218df9 in ?? () from /lib/libc.so.7
#2  0x000000008121fabb in realloc () from /lib/libc.so.7
#3  0x0000000080371da4 in _talloc_realloc (context=<optimized out>, ptr=0x819d5100, size=18, name=0x802714ba "char") at ../../talloc.c:2040
#4  0x000000008027d188 in prepend_cn (str=<optimized out>, comp=<optimized out>, clen=4, slen=<optimized out>) at src/confdb/confdb.c:47
#5  parse_section (mem_ctx=0x819a34a0, section=0x203aaf "sssd", sec_dn=0x7fffffffe4e0, rdn_name=0x0) at src/confdb/confdb.c:85
#6  0x000000008027d631 in confdb_get_param (cdb=0x821c3460, mem_ctx=0x819e8060, section=0x203aa8 "config/sssd", attribute=0x204f84 "krb5_rcache_dir", values=0x7fffffffe558) at src/confdb/confdb.c:240
#7  0x000000008027da90 in confdb_get_string (cdb=0x821c3460, ctx=0x819e8060, section=0x203aa8 "config/sssd", attribute=0x204f84 "krb5_rcache_dir", defstr=0x20446d "__LIBKRB5_DEFAULTS__", result=0x7fffffffe5a8) at src/confdb/confdb.c:381
#8  0x0000000000208193 in monitor_process_init (ctx=0x819e8060, config_file=<optimized out>) at src/monitor/monitor.c:2123
#9  0x0000000000209dfa in main (argc=<optimized out>, argv=<optimized out>) at src/monitor/monitor.c:2868

If I back out r545276, it at least starts without crashing. I don't think it works as designed completely, e.g. I'm being asked for a password, rather than ssh using the pubkey stored on the IPA server. But at least, I can log in at all.
Comment 1 Rene Ladan freebsd_committer 2020-11-17 20:53:37 UTC
Can you retry this with version 1.16.5, which was committed in r555585?
Comment 2 Joerg Wunsch freebsd_committer 2020-11-17 21:05:19 UTC
Will take a moment, the entire machine (which runs in a VM on a larger server host) has just accidentally been damaged, and needs to be reinstalled from scratch. :(
Comment 3 Joerg Wunsch freebsd_committer 2020-11-24 16:34:56 UTC
(In reply to Rene Ladan from comment #1)

It references Samba 4.10 which has been dropped from the tree due to (apparently unfixable) security issues.

When I move the references to Samba 4.12 (port samba412), I get compile errors:

libtool: compile:  cc -DHAVE_CONFIG_H -I. -Wall -I.. -I./src/sss_client -I./src -I. -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include/dbus-1.0 -I/usr/local/lib/dbus-1.0/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -DLIBDIR=\"/usr/local/lib\" -DVARDIR=\"/var\" -DSSS_STATEDIR=\"/var/db/sss\" -DSYSCONFDIR=\"/usr/local/etc\" -DSHLIBEXT=\"\" -DSSSDDATADIR=\"/usr/local/share/sssd/sssd\" -DSSSD_LIBEXEC_PATH=\"/usr/local/libexec/sssd\" -DSSSD_CONF_DIR=\"/usr/local/etc/sssd\" -DSSS_NSS_MCACHE_DIR=\"/var/db/sss/mc\" -DSSS_NSS_SOCKET_NAME=\"/var/run/sss/pipes/nss\" -DSSS_PAM_SOCKET_NAME=\"/var/run/sss/pipes/pam\" -DSSS_PAC_SOCKET_NAME=\"/var/run/sss/pipes/pac\" -DSSS_PAM_PRIV_SOCKET_NAME=\"/var/run/sss/pipes/private/pam\" -DSSS_SEC_SOCKET_NAME=\"/var/run/secrets.socket\" -DSSS_SUDO_SOCKET_NAME=\"/var/run/sss/pipes/sudo\" -DSSS_AUTOFS_SOCKET_NAME=\"/var/run/sss/pipes/autofs\" -DSSS_SSH_SOCKET_NAME=\"/var/run/sss/pipes/ssh\" -DLOCALEDIR=\"/usr/local/share/locale\" -DBASE_FILE_STEM=\"libsss_ad_la-ad_srv\" -DLIBICONV_PLUG -I/usr/local/include -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith -Wcast-qual -Wcast-align -Wwrite-strings -Wundef -Werror-implicit-function-declaration -Winit-self -Wmissing-include-dirs -fno-strict-aliasing -std=gnu99 -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include -I/usr/local/include/samba4 -D_GNU_SOURCE=1 -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/local/include -I/usr/local/include/samba4 -I/usr/local/include -D_GNU_SOURCE=1 -DHAVE_IMMEDIATE_STRUCTURES=1 -I/usr/local/include/samba4 -O2 -pipe -fstack-protector-all -DLIBICONV_PLUG -fstack-protector-strong -DLDAP_DEPRECATED -fno-strict-aliasing -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -MT src/providers/ad/libsss_ad_la-ad_srv.lo -MD -MP -MF src/providers/ad/.deps/libsss_ad_la-ad_srv.Tpo -c src/providers/ad/ad_srv.c  -fPIC -DPIC -o 
src/providers/ad/.libs/libsss_ad_la-ad_srv.o
src/providers/ad/ad_gpo_ndr.c:108:13: error: implicit declaration of function 'ndr_pull_get_switch_value' is invalid in C99
      [-Werror,-Wimplicit-function-declaration]
    level = ndr_pull_get_switch_value(ndr, r);
            ^
src/providers/ad/ad_gpo_ndr.c:108:13: note: did you mean 'ndr_pull_set_switch_value'?
/usr/local/include/samba4/ndr.h:617:19: note: 'ndr_pull_set_switch_value' declared here
enum ndr_err_code ndr_pull_set_switch_value(struct ndr_pull *ndr, const void *p, uint32_t val);
                  ^
src/providers/ad/ad_gpo_ndr.c:138:13: error: implicit declaration of function 'ndr_pull_get_switch_value' is invalid in C99
      [-Werror,-Wimplicit-function-declaration]
    level = ndr_pull_get_switch_value(ndr, r);
            ^
src/providers/ad/ad_gpo_ndr.c:201:13: error: implicit declaration of function 'ndr_pull_get_switch_value' is invalid in C99
      [-Werror,-Wimplicit-function-declaration]
    level = ndr_pull_get_switch_value(ndr, r);
            ^
3 errors generated.

Apparently, Samba changes APIs occasionally ...
Comment 4 Joerg Wunsch freebsd_committer 2020-11-25 06:26:19 UTC
After reactivating samba-410, I get this one again:

root@daemon:/usr/ports/security/sssd # make install
===>  Installing for sssd-1.16.5
===>  Checking if sssd is already installed
===>   Registering installation for sssd-1.16.5
pkg-static: Unable to access file /usr/ports/security/sssd/work/stage/usr/local/lib/krb5/plugins/authdata/sssd_pac_plugin.so:No such file or directory
pkg-static: Unable to access file /usr/ports/security/sssd/work/stage/usr/local/libexec/sssd/sssd_pac:No such file or directory
*** Error code 74

Stop.
make[1]: stopped in /usr/ports/security/sssd
*** Error code 1

Stop.
make: stopped in /usr/ports/security/sssd

Investigating …
Comment 5 Richard Frewin 2020-11-25 15:00:53 UTC
Thanks for the updates Joerg - it will be the weekend before I get a chance to look at these ... hope someone else beats me to it ;-)

How are you building Samba? It was the case that one needed to build Samba with SAMBA4_BUNDLED_LDB=no so you could install a common ldb for sssd and samba ... I need to check if that's still true for samba412.
Comment 6 Rene Ladan freebsd_committer 2020-11-25 16:49:46 UTC
(In reply to Joerg Wunsch from comment #4)
Strange, it built fine in my poudriere jail using the default Samba version (4.12 I guess) on 12.2 amd64/i386. Aha, that is without the SMB option by default, which now points to net/samba410 which expired on 2020-11-08 and was removed then too. So the port Makefile is not correct at the moment :(
Comment 7 Joerg Wunsch freebsd_committer 2020-11-25 16:54:26 UTC
The point here is: configuring for Samba is crucial when trying to connect to an IPA server (which is the case for me).

The symptom with the missing sssd_pac stuff is the same as three revisions before, when there was a mismatch between the krb5 versions. However, I currently don't have the time to deeply investigate the details. If nobody else does, I'll try digging further as time permits.

At the very least, I'm more than happy that the port is no longer set for expiry due to the Python2.7 reference.
Comment 8 Richard Frewin 2020-11-28 23:34:39 UTC
Created attachment 220051
Patch to security/sssd 1.16.5 with samba412 and option SMB


This compiles for me with (the now default) net/samba412 and the security/sssd option SMB set.

I needed to compile samba412 with SAMBA4_BUNDLED_LDB=no otherwise databases/ldb21 and samba412 both try to install /usr/local/lib/python3.7/site-packages/_ldb_text.py

This patch uses a fix from upstream for the missing ndr_pull_get_switch_value(), replacing it with ndr_token_peek().

Also adds Kerberos 1.18 to allowed versions.

Please test and comment.
Comment 9 Joerg Wunsch freebsd_committer 2020-11-29 09:31:17 UTC
Many thanks for the update. Builds and installs fine with Samba 4.12.

I'll test re-integration of that machine into the IPA soon, and will report here.
Comment 10 Rene Ladan freebsd_committer 2020-11-29 11:39:30 UTC
(In reply to Joerg Wunsch from comment #9)
It also still builds fine with the default options on 12.2-amd64.

Is there a reason to mention all these Samba LIB_DEPENDS or can we just depend on the package once (or just one Samba library)?
Comment 11 Richard Frewin 2020-11-29 12:10:02 UTC
(In reply to Rene Ladan from comment #10)
Looking at samba412's Makefile I don't think those libraries are dependent on any of samba's options, so I would assume they can be reduced to just:

SMB_LIB_DEPENDS=        libsamba-util.so.0:net/samba412

Will run some test builds.
Comment 12 Joerg Wunsch freebsd_committer 2020-11-30 14:23:51 UTC
We reintegrated our host into the IPA, and it appears to work now. Thanks to everybody involved!
Only thing: at start of sssd, I eventually get a SIGSEGV on sssd_be, dumping core. Strangely enough, afterwards sssd_be is actually running nevertheless.