
[Nss-mysql-devel] [Bug #757] Segfault which appears to be in nss-mysql.


From: nobody
Subject: [Nss-mysql-devel] [Bug #757] Segfault which appears to be in nss-mysql.
Date: Fri, 05 Jul 2002 13:45:52 -0400

=================== BUG #757: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=757&group_id=443

Changes by: Kev Green <address@hidden>
Date: 2002-Jul-05 17:45 (GMT)

------------------ Additional Follow-up Comments ----------------------------
Guillaume,

Okay. In order to try and track this down, I recompiled nss-mysql (latest CVS) 
with some additional calls to _nss_mysql_log() in sensible places within lib.c 
and passwd.c

Using that method, I've tracked it down to lib.c, line 212, or thereabouts, 
the call to:

 mysql_init(NULL);

Which causes a segfault.

Even replacing mysql_init(NULL) with mysql_init(tmp) [tmp having been 
previously allocated (or was that just a pointer, and not an end structure?)] 
also causes the same problem, so there seems to be little choice left but to 
blame the MySQL libraries themselves...

Although as a thought, I have both libmysqlclient.so.9, and 
libmysqlclient.so.10 installed, which might be a cause of problems at some 
stage?

The nss_mysql library is linked against libmysqlclient.so.10, as is my "mysql" 
command line client program, which works fine.

Curiouser and curiouser...

Although (and I should have mentioned this earlier no doubt), maybe this is 
related to the fact that I keep getting loads of messages thusly in my logs 
(about two per minute):

Aborted connection to db: 'xxxx' user: 'xxxx' host: 'localhost' (Got an error reading communication packets)

And MySQL is running out of connections and for some reason doesn't deal with 
it properly when mysql_init() is called... hence the crash?

K.



=================== BUG #757: FULL BUG SNAPSHOT ===================


Submitted by: kyrian                    Project: NSS MySQL                      
Submitted on: 2002-Jun-26 02:44
Category:  None                         Severity:  5 - Major                    
Bug Group:  None                        Resolution:  None                       
Assigned to:  gmorin                    Status:  Open                           

Summary:  Segfault which appears to be in nss-mysql.

Original Submission:  Hi,

This segfault problem comes about when using the frontpage extensions for 
linux, so it may well be a problem with that passing garbage to nss-mysql (even 
if that is the case, it's still a BAD problem!), or it could be a problem 
within nss-mysql itself, which is what I think is the case.

Basically what appears to be happening (guesswork, see the attached strace 
information - sorry about the format, daft X setup left me no choice - for more 
conclusive info) is that when the frontpage software attempts to look up a 
(non-existent in /etc/passwd, as per my /etc/nsswitch.conf configuration) UID 
to username mapping, in some cases, you get a segfault, whereas if I add the 
appropriate user line in /etc/passwd, I get no segfault, because I've 
circumvented nss-mysql...

Now, from the attached strace, I reckon that this is happening because when 
reading /etc/nss-mysql.conf, there is an old_mmap() call which gets a buffer 
space of 4096 (bytes, at address 0x40028000 in the strace)
to store the information that's read in.

This is then duplicate-freed with a munmap() towards the end of the strace, 
attempting which causes a segfault.

This is repeatable every time with the user in question without the 
aforementioned line in /etc/passwd (although I've made no mention of it, I'm 
also using shadow passwords, but no line in /etc/shadow is required to prevent 
this bug happening, thus implying that it's restricted to the UID->username 
mapping process...).

However, what (possibly) knackers my theory is that it only happens with this 
one user, and not other users with similar setups, on which I'm trying to do 
the same thing...

I've tried making the user that fails have the same user/group config, removing 
trailing slashes from home directory names, etc. all sorts of minor tweaks of 
both the frontpage and the nss-mysql side that might be different between 
working and non-working users, but the only one that works is the line in 
/etc/passwd with the right uid/gid/username.

More information is available on request, although I would like to maintain as 
much customer-information privacy as possible, obviously...

Hopefully someone can help with this, as it defeats the object of having 
nss-mysql in the first place if I still need users in /etc/passwd :(

K.

PS. With debug enabled, when I get the above segfault, I only get this in my 
logs:

Jun 26 02:31:38 lestat nss-mysql[560]: getpwuid called for 1004
Jun 26 02:31:38 lestat owsadm.exe[560]: _nss_mysql_read_conf_file: called for section users
Jun 26 02:31:38 lestat owsadm.exe[560]: _nss_mysql_read_conf_file ended for section users

Oh, and it's nss-mysql-0.37.1 ;-)

Follow-up Comments
*******************

-------------------------------------------------------
Date: 2002-Jul-05 15:52             By: kyrian
Guillaume,

> This is very weird.
Yep :(

> All log entries you've given are completely normal.
> I really have no idea of what is going on.
I just looked at that strace again, and it's not because of a duplicate 
munmap(). The same address appears multiple times because it's reallocated 
multiple times, which is normal.

However I'm surprised to see that it crashes right after deallocating the 
buffer used to read /etc/nss-mysql.conf, and /etc/nsswitch.conf, rather than 
the strace/ltrace showing it crashing during a call to libmysqlclient.so.X...

I'd assumed it wasn't to do with the MySQL libraries as a result, and a problem 
was occurring before this happened.

> The frontpage extension is an apache module, right ?
Yes.

The source of it is available here: http://people.freebsd.org/~mbr/distfiles/

> If so, do you use any MySQL related modules with
> apache (like php4 with MySQL support) ?
I have PHP3 with MySQL support enabled in the server as a DSO, yes.

But the trouble with that theory is that the owsadm.exe program also crashes, 
and that program doesn't go anywhere near the apache executable, so I don't 
think it's apache related.

I'll have a look some more.

K.

-------------------------------------------------------
Date: 2002-Jul-05 14:57             By: gmorin
Hi,

This is very weird. All log entries you've given are completely normal. I really 
have no idea of what is going on.
The frontpage extension is an apache module, right ? If so,
do you use any MySQL related modules with apache (like php4 with MySQL support) ?

TIA.

Guillaume.

-------------------------------------------------------
Date: 2002-Jul-04 17:30             By: kyrian
Running the CVS version, I get the same as above.

Aside from that the log message now shows as:

<date> nss-mysql[<pid>]: _nss_mysql_read_conf_file: etc...

[ excuse the abbreviation... ]

and that it now shows the following immediately after the above (don't know if 
it's related):

<date> nss-mysql[<pid>]: check_connection: opening a connection.

This is assuming that the owsadm program doesn't do a fork() and get a 
different PID, as I've only taken the entries with the same PID into 
consideration.

In case it does fork(), there's a series of these messages before the above, 
with a similar PID [which might indicate that it did fork() ]

<date> nss-mysql[<pid2>]: endent called for passwd(0)
<date> nss-mysql[<pid2>]: endend(0): ent was NULL
<date> nss-mysql[<pid2>]: endend(0) finished

That appears about 25 times under 1 pid, and once under a 3rd unique pid, prior 
to the above messages. May or may not be related.

K.

-------------------------------------------------------
Date: 2002-Jul-04 16:37             By: kyrian
An ltrace of the command which causes the segfault shows no extra information 
(beyond what is normally output by that command), so I assume that this must 
mean that it has been statically linked?

I'll get to trying it with the latest CVS shortly...


-------------------------------------------------------
Date: 2002-Jul-04 13:32             By: gmorin
Hi,

Sorry for the late response, the bug email notification did not work :-(. It 
should work now.

Could you try to reproduce that problem with current CVS and
send me the debug log ?

I'd like to know if the frontpage software is linked dynamically with the mysql 
libraries too.

Could you try to run ltrace on the process when reproducing the bug, that would 
be helpful ?

Regards,

Guillaume.

-------------------------------------------------------
Date: 2002-Jun-28 07:50             By: kyrian
Hmmm... After a thought struck me, I tried changing the working user's username 
to the same length as the non-working one.

Lo and behold, I began to get segfaults on certain operations from the formerly 
working user when I made its username seven characters long (as opposed to its 
original four).

Maybe it has something to do with it, maybe not...



File Attachments
****************

-------------------------------------------------------
Date: 2002-Jun-26 02:44  Name: crud  Size: 8KB   By: kyrian
strace of bug.
http://savannah.gnu.org/bugs/download.php?group_id=443&bug_id=757&bug_file_id=42


For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=757&group_id=443
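
One way to check the two open questions in the thread (whether libmysqlclient.so.9 and libmysqlclient.so.10 both end up in the crashing process, and whether the calling program pulls in MySQL itself) is to inspect the process's /proc/<pid>/maps for the same library mapped under two major versions. This is an added example, not code from the thread or from nss-mysql; the sample maps text, its paths and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in /proc/<pid>/maps format (not taken from the bug report).
SAMPLE_MAPS = """\
08048000-080c1000 r-xp 00000000 03:01 1201 /usr/local/frontpage/owsadm.exe
40000000-40013000 r-xp 00000000 03:01 2001 /lib/ld-2.2.5.so
40028000-40029000 rw-p 00000000 00:00 0
4002a000-40050000 r-xp 00000000 03:01 3001 /usr/lib/libmysqlclient.so.9.0.0
40050000-40054000 rw-p 00025000 03:01 3001 /usr/lib/libmysqlclient.so.9.0.0
40060000-40069000 r-xp 00000000 03:01 3002 /lib/libnss_mysql.so.2
40070000-4009a000 r-xp 00000000 03:01 3003 /usr/lib/libmysqlclient.so.10.0.0
4009a000-4009e000 rw-p 00029000 03:01 3003 /usr/lib/libmysqlclient.so.10.0.0
"""

# libfoo.so.10.0.0 -> base "libfoo", major version 10
SO_NAME = re.compile(r"^(?P<base>.+?)\.so\.(?P<major>\d+)(?:\.\d+)*$")


def mapped_library_versions(maps_text):
    """Return {library base name: set of major versions} for mapped .so files."""
    versions = defaultdict(set)
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue  # anonymous mapping or pseudo-entry such as [heap]
        path = fields[5].replace(" (deleted)", "")
        match = SO_NAME.match(path.rsplit("/", 1)[-1])
        if match:
            versions[match.group("base")].add(int(match.group("major")))
    return dict(versions)


def conflicting_libraries(maps_text):
    """Libraries mapped into one process under more than one major version."""
    found = mapped_library_versions(maps_text)
    return {base: sorted(v) for base, v in found.items() if len(v) > 1}


if __name__ == "__main__":
    import sys
    # Pass a saved copy of /proc/<pid>/maps, or run on the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAPS
    for base, majors in conflicting_libraries(text).items():
        print(f"{base}: major versions {majors} mapped in the same process")
```

A copy of the MySQL client code that is statically linked into the calling binary does not appear as a separate mapping, so an empty result does not rule that case out.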


