Bug 3762 - nscd receives SIGSEGV for certain domain lookups
Summary: nscd receives SIGSEGV for certain domain lookups
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: glibc
Version: 6.0
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Cristian Gafton
Reported: 1999-06-27 20:37 UTC by James Ralston
Modified: 2008-05-01 15:37 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 1999-07-28 05:34:59 UTC



Description James Ralston 1999-06-27 20:37:29 UTC
[Note: this report is *not* really about bind, but the
Bugzilla system forced me to choose a component, and nscd
wasn't on the list.]

For the nscd-2.1.1-6 rpm, certain domain lookups
consistently crash the nscd daemon with SIGSEGV.

As of the time of this submission, a good demonstration of
this is to ensure nscd is running, and then point a web
browser at www.deja.com, which currently resolves as
follows:

$ host -a www.deja.com
rcode = 0 (Success), ancount=23
The following answer is not authoritative:
www.deja.com    530 IN  A       208.10.192.221
www.deja.com    530 IN  A       208.10.192.222
www.deja.com    530 IN  A       208.10.192.223
www.deja.com    530 IN  A       208.10.192.224
www.deja.com    530 IN  A       208.10.192.225
www.deja.com    530 IN  A       208.10.192.226
www.deja.com    530 IN  A       208.10.192.227
www.deja.com    530 IN  A       208.10.192.228
www.deja.com    530 IN  A       208.10.192.229
www.deja.com    530 IN  A       208.10.192.230
www.deja.com    530 IN  A       208.10.192.231
www.deja.com    530 IN  A       208.10.192.232
www.deja.com    530 IN  A       208.10.192.233
www.deja.com    530 IN  A       208.10.192.234
www.deja.com    530 IN  A       208.10.192.235
www.deja.com    530 IN  A       208.10.192.236
www.deja.com    530 IN  A       208.10.192.237
www.deja.com    530 IN  A       208.10.192.238
www.deja.com    530 IN  A       208.10.192.239
www.deja.com    530 IN  A       208.10.192.240
www.deja.com    530 IN  A       208.10.192.241
www.deja.com    530 IN  A       208.10.192.242
www.deja.com    530 IN  A       208.10.192.243
For authoritative answers, see:
DEJA.com        37247 IN        NS      ODNS1.DEJANEWS.com
DEJA.com        37247 IN        NS      ODNS2.DEJANEWS.com
DEJA.com        37247 IN        NS      NS.DEJANEWS.com
Additional information:
ODNS1.DEJANEWS.com      52407 IN        A       208.10.192.67

Here are my running nscd processes:

$ ps fax
 ...
 1099 ?        S      0:00 nscd
 1102 ?        S      0:00  \_ nscd
 1103 ?        S      0:00      \_ nscd
 1104 ?        S      0:00      \_ nscd
 1105 ?        S      0:00      \_ nscd
 1106 ?        S      0:00      \_ nscd
 1107 ?        S      0:00      \_ nscd

Now, use strace to watch the parent nscd process (1099, in
this example) as one points a web browser to www.deja.com:

SYS_168(0xbffffcec, 0x1, 0x3a98, 0x3a98, 0xbffffcec) = 1
accept(0, 0, NULL)                      = ? ERESTARTSYS (To be restarted)
--- SIGSEGV (Segmentation fault) ---

So far, this is the only domain I've encountered that
crashes nscd, but the fact that this looks a lot like a
buffer overflow problem gives me very queasy feelings about
running nscd.  I have not yet looked at the source, but if
this indeed is a buffer overflow problem, then it *might* be
possible for a clever person to stack-smash nscd (which
normally runs as root) and eventually gain root privileges.

BTW, I run nscd using the default /etc/nscd.conf that comes
with nscd-2.1.1-6; I have not made any modifications.

Comment 1 Jeff Johnson 1999-06-27 21:04:59 UTC
I'm changing the component to glibc because that's the name of the
src.rpm from which the nscd package comes ...

Comment 2 Jeff Johnson 1999-06-27 21:08:59 UTC
You might also look at #3171 which is also nscd related. There
is a fix for that problem that will be in the next glibc errata
release.

Comment 3 James Ralston 1999-07-13 22:09:59 UTC
Ok, I will wait for the next glibc errata release to show up on
rawhide.redhat.com, and test it out then.

Comment 4 James Ralston 1999-07-21 21:03:59 UTC
Ok, I've grabbed glibc-2.1.2-1 and glibc-devel-2.1.2-1 from rawhide.
So far, so good; I haven't been able to get nscd to crash.  I'll
report back after a few days of regular use.

Comment 5 James Ralston 1999-07-27 19:26:59 UTC
I wasn't able to get nscd to crash even once with glibc-2.1.2-1.  As
far as I'm concerned, the problem is corrected; I'll wait for
glibc-2.1.2-1 to be released for Red Hat 6.0 before installing it on
my production machines.

Comment 6 Cristian Gafton 1999-07-28 05:34:59 UTC
Fixed in glibc-2.1.2-1 and later, available from rawhide.

