Ubuntu
acl package

Effective permissions and long group names - getfacl: malloc(): memory corruption

Bug #900304 reported by Helge Willum Thingvad on 2011-12-05

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	acl (Ubuntu)	Invalid	Undecided	Unassigned

Bug Description

I have found a combination of ACLs that, when set on a file on an Active Directory joined Ubuntu 10.04 server, will crash the getfacl program upon reading the ACL entries.

The crash appears under the following conditions:
1) getfacl is about to list effective permissions (i.e. limited by mask) for at least two ACL entries.
2) At least one of these entries has a user/group name longer than 32 characters.
3) The output of getfacl is not redirected nor piped to another program/file.

Normally, user/group names longer than 32 characters are prevented from being created on the local system, but they are possible when using central authentication tools such as Centrify DirectControl and Likewise Open.

The crash happens when effective permissions are to be listed, and only when the output of getfacl is written directly to terminal.
Running the test on a separate, non-AD joined host, using regular local users and groups of maximum 32 characters, does not yield any errors.

I have tested and confirmed this bug on two independent systems, both running Ubuntu 10.04 Server, with one using CentrifyDC Express 4.4.3 for AD integration and the other one using Likewise-Open 6.

=== HOW TO REPRODUCE ===
Since the bug does not appear when using locally valid names, it may be required to install centrifydc, likewise-open or another tool in order to create a test environment with user/group names longer than 32 characters. Perhaps LDAP can be used too?

This example uses Centrify DirectControl 4.4.3 Express for AD integration.

mkdir testdir
touch testdir/testfile
setfacl -Rd -m user:<email address hidden>:rwx -m group:<email address hidden>:rwx testdir/
setfacl -Rn -m user:<email address hidden>:rwx -m group:<email address hidden>:rwx testdir/
getfacl testdir # crash, getfacl_testdir_noredirect_crash.log
getfacl testdir > getfacl_testdir_redirect_nocrash.log
getfacl testdir/testfile # crash, getfacl_testfile_noredirect_crash.log
getfacl testdir/testfile > getfacl_testfile_redirect_nocrash.log

=== ATTACHED LOGS ===
getfacl_testdir_noredirect_crash.log (copied from terminal)
getfacl_testdir_redirect_nocrash.log (redirected to log file)
getfacl_testfile_noredirect_crash.log (copied from terminal)
getfacl_testfile_redirect_nocrash.log (redirected to log file)

ProblemType: Bug
DistroRelease: Ubuntu 10.04
Package: acl 2.2.49-2
ProcVersionSignature: Ubuntu 2.6.32-36.79-server 2.6.32.46+drm33.20
Uname: Linux 2.6.32-36-server x86_64
Architecture: amd64
Date: Mon Dec 5 14:43:30 2011
InstallationMedia: Ubuntu-Server 10.04 LTS "Lucid Lynx" - Release amd64 (20100427)
ProcEnviron:
PATH=(custom, no user)
LANG=en_DK.UTF-8
SHELL=/bin/bash
SourcePackage: acl

See original description

Tags:

Revision history for this message

Helge Willum Thingvad (helgesdk) wrote on 2011-12-05:

getfacl_testdir_noredirect_crash.log Edit (6.1 KiB, text/plain)
Dependencies.txt Edit (497 bytes, text/plain; charset="utf-8")

Revision history for this message

Helge Willum Thingvad (helgesdk) wrote on 2011-12-05:

getfacl_testdir_redirect_nocrash.log Edit (413 bytes, text/plain)

Revision history for this message

Helge Willum Thingvad (helgesdk) wrote on 2011-12-05:

getfacl_testfile_noredirect_crash.log Edit (6.1 KiB, text/plain)

Revision history for this message

Helge Willum Thingvad (helgesdk) wrote on 2011-12-05:

getfacl_testfile_redirect_nocrash.log Edit (241 bytes, text/plain)

Revision history for this message

Helge Willum Thingvad (helgesdk) wrote on 2011-12-05:

Download full text (7.7 KiB)

I forgot to mention that I had setgid enabled on the parent directory (chmod g+s). Anyway, setting bit is not required to reproduce the bug.

CORRECTION: This bug also affects systems that use Likewise-Open 6.

Still, it only appears with certain combinations of user and group names.
I am not sure just yet what triggers the error, but these commands trigger the same thing (now, in a directory without setgid):

mkdir testdir
chown :CIVIL\\vhost_arch-civil-aau-dk_full testdir/
setfacl -Rd -m user:<email address hidden>:rwx -m group:CIVIL\\vhost_arch-civil-aau-dk_full:rwx testdir/
setfacl -Rn -m user:<email address hidden>:rwx -m group:CIVIL\\vhost_arch-civil-aau-dk_full:rwx testdir/
getfacl testdir/

Now testing on a server with Likewise-Open (using "DOMAIN\\name" format), this is the expected result:
------------
# file: testdir/
# owner: root
# group: CIVIL\134vhost_arch-civil-aau-dk_full
user::rwx
user:CIVIL\134phk:rwx #effective:r-x
group::r-x
group:CIVIL\134vhost_arch-civil-aau-dk_full:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:CIVIL\134phk:rwx
default:group::r-x
default:group:CIVIL\134vhost_arch-civil-aau-dk_full:rwx
default:mask::rwx
default:other::r-x
------------

I forgot to mention that I had setgid enabled on the parent directory (chmod g+s). Anyway, setting bit is not required to reproduce the bug.

CORRECTION: This bug also affects systems that use Likewise-Open 6.

mkdir testdir
chown :CIVIL\\vhost_arch-civil-aau-dk_full testdir/
setfacl -Rd -m user:phk@civil.aau.dk:rwx -m group:CIVIL\\vhost_arch-civil-aau-dk_full:rwx testdir/
setfacl -Rn -m user:phk@civil.aau.dk:rwx -m group:CIVIL\\vhost_arch-civil-aau-dk_full:rwx testdir/
getfacl testdir/

Now testing on a server with Likewise-Open (using "DOMAIN\\name" format), this is the expected result:
------------
# file: testdir/
# owner: root
# group: CIVIL\134vhost_arch-civil-aau-dk_full
user::rwx
user:CIVIL\134phk:rwx   #effective:r-x
group::r-x
group:CIVIL\134vhost_arch-civil-aau-dk_full:rwx #effective:r-x
mask::r-x
other::r-x
default:user::rwx
default:user:CIVIL\134phk:rwx
default:group::r-x
default:group:CIVIL\134vhost_arch-civil-aau-dk_full:rwx
default:mask::rwx
default:other::r-x
------------

This is the output on terminal (without redirection/piping):
------------
# file: testdir/
# owner: root
# group: CIVIL\134vhost_arch-civil-aau-dk_full
*** glibc detected *** getfacl: corrupted double-linked list: 0x00000000007577e0 ***
======= Backtrace: =========
/lib/libc.so.6(+0x775b6)[0x7f20a74f15b6]
/lib/libc.so.6(+0x7ddbb)[0x7f20a74f7dbb]
/lib/libc.so.6(realloc+0xf0)[0x7f20a74f80b0]
/lib/libacl.so.1(+0x3e46)[0x7f20a7a05e46]
getfacl[0x402a2c]
getfacl[0x4032f4]
getfacl(walk_tree+0x8b)[0x40386b]
getfacl[0x401df5]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f20a7498c4d]
getfacl[0x401859]
======= Memory map: ========
00400000-00405000 r-xp 00000000 fb:02 537184                             /usr/bin/getfacl
00604000-00605000 r--p 00004000 fb:02 537184                             /usr/bin/getfacl
00605000-00606000 rw-p 00005000 fb:02 537184                             /usr/bin/getfacl
0074c000-0076d000 rw-p 00000000 00:00 0                                  [heap]
7f20a0000000-7f20a0021000 rw-p 00000000 00:00 0
7f20a0021000-7f20a4000000 ---p 00000000 00:00 0
7f20a57b8000-7f20a57ce000 r-xp 00000000 fb:02 522011                     /lib/libgcc_s.so.1
7f20a57ce000-7f20a59cd000 ---p 00016000 fb:02 522011                     /lib/libgcc_s.so.1
7f20a59cd000-7f20a59ce000 r--p 00015000 fb:02 522011                     /lib/libgcc_s.so.1
7f20a59ce000-7f20a59cf000 rw-p 00016000 fb:02 522011                     /lib/libgcc_s.so.1
7f20a59cf000-7f20a59e7000 r-xp 00000000 fb:02 521878                     /lib/libpthread-2.11.1.so
7f20a59e7000-7f20a5be6000 ---p 00018000 fb:02 521878                     /lib/libpthread-2.11.1.so
7f20a5be6000-7f20a5be7000 r--p 00017000 fb:02 521878                     /lib/libpthread-2.11.1.so
7f20a5be7000-7f20a5be8000 rw-p 00018000 fb:02 521878                     /lib/libpthread-2.11.1.so
7f20a5be8000-7f20a5bec000 rw-p 00000000 00:00 0
7f20a5bec000-7f20a5bf3000 r-xp 00000000 fb:02 521881                     /lib/librt-2.11.1.so
7f20a5bf3000-7f20a5df2000 ---p 00007000 fb:02 521881                     /lib/librt-2.11.1.so
7f20a5df2000-7f20a5df3000 r--p 00006000 fb:02 521881                     /lib/librt-2.11.1.so
7f20a5df3000-7f20a5df4000 rw-p 00007000 fb:02 521881                     /lib/librt-2.11.1.so
7f20a5df4000-7f20a5ed3000 r-xp 00000000 fb:02 783174                     /opt/likewise/lib64/libiconv.so.2.4.0
7f20a5ed3000-7f20a5fd3000 ---p 000df000 fb:02 783174                     /opt/likewise/lib64/libiconv.so.2.4.0
7f20a5fd3000-7f20a5fd5000 rw-p 000df000 fb:02 783174                     /opt/likewise/lib64/libiconv.so.2.4.0
7f20a5fd5000-7f20a5fd7000 r-xp 00000000 fb:02 521866                     /lib/libdl-2.11.1.so
7f20a5fd7000-7f20a61d7000 ---p 00002000 fb:02 521866                     /lib/libdl-2.11.1.so
7f20a61d7000-7f20a61d8000 r--p 00002000 fb:02 521866                     /lib/libdl-2.11.1.so
7f20a61d8000-7f20a61d9000 rw-p 00003000 fb:02 521866                     /lib/libdl-2.11.1.so
7f20a61d9000-7f20a61f8000 r-xp 00000000 fb:02 783180                     /opt/likewise/lib64/liblwmsg_nothr.so.0.0.0
7f20a61f8000-7f20a62f7000 ---p 0001f000 fb:02 783180                     /opt/likewise/lib64/liblwmsg_nothr.so.0.0.0
7f20a62f7000-7f20a62fa000 rw-p 0001e000 fb:02 783180                     /opt/likewise/lib64/liblwmsg_nothr.so.0.0.0
7f20a62fa000-7f20a62fd000 r-xp 00000000 fb:02 783185                     /opt/likewise/lib64/libuuid.so.1.2.1
7f20a62fd000-7f20a63fc000 ---p 00003000 fb:02 783185                     /opt/likewise/lib64/libuuid.so.1.2.1
7f20a63fc000-7f20a63fd000 rw-p 00002000 fb:02 783185                     /opt/likewise/lib64/libuuid.so.1.2.1
7f20a63fd000-7f20a647e000 r-xp 00000000 fb:02 783178                     /opt/likewise/lib64/liblwbase_nothr.so.0.0.0
7f20a647e000-7f20a657d000 ---p 00081000 fb:02 783178                     /opt/likewise/lib64/liblwbase_nothr.so.0.0.0
7f20a657d000-7f20a65ab000 rw-p 00080000 fb:02 783178                     /opt/likewise/lib64/liblwbase_nothr.so.0.0.0
7f20a65ab000-7f20a65ce000 r-xp 00000000 fb:02 783176                     /opt/likewise/lib64/liblwadvapi_nothr.so.0.0.0
7f20a65ce000-7f20a66ce000 ---p 00023000 fb:02 783176                     /opt/likewise/lib64/liblwadvapi_nothr.so.0.0.0
7f20a66ce000-7f20a66d6000 rw-p 00023000 fb:02 783176                     /opt/likewise/lib64/liblwadvapi_nothr.so.0.0.0
7f20a66d6000-7f20a66ec000 r-xp 00000000 fb:02 521879                     /lib/libresolv-2.11.1.so
7f20a66ec000-7f20a68eb000 ---p 00016000 fb:02 521879                     /lib/libresolv-2.11.1.so
7f20a68eb000-7f20a68ec000 r--p 00015000 fb:02 521879                     /lib/libresolv-2.11.1.so
7f20a68ec000-7f20a68ed000 rw-p 00016000 fb:02 521879                     /lib/libresolv-2.11.1.so
7f20a68ed000-7f20a68ef000 rw-p 00000000 00:00 0
7f20a68ef000-7f20a6917000 r-xp 00000000 fb:02 783350                     /opt/likewise/lib64/liblsacommon.so.0.0.0
7f20a6917000-7f20a6a16000 ---p 00028000 fb:02 783350                     /opt/likewise/lib64/liblsacommon.so.0.0.0
7f20a6a16000-7f20a6a23000 rw-p 00027000 fb:02 783350                     /opt/likewise/lib64/liblsacommon.so.0.0.0
7f20a6a23000-7f20a6a3b000 r-xp 00000000 fb:02 783348                     /opt/likewise/lib64/liblsaclient.so.0.0.0
7f20a6a3b000-7f20a6b3a000 ---p 00018000 fb:02 783348                     /opt/likewise/lib64/liblsaclient.so.0.0.0
7f20a6b3a000-7f20a6b3b000 rw-p 00017000 fb:02 783348                     /opt/likewise/lib64/liblsaclient.so.0.0.0
7f20a6b3b000-7f20a6b3f000 r-xp 00000000 fb:02 783347                     /opt/likewise/lib64/liblsaauth.so.0.0.0
7f20a6b3f000-7f20a6c3e000 ---p 00004000 fb:02 783347                     /opt/likewise/lib64/liblsaauth.so.0.0.0
7f20a6c3e000-7f20a6c3f000 rw-p 00003000 fb:02 783347                     /opt/likewise/lib64/liblsaauth.so.0.0.0
7f20a6c3f000-7f20a6c4b000 r-xp 00000000 fb:02 521873                     /lib/libnss_files-2.11.1.so
7f20a6c4b000-7f20a6e4a000 ---p 0000c000 fb:02 521873                     /lib/libnss_files-2.11.1.so
7f20a6e4a000-7f20a6e4b000 r--p 0000b000 fb:02 521873                     /lib/libnss_files-2.11.1.so
7f20a6e4b000-7f20a6e4c000 rw-p 0000c000 fb:02 521873                     /lib/libnss_files-2.11.1.so
7f20a6e4c000-7f20a6e56000 r-xp 00000000 fb:02 521875                     /lib/libnss_nis-2.11.1.so
7f20a6e56000-7f20a7055000 ---p 0000a000 fb:02 521875                     /lib/libnss_nis-2.11.1.so
7f20a7055000-7f20a7056000 r--p 00009000 fb:02 521875                     /lib/libnss_nis-2.11.1.so
7f20a7056000-7f20a7057000 rw-p 0000a000 fb:02 521875                     /lib/libnss_nis-2.11.1.so
Aborted
------------

Helge Willum Thingvad (helgesdk) on 2011-12-05

description:	updated
description:	updated

Helge Willum Thingvad (helgesdk) on 2011-12-05

description:

updated

Revision history for this message

Helge Willum Thingvad (helgesdk) wrote on 2011-12-05:

getfacl_testdir_crash_likewise-open.log Edit (6.4 KiB, text/plain)

Here's the same error using Likewise-Open 6 for AD integration.

Revision history for this message

Helge Willum Thingvad (helgesdk) wrote on 2011-12-05:

MAJOR CLUE:
The crash only happens on files where the effective permissions are limited by the mask.
Using the option --no-effective, getfacl no longer crashes.

Oh, and using a shorter user/group names (still containing "unusual" characters) does not result in a crash.

So...

It seems that the conditions for triggering this bug is:
- getfacl is outputting to an interactive terminal (no pipes or redirects)
- long user or group names are present in the ACL
- the "#effective:..." string is to be outputted along with a long user/group entry

This has been testing on two separate systems using different solutions for Active Directory integration.

summary:	- getfacl: malloc(): memory corruption + Effective permissions and long names - getfacl: malloc(): memory + corruption
summary:	- Effective permissions and long names - getfacl: malloc(): memory + Effective permissions and long group names - getfacl: malloc(): memory corruption

Revision history for this message

Helge Willum Thingvad (helgesdk) wrote on 2011-12-05:

getfacl_gdb_backtrace.log Edit (16.8 KiB, text/plain)

I downloaded the source for package acl, disabled gcc compiler optimization (-O0), installed libc6-dbg, compiled the acl package and ran getfacl through gdb.

LD_LIBRARY_PATH=/root/acl/acl-2.2.49/libacl/.libs/ gdb /root/acl/acl-2.2.49/getfacl/.libs/getfacl
set args testdir/
run
bt full
bt

(see attached log)

Helge Willum Thingvad (helgesdk) on 2011-12-06

description:	updated
description:	updated

Revision history for this message

dino99 (9d9) wrote on 2015-08-01:

This version has expired

Changed in acl (Ubuntu):
status:	New → Invalid

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Bug attachments

Add attachment

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntuacl package

Effective permissions and long group names - getfacl: malloc(): memory corruption

Bug Description

Other bug subscribers

Bug attachments

Remote bug watches

Ubuntu
acl package