nscd_getpw_r in libc6 crashes due to invalid free()
Bug #327705 reported by
gcc
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| GLibC |
Fix Released
|
Medium
|
|||
| glibc (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
There is a bug in libc6 in Dapper Drake (2.3.6) which causes applications that use nscd to crash eventually. A simple test is that this command crashes eventually:
perl -e 'while (1){getpwnam(
often with a glibc error about an invalid free(), or aborts for another reason. The bug was reported in redhat:
https:/
and fixed upstream:
http://
Please apply the patch to Dapper Drake.
Revision history for this message
|
|
#4 |
Revision history for this message
|
|
#5 |
Revision history for this message
|
|
#6 |
Revision history for this message
| C. Cooke (ccooke) wrote | #1 |
| Changed in glibc: | |
| status: | New → Confirmed |
| Changed in glibc: | |
| status: | Unknown → Fix Released |
Revision history for this message
| Rune Philosof (olberd) wrote | #2 |
Revision history for this message
| gcc (chris+ubuntu-qwirx) wrote | #3 |
| Changed in glibc: | |
| importance: | Unknown → Medium |
To post a comment you must log in.
nscd_getpw_r() will free() on a static buffer passed in to it when called by
getpwnam() and friends.
This can be seen by simple code inspection in nscd/nscd_
(discussion is based on CVS version 1.30 which is the current MAIN). The
following excerpt are a few lines of nscd/nscd_
86:nscd_getpw_r (...)
96: retry:;
142: resultbuf->pw_uid = pw_resp->pw_uid;
203: if (__nscd_
230: free (resultbuf);
232: goto retry;
The above shows that if there has been a GC cycle that resultbuf is freed and
then reused in the next retry. That's incorrect. It is also incorrect in that
resultbuf is passed in, and it can be a buffer that's not from the heap.
This turns up in a simple getpwnam() call made during a GC cycle. This tries to
free the resbuf in getpwnam and thus dumps core.
Suggested fix: remove free(resultbuf) (line 230).