libvirtd crashes with double free or corruption (out)

Bug #1602264 reported by Tom Eichhorn
This bug affects 2 people
Affects: libnss-extrausers (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

I saw libvirtd crash with the attached error when someone tried to start a VM via openstack nova.

Anyone with hints how to debug this further?

Thanks,
Tom

Maik Zumstrull (m-zumstrull) wrote :

I'm pretty sure this bug is actually in libnss-extrausers (see top of stack trace).

libvirtd is trying a getgrouplist, which is calling out to the various NSS modules through glibc.

In libnss-extrausers, this construct in group.c:

static FILE *groupsfile = NULL;

[...]

enum nss_status _nss_extrausers_endgrent(void) {
        if (groupsfile != NULL) {
                fclose(groupsfile);
                groupsfile = NULL;
        }
        return NSS_STATUS_SUCCESS;
}

is obviously not in any way thread safe, even though the module advertises itself as reentrant.

Christian Ehrhardt  (paelzer) wrote :

Given the pre-analysis I agree with Maik, reassigning to libnss-extrausers.

affects: libvirt (Ubuntu) → libnss-extrausers (Ubuntu)
Maik Zumstrull (m-zumstrull) wrote : Re: [Bug 1602264] libvirtd crashes with double free or corruption (out)

Note that this is https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=831390.

We have been running with a custom build of the package, that adds __thread to the relevant variables as suggested in that bug, and haven't seen any crashes in this module since.

> On 13 Dec 2016, at 16:30, ChristianEhrhardt <email address hidden> wrote:
>
> Given the pre-analysis I agree with Maik, reassigning to libnss-
> extrausers
>
> ** Package changed: libvirt (Ubuntu) => libnss-extrausers (Ubuntu)

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libnss-extrausers (Ubuntu):
status: New → Confirmed
Olaf Seibert (oseibert-sys11) wrote :

It is my opinion at this time that the bug is really in glibc. These functions like _nss_extrausers_endgrent() must share state from call to call, and therefore cannot possibly be thread safe.

Unfortunately, the fix of making the shared state thread-local could probably cause problems for callers which try to be careful when using these functions, but still take into account the globally shared state (which isn't global any more with the patch). For instance, if one thread calls _nss_extrausers_setgrent() under some lock, and another thread later calls _nss_extrausers_endgrent() under some lock, this would reasonably be expected to work, but it won't with the thread-local state.

getgrouplist() is documented as thread safe, while it calls these functions without locking.
I think the fix should be made in glibc by adding appropriate locking there.

I have filed a report for glibc: https://bugs.launchpad.net/ubuntu/+source/glibc/+bug/1923738
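Added sketch for readers of this thread, not code from libnss-extrausers, glibc or any commenter: it takes the endgrent construct Maik quoted and applies the locking approach Olaf argues for (state stays shared, access is serialised), placed inside the module rather than in glibc so the effect can be shown stand-alone. The names race_endgrent and close_count, and tmpfile() standing in for the extrausers group file, are assumptions of the sketch.

```c
/* Added sketch, not libnss-extrausers' code: the same static FILE* state as
 * group.c, but every check-and-close is serialised by a mutex. */
#include <pthread.h>
#include <stdio.h>

enum nss_status { NSS_STATUS_UNAVAIL = -1, NSS_STATUS_SUCCESS = 1 }; /* glibc's values */

static FILE *groupsfile = NULL;                 /* shared across threads, as in the module */
static pthread_mutex_t groups_lock = PTHREAD_MUTEX_INITIALIZER;
static int close_count = 0;                     /* instrumentation: fclose() calls seen */

/* tmpfile() stands in for /var/lib/extrausers/group so the sketch runs anywhere. */
enum nss_status _nss_extrausers_setgrent(void) {
    enum nss_status rc = NSS_STATUS_SUCCESS;
    pthread_mutex_lock(&groups_lock);
    if (groupsfile == NULL) {
        if ((groupsfile = tmpfile()) == NULL) rc = NSS_STATUS_UNAVAIL;
    } else {
        rewind(groupsfile);
    }
    pthread_mutex_unlock(&groups_lock);
    return rc;
}

/* The construct quoted in the thread; the lock makes "test, close, clear" atomic,
 * so a second thread arriving late sees NULL instead of a dangling FILE*. */
enum nss_status _nss_extrausers_endgrent(void) {
    pthread_mutex_lock(&groups_lock);
    if (groupsfile != NULL) {
        fclose(groupsfile);
        groupsfile = NULL;
        close_count++;
    }
    pthread_mutex_unlock(&groups_lock);
    return NSS_STATUS_SUCCESS;
}

static void *endgrent_worker(void *arg) { (void)arg; _nss_extrausers_endgrent(); return NULL; }

/* Opens the file once, then lets n threads race on endgrent; returns how many
 * fclose() calls happened (always 1 with the lock; -1 if setgrent failed). */
int race_endgrent(int n) {
    pthread_t tid[64];
    if (n > 64) n = 64;
    close_count = 0;
    if (_nss_extrausers_setgrent() != NSS_STATUS_SUCCESS) return -1;
    for (int i = 0; i < n; i++) pthread_create(&tid[i], NULL, endgrent_worker, NULL);
    for (int i = 0; i < n; i++) pthread_join(tid[i], NULL);
    return close_count;
}
```

Without the mutex, the same race_endgrent() run is the crash in this report: two threads pass the NULL check before either clears groupsfile, and the second fclose() is the "double free or corruption" glibc aborts on.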
