getent segfault with bad libnss-mysql config

Bug #727192 reported by montjoie
Affects: libnss-mysql-bg (Ubuntu). Status: New. Importance: Undecided. Assigned to: Unassigned.

Bug Description

Binary package hint: libnss-mysql-bg

I made an error in my config: getspent SELECT userid,passwd,'12345','0','99999','7','',','' FROM user (see the ' alone).
But instead of exiting with an error, getent segfaults.

This is the output of valgrind getent shadow:
==20700== Invalid read of size 8
==20700== at 0x60766B5: mysql_fetch_row (in /usr/lib/libmysqlclient.so.16.0.0)
==20700== by 0x5DED7FB: ??? (in /lib/libnss_mysql.so.2.0.0)
==20700== by 0x5DED20F: ??? (in /lib/libnss_mysql.so.2.0.0)
==20700== by 0x5DEE023: ??? (in /lib/libnss_mysql.so.2.0.0)
==20700== by 0x5DEE54B: _nss_mysql_getspent_r (in /lib/libnss_mysql.so.2.0.0)
==20700== by 0x4F2897D: __nss_getent_r (getnssent_r.c:171)
==20700== by 0x4F19395: getspent_r@@GLIBC_2.2.5 (getXXent_r.c:162)
==20700== by 0x4F2857A: __nss_getent (getnssent.c:38)
==20700== by 0x4F18951: getspent (getXXent.c:84)
==20700== by 0x40257C: shadow_keys (getent.c:799)
==20700== by 0x40360C: main (getent.c:972)
==20700== Address 0x10 is not stack'd, malloc'd or (recently) free'd

These are the lucid packages affected:
ii libnss-mysql-bg 1.5-2build1 NSS module for using MySQL as a naming servi
ii mysql-client-5.1 5.1.41-3ubuntu12.8 MySQL database client binaries
ii mysql-client-core-5.1 5.1.41-3ubuntu12.8 MySQL database core client binaries
ii mysql-common 5.1.41-3ubuntu12.8 MySQL database common files (e.g. /etc/mysql
ii mysql-server 5.1.41-3ubuntu12.8 MySQL database server (metapackage depending
ii mysql-server-5.1 5.1.41-3ubuntu12.8 MySQL database server binaries
ii mysql-server-core-5.1 5.1.41-3ubuntu12.8 MySQL database core server files

I have the same problem with an etch server.

montjoie (codingmontjoie) wrote:

I have recompiled libnss-mysql-bg with debug symbols, so the valgrind output is much more usable:

==27078== Invalid read of size 8
==27078== at 0x60766B5: mysql_fetch_row (in /usr/lib/libmysqlclient.so.16.0.0)
==27078== by 0x5DED7FB: _nss_mysql_fetch_row (mysql.c:318)
==27078== by 0x5DED20F: _nss_mysql_load_shadow (nss_support.c:189)
==27078== by 0x5DEE023: _nss_mysql_lookup (lookup.c:172)
==27078== by 0x5DEE54B: _nss_mysql_getspent_r (mysql-spwd.c:92)
==27078== by 0x4F2897D: __nss_getent_r (getnssent_r.c:171)
==27078== by 0x4F19395: getspent_r@@GLIBC_2.2.5 (getXXent_r.c:162)
==27078== by 0x4F2857A: __nss_getent (getnssent.c:38)
==27078== by 0x4F18951: getspent (getXXent.c:84)
==27078== by 0x40257C: shadow_keys (getent.c:799)
==27078== by 0x40360C: main (getent.c:972)
==27078== Address 0x10 is not stack'd, malloc'd or (recently) free'd

montjoie (codingmontjoie) wrote:

In mysql.c:299 the _nss_mysql_run_query function returns retval without setting it to an nss_error value.
mysql_query returns a non-zero value (1 in my case).
According to my debugging, NSS_SUCCESS is also equal to 1.
So _nss_mysql_run_query returns success, and libnss segfaults when attempting to use the mysql result, which in this case is NULL.
(You could also test mresult for a NULL value in _nss_mysql_load_shadow.)

This is the patch for correcting these problems:

--- src/mysql.c.orig 2011-03-01 17:04:42.000000000 +0100
+++ src/mysql.c 2011-03-01 17:06:01.000000000 +0100
@@ -296,7 +296,7 @@
         {
           _nss_mysql_log (LOG_ALERT, "mysql_query failed: %s",
                           mysql_error (&ci.link));
- DSRETURN (retval);
+ DSRETURN (NSS_UNAVAIL);
         }
     }
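Review bot: the `-`/`+` lines in this hunk appear with their leading indentation stripped relative to the surrounding context lines, so this copy of the patch may not apply cleanly with `patch -p0`; the whitespace needs to be restored before sending it on. The change itself only covers the early-return path: as the comment above notes, _nss_mysql_load_shadow (nss_support.c:189) should still check mresult for NULL before handing it to _nss_mysql_fetch_row (mysql.c:318), so that any other failure that leaves the result unset cannot reach mysql_fetch_row with a NULL pointer.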

Patch sent upstream.
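As an added illustration (not code from the bug report or from libnss-mysql), a C model of the two defects described in the comment: a failed mysql_query() return code of 1 colliding with NSS_SUCCESS, the patch's NSS_UNAVAIL return in its place, and the NULL-result guard in the caller. The enum values, fake_result, fake_mysql_query and the two query strings are assumptions of this example standing in for glibc's nss.h and the MySQL client.

```c
#include <stdio.h>
#include <string.h>
/* Same numeric values as glibc's nss.h (an assumption of this example; the
 * module wraps them as NSS_SUCCESS etc.). NSS_SUCCESS == 1 is the collision. */
enum nss_status { NSS_UNAVAIL = -1, NSS_NOTFOUND = 0, NSS_SUCCESS = 1 };

typedef struct { const char *row; } fake_result;        /* stand-in for MYSQL_RES */
static fake_result one_row = { "root:*:12345:0:99999:7:::" }; /* constructed row */

/* Stand-in for mysql_query(): like the real client, it rejects a query with
 * unbalanced single quotes (the stray ' in the report) with a non-zero rc
 * and leaves no result set behind. */
static int fake_mysql_query(const char *sql, fake_result **res) {
    int quotes = 0;
    for (const char *p = sql; *p; p++) quotes += (*p == '\'');
    if (quotes % 2) { *res = NULL; return 1; }
    *res = &one_row;
    return 0;
}

/* Shape of the bug: on failure the unchanged retval (the raw rc, 1) is
 * returned, and 1 == NSS_SUCCESS, so the caller believes the query worked. */
static enum nss_status run_query_buggy(const char *sql, fake_result **res) {
    int retval = fake_mysql_query(sql, res);
    if (retval != 0) return (enum nss_status)retval;    /* == NSS_SUCCESS */
    return NSS_SUCCESS;
}

/* Shape of the patch: a failed query is reported as NSS_UNAVAIL. */
static enum nss_status run_query_fixed(const char *sql, fake_result **res) {
    if (fake_mysql_query(sql, res) != 0) return NSS_UNAVAIL;
    return NSS_SUCCESS;
}

/* Caller in the shape of _nss_mysql_load_shadow. The NULL check is the second
 * fix the comment suggests: without it the buggy path dereferences the NULL
 * result, which is the "Address 0x10" read valgrind shows. */
static enum nss_status load_shadow(enum nss_status (*run)(const char *, fake_result **),
                                   const char *sql, const char **row) {
    fake_result *res = NULL;
    enum nss_status st = run(sql, &res);
    if (st != NSS_SUCCESS) return st;
    if (res == NULL) return NSS_UNAVAIL;   /* defensive guard */
    *row = res->row;
    return NSS_SUCCESS;
}

/* Constructed queries: the reporter's broken one and a balanced one. */
static const char *BAD_SQL = "SELECT userid,passwd,'12345','0','99999','7','',','' FROM user";
static const char *OK_SQL  = "SELECT userid,passwd,'12345','0','99999','7','','' FROM user";
```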
