Bug 22530 - FAIL: nss/bug17079 due to _nss_sss_getpwuid_r
Summary: FAIL: nss/bug17079 due to _nss_sss_getpwuid_r
Alias: None
Product: glibc
Classification: Unclassified
Component: nss (show other bugs)
Version: 2.27
: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2017-11-29 17:50 UTC by H.J. Lu
Modified: 2017-12-05 11:07 UTC (History)
1 user (show)

See Also:
Last reconfirmed:
fweimer: security-


Note You need to log in before you can comment on or make changes to this bug.
Description H.J. Lu 2017-11-29 17:50:24 UTC
My /etc/nsswitch.conf has

passwd:      sss files systemd
shadow:     files sss
group:       sss files systemd

As the result, __getpwuid_r calls _nss_sss_getpwuid_r in
/lib64/libnss_sss.so.2 from sssd-client-1.16.0-2.fc27.x86_64 on Fedora 27.
_nss_sss_getpwuid_r in sssd-client-1.16.0 is incompatible with glibc 2.27
since it returns 34 which is well outside of

/* Possible results of lookup using a nss_* function.  */
enum nss_status

Change /etc/nsswitch.conf to

passwd:      files sss systemd
shadow:     files sss
group:       files sss systemd

makes the test to pass.
Comment 1 Carlos O'Donell 2017-11-29 18:25:42 UTC
241 enum nss_status _nss_sss_getpwuid_r(uid_t uid, struct passwd *result,
242                                     char *buffer, size_t buflen, int *errnop)
243 {
244     struct sss_cli_req_data rd;
245     struct sss_nss_pw_rep pwrep;
246     uint8_t *repbuf;
247     size_t replen, len;
248     uint32_t num_results;
249     enum nss_status nret;
250     uint32_t user_uid;
251     int ret;
253     /* Caught once glibc passing in buffer == 0x0 */
254     if (!buffer || !buflen) return ERANGE;

This is a bug in sssd. It can't return ERANGE since that's not a valid nss_status enumeration.
Comment 2 Carlos O'Donell 2017-11-29 18:27:11 UTC
(In reply to Carlos O'Donell from comment #1)
> This is a bug in sssd. It can't return ERANGE since that's not a valid
> nss_status enumeration.

I'm going to file a bug upstream, and with Fedora.

In the meantime the eventual solution here will be to move this test to the containerized testing we are putting together, at that point it will be distinct from the /etc/nsswitch.conf on your system.

Therefore I think that this test case is simply going to fail until you get a fixed sssd through your distribution.
Comment 3 Carlos O'Donell 2017-11-30 06:33:10 UTC
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff7a5a311 in __GI_abort () at abort.c:79
#2  0x00007ffff7a99c25 in __libc_message (action=action@entry=(do_abort | do_backtrace), 
    fmt=fmt@entry=0x7ffff7b9a3a1 "%s") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007ffff7a99c62 in __GI___libc_fatal (
    message=message@entry=0x7ffff7b9abef "illegal status in __nss_next")
    at ../sysdeps/posix/libc_fatal.c:191
#4  0x00007ffff7b36958 in __GI___nss_next2 (ni=ni@entry=0x7fffffffda70, 
    fct_name=fct_name@entry=0x7ffff7b98f7f "getpwuid_r", fct2_name=fct2_name@entry=0x0, 
    fctp=fctp@entry=0x7fffffffda78, status=status@entry=34, all_values=all_values@entry=0)
    at nsswitch.c:238
#5  0x00007ffff7ae3675 in __getpwuid_r (uid=0, resbuf=resbuf@entry=0x7fffffffdaf0, 
    buffer=buffer@entry=0x607c30 "", buflen=buflen@entry=0, result=result@entry=0x7fffffffdae8)
    at ../nss/getXXbyYY_r.c:385
#6  0x0000000000401742 in test_one (item=item@entry=0x6041a0 <test_items>, 
    buffer_size=buffer_size@entry=0, pad=pad@entry=0 '\000', padding_size=padding_size@entry=0)
    at bug17079.c:156
#7  0x000000000040195f in test_buffer_size (buffer_size=buffer_size@entry=0) at bug17079.c:202
#8  0x0000000000401b6c in do_test () at bug17079.c:221
#9  0x000000000040243b in support_test_main (argc=1, argv=0x7fffffffdd68, 
    config=config@entry=0x7fffffffdc30) at support_test_main.c:349
#10 0x0000000000401491 in main (argc=<optimized out>, argv=<optimized out>)
    at ../support/test-driver.c:164

So we abort with 'illegal status in __nss_next' which is OK, since it shows the NSS DSO is broken.

I have confirmed I can fix this by patching sssd's client NSS DSO, and I'm going to submit the pull request to fix this.
Comment 4 Carlos O'Donell 2017-11-30 07:02:02 UTC
Pull request filed with the fix.

Comment 5 Carlos O'Donell 2017-12-01 16:17:48 UTC
(In reply to Carlos O'Donell from comment #4)
> Pull request filed with the fix.
> https://pagure.io/SSSD/sssd/pull-request/3589

Now fixed in sssd master, and it should be going out to Fedora.


I'm marking this RESOLVED/INVALID since this is not a glibc bug, but an sssd bug in the handling of invalid buffer pointers and sizes.