public inbox for glibc-bugs@sourceware.org
* [Bug nss/29862] New: Core dump in the nss module
@ 2022-12-07  9:48 kircherlike at outlook dot com
  2022-12-07  9:58 ` [Bug nss/29862] " schwab@linux-m68k.org
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: kircherlike at outlook dot com @ 2022-12-07  9:48 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=29862

            Bug ID: 29862
           Summary: Core dump in the nss module
           Product: glibc
           Version: 2.34
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: nss
          Assignee: unassigned at sourceware dot org
          Reporter: kircherlike at outlook dot com
  Target Milestone: ---

Hi, maintainer of the community, I found that null pointers were not protected
in the following functions when I performed fault injection locally, causing
"Program terminated with signal SIGSEGV, Segmentation fault."

【log】:
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f273d642e5d in __GI___nss_lookup_function (fct_name=0x7f273d6c54a1
"getpwuid_r", ni=<optimized out>) at nsswitch.c:136
136       if (ni->module == NULL)

【Here's my modified patch】:
diff --git a/nss/nss_module.c b/nss/nss_module.c
index b28cb94a..bb2807e9 100644
--- a/nss/nss_module.c
+++ b/nss/nss_module.c
@@ -352,7 +352,7 @@ nss_load_all_libraries (enum nss_database service)
 {
   nss_action_list ni = NULL;

-  if (__nss_database_get (service, &ni))
+  if (__nss_database_get (service, &ni) && ni != NULL)
     while (ni->module != NULL)
       {
         __nss_module_load (ni->module);
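
Review bot: The added `ni != NULL` test in the `if` of nss_load_all_libraries lets a successful `__nss_database_get` that leaves `ni` NULL pass silently, so no modules are loaded for the service and nothing reports it. If that state can only come from a failure inside `__nss_database_get` (the report mentions fault injection), the fix belongs there, by having it report failure when it cannot produce a list; if a NULL list is meant to be a valid result, add a comment here saying so. The crash log in the report is at nsswitch.c:136, so please also state which trace shows this call site failing.
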
diff --git a/nss/nsswitch.c b/nss/nsswitch.c
index 6b7d4c78..c9d7e372 100644
--- a/nss/nsswitch.c
+++ b/nss/nsswitch.c
@@ -133,7 +133,7 @@ libc_hidden_def (__nss_next2)
 void *
 __nss_lookup_function (nss_action_list ni, const char *fct_name)
 {
-  if (ni->module == NULL)
+  if (ni == NULL || ni->module == NULL)
     return NULL;
   return __nss_module_get_function (ni->module, fct_name);
 }
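
Review bot: With `ni == NULL ||` added, `__nss_lookup_function` returns NULL for a null list pointer exactly as it already does for an entry whose `module` is NULL, so callers cannot tell a broken list from the end of a valid one. The guard stops the dereference at the reported line but does not explain how a null `ni` reached this function; please identify and fix the path that produced it, or, if a null list is to be accepted here, document that in a comment above the function.
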
-- 

Looking forward to your reply

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug nss/29862] Core dump in the nss module
From: schwab@linux-m68k.org @ 2022-12-07  9:58 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=29862

Andreas Schwab <schwab@linux-m68k.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2022-12-07
             Status|UNCONFIRMED                 |WAITING
     Ever confirmed|0                           |1

--- Comment #1 from Andreas Schwab <schwab@linux-m68k.org> ---
Where exactly does the failure happen?  When __nss_database_get returns
successfully, the resulting action list should never be null.


* [Bug nss/29862] Core dump in the nss module
From: kircherlike at outlook dot com @ 2022-12-08  1:52 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=29862

--- Comment #2 from kircher <kircherlike at outlook dot com> ---
(In reply to Andreas Schwab from comment #1)
> Where exactly does the failure happen?  When __nss_database_get returns
> successfully, the resulting action list should never be null.

【This is the complete gdb information】:
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-openEuler-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from kinit...
Reading symbols from
/usr/lib/debug//usr/bin/kinit-1.19.2-2.h11.eulerosv2r11.x86_64.debug...
[New LWP 52584]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib64/libthread_db.so.1".
Core was generated by `/usr/bin/kinit -R'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x00007f273d642e5d in __GI___nss_lookup_function (fct_name=0x7f273d6c54a1
"getpwuid_r", ni=<optimized out>) at nsswitch.c:136
136       if (ni->module == NULL)
(gdb) bt
#0  0x00007f273d642e5d in __GI___nss_lookup_function (fct_name=0x7f273d6c54a1
"getpwuid_r", ni=<optimized out>) at nsswitch.c:136
#1  __GI___nss_lookup (ni=ni@entry=0x7ffdfb77b698,
fct_name=fct_name@entry=0x7f273d6c54a1 "getpwuid_r",
fct2_name=fct2_name@entry=0x0, fctp=fctp@entry=0x7ffdfb77b6a0) at nsswitch.c:68
#2  0x00007f273d6440f7 in __GI___nss_passwd_lookup2
(ni=ni@entry=0x7ffdfb77b698, fct_name=fct_name@entry=0x7f273d6c54a1
"getpwuid_r", fct2_name=fct2_name@entry=0x0, fctp=fctp@entry=0x7ffdfb77b6a0)
    at XXX-lookup.c:58
#3  0x00007f273d5e4090 in __getpwuid_r (uid=uid@entry=0,
resbuf=resbuf@entry=0x7f273d705560 <resbuf>, buffer=0x55f15d3a90f0 "",
buflen=buflen@entry=1024, result=result@entry=0x7ffdfb77b6f0)
    at ../nss/getXXbyYY_r.c:265
#4  0x00007f273d5e39c3 in getpwuid (uid=0) at ../nss/getXXbyYY.c:134
#5  0x000055f15c043d55 in get_name_from_os () at kinit.c:52
#6  k5_begin (k5=0x7ffdfb77b780, opts=0x7ffdfb77b830) at kinit.c:539
#7  main (argc=<optimized out>, argv=0x7ffdfb77b780) at kinit.c:885


When locating the upper-layer function __nss_lookup_function, it is not found
that the input ni in the function is null.


* [Bug nss/29862] Core dump in the nss module
From: sam at gentoo dot org @ 2022-12-14  7:47 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=29862

Sam James <sam at gentoo dot org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sam at gentoo dot org
