Bug 34596 - ps segfaults when listing a process of a user with many groups
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: General
Version: UCS 3.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.2-2-errata
Assigned To: Philipp Hahn
QA Contact: Stefan Gohmann
URL: https://bugs.debian.org/cgi-bin/bugre...
Reported: 2014-04-17 13:59 CEST by Janis Meybohm
Modified: 2014-05-20 12:57 CEST
Description Janis Meybohm univentionstaff 2014-04-17 13:59:30 CEST
2014041421005138

<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704041>

A buffer of 1024 bytes is used to read the proc data. A process running as a user with many groups (201 in this case) can easily exceed this limit:

13:55:47.458263 read(6, "Name:\tsu\nState:\tS (sleeping)\nTgid:\t2606\nPid:\t2606\nPPid:\t2551\nTracerPid:\t0\nUid:\t2009\t2009\t2009\t2009\nGid:\t5001\t5001\t5001\t5001\nFDSize:\t256\nGroups:\t5001 5011 5012 5013 5014 5015 5017 5018 5019 5020 5021 5022 5023 5024 5025 5026 5027 5028 5029 5030 5031 5032 5033 5034 5035 5036 5037 5038 5039 5040 5041 5042 5043 5044 5045 5046 5047 5048 5049 5050 5051 5052 5053 5054 5055 5056 5057 5058 5059 5060 5061 5062 5063 5064 5065 5066 5067 5068 5069 5070 5071 5072 5073 5074 5075 5076 5077 5078 5079 5080 5081 5082 5083 5084 5085 5086 5087 5088 5089 5090 5091 5092 5093 5094 5095 5096 5097 5098 5099 5100 5101 5102 5103 5104 5105 5106 5107 5108 5109 5110 5111 5112 5113 5114 5115 5116 5117 5118 5119 5120 5121 5122 5123 5124 5125 5126 5127 5128 5129 5130 5131 5132 5133 5134 5135 5136 5137 5138 5139 5140 5141 5142 5143 5144 5145 5146 5147 5148 5149 5150 5151 5152 5153 5154 5155 5156 5157 5158 5159 5160 5161 5162 5163 5164 5165 5166 5167 5168 5169 5170 5171 5172 5173 5174 5175 5176 5177 5178 5179 5180 5181 5182 5183 5184 5185 5186", 1023) = 1023 <0.000244>
13:55:47.459041 close(6)                = 0 <0.000028>
13:55:47.460856 mmap(NULL, 135168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f02e5883000 <0.000020>
13:55:47.461697 mremap(0x7f02e5883000, 135168, 266240, MREMAP_MAYMOVE) = 0x7f02e526a000 <0.000030>
13:55:47.462697 mremap(0x7f02e526a000, 266240, 528384, MREMAP_MAYMOVE) = 0x7f02e51e9000 <0.000080>
13:55:47.464282 mremap(0x7f02e51e9000, 528384, 1052672, MREMAP_MAYMOVE) = 0x7f02e50e8000 <0.000081>
13:55:47.467605 mremap(0x7f02e50e8000, 1052672, 2101248, MREMAP_MAYMOVE) = 0x7f02e4ee7000 <0.000107>
13:55:47.473907 mremap(0x7f02e4ee7000, 2101248, 4198400, MREMAP_MAYMOVE) = 0x7f02e4ae6000 <0.000134>
13:55:47.486377 mremap(0x7f02e4ae6000, 4198400, 8392704, MREMAP_MAYMOVE) = 0x7f02e42e5000 <0.000159>
13:55:47.510956 mremap(0x7f02e42e5000, 8392704, 16781312, MREMAP_MAYMOVE) = 0x7f02e32e4000 <0.000217>
13:55:47.560361 mremap(0x7f02e32e4000, 16781312, 33558528, MREMAP_MAYMOVE) = 0x7f02e12e3000 <0.000329>
13:55:47.657348 mremap(0x7f02e12e3000, 33558528, 67112960, MREMAP_MAYMOVE) = 0x7f02dd2e2000 <0.000470>
13:55:47.851333 mremap(0x7f02dd2e2000, 67112960, 134221824, MREMAP_MAYMOVE) = 0x7f02d52e1000 <0.000822>
13:55:48.234673 mremap(0x7f02d52e1000, 134221824, 268439552, MREMAP_MAYMOVE) = 0x7f02c52e0000 <0.001344>
13:55:49.012486 mremap(0x7f02c52e0000, 268439552, 536875008, MREMAP_MAYMOVE) = 0x7f02a52df000 <0.002152>
13:55:50.569735 mremap(0x7f02a52df000, 536875008, 1073745920, MREMAP_MAYMOVE) = 0x7f02652de000 <0.004032>
13:55:54.017684 mremap(0x7f02652de000, 1073745920, 2147487744, MREMAP_MAYMOVE) = 0x7f01e52dd000 <0.014993>
13:56:02.472332 mremap(0x7f01e52dd000, 2147487744, 4096, MREMAP_MAYMOVE) = 0x7f01e52dd000 <0.118143>
13:56:02.590854 --- SIGSEGV (Segmentation fault) @ 0 (0) ---


procps 3.3.3-3 (backport from wheezy) fixed this.
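
The truncation described above, next to a bounded growing read, as an added example that is not procps code and not part of the original report. The function names, the constructed 201-group sample and the 1 MiB growth limit are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L   /* for fileno() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for /proc/PID/status of a user in `ngroups` groups. */
int sample_fd(int ngroups) {
    FILE *f = tmpfile();
    if (!f) return -1;
    fputs("Name:\tsu\nUid:\t2009\t2009\t2009\t2009\nGroups:\t", f);
    for (int i = 0; i < ngroups; i++) fprintf(f, "%d ", 5001 + i);
    fputs("\n", f);
    return (fflush(f) || lseek(fileno(f), 0, SEEK_SET) < 0) ? -1 : fileno(f);
}

/* Pattern from the strace: one read() into a fixed buffer, the rest is lost. */
ssize_t read_fixed(int fd, char *buf, size_t cap) {
    ssize_t n = read(fd, buf, cap - 1);
    buf[n < 0 ? 0 : n] = '\0';
    return n;
}

/* Growing read: double the buffer until EOF, but never beyond `max` bytes. */
char *read_all(int fd, size_t max, size_t *len) {
    size_t cap = 1024, used = 0;
    ssize_t n = -1;
    char *buf = malloc(cap), *tmp;
    while (buf && (n = read(fd, buf + used, cap - used - 1)) > 0) {
        used += (size_t)n;
        if (used + 1 < cap) continue;            /* room left, keep reading */
        if (cap * 2 > max || !(tmp = realloc(buf, cap * 2))) { n = -1; break; }
        buf = tmp; cap *= 2;
    }
    if (!buf || n < 0) { free(buf); return NULL; }
    buf[used] = '\0'; *len = used;               /* valid even for a 0-byte read */
    return buf;
}

/* 1 if the "Groups:" line is newline-terminated (not cut off), else 0. */
int groups_complete(const char *s) {
    return (s = strstr(s, "Groups:")) && strchr(s, '\n');
}

int main(void) {
    char old[1024]; size_t len = 0;
    read_fixed(sample_fd(201), old, sizeof old);
    char *all = read_all(sample_fd(201), 1 << 20, &len);
    printf("complete: fixed=%d growing=%d\n", groups_complete(old), all && groups_complete(all));
}
```

A parser that receives the fixed-buffer result sees a "Groups:" line with no terminating newline; checking for that terminator before parsing is a cheap way to detect the cut-off.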
Comment 1 Janis Meybohm univentionstaff 2014-05-05 17:29:04 CEST
Reported again 2014050521012378
Comment 2 Stefan Gohmann univentionstaff 2014-05-13 08:12:00 CEST
We should release this update for 3.2-1-errata and 3.2-2-errata.
Comment 3 Philipp Hahn univentionstaff 2014-05-19 13:35:29 CEST
r13102: Backported 4 patches from procps-ng-3.3.3 to procps-3.2.8 used by Debian-Squeeze/UCS-3.x.
95d0136 library: dynamic buffer management even more efficient
526bc5d library: avoid SEGV if file2str should read zero bytes
6d605f5 library: make dynamic buffer management more efficient
a45dace library: utility buffers now immune to buffer overflow
(7933435 ps: allow large list of groups)

ucs-3.2-2/doc/errata/staging/2014-05-16-nfs-utils.yaml
r50382 | Bug #34596 procps: Fix user with many groups SIGSEGV

Please note: the package was built in the older release errata3.2-*1* (to guarantee that it really works there too), but the YAML file is in the newer release ucs3.2-*2* (as a reference to future releases would look odd).

ucs-test case is WIP.
Comment 4 Philipp Hahn univentionstaff 2014-05-19 15:14:07 CEST
(In reply to Philipp Hahn from comment #3)
> ucs-test case is WIP.
r50389 | Bug #34596, Bug #34597 test: user with many groups
Comment 5 Stefan Gohmann univentionstaff 2014-05-20 08:24:17 CEST
YAML: OK

Tests: OK

Code: OK
Comment 6 Moritz Muehlenhoff univentionstaff 2014-05-20 12:57:07 CEST
http://errata.univention.de/ucs/3.2/113.html