Bug 44164 - crudesaml crashes slapd on i386
crudesaml crashes slapd on i386
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: SAML
UCS 4.2
i386 Linux
: P5 normal
: UCS 4.2
Assigned To: Philipp Hahn
Stefan Gohmann
: interim-4
Depends on: 43732 53448 53449
Blocks:
Reported: 2017-03-30 16:18 CEST by Philipp Hahn
Modified: 2021-06-15 16:41 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 7: Crash: Bug causes crash or data loss
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.600
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Philipp Hahn univentionstaff 2017-03-30 16:18:53 CEST
+++ This bug was initially created as a clone of Bug #43732 +++

slapd crashes on i386 @ billy:

(gdb) bt
#0  __strlen_sse2_bsf () at ../sysdeps/i386/i686/multiarch/strlen-sse2-bsf.S:50
#1  0xb7462bba in _sasl_add_string (out=0xadcee8f8, alloclen=0xadcee8fc, outlen=0xadcee900, 
    add=0x2 <error: Cannot access memory at address 0x2>) at ../../lib/common.c:193
#2  0xb7462fbd in _sasl_log (conn=0x971121f8, level=5, 
    fmt=0xb6be1c7c "SAML assertion condition NotBefore = %ld (%s)") at ../../lib/common.c:1961
#3  0xb6bdf269 in saml_log (params=0x971548d0, pri=<optimized out>, 
    fmt=0xb6be1c7c "SAML assertion condition NotBefore = %ld (%s)") at cy2_saml.c:89
#4  0xb6be02c8 in saml_check_assertion_dates (ctx=<optimized out>, lasso_assertion=<optimized out>, 
    params=<optimized out>) at saml.c:197
#5  saml_check_one_assertion (doc=<optimized out>, assertion=<optimized out>, userid=<optimized out>, 
    params=<optimized out>, ctx=<optimized out>) at saml.c:452
#6  saml_check_all_assertions (ctx=0xad7f3c30, params=0x971548d0, userid=0xadcfee78, 
    saml_msg=0x2 <error: Cannot access memory at address 0x2>, flags=0) at saml.c:562
#7  0xb6bdeb07 in saml_server_mech_step (conn_context=0xad7f3c30, params=0x971548d0, clientin=0x98b80ab2 "", 
    clientinlen=0, serverout=0x2, serveroutlen=0xadcfefac, oparams=0x97112a58) at cy2_saml.c:261
#8  0xb74694c0 in sasl_server_step (conn=0x971121f8, clientin=0x98b80ab2 "", clientinlen=10593, 
    serverout=0xadcfefb8, serveroutlen=0xadcfefac) at ../../lib/server.c:1618
#9  0xb74699cd in sasl_server_start (conn=0x971121f8, mech=0xad7b31f8 "SAML", clientin=0x98b80ab2 "", 
    clientinlen=10593, serverout=0xadcfefb8, serveroutlen=0xadcfefac) at ../../lib/server.c:1533
#10 0x8010d413 in slap_sasl_bind (op=0xad701e60, rs=0xadcff0c0) at ../../../../servers/slapd/sasl.c:1525
#11 0x800d7250 in fe_op_bind (op=0xad701e60, rs=0xadcff0c0) at ../../../../servers/slapd/bind.c:280
#12 0x800d6a91 in do_bind (op=0xad701e60, rs=0xadcff0c0) at ../../../../servers/slapd/bind.c:205
#13 0x800b85fc in connection_operation (ctx=0xadcff1b8, arg_v=0xad701e60)
    at ../../../../servers/slapd/connection.c:1155
#14 0x800b8a5c in connection_read_thread (ctx=0xadcff1b8, argv=0x38) at ../../../../servers/slapd/connection.c:1291
#15 0xb770b5e9 in ?? () from /usr/lib/i386-linux-gnu/libldap_r-2.4.so.2
#16 0xb7185ecb in start_thread (arg=0xadcffb40) at pthread_create.c:309
#17 0xb70bdd0e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129

(gdb) info all-registers
eax            0x0      0
ecx            0x2      2
edx            0x73     115
ebx            0xb7475dd4       -1220059692
esp            0xadcee890       0xadcee890
ebp            0x2c     0x2c
esi            0xadcee900       -1378948864
edi            0xb6be1c7c       -1229054852
eip            0xb7462bba       0xb7462bba <_sasl_add_string+42>
eflags         0x210287 [ CF PF SF IF RF ID ]
cs             0x73     115
ss             0x7b     123
ds             0x7b     123
es             0x7b     123
fs             0x0      0
gs             0x33     51

(gdb) disassemble
Dump of assembler code for function __strlen_sse2_bsf:
   0xb7055b70 <+0>:     push   %esi
   0xb7055b71 <+1>:     push   %edi
   0xb7055b72 <+2>:     mov    0xc(%esp),%edi
   0xb7055b76 <+6>:     xor    %eax,%eax
   0xb7055b78 <+8>:     mov    %edi,%ecx
   0xb7055b7a <+10>:    and    $0x3f,%ecx
   0xb7055b7d <+13>:    pxor   %xmm0,%xmm0
   0xb7055b81 <+17>:    cmp    $0x30,%ecx
   0xb7055b84 <+20>:    ja     0xb7055b9d <__strlen_sse2_bsf+45>
=> 0xb7055b86 <+22>:    movdqu (%edi),%xmm1
   0xb7055b8a <+26>:    pcmpeqb %xmm1,%xmm0
   0xb7055b8e <+30>:    pmovmskb %xmm0,%edx
   0xb7055b92 <+34>:    test   %edx,%edx
   0xb7055b94 <+36>:    jne    0xb7055c09 <__strlen_sse2_bsf+153>
   0xb7055b96 <+38>:    mov    %edi,%eax
   0xb7055b98 <+40>:    and    $0xfffffff0,%eax
   0xb7055b9b <+43>:    jmp    0xb7055bb7 <__strlen_sse2_bsf+71>
   0xb7055b9d <+45>:    mov    %edi,%eax
   0xb7055b9f <+47>:    and    $0xfffffff0,%eax
   0xb7055ba2 <+50>:    pcmpeqb (%eax),%xmm0
   0xb7055ba6 <+54>:    mov    $0xffffffff,%esi
   0xb7055bab <+59>:    sub    %eax,%ecx
   0xb7055bad <+61>:    shl    %cl,%esi
   0xb7055baf <+63>:    pmovmskb %xmm0,%edx
   0xb7055bb3 <+67>:    and    %esi,%edx
   0xb7055bb5 <+69>:    jne    0xb7055c07 <__strlen_sse2_bsf+151>
   0xb7055bb7 <+71>:    pxor   %xmm0,%xmm0
   0xb7055bbb <+75>:    pxor   %xmm1,%xmm1
   0xb7055bbf <+79>:    pxor   %xmm2,%xmm2
   0xb7055bc3 <+83>:    pxor   %xmm3,%xmm3
   0xb7055bc7 <+87>:    mov    %esi,%esi
   0xb7055bc9 <+89>:    lea    0x0(%edi,%eiz,1),%edi
   0xb7055bd0 <+96>:    pcmpeqb 0x10(%eax),%xmm0
   0xb7055bd5 <+101>:   pmovmskb %xmm0,%edx
   0xb7055bd9 <+105>:   test   %edx,%edx
   0xb7055bdb <+107>:   jne    0xb7055c11 <__strlen_sse2_bsf+161>
   0xb7055bdd <+109>:   pcmpeqb 0x20(%eax),%xmm1
   0xb7055be2 <+114>:   pmovmskb %xmm1,%edx
   0xb7055be6 <+118>:   test   %edx,%edx
   0xb7055be8 <+120>:   jne    0xb7055c1e <__strlen_sse2_bsf+174>
   0xb7055bea <+122>:   pcmpeqb 0x30(%eax),%xmm2
   0xb7055bef <+127>:   pmovmskb %xmm2,%edx
   0xb7055bf3 <+131>:   test   %edx,%edx
   0xb7055bf5 <+133>:   jne    0xb7055c2b <__strlen_sse2_bsf+187>
   0xb7055bf7 <+135>:   pcmpeqb 0x40(%eax),%xmm3
   0xb7055bfc <+140>:   pmovmskb %xmm3,%edx
   0xb7055c00 <+144>:   lea    0x40(%eax),%eax
   0xb7055c03 <+147>:   test   %edx,%edx
   0xb7055c05 <+149>:   je     0xb7055bd0 <__strlen_sse2_bsf+96>
   0xb7055c07 <+151>:   sub    %edi,%eax
   0xb7055c09 <+153>:   bsf    %edx,%edx
   0xb7055c0c <+156>:   add    %edx,%eax
   0xb7055c0e <+158>:   pop    %edi
   0xb7055c0f <+159>:   pop    %esi
   0xb7055c10 <+160>:   ret
   0xb7055c11 <+161>:   sub    %edi,%eax
   0xb7055c13 <+163>:   bsf    %edx,%edx
   0xb7055c16 <+166>:   add    %edx,%eax
   0xb7055c18 <+168>:   add    $0x10,%eax
   0xb7055c1b <+171>:   pop    %edi
   0xb7055c1c <+172>:   pop    %esi
   0xb7055c1d <+173>:   ret
   0xb7055c1e <+174>:   sub    %edi,%eax
   0xb7055c20 <+176>:   bsf    %edx,%edx
   0xb7055c23 <+179>:   add    %edx,%eax
   0xb7055c25 <+181>:   add    $0x20,%eax
   0xb7055c28 <+184>:   pop    %edi
   0xb7055c29 <+185>:   pop    %esi
   0xb7055c2a <+186>:   ret
   0xb7055c2b <+187>:   sub    %edi,%eax
   0xb7055c2d <+189>:   bsf    %edx,%edx
   0xb7055c30 <+192>:   add    %edx,%eax
   0xb7055c32 <+194>:   add    $0x30,%eax
   0xb7055c35 <+197>:   pop    %edi
   0xb7055c36 <+198>:   pop    %esi
   0xb7055c37 <+199>:   ret

The use of stdarg in cy2_saml.c is (probably) wrong.
Comment 1 Philipp Hahn univentionstaff 2017-03-31 15:38:45 CEST
* <http://c-faq.com/varargs/handoff.html>
* <https://www.gnu.org/software/gnulib/manual/html_node/Exported-Symbols-of-Shared-Libraries.html>
* <http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_MWG.html>
* <http://www.sendmail.org/~ca/email/cyrus2/plugprog.html>

r78560 | Bug #44164 saml: Fix SEGV on i386
r78559 | Bug #44164 saml: Fix SEGV on i386
 saml_log() now does the vsnprintf() itself
 fixed lots of plugin issues, e.g. not hiding symbols, linking to unneeded libraries, missing dependency information, using SONAME for PAM, FTBFS with new auto* tools, missing multi-arch awareness, ..

Package: crudesaml
Version: 1.5.0-5A~4.2.0.201703311449
Branch: ucs_4.2-0

IMPORTANT: crudesaml's upstream project is <https://ftp.espci.fr/pub/crudesaml/>. For UCS 4.2 the version was bumped; this has been reverted, so the correct version 1.5.0-x is lower than the interim version 2.0.0-y and you need to downgrade explicitly!
apt-get install {cy2-saml,pam-saml}{,-dbg}=1.5.0-5A~4.2.0.201703311449
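The hand-off described in comment 1 (saml_log() doing the vsnprintf() itself instead of forwarding its arguments), as an added C example that is not crudesaml's or UCS's code. backend_log(), last_log_message() and the context pointer are stand-ins for the SASL framework's logger; the sample values are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the framework's variadic logger (the role _sasl_log()
 * plays in frame #2 above); it keeps the last message for inspection. */
static char last_message[512];

static void backend_log(void *ctx, int level, const char *fmt, ...)
{
    va_list ap;
    (void)ctx; (void)level;
    va_start(ap, fmt);
    vsnprintf(last_message, sizeof last_message, fmt, ap);
    va_end(ap);
}

const char *last_log_message(void) { return last_message; }

/* WRONG hand-off (the pattern the fix removes): a va_list is not a
 * substitute for "...", so the callee interprets it as the first
 * argument.  On i386, where va_list is a pointer, %ld would consume
 * that pointer and %s the next stack slot, which is consistent with
 * the garbage add=0x2 in frame #1.
 *
 *     va_start(ap, fmt);
 *     backend_log(ctx, pri, fmt, ap);      // undefined behaviour
 *
 * RIGHT: expand the message here and forward it through a fixed "%s",
 * so a '%' inside the expanded text is never parsed as a directive. */
void saml_log(void *ctx, int pri, const char *fmt, ...)
{
    char buf[256];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);   /* truncates, never overflows */
    va_end(ap);
    backend_log(ctx, pri, "%s", buf);
}

int main(void)
{
    /* Constructed sample values; the format string is the one in frame #2. */
    saml_log(NULL, 5, "SAML assertion condition NotBefore = %ld (%s)",
             1490883493L, "2017-03-30T14:18:13Z");
    puts(last_log_message());
    return 0;
}
```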
Comment 2 Philipp Hahn univentionstaff 2017-03-31 17:19:05 CEST
r78563 | Bug #44164 saml: Re-add missing .so link

Package: crudesaml
Version: 1.5.0-6A~4.2.0.201703311555
Branch: ucs_4.2-0

apt-get install {cy2-saml,pam-saml}{,-dbg}=1.5.0-6*
saslpluginviewer -c -s -m SAML

# https://de.slideshare.net/gabturtle/bp104-saml
Comment 3 Stefan Gohmann univentionstaff 2017-03-31 21:09:51 CEST
The new version is installed on billy and it works. Great job!

SAML in my other test environments works as well.

Code review: OK
Comment 4 Stefan Gohmann univentionstaff 2017-03-31 21:10:28 CEST
@Timo: FYI

(In reply to Stefan Gohmann from comment #3)
> The new version is installed on billy and it works. Great job!
> 
> SAML in my other test environments works as well.
> 
> Code review: OK
Comment 5 Stefan Gohmann univentionstaff 2017-04-04 18:29:55 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".