On Wed, Oct 27, 2021 at 3:35 PM Richard W.M. Jones <rjones(a)redhat.com> wrote:
I have a habit of setting:

  export GLIBC_TUNABLES=glibc.malloc.check=1:glibc.malloc.perturb=99

which causes glibc to do extra malloc integrity checks. In Rawhide at
the moment I'm seeing memory corruption in calls like getpwnam and
gethostbyname. Unfortunately I don't have a simple reproducer yet,
but two example stack traces are below. I have the latest glibc and
systemd.

Questions: Has anyone seen this before, and what component should I
file the bug against?

Rich.

Core was generated by `tar -C /var/tmp/supermin36875b.tmpdir/base.d -xf -'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 malloc_check_get_size (mem=0x0)
    at /usr/src/debug/glibc-2.34.9000-15.fc36.x86_64/malloc/malloc-check.c:39
39        magic = (((uintptr_t) p >> 3) ^ ((uintptr_t) p >> 11)) & 0xFF;
(gdb) bt
#0 malloc_check_get_size (mem=0x0)
    at /usr/src/debug/glibc-2.34.9000-15.fc36.x86_64/malloc/malloc-check.c:39
#1 malloc_usable_size (mem=0x0) at malloc-debug.c:405
#2 0x00007f0eed847f1a in varlink_read (v=0x55c537e3e1c0)
    at ../src/shared/varlink.c:508
#3 varlink_process.isra.0 (v=0x55c537e3e1c0) at ../src/shared/varlink.c:959
#4 0x00007f0eed83790a in defer_callback (s=<optimized out>,
    userdata=<optimized out>) at ../src/shared/varlink.c:1862
#5 0x00007f0eed840e21 in source_dispatch (s=0x55c537e471c0)
    at ../src/libsystemd/sd-event/sd-event.c:3544
#6 0x00007f0eed834d4c in sd_event_dispatch (e=<optimized out>)
    at ../src/libsystemd/sd-event/sd-event.c:4078
#7 sd_event_run (timeout=18446744073709551615, e=<optimized out>)
    at ../src/libsystemd/sd-event/sd-event.c:4139
#8 userdb_process.part.0.lto_priv.0 (iterator=0x55c537e3e410,
    ret_user_record=0x7ffc22b7dd98, ret_group_record=0x0, ret_user_name=0x0,
    ret_group_name=0x0) at ../src/shared/userdb.c:594
#9 0x00007f0eed836212 in userdb_process (ret_group_name=0x0,
    ret_user_name=0x0, ret_group_record=0x0, ret_user_record=0x7ffc22b7dd98,
    iterator=0x55c537e3e410) at ../src/shared/userdb.c:530
#10 userdb_by_name (name=0x55c537e39109 "mockbuild", flags=9,
    ret=0x7ffc22b7dd98) at ../src/shared/userdb.c:640
#11 0x00007f0eed81cb2c in userdb_getpwnam (errnop=<synthetic pointer>,
    buflen=1024, buffer=0x55c537e37370 "debuginfod",
    pwd=0x7f0eee3ee520 <resbuf>, name=0x55c537e39109 "mockbuild")
    at ../src/nss-systemd/userdb-glue.c:20
#12 _nss_systemd_getpwnam_r (name=0x55c537e39109 "mockbuild",
    pwd=0x7f0eee3ee520 <resbuf>, buffer=0x55c537e37370 "debuginfod",
    buflen=1024, errnop=0x7f0eee143690) at ../src/nss-systemd/nss-systemd.c:330

This is your culprit ^^
It appears to be happening in nss_systemd.so.2