Bug 24588

Summary: xdm-1.1.9 core dump: vfprintf.c: No such file or directory.
Product: xorg
Component: App/xdm
Version: unspecified
Hardware: Other
OS: All
Status: RESOLVED FIXED
Severity: normal
Priority: medium
Reporter: Martin Mokrejs <mmokrejs>
Assignee: Xorg Project Team <xorg-team>
QA Contact: Xorg Project Team <xorg-team>
CC: remi
Attachments: crash-on-patch1.txt (flags: none)

Description Martin Mokrejs 2009-10-17 04:01:19 UTC
I have xserver-1.6.3.901 and xdm-1.1.9. When I enter my kerberos password xdm session dies. Please see the bug report at http://bugs.gentoo.org/show_bug.cgi?id=286923 and its attachments with the substring kerberos. In brief, linux-2.6.30.9 kernel with glibc-2.10.1:

(gdb) where
#0  0xb7c72258 in _IO_vfprintf_internal (s=0x80cbd58, format=0xb7fe4e04 "LOGIN FAILURE ON %s, %s", ap=0xbff938ac "\230\203\006\b\001") at vfprintf.c:1580
#1  0xb7d122e0 in ___vfprintf_chk (fp=0x80cbd58, flag=1, format=0xb7fe4e04 "LOGIN FAILURE ON %s, %s", ap=0xbff938ac "\230\203\006\b\001") at vfprintf_chk.c:35
#2  0xb7cfa9ae in __vsyslog_chk (pri=85, flag=1, fmt=0xb7fe4e04 "LOGIN FAILURE ON %s, %s", ap=0xbff938ac "\230\203\006\b\001") at ../misc/syslog.c:224
#3  0xb7cfadb6 in __syslog_chk (pri=85, flag=1, fmt=0xb7fe4e04 "LOGIN FAILURE ON %s, %s") at ../misc/syslog.c:131
#4  0xb7fe341a in GreetUser (d=0x8068298, dpy=0xbff93bbc, verify=0x8060d48, greet=0x8060d30, dlfuncs=0x80608e0) at /usr/include/bits/syslog.h:32
#5  0x08053b96 in ManageSession (d=0x8068298) at session.c:320
#6  0x080506b0 in StartDisplay (d=0x8068298) at dm.c:762
#7  0x0804fbdc in ForEachDisplay (f=0x805079e <CheckDisplayStatus>) at dpylist.c:54
#8  0x08051267 in main (argc=1, argv=0xbff941a4) at dm.c:630
(gdb) bt full
#0  0xb7c72258 in _IO_vfprintf_internal (s=0x80cbd58, format=0xb7fe4e04 "LOGIN FAILURE ON %s, %s", ap=0xbff938ac "\230\203\006\b\001") at vfprintf.c:1580
        len = <value optimized out>
        string_malloced = -1208070541
[cut]
Comment 1 Alan Coopersmith 2009-10-17 12:06:11 UTC
This appears to be a call from the FailedLogin() function in greeter/greet.c
to log the failed login:

    syslog(LOG_AUTHPRIV|LOG_NOTICE,
           "LOGIN FAILURE ON %s, %s",
           d->name, greet->name);

commit 58021c21c28fdb4949d44aa92e68874155842ccc tried to make sure that
greet->name was set to a valid string before calling that routine, but
it seems in your case to still be invalid.  FailedLogin() itself should
probably check for NULL for non-PAM authentication anyway, or for failure
of PAM to fill in the string:

diff --git a/greeter/greet.c b/greeter/greet.c
index 17d21c8..17d67b8 100644
--- a/greeter/greet.c
+++ b/greeter/greet.c
@@ -415,9 +415,14 @@ static void
 FailedLogin (struct display *d, struct greet_info *greet)
 {
 #ifdef USE_SYSLOG
+    char *username = greet->name;
+
+    if (username == NULL)
+       username = "username unavailable";
+
     syslog(LOG_AUTHPRIV|LOG_NOTICE,
           "LOGIN FAILURE ON %s, %s",
-          d->name, greet->name);
+          d->name, username);
 #endif
     DrawFail (login);
 #ifndef USE_PAM
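Review bot: the username == NULL test added at the top of FailedLogin() only covers a null greet->name; a non-NULL pointer that is stale or was never filled in still reaches the second %s in syslog(), so the code that sets greet->name needs the same scrutiny. Because username can be assigned the literal "username unavailable", it should also be declared const char *username rather than char *.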
Comment 2 Martin Mokrejs 2009-10-17 13:26:03 UTC
Created attachment 30509 [details]
crash-on-patch1.txt

Sorry but that does not help on valid password. I will try wrong password next time as well. ;)

Oct 17 22:14:42 vrapenec xdm[13475]: pam_unix(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=mmokrejs
Oct 17 22:14:44 vrapenec kernel: xdm[13475]: segfault at 1 ip b7bde258 sp bfd2684c error 4 in libc-2.10.1.so[b7b9e000+151000]



Login with valid local password results in

Oct 17 22:15:24 vrapenec xdm[13538]: pam_unix(xdm:session): session opened for user mmokrejs by mmokrejs(uid=0)
Comment 3 Daniel Stone 2009-10-17 22:09:47 UTC
On Sat, Oct 17, 2009 at 12:06:13PM -0700, bugzilla-daemon@freedesktop.org wrote:
> +    char *username = greet->name;
> +
> +    if (username == NULL)
> +       username = "username unavailable";

Won't this need to be a const char *, then?

Cheers,
Daniel
Comment 4 Alan Coopersmith 2010-03-16 08:54:21 UTC
(In reply to comment #2)
> Created an attachment (id=30509) [details]
> crash-on-patch1.txt
> 
> Sorry but that does not help on valid password. I will try wrong password next
> time as well. ;)

xdm doesn't call syslog on valid password - if it's crashing in that case,
then that's probably not the right stack trace (after all, if your password
is valid, why is it syslog'ing "LOGIN FAILURE ON...") or your kerberos/PAM
stack is broken.

I don't have a kerberos environment set up - if you want to solve this, 
you'll probably need to find someone who does have kerberos and can debug.
Comment 5 Alan Coopersmith 2010-03-16 11:24:40 UTC
(In reply to comment #3)
> On Sat, Oct 17, 2009 at 12:06:13PM -0700, bugzilla-daemon@freedesktop.org
> wrote:
> > +    char *username = greet->name;
> > +
> > +    if (username == NULL)
> > +       username = "username unavailable";
> 
> Won't this need to be a const char *, then?

Yeah, it should be.   I've fixed that and pushed this patch, since even
if it doesn't solve this bug, it protects against similar problems.

Comment 6 Martin Mokrejs 2010-03-16 12:37:56 UTC
(In reply to comment #4)
> (In reply to comment #2)
> > Created an attachment (id=30509) [details] [details]
> > crash-on-patch1.txt
> > 
> > Sorry but that does not help on valid password. I will try wrong password next
> > time as well. ;)
> 
> xdm doesn't call syslog on valid password - if it's crashing in that case,
> then that's probably not the right stack trace (after all, if your password
> is valid, why is it syslog'ing "LOGIN FAILURE ON...") or your kerberos/PAM
> stack is broken.
> 
> I don't have a kerberos environment set up - if you want to solve this, 
> you'll probably need to find someone who does have kerberos and can debug.
> 

Remember both passwords are tried (local and kerberos). The order is defined by /etc/pam.d/ files. If the first method fails, the other is tried.

Some startup where maybe some return values are listed ...
http://www.eyrie.org/~eagle/software/pam-krb5/


Install kerberos locally, it is easy. Just go for http://www.h5l.org/, ./configure, install into /usr/heimdal (default), create a master password for the password database, start kdc, install the pam module.

Comment 7 Alan Coopersmith 2010-03-16 12:47:46 UTC
(In reply to comment #6)
> Install kerberos locally, it is easy. Just go for http://www.h5l.org/,

Thanks, but the OS I use already has kerberos support built in.
I still don't have time to configure a server & client right now,
so will leave this for someone else who does to debug.
Comment 8 horst.wente 2010-03-24 12:44:34 UTC
On my Linux box xdm-1.1.9 crashes on _session exit_ , but with ( almost ) the same call stack so I assume there is some relation ...

I could not totally follow the events yet, but it seems that the culprit
is  the call to `openlog' in the greeter library:
The ident-string is a constant stored in the greeter library and the
reference is passed to the logger, who stores it for later use.
However, the greeter lib is unloaded shortly afterwards and the
pointer turns invalid.

The next call to a syslog ( after unloading the greeter lib ) then
seems only to happen from
      ManageSession->SessionExit->pam_close_session
and I constantly get a segfault with no xdm left.

In the glibc manual page for openlog(3) I found:

>     Please note that the string pointer IDENT will be retained
>     internally by the Syslog routines.  You must not free the memory
>     that IDENT points to.  It is also dangerous to pass a reference to
>     an automatic variable since leaving the scope would mean ending the
>     lifetime of the variable.  If you want to change the IDENT string,
>     you must call `openlog' again; overwriting the string pointed to by
>     IDENT is not thread-safe.
>
>      ...
>
> !!  In particular, if you are writing code for a shared library that
> !!  might get loaded and then unloaded (e.g. a PAM module), and you
> !!  use `openlog', you must call `closelog' before any point where
> !!  your library might get unloaded, as in this example:


Indeed all works fine after I moved the call to `openlog' from the
greeter lib to the main xdm part.

maybe this helps ?

horst wente


Configuration:
- Linux 2.6.27
- xdm 1.1.9
- Linux-PAM 1.1.1
- glibc 2.10.1
- gcc 4.4.2
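
The ident lifetime problem described in comment 8, as an added example that is not xdm's code and not the fix from any commit in this report: openlog(3) keeps the caller's pointer, so the ident must live in storage that outlives the library. The names log_open_owned, greeter_like_init and greeter_like_fini are hypothetical, and a stack buffer stands in for constants of a library that gets unloaded.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Lives in the main program image, so it stays mapped for the whole
 * process lifetime regardless of which libraries come and go. */
static char retained_ident[64];

/* Hypothetical helper (not an xdm function): copy the ident into
 * main-program storage before openlog(3) retains the pointer. */
const char *log_open_owned(const char *ident, int option, int facility)
{
    closelog();   /* make syslog drop any pointer it retained earlier */
    snprintf(retained_ident, sizeof retained_ident, "%s",
             ident != NULL ? ident : "unknown");
    openlog(retained_ident, option, facility);
    return retained_ident;
}

/* Stand-in for greeter-library code: its ident buffer stops being
 * valid when this function returns, as a library's constants do when
 * the library is unloaded. */
const char *greeter_like_init(void)
{
    char ident[] = "xdm";
    const char *kept = log_open_owned(ident, LOG_PID, LOG_AUTHPRIV);
    memset(ident, 0, sizeof ident);   /* model the storage going away */
    return kept;
}

/* The alternative the quoted manual text prescribes for a library that
 * must call openlog() itself: closelog() before it can be unloaded. */
void greeter_like_fini(void)
{
    closelog();
}

int main(void)
{
    const char *kept = greeter_like_init();
    /* The ident syslog holds is intact although the caller's copy is gone. */
    syslog(LOG_NOTICE, "ident retained by syslog: %s", kept);
    greeter_like_fini();
    return 0;
}
```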
Comment 9 Julien Cristau 2010-04-09 18:43:30 UTC
(In reply to comment #8)
> On my Linux box xdm-1.1.9 crashes on _session exit_ , but with ( almost ) the
> same call stack so I assume there is some relation ...
> 
> I could not totally follow the events yet, but it seems that the culprit
> is  the call to `openlog' in the greeter library:
> The ident-string is a constant stored in the greeter library and the
> reference is passed to the logger, who stores it for later use.
> However, the greeter lib is unloaded shortly afterwards and the
> pointer turns invalid.
> 
this one should be fixed by:

commit ecf015a4e78b96af913c1620d542c8e356f2a3d0
Author: Dmitry V. Levin <ldv@altlinux.org>
Date:   Mon Jan 11 23:09:47 2010 +0000

    Call openlog(3) early
Comment 10 Julien Cristau 2010-04-10 05:55:33 UTC
Do you still get this crash with xdm 1.1.10?
Comment 11 Martin Mokrejs 2010-04-11 14:59:35 UTC
No, it seems to be fixed with 1.1.10. It seems I have some PAM issue, though, as I cannot log in using kerberos password.


Just as a note, maybe the text to be logged is not always flushed into the syslog? Below is the log generated for 3 attempts to log in using kerberos password:

Apr 11 23:46:53 vrapenec xdm[8284]: pam_unix(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=mmokrejs
Apr 11 23:46:55 vrapenec xdm[8284]: LOGIN FAILURE ON :0, mmokrejs
Apr 11 23:47:16 vrapenec xdm[8284]: pam_unix(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=mmokrejs
Apr 11 23:47:18 vrapenec xdm[8284]: LOGIN FAILURE ON :0, 
Apr 11 23:48:40 vrapenec xdm[8284]: pam_unix(xdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=mmokrejs
Apr 11 23:48:41 vrapenec xdm[8284]: LOGIN FAILURE ON :0, <B8>^CL<B7>
