• Bug#1067639: sasl2-bin: terminates with smashed stack and kills qemu-us

    From Thorsten Glaser@21:1/5 to All on Sun Mar 24 22:10:01 2024
    XPost: linux.debian.ports.68k

    Package: sasl2-bin
    Version: 2.1.28+dfsg1-5
    X-Debbugs-Cc: tg@mirbsd.de, debian-68k@lists.debian.org

    The openldap build on an m68k qemu-user buildd cannot install sasl2-bin in the chroot:

    […]
    Setting up pkg-config:m68k (1.8.1-1) ...
    Setting up libsasl2-2:m68k (2.1.28+dfsg1-5) ...
    Setting up libsasl2-modules-gssapi-mit:m68k (2.1.28+dfsg1-5) ...
    Setting up unixodbc-dev:m68k (2.3.12-1+b1) ...
    Setting up libgnutls28-dev:m68k (3.8.3-1.1+b2) ...
    Setting up libhcrypto5t64-heimdal:m68k (7.8.git20221117.28daf24+dfsg-5+b2) ...
    Setting up libotp0t64-heimdal:m68k (7.8.git20221117.28daf24+dfsg-5+b2) ...
    Setting up db-util (5.3.3) ...
    Setting up bind9-libs:m68k (1:9.19.21-1+b1) ...
    Setting up libsl0t64-heimdal:m68k (7.8.git20221117.28daf24+dfsg-5+b2) ...
    Setting up sasl2-bin (2.1.28+dfsg1-5) ...
    *** stack smashing detected ***: terminated
    qemu: uncaught target signal 6 (Aborted) - core dumped
    Aborted
    dpkg: error processing package sasl2-bin (--configure):
    installed sasl2-bin package post-installation script subprocess returned error exit status 134
    Setting up libperl-dev:m68k (5.38.2-3.2+b1) ...
    Setting up libsasl2-dev (2.1.28+dfsg1-5) ...
    Setting up libgssrpc4t64:m68k (1.20.1-6+b1) ...
    Setting up libhx509-5t64-heimdal:m68k (7.8.git20221117.28daf24+dfsg-5+b2) ...
    dpkg: dependency problems prevent configuration of sbuild-build-depends-main-dummy:
    sbuild-build-depends-main-dummy depends on sasl2-bin; however:
    Package sasl2-bin is not configured yet.

    dpkg: error processing package sbuild-build-depends-main-dummy (--configure):
    dependency problems - leaving unconfigured
    […]
    Unpacking sbuild-build-depends-dose3-dummy (0.invalid.0) ...
    Setting up sasl2-bin (2.1.28+dfsg1-5) ...
    BDB0002 __fop_file_setup: Retry limit (100) exceeded
    saslpasswd2: generic failure
    dpkg: error processing package sasl2-bin (--configure):
    installed sasl2-bin package post-installation script subprocess returned error exit status 1
    […]

    See: https://buildd.debian.org/status/fetch.php?pkg=openldap&arch=m68k&ver=2.5.16%2Bdfsg-2%2Bb2&stamp=1711312418&raw=0

    This does not seem to be specific to one buildd.
    Any idea how this can be debugged?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Thorsten Glaser@21:1/5 to All on Sun Mar 24 22:40:01 2024
    Dixi quod…

    The openldap build on an m68k qemu-user buildd cannot install sasl2-bin in the chroot:

    OK, it’s not qemu. On ARAnyM (Atari):

    […]
    Setting up libldap-2.5-0:m68k (2.5.16+dfsg-2+b1) ...
    Setting up sasl2-bin (2.1.28+dfsg1-5) ...
    *** stack smashing detected ***: terminated
    Aborted
    dpkg: error processing package sasl2-bin (--configure):
    installed sasl2-bin package post-installation script subprocess returned error exit status 134
    Processing triggers for libc-bin (2.37-15.1+b1) ...
    Processing triggers for man-db (2.12.0-3+b2) ...
    Not building database; man-db/auto-update is not 'true'.
    Errors were encountered while processing:
    sasl2-bin
    E: Sub-process /usr/bin/dpkg returned an error code (1)


    bye,
    //mirabilos
    --
    22:20⎜<asarch> The crazy that persists in his craziness becomes a master
    22:21⎜<asarch> And the distance between the craziness and geniality is
    only measured by the success
    18:35⎜<asarch> "Psychotics are consistently inconsistent. The essence of sanity is to be inconsistently inconsistent

  • From Thorsten Glaser@21:1/5 to All on Sun Mar 24 22:50:01 2024
    Dixi quod…

    OK, it’s not qemu. On ARAnyM (Atari):

    I was able to strace this:

    (pbuild-31733)root@ara2:/# echo '!' | strace -f saslpasswd2 -c 'no:such:user'
    execve("/usr/sbin/saslpasswd2", ["saslpasswd2", "-c", "no:such:user"], 0xefd2a90c /* 52 vars */) = 0
    brk(NULL) = 0xd0005000
    openat(AT_FDCWD, "/usr/lib/libeatmydata/libeatmydata.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    statx(AT_FDCWD, "/usr/lib/libeatmydata", AT_STATX_SYNC_AS_STAT|AT_NO_AUTOMOUNT, STATX_BASIC_STATS, 0xef935c28) = -1 ENOENT (No such file or directory)
    openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3 statx(3, "", AT_STATX_SYNC_AS_STAT|AT_NO_AUTOMOUNT|AT_EMPTY_PATH, STATX_BASIC_STATS, {stx_mask=STATX_BASIC_STATS|STATX_MNT_ID, stx_attributes=0, stx_mode=S_IFREG|0644, stx_size=6940, ...}) = 0
    mmap2(NULL, 6940, PROT_READ, MAP_PRIVATE, 3, 0) = 0xc0024000
    close(3) = 0
    openat(AT_FDCWD, "/lib/m68k-linux-gnu/libeatmydata.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
    read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\4\0\0\0\1\0\0\0\0\0\0\0004"..., 512) = 512
    statx(3, "", AT_STATX_SYNC_AS_STAT|AT_NO_AUTOMOUNT|AT_EMPTY_PATH, STATX_BASIC_STATS, {stx_mask=STATX_BASIC_STATS|STATX_MNT_ID, stx_attributes=0, stx_mode=S_IFREG|0644, stx_size=9460, ...}) = 0
    mmap2(NULL, 24584, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xc0026000
    mmap2(0xc0026000, 16392, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0xc0026000
    munmap(0xc002b000, 4104) = 0
    mprotect(0xc0027000, 8192, PROT_NONE) = 0
    mmap2(0xc0029000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0xc0029000
    close(3) = 0
    openat(AT_FDCWD, "/usr/lib/cowdancer/libcowdancer.so", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
    read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\4\0\0\0\1\0\0\34\4\0\0\0004"..., 512) = 512
    statx(3, "", AT_STATX_SYNC_AS_STAT|AT_NO_AUTOMOUNT|AT_EMPTY_PATH, STATX_BASIC_STATS, {stx_mask=STATX_BASIC_STATS|STATX_MNT_ID, stx_attributes=0, stx_mode=S_IFREG|0644, stx_size=25936, ...}) = 0
    mmap2(NULL, 41044, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xc002b000
    mmap2(0xc002c000, 32852, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0xc002c000
    munmap(0xc002b000, 4096) = 0
    munmap(0xc0035000, 84) = 0
    mprotect(0xc0031000, 8192, PROT_NONE) = 0
    mmap2(0xc0033000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x5000) = 0xc0033000
    close(3) = 0
    access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory) openat(AT_FDCWD, "/lib/m68k-linux-gnu/libsasl2.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
    read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\4\0\0\0\1\0\0\0\0\0\0\0004"..., 512) = 512
    statx(3, "", AT_STATX_SYNC_AS_STAT|AT_NO_AUTOMOUNT|AT_EMPTY_PATH, STATX_BASIC_STATS, {stx_mask=STATX_BASIC_STATS|STATX_MNT_ID, stx_attributes=0, stx_mode=S_IFREG|0644, stx_size=91752, ...}) = 0
    mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xc0035000
    mmap2(NULL, 98724, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xc0037000
    mmap2(0xc0038000, 90532, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0xc0038000
    munmap(0xc0037000, 4096) = 0
    munmap(0xc004f000, 420) = 0
    mprotect(0xc004c000, 4096, PROT_NONE) = 0
    mmap2(0xc004d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15000) = 0xc004d000
    close(3) = 0
    openat(AT_FDCWD, "/lib/m68k-linux-gnu/libc.so.6", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
    read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\4\0\0\0\1\0\2\320\210\0\0\0004"..., 512) = 512
    statx(3, "", AT_STATX_SYNC_AS_STAT|AT_NO_AUTOMOUNT|AT_EMPTY_PATH, STATX_BASIC_STATS, {stx_mask=STATX_BASIC_STATS|STATX_MNT_ID, stx_attributes=0, stx_mode=S_IFREG|0755, stx_size=1535504, ...}) = 0
    mmap2(NULL, 1585296, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xc004f000
    mmap2(0xc0050000, 1577104, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0xc0050000
    munmap(0xc004f000, 4096) = 0
    munmap(0xc01d2000, 144) = 0
    mprotect(0xc01c1000, 4096, PROT_NONE) = 0
    mmap2(0xc01c2000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x170000) = 0xc01c2000
    mmap2(0xc01c8000, 37008, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xc01c8000
    close(3) = 0
    openat(AT_FDCWD, "/lib/m68k-linux-gnu/libdl.so.2", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
    read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\4\0\0\0\1\0\0\0\0\0\0\0004"..., 512) = 512
    statx(3, "", AT_STATX_SYNC_AS_STAT|AT_NO_AUTOMOUNT|AT_EMPTY_PATH, STATX_BASIC_STATS, {stx_mask=STATX_BASIC_STATS|STATX_MNT_ID, stx_attributes=0, stx_mode=S_IFREG|0644, stx_size=9528, ...}) = 0
    mmap2(NULL, 24636, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xc01d2000
    mmap2(0xc01d2000, 16444, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0xc01d2000
    munmap(0xc01d7000, 4156) = 0
    mprotect(0xc01d3000, 8192, PROT_NONE) = 0
    mmap2(0xc01d5000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1000) = 0xc01d5000
    close(3) = 0
    openat(AT_FDCWD, "/lib/m68k-linux-gnu/libcrypto.so.3", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
    read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\4\0\0\0\1\0\0\0\0\0\0\0004"..., 512) = 512
    statx(3, "", AT_STATX_SYNC_AS_STAT|AT_NO_AUTOMOUNT|AT_EMPTY_PATH, STATX_BASIC_STATS, {stx_mask=STATX_BASIC_STATS|STATX_MNT_ID, stx_attributes=0, stx_mode=S_IFREG|0644, stx_size=3233116, ...}) = 0
    mmap2(NULL, 3257192, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xc01d7000
    mmap2(0xc01d8000, 3249000, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0xc01d8000
    munmap(0xc01d7000, 4096) = 0
    munmap(0xc04f2000, 872) = 0
    mprotect(0xc04b5000, 8192, PROT_NONE) = 0
    mmap2(0xc04b7000, 229376, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2dd000) = 0xc04b7000
    mmap2(0xc04ef000, 9064, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xc04ef000
    close(3) = 0
    openat(AT_FDCWD, "/lib/m68k-linux-gnu/libatomic.so.1", O_RDONLY|O_LARGEFILE|O_CLOEXEC) = 3
    read(3, "\177ELF\1\2\1\0\0\0\0\0\0\0\0\0\0\3\0\4\0\0\0\1\0\0\0\0\0\0\0004"..., 512) = 512
    statx(3, "", AT_STATX_SYNC_AS_STAT|AT_NO_AUTOMOUNT|AT_EMPTY_PATH, STATX_BASIC_STATS, {stx_mask=STATX_BASIC_STATS|STATX_MNT_ID, stx_attributes=0, stx_mode=S_IFREG|0644, stx_size=17684, ...}) = 0
    mmap2(NULL, 36944, PROT_NONE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xc04f2000
    mmap2(0xc04f2000, 28752, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0xc04f2000
    munmap(0xc04fa000, 4176) = 0
    mprotect(0xc04f5000, 8192, PROT_NONE) = 0
    mmap2(0xc04f7000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3000) = 0xc04f7000
    mmap2(0xc04f9000, 80, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xc04f9000
    close(3) = 0
    mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xc04fa000
    set_thread_area(0xc0501500) = 0
    get_thread_area() = 0xc0501500
    set_tid_address(0xc04fa088) = 32759
    set_robust_list(0xc04fa08c, 12) = 0
    mprotect(0xc01c2000, 8192, PROT_READ) = 0
    mprotect(0xc04f7000, 4096, PROT_READ) = 0
    mprotect(0xc04b7000, 225280, PROT_READ) = 0
    mprotect(0xc01d5000, 4096, PROT_READ) = 0
    mprotect(0xc004d000, 4096, PROT_READ) = 0
    mprotect(0xc0033000, 4096, PROT_READ) = 0
    mprotect(0xc0029000, 4096, PROT_READ) = 0
    mprotect(0xd0003000, 4096, PROT_READ) = 0
    mprotect(0xc0021000, 4096, PROT_READ) = 0
    get_thread_area() = 0xc0501500
    ugetrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0
    get_thread_area() = 0xc0501500
    munmap(0xc0024000, 6940) = 0
    get_thread_area() = 0xc0501500
    get_thread_area() = 0xc0501500
    getrandom("\xc8\xdc\x59\x4a", 4, GRND_NONBLOCK) = 4
    get_thread_area() = 0xc0501500
    brk(NULL) = 0xd0005000
    brk(0xd0026000) = 0xd0026000
    get_thread_area() = 0xc0501500
    openat(AT_FDCWD, "/.ilist", O_RDONLY) = 3
    fstat64(3, {st_mode=S_IFREG|0644, st_size=155056, ...}) = 0
    mmap2(NULL, 155056, PROT_READ, MAP_PRIVATE, 3, 0) = 0xc04fc000
    get_thread_area() = 0xc0501500
    close(3) = 0
    sched_yield() = 0
    get_thread_area() = 0xc0501500
    uname({sysname="Linux", nodename="ara2.mirbsd.org", ...}) = 0
    get_thread_area() = 0xc0501500
    getuid32() = 0
    geteuid32() = 0
    getgid32() = 0
    getegid32() = 0
    get_thread_area() = 0xc0501500
    openat(AT_FDCWD, "/etc/sasl2/saslpasswd.conf", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
    get_thread_area() = 0xc0501500
    openat(AT_FDCWD, "/etc/sasl/saslpasswd.conf", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
    get_thread_area() = 0xc0501500
    openat(AT_FDCWD, "/usr/lib/m68k-linux-gnu/sasl2/saslpasswd.conf", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
    get_thread_area() = 0xc0501500
    openat(AT_FDCWD, "/usr/lib/sasl2/saslpasswd.conf", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
    get_thread_area() = 0xc0501500
    getuid32() = 0
    geteuid32() = 0
    getgid32() = 0
    getegid32() = 0
    get_thread_area() = 0xc0501500
    openat(AT_FDCWD, "/usr/lib/m68k-linux-gnu/sasl2", O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_CLOEXEC|O_DIRECTORY) = 3
    statx(3, "", AT_STATX_SYNC_AS_STAT|AT_NO_AUTOMOUNT|AT_EMPTY_PATH, STATX_BASIC_STATS, {stx_mask=STATX_BASIC_STATS|STATX_MNT_ID, stx_attributes=0, stx_mode=S_IFDIR|0755, stx_size=4096, ...}) = 0
    get_thread_area() = 0xc0501500
    getdents64(3, 0xd0006644 /* 5 entries */, 32768) = 160
    get_thread_area() = 0xc0501500

    [continued in next message]

  • From Bernhard Übelacker@21:1/5 to Thorsten Glaser on Sat Apr 13 02:40:01 2024
    Hello,
    I tried to find some more information, with the help of a prebuilt full-system VM image.


    On Thu, 4 Apr 2024 21:00:59 +0000 (UTC) Thorsten Glaser <tg@mirbsd.de> wrote:
    Sometimes, it does not crash with a smashed stack but instead:

    Setting up sasl2-bin (2.1.28+dfsg1-6+b1) ...
    BDB0002 __fop_file_setup: Retry limit (100) exceeded
    saslpasswd2: generic failure

    This looks to be a result of the pre-existing /etc/__db.sasldb2.
    If this file gets removed the stack smashing occurs again.

    By some experimenting I could convince gdb to load the debug symbols.
    And the stack seems to point into function __os_unique_id from libdb-5.3.so.

    Unfortunately I am not sure where the canary gets overwritten.

    Kind regards,
    Bernhard





    https://people.debian.org/~gio/dqib/
    https://gitlab.com/giomasce/dqib/-/artifacts
    https://gitlab.com/giomasce/dqib/-/jobs/6565595565/artifacts/download?file_type=archive


    apt install gdb sasl2-bin sasl2-bin-dbgsym libsasl2-2-dbgsym libsasl2-modules-db-dbgsym
    apt install libc6-dbg libc6-dbgsym db-util db5.3-util libldap-2.5-0 libldap-common libsasl2-2 libsasl2-2-dbgsym libsasl2-modules libsasl2-modules-db


    export DEBUGINFOD_URLS="https://debuginfod.debian.net"

    rm /etc/__db.sasldb2
    echo -e "test\ntest" > exclam

    gdb -q
    file /usr/sbin/saslpasswd2
    run -c 'no:such:user' <exclam




    root@debian:~# rm /etc/__db.sasldb2
    root@debian:~# gdb -q
    (gdb) file /usr/sbin/saslpasswd2
    Reading symbols from /usr/sbin/saslpasswd2...

    This GDB supports auto-downloading debuginfo from the following URLs:
    <https://debuginfod.debian.net>
    Enable debuginfod for this session? (y or [n]) y
    Debuginfod has been enabled.
    To make this setting permanent, add 'set debuginfod enabled on' to .gdbinit.
    Downloading separate debug info for /usr/sbin/saslpasswd2
    (No debugging symbols found in /usr/sbin/saslpasswd2)
    (gdb) run -c 'no:such:user' <exclam
    Starting program: /usr/sbin/saslpasswd2 -c 'no:such:user' <exclam

    *** stack smashing detected ***: terminated

    Program received signal SIGABRT, Aborted.
    0xc00c1a88 in ?? ()
    (gdb) info inferior
    Num Description Connection Executable
    * 1 process 10276 1 (native) /usr/sbin/saslpasswd2
    (gdb) shell cat /proc/10276/maps | grep -i -E "^c00c"
    (gdb) shell cat /proc/10276/maps | grep -i -E "^c00"
    c0000000-c0020000 r-xp 00000000 08:01 535730 /usr/lib/m68k-linux-gnu/ld.so.1
    c0020000-c0021000 rw-p 00000000 00:00 0
    c0021000-c0022000 r--p 00021000 08:01 535730 /usr/lib/m68k-linux-gnu/ld.so.1
    c0022000-c0024000 rw-p 00022000 08:01 535730 /usr/lib/m68k-linux-gnu/ld.so.1
    c0028000-c003c000 r-xp 00000000 08:01 539155 /usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
    c003c000-c003d000 ---p 00014000 08:01 539155 /usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
    c003d000-c003e000 r--p 00015000 08:01 539155 /usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
    c003e000-c003f000 rw-p 00016000 08:01 539155 /usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
    c0040000-c01b1000 r-xp 00000000 08:01 535733 /usr/lib/m68k-linux-gnu/libc.so.6
    (gdb) shell objdump --all-headers /usr/lib/m68k-linux-gnu/libc.so.6 | grep .text
    12 .text 00113e10 0002cbd0 0002cbd0 0002cbd0 2**2
    (gdb) print/x 0x2cbd0 + 0xc0040000
    $1 = 0xc006cbd0
    (gdb) add-symbol-file /usr/lib/m68k-linux-gnu/libc.so.6 0xc006cbd0
    add symbol table from file "/usr/lib/m68k-linux-gnu/libc.so.6" at
    .text_addr = 0xc006cbd0
    (y or n) y
    Reading symbols from /usr/lib/m68k-linux-gnu/libc.so.6...
    Reading symbols from /usr/lib/debug/.build-id/5b/0cdf602093304a2dff92c43c45773f6114d4b6.debug...
    warning: td_ta_new failed: generic error
    warning: File "/usr/lib/m68k-linux-gnu/libthread_db.so.1" auto-loading has been declined by your `auto-load safe-path' set to "$debugdir:$datadir/auto-load".
    To enable execution of this file add
    add-auto-load-safe-path /usr/lib/m68k-linux-gnu/libthread_db.so.1
    line to your configuration file "/root/.config/gdb/gdbinit".
    To completely disable this security protection add
    set auto-load safe-path /
    line to your configuration file "/root/.config/gdb/gdbinit".
    For more information about this security protection see the
    "Auto-loading safe path" section in the GDB manual. E.g., run from the shell:
    info "(gdb)Auto-loading safe path"
    warning: Unable to find libthread_db matching inferior's thread library, thread debugging will not be available.
    (gdb) bt
    ...
    #7 0xc0145524 in __stack_chk_fail () at stack_chk_fail.c:24
    #8 0xc0755bd6 in ?? ()
    #9 0x00000000 in ?? ()
    (gdb) shell cat /proc/10276/maps | grep -i -E "^c07"
    c0784000-c0788000 r--p 00178000 08:01 533929 /usr/lib/m68k-linux-gnu/libdb-5.3.so
    c0788000-c078e000 rw-p 0017c000 08:01 533929 /usr/lib/m68k-linux-gnu/libdb-5.3.so
    c078e000-c0796000 r-xp 00000000 08:01 539187 /usr/lib/m68k-linux-gnu/sasl2/libscram.so.2.0.25
    c0796000-c0797000 ---p 00008000 08:01 539187 /usr/lib/m68k-linux-gnu/sasl2/libscram.so.2.0.25
    c0797000-c0798000 r--p 00009000 08:01 539187 /usr/lib/m68k-linux-gnu/sasl2/libscram.so.2.0.25
    c0798000-c0799000 rw-p 0000a000 08:01 539187 /usr/lib/m68k-linux-gnu/sasl2/libscram.so.2.0.25
    (gdb) shell cat /proc/10276/maps | grep -i -E "^c06"
    c0600000-c0601000 rw-p 00004000 08:01 539181 /usr/lib/m68k-linux-gnu/sasl2/libanonymous.so.2.0.25
    c0602000-c0607000 r-xp 00000000 08:01 539149 /usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25
    c0607000-c0609000 ---p 00005000 08:01 539149 /usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25
    c0609000-c060a000 r--p 00005000 08:01 539149 /usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25
    c060a000-c060b000 rw-p 00006000 08:01 539149 /usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25
    c060c000-c0784000 r-xp 00000000 08:01 533929 /usr/lib/m68k-linux-gnu/libdb-5.3.so
    (gdb) shell objdump --all-headers /usr/lib/m68k-linux-gnu/libdb-5.3.so | grep .text
    12 .text 0012aef4 0003109c 0003109c 0003109c 2**2
    (gdb) print/x 0x0003109c
    $2 = 0x3109c
    (gdb) print/x 0x0003109c + 0xc060c000
    $3 = 0xc063d09c
    (gdb) add-symbol-file /usr/lib/m68k-linux-gnu/libdb-5.3.so 0xc063d09c
    add symbol table from file "/usr/lib/m68k-linux-gnu/libdb-5.3.so" at
    .text_addr = 0xc063d09c
    (y or n) y
    Reading symbols from /usr/lib/m68k-linux-gnu/libdb-5.3.so...
    Reading symbols from /usr/lib/debug/.build-id/6a/b236c10c2a7b9590b0403b5766904e0f4d324a.debug...
    (gdb) bt
    ...
    #12 0xc0703f86 in __db_open_pp (dbp=0xd00087b0, txn=<optimized out>, fname=0xc0605cb9 "/etc/sasldb2", dname=0x0, type=DB_HASH, flags=1, mode=432) at ../src/db/db_iface.c:1193
    #13 0xc0604248 in ?? ()
    #14 0xd00087b0 in ?? ()
    #15 0x00000000 in ?? ()
    (gdb) shell objdump --all-headers /usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25 | grep .text
    11 .text 000027f0 0000138c 0000138c 0000138c 2**2
    (gdb) print/x 0x0000138c + 0xc0602000
    $4 = 0xc060338c

    (gdb) add-symbol-file /usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25 0xc060338c
    add symbol table from file "/usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25" at
    .text_addr = 0xc060338c
    (y or n) y
    Reading symbols from /usr/lib/m68k-linux-gnu/sasl2/libsasldb.so.2.0.25...
    Reading symbols from /usr/lib/debug/.build-id/29/c8e688eb61b57bcd21794b5403feefe1272dfd.debug...
    (gdb) bt
    ...
    #15 0xc0603572 in sasldb_auxprop_store (glob_context=0x0, sparams=0xd00077b8, ctx=0xd0007a58, user=0xeffffed9 "no:such:user", ulen=12) at ../../plugins/sasldb.c:258
    #16 0xc002d26c in ?? ()
    #17 0x00000000 in ?? ()
    (gdb) shell cat /proc/10276/maps | grep -i -E "^c00"
    c0000000-c0020000 r-xp 00000000 08:01 535730 /usr/lib/m68k-linux-gnu/ld.so.1
    c0020000-c0021000 rw-p 00000000 00:00 0
    c0021000-c0022000 r--p 00021000 08:01 535730 /usr/lib/m68k-linux-gnu/ld.so.1
    c0022000-c0024000 rw-p 00022000 08:01 535730 /usr/lib/m68k-linux-gnu/ld.so.1
    c0028000-c003c000 r-xp 00000000 08:01 539155 /usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
    c003c000-c003d000 ---p 00014000 08:01 539155 /usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
    c003d000-c003e000 r--p 00015000 08:01 539155 /usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
    c003e000-c003f000 rw-p 00016000 08:01 539155 /usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25
    c0040000-c01b1000 r-xp 00000000 08:01 535733 /usr/lib/m68k-linux-gnu/libc.so.6
    (gdb) shell objdump --all-headers /usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25 | grep .text
    12 .text 0000e284 00003db0 00003db0 00003db0 2**2
    (gdb) print/x 0x00003db0 + 0xc0028000
    $5 = 0xc002bdb0
    (gdb) add-symbol-file /usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25 0xc002bdb0
    add symbol table from file "/usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25" at
    .text_addr = 0xc002bdb0
    (y or n) y
    Reading symbols from /usr/lib/m68k-linux-gnu/libsasl2.so.2.0.25...
    Reading symbols from /usr/lib/debug/.build-id/0f/8954c0644d1a9efec7973fb3198b8fd7649d5f.debug...
    (gdb) set width 0
    (gdb) set pagination off
    (gdb) bt
    ...
    #17 0xc00366dc in sasl_setpass (conn=0xd0006670, user=0xeffffed9 "no:such:user", pass=0xd0006608 "test\ntest", passlen=9, oldpass=0x0, oldpasslen=0, flags=1) at ../../lib/server.c:186
    #18 0xd0001534 in ?? ()
    ...
    (gdb) shell cat /proc/10276/maps | grep -i -E "^d00"
    d0000000-d0002000 r-xp 00000000 08:01 539212 /usr/sbin/saslpasswd2
    d0003000-d0004000 r--p 00003000 08:01 539212 /usr/sbin/saslpasswd2
    d0004000-d0005000 rw-p 00004000 08:01 539212 /usr/sbin/saslpasswd2
    d0005000-d0026000 rwxp 00000000 00:00 0 [heap]
    (gdb) shell objdump --all-headers /usr/sbin/saslpasswd2 | grep .text
    13 .text 00000950 000010b8 000010b8 000010b8 2**2
    (gdb) print/x 0x000010b8 + 0xd0000000
    $6 = 0xd00010b8

    (gdb) add-symbol-file /usr/sbin/saslpasswd2 0xd00010b8
    add symbol table from file "/usr/sbin/saslpasswd2" at
    .text_addr = 0xd00010b8
    (y or n) y
    Reading symbols from /usr/sbin/saslpasswd2...
    Reading symbols from /usr/lib/debug/.build-id/bb/e83c9ae2d4877c67bd5148237aa2c49c9a9be1.debug...
    (gdb) bt
    #0 __pthread_kill_implementation (threadid=3227271200, signo=6, no_tid=0) at pthread_kill.c:44
    #1 0xc00c1ad4 in __pthread_kill_internal (signo=6, threadid=3227271200) at pthread_kill.c:78
    #2 __GI___pthread_kill (threadid=3227271200, signo=6) at pthread_kill.c:89
    #3 0xc007e91a in __GI_raise (sig=6) at ../sysdeps/posix/raise.c:26
    #4 0xc006cc86 in __GI_abort () at abort.c:79
    #5 0xc00b5716 in __libc_message (fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:150
    #6 0xc014553c in __GI___fortify_fail (msg=0xc019e386 "stack smashing detected") at fortify_fail.c:24
    #7 0xc0145524 in __stack_chk_fail () at stack_chk_fail.c:24
    #8 0xc0755bd6 in __os_unique_id (env=0xd0007ad8, idp=0xeffff5fc) at ../src/os/os_uid.c:55
    #9 0xc0753558 in __os_fileid (env=0xd0007ad8, fname=0xd0008bd8 "/etc/__db.sasldb2", unique_okay=1, fidp=<optimized out>) at ../src/os/os_fid.c:100
    #10 0xc073295c in __fop_file_setup (dbp=0xd00087b0, ip=0x0, txn=<optimized out>, name=0xc0605cb9 "/etc/sasldb2", mode=432, flags=1, retidp=0xeffff984) at ../src/fileops/fop_util.c:639
    #11 0xc070934a in __db_open (dbp=0xd00087b0, ip=0x0, txn=0x0, fname=0xc0605cb9 "/etc/sasldb2", dname=0x0, type=DB_HASH, flags=1, mode=432, meta_pgno=0) at ../src/db/db_open.c:187
    #12 0xc0703f86 in __db_open_pp (dbp=0xd00087b0, txn=<optimized out>, fname=0xc0605cb9 "/etc/sasldb2", dname=0x0, type=DB_HASH, flags=1, mode=432) at ../src/db/db_iface.c:1193
    #13 0xc0604248 in berkeleydb_open (utils=0xd0007990, conn=0xd0006670, rdwr=1, mbdb=0xeffffa94) at ../../sasldb/db_berkeley.c:107
    #14 0xc0604604 in _sasldb_putdata (utils=0xd0007990, context=0xd0006670, authid=0xd0007a98 "no:such:user", realm=0xd0006618 "debian", propName=0xc003a2c2 "userPassword", data_in=0xd000832e "test\ntest", data_len=9) at ../../sasldb/db_berkeley.c:305
    #15 0xc0603572 in sasldb_auxprop_store (glob_context=0x0, sparams=0xd00077b8, ctx=0xd0007a58, user=0xeffffed9 "no:such:user", ulen=12) at ../../plugins/sasldb.c:258
    #16 0xc002d26c in sasl_auxprop_store (conn=0xd0006670, ctx=0xd0007a58, user=0xeffffed9 "no:such:user") at ../../lib/auxprop.c:1019
    #17 0xc00366dc in sasl_setpass (conn=0xd0006670, user=0xeffffed9 "no:such:user", pass=0xd0006608 "test\ntest", passlen=9, oldpass=0x0, oldpasslen=0, flags=1) at ../../lib/server.c:186
    #18 0xd0001534 in main (argc=3, argv=0xeffffdd4) at ../../utils/saslpasswd.c:419
    #19 0xc006ceee in __libc_start_call_main (main=0xd00010b8 <main>, argc=3, argv=0xeffffdd4) at ../sysdeps/nptl/libc_start_call_main.h:58
    #20 0xc006cf9c in __libc_start_main_impl (main=0xd00010b8 <main>, argc=3, argv=0xeffffdd4, init=0x0, fini=0x0, rtld_fini=0xc0005c2c, stack_end=0xeffffdd4) at libc-start.c:360
    #21 0xd00016ac in _start ()
    (gdb) directory /home/benutzer/source/libdb5.3/orig/db5.3-5.3.28+dfsg2/src
    Source directories searched: /home/benutzer/source/libdb5.3/orig/db5.3-5.3.28+dfsg2/src:$cdir:$cwd
    (gdb) list __os_unique_id
    18 */
    19 void
    20 __os_unique_id(env, idp)
    21 ENV *env;
    22 u_int32_t *idp;
    23 {
    24 DB_ENV *dbenv;
    25 db_timespec v;
    26 pid_t pid;
    27 u_int32_t id;
    28
    29 *idp = 0;
    30
    31 dbenv = env == NULL ? NULL : env->dbenv;
    32
    33 /*
    34 * Our randomized value is comprised of our process ID, the current
    35 * time of day and a stack address, all XOR'd together.
    36 */
    37 __os_id(dbenv, &pid, NULL);
    38 __os_gettime(env, &v, 1);
    39
    40 id = (u_int32_t)pid ^
    41 (u_int32_t)v.tv_sec ^ (u_int32_t)v.tv_nsec ^ P_TO_UINT32(&pid);
    42
    43 /*
    44 * We could try and find a reasonable random-number generator, but
    45 * that's not all that easy to do. Seed and use srand()/rand(), if
    46 * we can find them.
    47 */
    48 if (DB_GLOBAL(uid_init) == 0) {
    49 DB_GLOBAL(uid_init) = 1;
    50 srand((u_int)id);
    51 }
    52 id ^= (u_int)rand();
    53
    54 *idp = id;
    55 }
    (gdb) up
    #1 0xc00c1ad4 in __pthread_kill_internal (signo=6, threadid=3227271200) at pthread_kill.c:78
    (gdb)
    #2 __GI___pthread_kill (threadid=3227271200, signo=6) at pthread_kill.c:89
    (gdb)
    #3 0xc007e91a in __GI_raise (sig=6) at ../sysdeps/posix/raise.c:26
    (gdb)
    #4 0xc006cc86 in __GI_abort () at abort.c:79
    (gdb)
    #5 0xc00b5716 in __libc_message (fmt=<optimized out>) at ../sysdeps/posix/libc_fatal.c:150
    (gdb)
    #6 0xc014553c in __GI___fortify_fail (msg=0xc019e386 "stack smashing detected") at fortify_fail.c:24
    (gdb)
    #7 0xc0145524 in __stack_chk_fail () at stack_chk_fail.c:24
    (gdb)
    #8 0xc0755bd6 in __os_unique_id (env=0xd0007ad8, idp=0xeffff5fc) at ../src/os/os_uid.c:55
    55 }
    (gdb) print sizeof(v)
    $7 = 12
    (gdb) print v
    $8 = {tv_sec = 1712964817, tv_nsec = 0}
    (gdb) ptype /o v
    type = struct {
    /* 0 | 8 */ time_t tv_sec;
    /* 8 | 4 */ long tv_nsec;

    /* total size (bytes): 12 */
    }
    (gdb) print id
    $9 = <optimized out>
    (gdb) print pid
    $10 = 10276
    (gdb) print dbenv
    $11 = <optimized out>
    (gdb) print sizeof(pid)
    $12 = 4
    (gdb) print &pid
    $13 = (pid_t *) 0xeffff5b0
    (gdb) print &v
    $14 = (db_timespec *) 0xeffff5b4
    (gdb)

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Thorsten Glaser@21:1/5 to All on Sat Apr 13 03:40:01 2024
    Bernhard Übelacker dixit:

    > On Thu, 4 Apr 2024 21:00:59 +0000 (UTC) Thorsten Glaser <tg@mirbsd.de> wrote:
    >> Sometimes, it does not crash with a smashed stack but instead:
    >>
    >> Setting up sasl2-bin (2.1.28+dfsg1-6+b1) ...
    >> BDB0002 __fop_file_setup: Retry limit (100) exceeded
    >> saslpasswd2: generic failure
    >
    > This looks to be a result of the pre-existing /etc/__db.sasldb2.
    > If this file gets removed the stack smashing occurs again.

    Right, I got there as well but not any further.

    > By some experimenting I could convince gdb to load the debug symbols.

    Massive detective work, thanks!

    > And the stack seems to point into function __os_unique_id from libdb-5.3.so.

    > Unfortunately I am not sure where the canary gets overwritten.

    I had an immediate hunch as I saw this:

    38 __os_gettime(env, &v, 1);

    And:

    (gdb) ptype /o v
    type = struct {
    /* 0 | 8 */ time_t tv_sec;
    /* 8 | 4 */ long tv_nsec;

    /* total size (bytes): 12 */
    }

    This is, in the source:

    typedef struct {
    time_t tv_sec; /* seconds */
    #ifdef HAVE_MIXED_SIZE_ADDRESSING
    int32_t tv_nsec;
    #else
    long tv_nsec; /* nanoseconds */
    #endif
    } db_timespec;

    Compare the newer system header:

    struct timespec
    {
    #ifdef __USE_TIME_BITS64
    __time64_t tv_sec; /* Seconds. */
    #else
    __time_t tv_sec; /* Seconds. */
    #endif
    #if __WORDSIZE == 64 \
    || (defined __SYSCALL_WORDSIZE && __SYSCALL_WORDSIZE == 64) \
    || (__TIMESIZE == 32 && !defined __USE_TIME_BITS64)
    __syscall_slong_t tv_nsec; /* Nanoseconds. */
    #else
    # if __BYTE_ORDER == __BIG_ENDIAN
    int: 32; /* Padding. */
    long int tv_nsec; /* Nanoseconds. */
    # else
    long int tv_nsec; /* Nanoseconds. */
    int: 32; /* Padding. */
    # endif
    #endif
    };

    This is actually longer and (IMHO) really stupid. But Linux has:

    struct __kernel_timespec {
    __kernel_time64_t tv_sec; /* seconds */
    long long tv_nsec; /* nanoseconds */
    };

    So this is actually expected. *checks POSIX* which says:

    | The <time.h> header shall declare the timespec structure, which shall
    | include at least the following members:
    |
    | time_t tv_sec Whole seconds.
    | long tv_nsec Nanoseconds [0, 999 999 999].

    So both the kernel definition (tv_nsec must be long, not long long,
    which is incompatible on ILP32 big endian platforms) and the one by
    db5.3 (struct timespec may include extra members and be in any order)
    actually violate POSIX… *sigh*

    And yes, it does cast to struct timespec and passes it
    to clock_gettime().

    But it does give us a possible fix, which I’ll be testing.

    bye,
    //mirabilos
    --
    22:20⎜<asarch> The crazy that persists in his craziness becomes a master
    22:21⎜<asarch> And the distance between the craziness and geniality is
    only measured by the success
    18:35⎜<asarch> "Psychotics are consistently inconsistent. The essence of sanity is to be inconsistently inconsistent

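An added example, not code from the thread or from db5.3, that turns the struct mismatch described above into checkable numbers and shows the cast-free way to call clock_gettime(). The two m68k layouts are modelled with fixed-width packed types so that the 12-versus-16-byte difference and the shifted tv_nsec offset are visible on any host; db_gettime_safe() is a hypothetical replacement for the cast in __os_gettime(), not the fix the author went on to test.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <time.h>

/* db5.3's own layout, as quoted in the thread: time_t then long, no padding. */
typedef struct {
    time_t tv_sec;
    long tv_nsec;
} db_timespec;

/* The two m68k layouts modelled with fixed-width, packed types so that the
 * mismatch is visible on any host: db_timespec is 12 bytes (the ptype output
 * above), glibc's struct timespec with 64-bit time_t is 16 (8 + 4 padding + 4),
 * and on this big-endian ABI the padding word comes before tv_nsec. */
typedef struct __attribute__((packed)) {
    int64_t tv_sec;
    int32_t tv_nsec;
} m68k_db_timespec;
typedef struct __attribute__((packed)) {
    int64_t tv_sec;
    int32_t pad;      /* the unnamed "int: 32" bit-field from the glibc header */
    int32_t tv_nsec;
} m68k_timespec;

/* Bytes clock_gettime() writes past the end of a db_timespec when the smaller
 * struct is cast to struct timespec: 4 on m68k, landing on whatever follows v
 * in the frame (the stack-protector canary, judging by the abort above). */
size_t m68k_overrun_bytes(void) {
    return sizeof(m68k_timespec) - sizeof(m68k_db_timespec);
}

/* Where each layout keeps tv_nsec: db_timespec reads offset 8, which in the real
 * struct is the padding (high half of the kernel's 64-bit nanoseconds), which is
 * consistent with gdb showing tv_nsec = 0 above while tv_sec looks sane. */
size_t m68k_nsec_offset_db(void)   { return offsetof(m68k_db_timespec, tv_nsec); }
size_t m68k_nsec_offset_libc(void) { return offsetof(m68k_timespec, tv_nsec); }

/* Hypothetical cast-free replacement for the call in __os_gettime(): read into a
 * real struct timespec and copy the members, so the struct sizes never matter.
 * Returns 0 on success, -1 if clock_gettime() fails. */
int db_gettime_safe(db_timespec *out) {
    struct timespec ts;
    if (clock_gettime(CLOCK_REALTIME, &ts) != 0)
        return -1;
    out->tv_sec = ts.tv_sec;
    out->tv_nsec = ts.tv_nsec;
    return 0;
}
```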