gsasl: don't check on linux either #81531

Closed

mdorman
Contributor

@mdorman mdorman commented Mar 2, 2020

Recently (https://hydra.nixos.org/build/113717403) something has caused the linux version to start segfaulting in its test suite:

```
Header version 1.8.0 library version 1.8.0
/nix/store/8gy2bmpz3qawxr3g8hqhfgkf32wb0wfl-bash-4.4-p23/bin/bash: line 5: 28803 Segmentation fault      (core dumped) SHISHI_KEYS=./gssapi.key SHISHI_TICKETS=./gssapi.tkt SHISHI_CONFIG=./shishi.conf SHISHI_HOME=. SHISHI_USER=ignore-this-warning THREADSAFETY_FILES=`ls ../lib/*/*.c | /nix/store/8z2qcxbl9kfqhqqjm04lzlvvlwli4bw7-gnugrep-3.4/bin/grep -v -e lib/gl/vasnprintf.c -e lib/gl/getdelim.c` MD5FILE=./cram-md5.pwd EGREP="/nix/store/8z2qcxbl9kfqhqqjm04lzlvvlwli4bw7-gnugrep-3.4/bin/grep -E" GNUGSS=`if grep 'HAVE_LIBGSS 1' ../lib/config.h > /dev/null; then echo yes; else echo no; fi` ${dir}$tst
FAIL: old-simple
```

This library has been marked as don't-check on darwin for more than a
year---unfortunately that commit message didn't mention why, so it's
hard to say if linux has started seeing the same issue or a different
one.

Regardless, this is just a stopgap; the real solution is probably to
upgrade at least to 1.8.1 (a new stable release made last year), or
perhaps even to the 1.9 betas---but that seems like something that
should be the decision of the maintainer, @shlevy.

Motivation for this change

Wanted to get msmtp working again.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@dasJ
Member

dasJ commented Mar 2, 2020

This is blocking the unstable-small channel

@andir
Member

andir commented Mar 3, 2020

Interestingly this test doesn't fail outside of the build sandbox. Also upstream has recently released three new versions. Only 1.8.1 has made it to the ftp: http://git.savannah.gnu.org/gitweb/?p=gsasl.git;a=tags

Here is the backtrace of the segfaulting test:

```
0x00007ffff7f433c1 in __strlen_avx2 () from /nix/store/dp9nhj3ng2hw3cfn0x0w867z0d3kp0i7-glibc-2.30/lib/libc.so.6
#0  0x00007ffff7f433c1 in __strlen_avx2 () from /nix/store/dp9nhj3ng2hw3cfn0x0w867z0d3kp0i7-glibc-2.30/lib/libc.so.6
#1  0x00007ffff7e75a0e in strdup () from /nix/store/dp9nhj3ng2hw3cfn0x0w867z0d3kp0i7-glibc-2.30/lib/libc.so.6
#2  0x00007ffff7cf5f79 in k5_primary_domain () at dnsglue.c:506
#3  0x00007ffff7cff10b in qualify_shortname (context=context@entry=0x410be0, host=host@entry=0x410610 "") at sn2princ.c:74
#4  0x00007ffff7cff2c2 in k5_expand_hostname (context=context@entry=0x410be0, host=host@entry=0x410610 "", is_fallback=is_fallback@entry=0, canonhost_out=canonhost_out@entry=0x7fffffff8fc0) at sn2princ.c:128
#5  0x00007ffff7cff3a1 in krb5_expand_hostname (context=context@entry=0x410be0, host=host@entry=0x410610 "", canonhost_out=canonhost_out@entry=0x7fffffff8fc0) at sn2princ.c:164
#6  0x00007ffff7cff5f6 in krb5_sname_to_principal (context=0x410be0, hostname=0x410610 "", sname=0x40f5b0 "", type=type@entry=3, princ_out=princ_out@entry=0x7fffffff9088) at sn2princ.c:219
#7  0x00007ffff7d8d6a8 in krb5_gss_import_name (minor_status=0x7fffffffb2b4, input_name_buffer=0x40f480, input_name_type=0x40f640, output_name=0x7fffffffb1c0) at import_name.c:166
#8  0x00007ffff7d789bc in gssint_import_internal_name (minor_status=minor_status@entry=0x7fffffffb2b4, mech_type=0x40e290, union_name=union_name@entry=0x40fad0, internal_name=internal_name@entry=0x7fffffffb1c0) at g_glue.c:400
#9  0x00007ffff7d74661 in gss_add_cred_from (minor_status=minor_status@entry=0x7fffffffb2b4, input_cred_handle=0x410bb0, desired_name=desired_name@entry=0x40fad0, desired_mech=<optimized out>, cred_usage=cred_usage@entry=2, initiator_time_req=initiator_time_req@entry=0, acceptor_time_req=0, cred_store=0x0, output_cred_handle=0x0, actual_mechs=0x0, initiator_time_rec=0x0, acceptor_time_rec=0x0) at g_acquire_cred.c:512
#10 0x00007ffff7d74cbb in gss_acquire_cred_from (minor_status=minor_status@entry=0x7fffffffb394, desired_name=0x40fad0, time_req=time_req@entry=0, desired_mechs=desired_mechs@entry=0x0, cred_usage=cred_usage@entry=2, cred_store=cred_store@entry=0x0, output_cred_handle=0x40d740, actual_mechs=0x0, time_rec=0x0) at g_acquire_cred.c:190
#11 0x00007ffff7d74dd1 in gss_acquire_cred (minor_status=minor_status@entry=0x7fffffffb394, desired_name=<optimized out>, time_req=time_req@entry=0, desired_mechs=desired_mechs@entry=0x0, cred_usage=cred_usage@entry=2, output_cred_handle=output_cred_handle@entry=0x40d740, actual_mechs=0x0, time_rec=0x0) at g_acquire_cred.c:107
#12 0x00007ffff7fc32c6 in _gsasl_gssapi_server_start (sctx=<optimized out>, mech_data=0x40dfc8) at server.c:98
#13 0x00007ffff7fb317e in setup (ctx=ctx@entry=0x40a6b0, mech=mech@entry=0x7ffff7fc7445 "GSSAPI", sctx=sctx@entry=0x40dfb0, n_mechs=n_mechs@entry=13, mechs=mechs@entry=0x40d760, clientp=clientp@entry=0) at xstart.c:69
#14 0x00007ffff7fb31f2 in start (ctx=ctx@entry=0x40a6b0, mech=0x7ffff7fc7445 "GSSAPI", sctx=sctx@entry=0x7fffffffb480, n_mechs=13, mechs=0x40d760, clientp=clientp@entry=0) at xstart.c:94
#15 0x00007ffff7fb324f in gsasl_server_start (ctx=ctx@entry=0x40a6b0, mech=<optimized out>, sctx=sctx@entry=0x7fffffffb480) at xstart.c:139
#16 0x00007ffff7fb2fd2 in _gsasl_listmech (ctx=0x40a6b0, mechs=0x40d760, n_mechs=13, out=out@entry=0x7fffffffb4e0, clientp=clientp@entry=0) at listmech.c:44
#17 0x00007ffff7fb30b8 in gsasl_server_mechlist (ctx=<optimized out>, out=out@entry=0x7fffffffb4e0) at listmech.c:95
#18 0x00007ffff7fb3f39 in gsasl_server_listmech (ctx=<optimized out>, out=out@entry=0x7fffffffb540 "ANONYMOUS EXTERNAL LOGIN PLAIN SECURID DIGEST-MD5 CRAM-MD5 SCRAM-SHA-1 SAML20 OPENID20 GSSAPI GS2-KRB5", outlen=outlen@entry=0x7fffffffb538) at obsolete.c:94
#19 0x0000000000402dbf in doit () at old-simple.c:438
#20 0x0000000000403a7e in main (argc=<optimized out>, argv=0x7fffffffd668) at utils.c:140
```

@andir
Member

andir commented Mar 3, 2020

The solution to the segfault is to do this before running the test:

```
export LOCALDOMAIN="foo.bar.baz"
```

res_init(3) "reads the configuration files (see resolv.conf(5)) to get the default domain name, search order and name server address(es). If no server is given, the local host is tried. If no domain is given, that associated with the local host is used. It can be overridden with the environment variable LOCALDOMAIN. res_init() is normally executed by the first call to one of the other functions."

The krb5 lib calls res_ninit(3) and uses the unchecked result as an argument to strdup(3).

The whole process happens within the k5_primary_domain function: https://github.com/krb5/krb5/blob/996353767fe8afa7f67a3b5b465e4d70e18bGad7c/src/lib/krb5/os/dnsglue.c#L92

I believe (given how recent that code is) that it is probably a bug in the kerberos library when executed in a very thin environment, like our build sandbox.
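
The failure mode described in the comment above, as an added C example that is not code from krb5, gsasl or nixpkgs: a resolver lookup that treats "no local domain" as a normal result instead of passing a null pointer to `strdup()`. The function names are hypothetical, and reading the domain from `dnsrch[0]` of glibc's `struct __res_state` is an assumption of this example; the page does not show the krb5 source.

```c
#define _DEFAULT_SOURCE
#include <sys/types.h>
#include <netinet/in.h>
#include <arpa/nameser.h>
#include <resolv.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy the first search domain out of an initialised resolver state.
 * Assumption for this example: the default domain is read from dnsrch[0].
 * In a sandbox with no resolv.conf domain and a dot-less hostname that
 * entry can be NULL, and strdup(NULL) then crashes inside strlen(). */
char *primary_domain_from(const struct __res_state *st)
{
    const char *d = st->dnsrch[0];
    if (d == NULL || *d == '\0')
        return NULL;            /* "no domain" is a normal outcome */
    return strdup(d);           /* may itself return NULL on ENOMEM */
}

/* Initialise a private resolver state, extract the domain, release it. */
char *primary_domain(void)
{
    struct __res_state st;
    char *domain;

    memset(&st, 0, sizeof st);
    if (res_ninit(&st) != 0)    /* check the init result as well */
        return NULL;
    domain = primary_domain_from(&st);  /* copy before the state is freed */
    res_nclose(&st);
    return domain;
}

int main(void)
{
    char *d = primary_domain();
    printf("ambient domain: %s\n", d ? d : "(none)");
    free(d);

    /* The workaround from the thread: LOCALDOMAIN overrides the lookup. */
    setenv("LOCALDOMAIN", "foo.bar.baz", 1);
    d = primary_domain();
    printf("with LOCALDOMAIN: %s\n", d ? d : "(none)");
    free(d);
    return 0;
}
```

Callers have to handle the `NULL` return; the backtrace above shows what happens when the empty case reaches `strdup()` unchecked.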

andir added a commit to andir/nixpkgs that referenced this pull request Mar 3, 2020
Recently kerberos added a code path that relies on the local domain part
to be available. See [hydra] for the recent build failure and [github]
for a brief analysis of the error.

[hydra] https://hydra.nixos.org/build/113717403
[github]:
  - NixOS#81531 (comment)
  - NixOS#81531 (comment)
@vcunat vcunat closed this Mar 3, 2020
dtzWill pushed a commit to dtzWill/nixpkgs that referenced this pull request Mar 3, 2020
Recently kerberos added a code path that relies on the local domain part
to be available. See [hydra] for the recent build failure and [github]
for a brief analysis of the error.

[hydra] https://hydra.nixos.org/build/113717403
[github]:
  - NixOS#81531 (comment)
  - NixOS#81531 (comment)

(cherry picked from commit 6eb3154)
@mdorman mdorman deleted the gsasl-fix branch March 5, 2023 01:20