runtime error: initgroups(www-data, 33) failed (5: I/O error)

Submitted by Rich Felker on Oct. 9, 2020, 8:39 p.m.

Details

Message ID 20201009203919.GA17637@brightrain.aerifal.cx
State New
Series "runtime error: initgroups(www-data, 33) failed (5: I/O error)"

Commit Message

Rich Felker Oct. 9, 2020, 8:39 p.m.
On Fri, Oct 02, 2020 at 10:37:03PM -0400, Rich Felker wrote:
> On Sat, Oct 03, 2020 at 09:06:50AM +0800, Static Php wrote:
> > I have this runtime error on Ubuntu 18.04.5 LTS, CPU is AMD EPYC Processor.
> > 
> > Kernel: 5.4.0-49-generic #53~18.04.1-Ubuntu (other kernels also have this
> > problem)
> > 
> > more details: https://github.com/richfelker/musl-cross-make/issues/107
> > 
> > strace:
> > 
> > execve("./a.out", ["./a.out"], 0x7fff12cd26d0 /* 20 vars */) = 0
> > >
> > > arch_prctl(ARCH_SET_FS, 0x7ff53bb3b618) = 0
> > >
> > > set_tid_address(0x7ff53bb3bbe8)         = 40778
> > >
> > > socket(AF_UNIX, SOCK_STREAM|SOCK_CLOEXEC, 0) = 3
> > >
> > > brk(NULL)                               = 0x555556f23000
> > >
> > > brk(0x555556f25000)                     = 0x555556f25000
> > >
> > > mmap(0x555556f23000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS,
> > > -1, 0) = 0x555556f23000
> > >
> > > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
> > > 0x7ff53bb39000
> > >
> > > connect(3, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 24) = 0
> > >
> > > sendmsg(3, {msg_name=NULL, msg_namelen=0,
> > > msg_iov=[{iov_base="\2\0\0\0\17\0\0\0\t\0\0\0", iov_len=12},
> > > {iov_base="www-data\0", iov_len=9}], msg_iovlen=2, msg_controllen=0,
> > > msg_flags=0}, MSG_NOSIGNAL) = 21
> > >
> > > readv(3, [{iov_base="\2\0\0\0\1\0\0\0\0\0\0", iov_len=11}, {iov_base="\0",
> > > iov_len=1024}], 2) = 12
> > >
> > > mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
> > > 0x7ff53bb38000
> > >
> > > close(3)                                = 0
> > >
> > > munmap(0x7ff53bb39000, 4096)            = 0
> > >
> > > munmap(0x7ff53bb38000, 4096)            = 0
> > >
> > > ioctl(1, TIOCGWINSZ, {ws_row=59, ws_col=225, ws_xpixel=1575,
> > > ws_ypixel=826}) = 0
> > >
> > > writev(1, [{iov_base="err=-1, errno=5", iov_len=15}, {iov_base="\n",
> > > iov_len=1}], 2err=-1, errno=5
> > >
> > > ) = 16
> > >
> > > exit_group(0)                           = ?
> > >
> > > +++ exited with 0 +++
> > >
> 
> Ah, this looks like a bug in musl causing a zero-groups response from
> nscd to be interpreted as an error rather than success with no
> members:
> 
> 	if (!fread(nscdbuf, sizeof(*nscdbuf)*resp[INITGRNGRPS], 1, f)) {
> 		if (!ferror(f)) errno = EIO;
> 		goto cleanup;
> 	}
> 
> The problem is that this code was written assuming the fread call
> returns 1 on success, but fread has a stupid corner case (which we
> used to get wrong) where a zero-length read is required by the
> standard to return 0 even though logically it should return nmemb.
> 
> You can work around the problem by adding www-data to a useless dummy
> group. I'll prepare a patch for musl, though, and post it here as a
> follow-up soon.
> 
> Thanks for the report!

I think the attached patch should work, but it's not tested since I
don't have an environment with nscd handy.

Rich
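
The fread corner case described in the quoted analysis, shown as an added example that is not part of the original message or of musl. The reply layout and the names `make_reply`, `read_groups`, `guard_zero` and `demo` are constructed for illustration; only the two forms of the fread check follow the page.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed reply (not the real nscd format): count, then count gids. */
static FILE *make_reply(const uint32_t *gids, uint32_t n)
{
	FILE *f = tmpfile();
	if (!f) return NULL;
	fwrite(&n, sizeof n, 1, f);
	fwrite(gids, sizeof *gids, n, f); /* writes nothing when n == 0 */
	rewind(f);
	return f;
}

/* guard_zero = 0 uses the pre-fix check, 1 skips fread for an empty list.
 * Returns the number of groups read, or -1 with errno set. */
static int read_groups(FILE *f, uint32_t *out, size_t cap, int guard_zero)
{
	uint32_t n;
	if (!fread(&n, sizeof n, 1, f)) { errno = EIO; return -1; }
	if (n > cap) { errno = ERANGE; return -1; }
	/* fread returns 0 whenever size or nmemb is 0, so an empty list is
	 * indistinguishable from a short read unless n == 0 is skipped. */
	if ((!guard_zero || n) && !fread(out, sizeof *out * n, 1, f)) {
		if (!ferror(f)) errno = EIO;
		return -1;
	}
	return (int)n;
}

/* Parses a constructed reply with n <= 4 groups; returns count or -errno. */
static int demo(uint32_t n, int guard_zero)
{
	uint32_t gids[4] = { 33, 100, 101, 102 }, out[4];
	FILE *f = make_reply(gids, n);
	if (!f) return -1000; /* setup failure, not part of the demonstration */
	int r = read_groups(f, out, 4, guard_zero);
	if (r < 0) r = -errno; /* capture before fclose can touch errno */
	fclose(f);
	return r;
}

int main(void)
{
	printf("pre-fix, 0 groups: %d\n", demo(0, 0));
	printf("fixed, 0 groups: %d, 2 groups: %d\n", demo(0, 1), demo(2, 1));
	return 0;
}
```

With the pre-fix check, the empty list comes back as `-EIO`, which matches the `(5: I/O error)` in the report; non-empty lists behave the same under both checks.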

Patch

diff --git a/src/passwd/getgrouplist.c b/src/passwd/getgrouplist.c
index 43e51824..44785e10 100644
--- a/src/passwd/getgrouplist.c
+++ b/src/passwd/getgrouplist.c
@@ -31,12 +31,13 @@  int getgrouplist(const char *user, gid_t gid, gid_t *groups, int *ngroups)
 	if (resp[INITGRFOUND]) {
 		nscdbuf = calloc(resp[INITGRNGRPS], sizeof(uint32_t));
 		if (!nscdbuf) goto cleanup;
-		if (!fread(nscdbuf, sizeof(*nscdbuf)*resp[INITGRNGRPS], 1, f)) {
+		size_t ngrps = resp[INITGRNGRPS];
+		if (ngrps && !fread(nscdbuf, sizeof(*nscdbuf)*ngrps, 1, f)) {
 			if (!ferror(f)) errno = EIO;
 			goto cleanup;
 		}
 		if (swap) {
-			for (i = 0; i < resp[INITGRNGRPS]; i++)
+			for (i = 0; i < ngrps; i++)
 				nscdbuf[i] = bswap_32(nscdbuf[i]);
 		}
 	}
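
Review bot: The zero-group path still depends on the unchanged `calloc(resp[INITGRNGRPS], sizeof(uint32_t))` just above the new `ngrps` declaration. For a count of zero the C standard lets calloc return either a null pointer or a unique pointer, and a null return would take `if (!nscdbuf) goto cleanup;` before the new `ngrps &&` guard is reached. Consider declaring `ngrps` ahead of the allocation and using it there as well, or wrapping the allocation, read and byte swap in a single `if (ngrps)`, so the empty-list case does not rely on allocator behaviour. Since the message says the patch is untested, a run against a user with no supplementary groups would confirm the fix.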