Ubuntu
accountsservice package

gdm-session-worker crashed with SIGSEGV in malloc_consolidate()

Bug #1255356 reported by Ryan Tandy on 2013-11-27

This bug report is a duplicate of: Bug #1004515: segfault in accounts-daemon when logging in / gdm crash if user account is added or deleted. Edit Remove

10

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	accountsservice (Ubuntu)	New	Undecided	Unassigned

Bug Description

On an otherwise clean and up-to-date precise installation, the conditions to reproduce this gdm crash seem to be:

* libnss-ldapd is installed and configured for at least passwd lookups in nsswitch.
* the LDAP user being tested is not in the gdm user list.

After filling in credentials and pressing Login, gdm-session-worker crashes and the login screen hangs waiting for it.

For a user who is already shown in the list, whether because of being present in /etc/passwd or the wtmp history, logging in seems to work normally.

I don't know whether this bug is in gdm, nss-pam-ldapd, accountsservice, or somewhere else, but gdm seems like a reasonable place to start.

ProblemType: Crash
DistroRelease: Ubuntu 12.04
Package: gdm 3.0.4-0ubuntu15.1
ProcVersionSignature: Ubuntu 3.8.0-33.48~precise1-generic 3.8.13.11
Uname: Linux 3.8.0-33-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.6
Architecture: amd64
Date: Tue Nov 26 15:46:58 2013
ExecutablePath: /usr/lib/gdm/gdm-session-worker
MarkForUpload: True
ProcCmdline: /usr/lib/gdm/gdm-session-worker
ProcEnviron:
LANG=en_CA.UTF-8
TERM=linux
LANGUAGE=en_CA:
PATH=(custom, no user)
SegvAnalysis:
Segfault happened at: 0x7f99dc051e08 <malloc_consolidate+232>: mov 0x8(%r12),%r15
PC (0x7f99dc051e08) ok
source "0x8(%r12)" (0x028e7388) not located in a known VMA region (needed readable region)!
destination "%r15" ok
SegvReason: reading unknown VMA
Signal: 11
SourcePackage: gdm
StacktraceTop:
malloc_consolidate (av=0x7f99dc38c720) at malloc.c:4272
malloc_consolidate (av=0x7f99dc38c720) at malloc.c:4247
_int_malloc (av=0x7f99dc38c720, bytes=1072) at malloc.c:3564
__GI___libc_malloc (bytes=1072) at malloc.c:2924
pam_modutil_getpwnam () from /lib/x86_64-linux-gnu/libpam.so.0
Title: gdm-session-worker crashed with SIGSEGV in malloc_consolidate()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

Tags:

Revision history for this message

Ryan Tandy (rtandy) wrote on 2013-11-27:

#1

Dependencies.txt Edit (5.9 KiB, text/plain; charset="utf-8")
Disassembly.txt Edit (1.1 KiB, text/plain; charset="utf-8")
ProcMaps.txt Edit (17.9 KiB, text/plain; charset="utf-8")
ProcStatus.txt Edit (798 bytes, text/plain; charset="utf-8")
Registers.txt Edit (811 bytes, text/plain; charset="utf-8")
Stacktrace.txt Edit (3.7 KiB, text/plain; charset="utf-8")
ThreadStacktrace.txt Edit (3.7 KiB, text/plain; charset="utf-8")

Revision history for this message

Apport retracing service (apport) wrote on 2013-11-27:

#2

StacktraceTop:
malloc_consolidate (av=0x7f99dc38c720 <main_arena>) at malloc.c:4272
malloc_consolidate (av=0x7f99dc38c720 <main_arena>) at malloc.c:4247
_int_malloc (av=0x7f99dc38c720 <main_arena>, bytes=1072) at malloc.c:3564
__GI___libc_malloc (bytes=1072) at malloc.c:2924
pam_modutil_getpwnam (pamh=0x1473b00, user=0x14976e0 "rtandy") at pam_modutil_getpwnam.c:41

Revision history for this message

Apport retracing service (apport) wrote on 2013-11-27: Stacktrace.txt

#3

Stacktrace.txt Edit (4.0 KiB, text/plain)

Revision history for this message

Apport retracing service (apport) wrote on 2013-11-27: StacktraceSource.txt

#4

StacktraceSource.txt Edit (3.2 KiB, text/plain)

Revision history for this message

Apport retracing service (apport) wrote on 2013-11-27: ThreadStacktrace.txt

#5

ThreadStacktrace.txt Edit (4.0 KiB, text/plain)

Changed in gdm (Ubuntu):
importance:	Undecided → Medium
tags:	removed: need-amd64-retrace

Revision history for this message

Ryan Tandy (rtandy) wrote on 2013-11-27:

#6

gdb.txt Edit (11.0 KiB, text/plain)

On i386, gdm-session-worker hangs instead of crashing, and the following message is logged in /var/log/gdm/:0-slave.log:

*** glibc detected *** /usr/lib/gdm/gdm-session-worker: malloc(): memory corruption (fast): 0x094ca208 ***

The address is not the same every time. Attaching to the process with gdb I retrieved the attached backtrace.

Revision history for this message

Ryan Tandy (rtandy) wrote on 2013-11-27:

#7

:0-slave.log Edit (15.0 KiB, text/plain)

Still on i386, I added MALLOC_CHECK_=2 to the environment of gdm-session-worker to make it abort instead of printing a backtrace, and gdm's built-in crash handler logged the attached backtrace.

information type:

Private → Public

Revision history for this message

Ryan Tandy (rtandy) wrote on 2013-11-27:

#8

The problem seems to go away after backporting accountsservice from quantal.

Revision history for this message

Ryan Tandy (rtandy) wrote on 2013-11-27:

#9

Fixing the double free of user->language as per http://cgit.freedesktop.org/accountsservice/commit/?id=4399a03316bfc2b5a6f666b0606e5eece167d44a seems to be sufficient to fix this. I'll test this a few more times to convince myself of that.

no longer affects:

gdm (Ubuntu)

Report a bug

This report contains Public information

Everyone can see this information.

Duplicate of bug #1004515 Remove

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.