svn up Segmentation Fault with sasl enabled repositories

Bug #881862 reported by Marco Paolini
This bug affects 7 people
Affects | Status | Importance | Assigned to | Milestone
subversion (Debian) | Fix Released | Unknown | |
subversion (Ubuntu) | Fix Released | Undecided | Unassigned |
Oneiric | Fix Released | Undecided | Unassigned |

Bug Description

[impact]
svn crashes often when doing basic commands (checkout, update, ...) on repositories which use sasl authentication served with svnserve

[Development Fix]
the issue was fixed in 1.6.17dfsg-2ubuntu1 available in precise by picking a patch from upstream vcs

[Stable Fix]
the same patch applies to the version in oneiric, according to upstream vcs no further corrections for this issue were applied between the version in oneiric and precise.

[Test Case]
create a repository with sasl authentication.
svnadmin create repo
relevant contents of svnserve.conf:
[general]
anon-access = none
realm = test
[sasl]
use-sasl = true
min-encryption = 128
max-encryption = 256
pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: DIGEST-MD5

create sasl account:
sudo saslpasswd2 -c -u test username

start svnserve:
sudo svnserve --daemon --root /path/to/repo

checkout and update:
svn co svn://repo wc
cd wc
svn up

expected result:
successful checkout and update

result:
sometimes segmentation faults.
if it does not crash run the checkout under valgrind and one will see many "Invalid read of size X" errors.

the patch fixes the crashes and the valgrind errors.

[regression impact]
low, the patch is small and simple. It has been released in precise and debian for a while with no regressions.
svn has a quite large testsuite which still succeeds with the patch.

original report:
after upgrade to ubuntu 11.10 svn up is segfaulting after updating local copy (svn up)

in one case the working copy was left in unclean state (some files locked) after svn up

everything was working fine in ubuntu 10.04

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: subversion 1.6.12dfsg-4ubuntu5
ProcVersionSignature: Ubuntu 3.0.0-12.20-generic 3.0.4
Uname: Linux 3.0.0-12-generic x86_64
ApportVersion: 1.23-0ubuntu3
Architecture: amd64
Date: Wed Oct 26 10:30:52 2011
InstallationMedia: Ubuntu 11.04 "Natty Narwhal" - Release amd64 (20110427.1)
SourcePackage: subversion
UpgradeStatus: Upgraded to oneiric on 2011-10-24 (1 days ago)

Revision history for this message
Marco Paolini (mpaolini) wrote :

Problem only appears in sasl-protected remote repositories served through svnserve.

It has something to do with libsasl2 on the client side.

I first tried by manually compiled from source subversion 1.6.17 and got same problem

then I managed to solve the issue:
 - manually compiled from source cyrus-sasl-2.1.25, then recompiled subversion
 - manually compiled from source subversion 1.6.17 using ./configure --with-sasl=/usr/local/lib/sasl2

nothing changed on server side (where I run subversion 1.6.17)

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in subversion (Ubuntu):
status: New → Confirmed
Revision history for this message
Julian Taylor (jtaylor) wrote :

thanks for the report.
Can you provide a backtrace of the crash?
See this page for information on how to create them:
https://wiki.ubuntu.com/Backtrace

Revision history for this message
Marco Paolini (mpaolini) wrote :

the segfault happens in sasl library in file plugins/digestmd5.c digestmd5_client_mech_dispose when call to utils->log is made

same happens in digestmd5_common_mech_dispose when utils->log is invoked

commenting out these two utils->log calls makes the segfault disappear

link to thread in cyrus-sasl devel list
http://asg.andrew.cmu.edu/archive/message.php?mailbox=archive.cyrus-devel&msg=3250

link to debian bug report
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=635588

Revision history for this message
Marco Paolini (mpaolini) wrote :

oops sorry for the noise, it turns out it is a subversion 1.6.17 bug (fixed in release 1.7.1 or maybe earlier):

subversion was using a local variable in stack for the callbacks argument of sasl_client_new

but sasl_dispose was called outside this function, so when utils->log went looking for log callbacks
it was accessing some bogus memory area

the bad code is in subversion lib_ra_svn/cyrus_auth.c svn_ra_svn__do_cyrus_auth:
callbacks is a function local variable while it should live until sasl_dispose is called

code in subversion 1.7.1 is correct: it allocates callbacks in heap

cheers,

Marco

Revision history for this message
Marco Paolini (mpaolini) wrote :

it was fixed in subversion on sept 8:

http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_ra_svn/cyrus_auth.c?r1=1160604&r2=1166555

Fix a possible crash in ra_svn if SASL authentication is active.

* subversion/libsvn_ra_svn/cyrus_auth.c
  (svn_ra_svn__do_cyrus_auth): Give the auth callbacks sufficient
   lifetime to survive until connection pool cleanup. CyrusSASL
   needs the callbacks in the cleanup handler of this pool.

Found by: Dave Huang <email address hidden>
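
The lifetime bug described in the comments above, reduced to a self-contained C program. This is an added example, not Subversion's or Cyrus SASL's code: cb_t, conn_t, conn_dispose, auth_buggy and auth_fixed are hypothetical stand-ins, and the fixed variant uses one malloc where Subversion's fix ties the callbacks to the connection pool.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-ins for the SASL callback list (not the Cyrus SASL API). */
typedef struct { int id; int (*proc)(const char *msg); } cb_t;
enum { CB_LIST_END = 0, CB_LOG = 2 };

/* Like sasl_client_new, the mock keeps the caller's pointer; it does not copy the array. */
typedef struct { const cb_t *callbacks; } conn_t;

static int logged = 0;
static int log_cb(const char *msg) { (void)msg; return ++logged; }

/* Like sasl_dispose reaching utils->log: walks the stored array for a log callback. */
static int conn_dispose(conn_t *c) {
    int rc = -1;
    for (const cb_t *p = c->callbacks; p->id != CB_LIST_END; p++)
        if (p->id == CB_LOG) rc = p->proc("dispose");
    free(c);
    return rc;
}

#ifdef SHOW_BUG
/* 'Before' (kept out of the default build): the array lives in this frame only. */
static conn_t *auth_buggy(void) {
    cb_t cbs[] = { { CB_LOG, log_cb }, { CB_LIST_END, NULL } };
    conn_t *c = malloc(sizeof *c);
    if (c) c->callbacks = cbs;   /* dangling as soon as this function returns */
    return c;                    /* a later conn_dispose(c) reads dead stack memory */
}
#endif

/* 'After': the array shares the connection's lifetime (one allocation holds both). */
static conn_t *auth_fixed(void) {
    struct owned { conn_t conn; cb_t cbs[2]; } *o = malloc(sizeof *o);
    if (!o) return NULL;
    o->cbs[0] = (cb_t){ CB_LOG, log_cb };
    o->cbs[1] = (cb_t){ CB_LIST_END, NULL };
    o->conn.callbacks = o->cbs;
    return &o->conn;             /* first member, so free(&o->conn) frees the whole block */
}

int main(void) {
    conn_t *c = auth_fixed();    /* the auth function has returned by the time dispose runs */
    printf("log callback reached at dispose: %d\n", c ? conn_dispose(c) : -1);
    return 0;
}
```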

Julian Taylor (jtaylor)
Changed in subversion (Ubuntu):
status: Confirmed → Triaged
Revision history for this message
Marco Paolini (mpaolini) wrote :

the relevant debian bug is 631765

it was fixed in Debian on Sept 20, in 1.6.17dfsg-2, as noted in #631765

(thanks to Peter, debian package maintainer, for the info)

Changed in subversion (Debian):
status: Unknown → Fix Released
Julian Taylor (jtaylor)
Changed in subversion (Ubuntu):
status: Triaged → Fix Released
Julian Taylor (jtaylor)
description: updated
summary: - svn up Segmentation Fault
+ svn up Segmentation Fault with sasl enabled repositories
Julian Taylor (jtaylor)
description: updated
Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Hello Marco, or anyone else affected,

Accepted subversion into oneiric-proposed. The package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in subversion (Ubuntu Oneiric):
status: New → Fix Committed
tags: added: verification-needed
Revision history for this message
Tristan Schmelcher (tschmelcher) wrote :

The update in oneiric-proposed fixed the problem for me. Thanks.

tags: added: verification-done
removed: verification-needed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package subversion - 1.6.12dfsg-4ubuntu5.1

---------------
subversion (1.6.12dfsg-4ubuntu5.1) oneiric-proposed; urgency=low

  * patches/sasl-mem-handling: patch from 1.6.17dfsg-2 to fix a crash with
    svn:// URLs and SASL authentication. (LP: #881862)
 -- Julian Taylor <email address hidden> Fri, 10 Feb 2012 12:39:33 -0800

Changed in subversion (Ubuntu Oneiric):
status: Fix Committed → Fix Released