[Bug 1174444] Re: ps segfault when users have large numbers of group memberships (procps 3.2.8)

Javier Sánchez javier.sanchez at tmclick.com
Thu May 16 21:04:36 UTC 2013


I've been using ISPConfig, very good software for handling a small ISP, for quite a while. We inherited a couple thousand users from the closure of another partner. Since they had marginal traffic but a lot of legacy sites, we used a dedicated web server with Ubuntu 12.04 LTS LAMP and the standard ISPConfig setup.
ISPConfig configures a user for every web and a group for every client. The apache user belongs to every "client" group. I think this is the real-life situation you were looking for in order to reproduce the bug.
ISPConfig has a PHP cron script which is used for internal tasks between the main server and its slaves. One of the things the script does is check that there is no other instance running. The PHP code invokes "ps ax" and then searches for itself in the results.
It took us a little while to realize what was happening. Finally we disabled the cron process, so we were able to keep the system stable, though not synchronized with users' petitions. After googling for several days since April 28th I started to see the Launchpad bug report.

As you can imagine, the fix does not work for us (I wouldn't be boring you
if it did). We can agree that we have so many groups for a user to belong to
(exactly 1556) ... that our setup is a bit weird... that system limits
must be somewhere... and so on. But in any case I think "ps" should be
protected against issuing SEGV. We will be reviewing our configuration,
of course, but wouldn't it be right to avoid the SEGV?

We can provide, if required, strace, example /etc/group and
/proc/apache/stat files and, of course, testing as needed.

Thanks in advance

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to procps in Ubuntu.
https://bugs.launchpad.net/bugs/1174444

Title:
  ps segfault when users have large numbers of group memberships (procps
  3.2.8)

Status in “procps” package in Ubuntu:
  In Progress

Bug description:
  [Impact]

   * Users with large numbers of groups will cause ps to segfault.  This
  can happen when directory services such as Active Directory or
  possibly others like LDAP are in use.

   * The upload expands buffer sizes to be in line with upstream procps.

  [Test Case]

   * Using a directory service, create a user that belongs to a very large number of groups.
   * Run ps, which will segfault.

   * these should allow someone who is not familiar with the affected
     package to reproduce the bug and verify that the updated package fixes
     the problem.

  [Regression Potential]

   * Regressions are highly unlikely as only buffer sizes were changed
  to be in line with commit 7933435584aa1fd75460f4c7715a3d4855d97c1c of
  upstream procps.

  [Other Info]
   
   * This fix is not in quantal or raring, but should be available in saucy assuming the version of procps in there is greater than 3.3.4
   

  
  When a user logs in via ssh with a large number of group memberships it causes a seg fault when running ps (procps version 3.2.8).

  Description:	Ubuntu 12.04.2 LTS
  Release:	12.04

  procps:
    Installed: 1:3.2.8-11ubuntu6
    Candidate: 1:3.2.8-11ubuntu6
    Version table:
   *** 1:3.2.8-11ubuntu6 0
          500 http://us.archive.ubuntu.com/ubuntu/ precise/main amd64 Packages
          100 /var/lib/dpkg/status

  Expected results: ps completes and returns to prompt

    PID TTY          TIME CMD
  12707 pts/1    00:00:00 sudo
  12708 pts/1    00:00:00 bash

  Actual results:

    PID TTY          TIME CMD
  12707 pts/1    00:00:00 sudo
  12708 pts/1    00:00:00 bash

  Signal 11 (SEGV) caught by ps (procps version 3.2.8).

  Here is the end of a strace on a ps:

  mmap(NULL, 135168, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f4da880e000
  mremap(0x7f4da880e000, 135168, 266240, MREMAP_MAYMOVE) = 0x7f4da87cd000
  mremap(0x7f4da87cd000, 266240, 528384, MREMAP_MAYMOVE) = 0x7f4da929d000
  mremap(0x7f4da929d000, 528384, 1052672, MREMAP_MAYMOVE) = 0x7f4da919c000
  mremap(0x7f4da919c000, 1052672, 2101248, MREMAP_MAYMOVE) = 0x7f4da862e000
  mremap(0x7f4da862e000, 2101248, 4198400, MREMAP_MAYMOVE) = 0x7f4da822d000
  mremap(0x7f4da822d000, 4198400, 8392704, MREMAP_MAYMOVE) = 0x7f4da7a2c000
  mremap(0x7f4da7a2c000, 8392704, 16781312, MREMAP_MAYMOVE) = 0x7f4da6a2b000
  mremap(0x7f4da6a2b000, 16781312, 33558528, MREMAP_MAYMOVE) = 0x7f4da4a2a000
  mremap(0x7f4da4a2a000, 33558528, 67112960, MREMAP_MAYMOVE) = 0x7f4da0a29000
  mremap(0x7f4da0a29000, 67112960, 134221824, MREMAP_MAYMOVE) = 0x7f4d98a28000
  mremap(0x7f4d98a28000, 134221824, 268439552, MREMAP_MAYMOVE) = 0x7f4d88a27000
  mremap(0x7f4d88a27000, 268439552, 536875008, MREMAP_MAYMOVE) = 0x7f4d68a26000
  mremap(0x7f4d68a26000, 536875008, 1073745920, MREMAP_MAYMOVE) = 0x7f4d28a25000
  mremap(0x7f4d28a25000, 1073745920, 2147487744, MREMAP_MAYMOVE) = 0x7f4ca8a24000
  mremap(0x7f4ca8a24000, 2147487744, 4096, MREMAP_MAYMOVE) = 0x7f4ca8a24000
  --- SIGSEGV (Segmentation fault) @ 0 (0) ---
  write(2, "\n\nSignal 11 (SEGV) caught by ps "..., 132

  Signal 11 (SEGV) caught by ps (procps version 3.2.8).
  Please send bug reports to <feedback at lists.sf.net> or <albert at users.sf.net>
  ) = 132
  exit_group(139)

  Here is the debian bug report on it.
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=702965

  It looks like the 12.10 repos have the newer version of the procps and
  libprocps0 packages which address the problem.

  My question being can these newer versions be put into place for 12.04
  or am I stuck trying to manually install a newer version from the 12.10
  repos or something along those lines to fix this issue.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/procps/+bug/1174444/+subscriptions
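
The request above, that ps fail cleanly rather than SEGV however many groups a user has, comes down to reading variable-length /proc text with bounded growth and an explicit error path. The following is an added example, not procps code and not the upstream fix: it assumes the group list arrives as a /proc/<pid>/status-style "Groups:" line, and `slurp`, `count_groups`, `groups_in_sample` and `MAX_STATUS_BYTES` are hypothetical names; the input is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_STATUS_BYTES (1u << 20) /* cap assumed for this example, not a procps value */

/* Read a stream into a NUL-terminated heap buffer, doubling on demand; NULL on error or at the cap. */
static char *slurp(FILE *fp) {
    size_t cap = 1024, len = 0, n;
    char *buf = malloc(cap), *tmp;
    while (buf && (n = fread(buf + len, 1, cap - 1 - len, fp)) > 0) {
        if ((len += n) < cap - 1) continue;          /* still room, keep reading */
        tmp = cap < MAX_STATUS_BYTES ? realloc(buf, cap * 2) : NULL;
        if (!tmp) free(buf);                         /* fail closed: no overrun, no endless growth */
        buf = tmp;
        cap *= 2;
    }
    if (buf && ferror(fp)) { free(buf); buf = NULL; }
    if (buf) buf[len] = '\0';
    return buf;
}

/* Count GIDs on the "Groups:" line; -1 if the line is absent or malformed. */
static long count_groups(const char *s) {
    const char *p = strncmp(s, "Groups:", 7) ? strstr(s, "\nGroups:") : s;
    long count = 0;
    if (!p) return -1;
    for (p = strchr(p, ':') + 1; ; count++) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '\n' || *p == '\0') return count;  /* end of the Groups: line */
        if (*p < '0' || *p > '9') return -1;         /* reject anything that is not a GID */
        while (*p >= '0' && *p <= '9') p++;
    }
}

/* Constructed input: a /proc/<pid>/status-like file whose Groups: line lists n GIDs. */
static long groups_in_sample(int n) {
    FILE *fp = tmpfile();
    if (!fp) return -1;
    fputs("Name:\thttpd\nGroups:\t", fp);
    for (int i = 0; i < n; i++) fprintf(fp, "%d ", 5000 + i);
    fputs("\n", fp);
    rewind(fp);
    char *s = slurp(fp);
    long count = s ? count_groups(s) : -1;           /* read failure becomes an error code */
    free(s);
    fclose(fp);
    return count;
}

int main(void) { printf("%ld\n", groups_in_sample(1556)); return 0; }
```

With the 1556 memberships mentioned in the report the line is parsed in full; input that would exceed the cap is reported as an error to the caller instead of being truncated or grown without limit.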



