#48132 modrdn crashes server (invalid read/writes)
Closed: wontfix. Opened 6 years ago by mreynolds.

#0  0x00007f7102540877 in raise () from /lib64/libc.so.6
#1  0x00007f7102541f68 in abort () from /lib64/libc.so.6
#2  0x00007f7102580a54 in __libc_message () from /lib64/libc.so.6
#3  0x00007f7102587d78 in _int_free () from /lib64/libc.so.6
#4  0x00007f7105175ee6 in slapi_ch_free (ptr=ptr@entry=0x7f708c0047d8)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/ch_malloc.c:363
#5  0x00007f710517e5c9 in slapi_sdn_done (sdn=0x7f708c0047d0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/dn.c:2332
#6  0x00007f7105184f7a in slapi_entry_free (e=0x7f708c0047d0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/entry.c:2046
#7  0x00007f70f9463a08 in ldbm_back_modrdn (pb=<optimized out>)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c:295
#8  0x00007f71051b3047 in op_shared_rename (pb=pb@entry=0x7f70d8ff8ae0, passin_args=0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/modrdn.c:652
#9  0x00007f71051b3885 in do_modrdn (pb=pb@entry=0x7f70d8ff8ae0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/modrdn.c:256
#10 0x00000000004183b9 in connection_dispatch_operation (pb=0x7f70d8ff8ae0, op=0x205d1a0, conn=0x7f7105556bf0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/connection.c:655
#11 connection_threadmain () at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/connection.c:2534
#12 0x00007f7102f30c2b in _pt_root () from /lib64/libnspr4.so
#13 0x00007f71028d0ee5 in start_thread () from /lib64/libpthread.so.0
#14 0x00007f71025ffd1d in clone () from /lib64/libc.so.6



#0  0x00007fd144086877 in raise () from /lib64/libc.so.6
#1  0x00007fd144087f68 in abort () from /lib64/libc.so.6
#2  0x00007fd1440c6a54 in __libc_message () from /lib64/libc.so.6
#3  0x00007fd1440cc8a7 in malloc_printerr () from /lib64/libc.so.6
#4  0x00007fd146cbbee6 in slapi_ch_free (ptr=ptr@entry=0x7fd09409b520)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/ch_malloc.c:363
#5  0x00007fd146cb4e23 in attr_done (a=0x7fd09409b520)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/attr.c:463
#6  0x00007fd146cb4e9b in slapi_attr_free (ppa=ppa@entry=0x7fd11cff6398)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/attr.c:451
#7  0x00007fd146cb601c in attrlist_free (alist=<optimized out>)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/attrlist.c:53
#8  0x00007fd146ccafc0 in slapi_entry_free (e=0x7fd09408cb30)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/entry.c:2052
#9  0x00007fd13afa9a08 in ldbm_back_modrdn (pb=<optimized out>)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c:295
#10 0x00007fd146cf9047 in op_shared_rename (pb=pb@entry=0x7fd11cff8ae0, passin_args=0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/modrdn.c:652
#11 0x00007fd146cf9885 in do_modrdn (pb=pb@entry=0x7fd11cff8ae0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/modrdn.c:256
#12 0x00000000004183b9 in connection_dispatch_operation (pb=0x7fd11cff8ae0, op=0x1a2ffd0, conn=0x7fd147098aa0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/connection.c:655
#13 connection_threadmain () at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/connection.c:2534
#14 0x00007fd144a76c2b in _pt_root () from /lib64/libnspr4.so
#15 0x00007fd144416ee5 in start_thread () from /lib64/libpthread.so.0
#16 0x00007fd144145d1d in clone () from /lib64/libc.so.6

==18131== Invalid read of size 8
==18131==    at 0x4E8B4FD: slapi_sdn_done (dn.c:2299)
==18131==    by 0x4E91F79: slapi_entry_free (entry.c:2046)
==18131==    by 0x12445A07: ldbm_back_modrdn (ldbm_modrdn.c:295)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)
==18131==  Address 0x157e3990 is 16 bytes inside a block of size 184 free'd
==18131==    at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18131==    by 0x4E82EE5: slapi_ch_free (ch_malloc.c:363)
==18131==    by 0x4E92023: slapi_entry_free (entry.c:2059)
==18131==    by 0x123FDACD: backentry_free (backentry.c:57)
==18131==    by 0x123FF887: cache_return (cache.c:1157)
==18131==    by 0x124459BC: ldbm_back_modrdn (ldbm_modrdn.c:285)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)

==18131== Invalid write of size 8
==18131==    at 0x4EDECC3: slapi_rdn_init (rdn.c:92)
==18131==    by 0x4E91F87: slapi_entry_free (entry.c:2047)
==18131==    by 0x12445A07: ldbm_back_modrdn (ldbm_modrdn.c:295)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)
==18131==  Address 0x157e39b8 is 56 bytes inside a block of size 184 free'd
==18131==    at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18131==    by 0x4E82EE5: slapi_ch_free (ch_malloc.c:363)
==18131==    by 0x4E92023: slapi_entry_free (entry.c:2059)
==18131==    by 0x123FDACD: backentry_free (backentry.c:57)
==18131==    by 0x123FF887: cache_return (cache.c:1157)
==18131==    by 0x124459BC: ldbm_back_modrdn (ldbm_modrdn.c:285)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)
==18131==



==18131== Invalid write of size 4
==18131==    at 0x4F037A8: slapi_valueset_done (valueset.c:619)
==18131==    by 0x4E7BE42: attr_done (attr.c:466)
==18131==    by 0x4E7BE9A: slapi_attr_free (attr.c:451)
==18131==    by 0x4E7D01B: attrlist_free (attrlist.c:53)
==18131==    by 0x4E91FBF: slapi_entry_free (entry.c:2052)
==18131==    by 0x12445A07: ldbm_back_modrdn (ldbm_modrdn.c:295)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)
==18131==  Address 0x2d5a4ad0 is 48 bytes inside a block of size 120 free'd
==18131==    at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18131==    by 0x4E82EE5: slapi_ch_free (ch_malloc.c:363)
==18131==    by 0x4E7BEA4: slapi_attr_free (attr.c:452)
==18131==    by 0x4E7D01B: attrlist_free (attrlist.c:53)
==18131==    by 0x4E91FBF: slapi_entry_free (entry.c:2052)
==18131==    by 0x123FDACD: backentry_free (backentry.c:57)
==18131==    by 0x123FF887: cache_return (cache.c:1157)
==18131==    by 0x124459BC: ldbm_back_modrdn (ldbm_modrdn.c:285)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)



==18131== Invalid read of size 4
==18131==    at 0x77AB5E8: pthread_rwlock_wrlock (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x4E91FE1: slapi_entry_free (entry.c:2054)
==18131==    by 0x12445A07: ldbm_back_modrdn (ldbm_modrdn.c:295)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)
==18131==  Address 0x2d217af4 is 4 bytes inside a block of size 56 free'd
==18131==    at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18131==    by 0x4E82EE5: slapi_ch_free (ch_malloc.c:363)
==18131==    by 0x4EF123C: slapi_destroy_rwlock (slapi2nspr.c:237)
==18131==    by 0x4E92019: slapi_entry_free (entry.c:2058)
==18131==    by 0x123FDACD: backentry_free (backentry.c:57)
==18131==    by 0x123FF887: cache_return (cache.c:1157)
==18131==    by 0x124459BC: ldbm_back_modrdn (ldbm_modrdn.c:285)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)
==18131==

Reproducer lib389 test is attached (needs to be run from ds/dirsrvtests/tickets)


It looks to me like a pretty safe fix. A great job!

f14fb8b..1d9ae0f master -> master
[mareynol@localhost ds]$ git log -1
commit 1d9ae0f
Author: Mark Reynolds <mreynolds@redhat.com>
Date: Thu Mar 19 09:58:53 2015 -0400

ff224e7..a6784c0 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit a6784c0

fac457e..1fbd914 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
commit 1fbd914

1508e72..7b37f77 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
commit 7b37f771e016ec737c7a0a081d5c1120e94a2e9a

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: N/A

4 years ago

389-ds-base is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in 389-ds-base's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/389ds/389-ds-base/issues/1463

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

9 months ago
