#48132 modrdn crashes server (invalid read/writes)
Closed: Fixed None Opened 4 years ago by mreynolds.

#0  0x00007f7102540877 in raise () from /lib64/libc.so.6
#1  0x00007f7102541f68 in abort () from /lib64/libc.so.6
#2  0x00007f7102580a54 in __libc_message () from /lib64/libc.so.6
#3  0x00007f7102587d78 in _int_free () from /lib64/libc.so.6
#4  0x00007f7105175ee6 in slapi_ch_free (ptr=ptr@entry=0x7f708c0047d8)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/ch_malloc.c:363
#5  0x00007f710517e5c9 in slapi_sdn_done (sdn=0x7f708c0047d0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/dn.c:2332
#6  0x00007f7105184f7a in slapi_entry_free (e=0x7f708c0047d0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/entry.c:2046
#7  0x00007f70f9463a08 in ldbm_back_modrdn (pb=<optimized out>)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c:295
#8  0x00007f71051b3047 in op_shared_rename (pb=pb@entry=0x7f70d8ff8ae0, passin_args=0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/modrdn.c:652
#9  0x00007f71051b3885 in do_modrdn (pb=pb@entry=0x7f70d8ff8ae0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/modrdn.c:256
#10 0x00000000004183b9 in connection_dispatch_operation (pb=0x7f70d8ff8ae0, op=0x205d1a0, conn=0x7f7105556bf0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/connection.c:655
#11 connection_threadmain () at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/connection.c:2534
#12 0x00007f7102f30c2b in _pt_root () from /lib64/libnspr4.so
#13 0x00007f71028d0ee5 in start_thread () from /lib64/libpthread.so.0
#14 0x00007f71025ffd1d in clone () from /lib64/libc.so.6



#0  0x00007fd144086877 in raise () from /lib64/libc.so.6
#1  0x00007fd144087f68 in abort () from /lib64/libc.so.6
#2  0x00007fd1440c6a54 in __libc_message () from /lib64/libc.so.6
#3  0x00007fd1440cc8a7 in malloc_printerr () from /lib64/libc.so.6
#4  0x00007fd146cbbee6 in slapi_ch_free (ptr=ptr@entry=0x7fd09409b520)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/ch_malloc.c:363
#5  0x00007fd146cb4e23 in attr_done (a=0x7fd09409b520)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/attr.c:463
#6  0x00007fd146cb4e9b in slapi_attr_free (ppa=ppa@entry=0x7fd11cff6398)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/attr.c:451
#7  0x00007fd146cb601c in attrlist_free (alist=<optimized out>)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/attrlist.c:53
#8  0x00007fd146ccafc0 in slapi_entry_free (e=0x7fd09408cb30)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/entry.c:2052
#9  0x00007fd13afa9a08 in ldbm_back_modrdn (pb=<optimized out>)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c:295
#10 0x00007fd146cf9047 in op_shared_rename (pb=pb@entry=0x7fd11cff8ae0, passin_args=0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/modrdn.c:652
#11 0x00007fd146cf9885 in do_modrdn (pb=pb@entry=0x7fd11cff8ae0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/modrdn.c:256
#12 0x00000000004183b9 in connection_dispatch_operation (pb=0x7fd11cff8ae0, op=0x1a2ffd0, conn=0x7fd147098aa0)
    at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/connection.c:655
#13 connection_threadmain () at /home/mareynol/workspaces/389-ds-base/ds/ldap/servers/slapd/connection.c:2534
#14 0x00007fd144a76c2b in _pt_root () from /lib64/libnspr4.so
#15 0x00007fd144416ee5 in start_thread () from /lib64/libpthread.so.0
#16 0x00007fd144145d1d in clone () from /lib64/libc.so.6

==18131== Invalid read of size 8
==18131==    at 0x4E8B4FD: slapi_sdn_done (dn.c:2299)
==18131==    by 0x4E91F79: slapi_entry_free (entry.c:2046)
==18131==    by 0x12445A07: ldbm_back_modrdn (ldbm_modrdn.c:295)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)
==18131==  Address 0x157e3990 is 16 bytes inside a block of size 184 free'd
==18131==    at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18131==    by 0x4E82EE5: slapi_ch_free (ch_malloc.c:363)
==18131==    by 0x4E92023: slapi_entry_free (entry.c:2059)
==18131==    by 0x123FDACD: backentry_free (backentry.c:57)
==18131==    by 0x123FF887: cache_return (cache.c:1157)
==18131==    by 0x124459BC: ldbm_back_modrdn (ldbm_modrdn.c:285)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)

==18131== Invalid write of size 8
==18131==    at 0x4EDECC3: slapi_rdn_init (rdn.c:92)
==18131==    by 0x4E91F87: slapi_entry_free (entry.c:2047)
==18131==    by 0x12445A07: ldbm_back_modrdn (ldbm_modrdn.c:295)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)
==18131==  Address 0x157e39b8 is 56 bytes inside a block of size 184 free'd
==18131==    at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18131==    by 0x4E82EE5: slapi_ch_free (ch_malloc.c:363)
==18131==    by 0x4E92023: slapi_entry_free (entry.c:2059)
==18131==    by 0x123FDACD: backentry_free (backentry.c:57)
==18131==    by 0x123FF887: cache_return (cache.c:1157)
==18131==    by 0x124459BC: ldbm_back_modrdn (ldbm_modrdn.c:285)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)
==18131==



==18131== Invalid write of size 4
==18131==    at 0x4F037A8: slapi_valueset_done (valueset.c:619)
==18131==    by 0x4E7BE42: attr_done (attr.c:466)
==18131==    by 0x4E7BE9A: slapi_attr_free (attr.c:451)
==18131==    by 0x4E7D01B: attrlist_free (attrlist.c:53)
==18131==    by 0x4E91FBF: slapi_entry_free (entry.c:2052)
==18131==    by 0x12445A07: ldbm_back_modrdn (ldbm_modrdn.c:295)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)
==18131==  Address 0x2d5a4ad0 is 48 bytes inside a block of size 120 free'd
==18131==    at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18131==    by 0x4E82EE5: slapi_ch_free (ch_malloc.c:363)
==18131==    by 0x4E7BEA4: slapi_attr_free (attr.c:452)
==18131==    by 0x4E7D01B: attrlist_free (attrlist.c:53)
==18131==    by 0x4E91FBF: slapi_entry_free (entry.c:2052)
==18131==    by 0x123FDACD: backentry_free (backentry.c:57)
==18131==    by 0x123FF887: cache_return (cache.c:1157)
==18131==    by 0x124459BC: ldbm_back_modrdn (ldbm_modrdn.c:285)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)



==18131== Invalid read of size 4
==18131==    at 0x77AB5E8: pthread_rwlock_wrlock (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x4E91FE1: slapi_entry_free (entry.c:2054)
==18131==    by 0x12445A07: ldbm_back_modrdn (ldbm_modrdn.c:295)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)
==18131==  Address 0x2d217af4 is 4 bytes inside a block of size 56 free'd
==18131==    at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18131==    by 0x4E82EE5: slapi_ch_free (ch_malloc.c:363)
==18131==    by 0x4EF123C: slapi_destroy_rwlock (slapi2nspr.c:237)
==18131==    by 0x4E92019: slapi_entry_free (entry.c:2058)
==18131==    by 0x123FDACD: backentry_free (backentry.c:57)
==18131==    by 0x123FF887: cache_return (cache.c:1157)
==18131==    by 0x124459BC: ldbm_back_modrdn (ldbm_modrdn.c:285)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==    by 0x4EC0884: do_modrdn (modrdn.c:256)
==18131==    by 0x4183B8: connection_threadmain (connection.c:655)
==18131==    by 0x7168C2A: ??? (in /usr/lib64/libnspr4.so)
==18131==    by 0x77A7EE4: start_thread (in /usr/lib64/libpthread-2.18.so)
==18131==    by 0x7AB1D1C: clone (in /usr/lib64/libc-2.18.so)
==18131==

Reproducer lib389 test is attached (needs to be run from ds/dirsrvtests/tickets)
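Added example (not part of the original ticket or of 389-ds-base): a small Python triage helper that parses memcheck records like the ones above and reports the outermost caller where the freeing path and the later access part ways. The embedded sample is an excerpt of the first record in this ticket, trimmed to a few frames; the names `parse`, `divergence` and `triage` are illustrative.

```python
import re

# Excerpt of the first memcheck record in this ticket (trimmed, not new data).
SAMPLE = """\
==18131== Invalid read of size 8
==18131==    at 0x4E8B4FD: slapi_sdn_done (dn.c:2299)
==18131==    by 0x4E91F79: slapi_entry_free (entry.c:2046)
==18131==    by 0x12445A07: ldbm_back_modrdn (ldbm_modrdn.c:295)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
==18131==  Address 0x157e3990 is 16 bytes inside a block of size 184 free'd
==18131==    at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==18131==    by 0x4E82EE5: slapi_ch_free (ch_malloc.c:363)
==18131==    by 0x4E92023: slapi_entry_free (entry.c:2059)
==18131==    by 0x123FDACD: backentry_free (backentry.c:57)
==18131==    by 0x123FF887: cache_return (cache.c:1157)
==18131==    by 0x124459BC: ldbm_back_modrdn (ldbm_modrdn.c:285)
==18131==    by 0x4EC0046: op_shared_rename.constprop.0 (modrdn.c:652)
"""

ERROR = re.compile(r"==\d+== (Invalid (?:read|write) of size \d+)")
BLOCK = re.compile(r"==\d+==\s+Address 0x[0-9A-Fa-f]+ is .* free'd")
# Frames without file:line debug info ("in /usr/lib64/...") do not match and are skipped.
FRAME = re.compile(r"==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((\S+?):(\d+)\)")

def parse(report):
    """Split a memcheck log into records holding the access stack and the free stack."""
    records, stack = [], None
    for line in report.splitlines():
        if m := ERROR.match(line):
            records.append({"kind": m.group(1), "use": [], "free": []})
            stack = records[-1]["use"]
        elif records and BLOCK.match(line):
            stack = records[-1]["free"]      # following frames describe the earlier free
        elif stack is not None and (m := FRAME.match(line)):
            stack.append((m.group(1), m.group(2), int(m.group(3))))
    return records

def divergence(rec):
    """Walk both stacks from the outermost frame; return the first differing pair."""
    for use, free in zip(reversed(rec["use"]), reversed(rec["free"])):
        if use != free:
            return {"free_site": free, "use_site": use}
    return None

def triage(report):
    return [(r["kind"], divergence(r)) for r in parse(report)]
```

On the excerpt it reports that the block was released under `ldbm_back_modrdn` at `ldbm_modrdn.c:285` and touched again from line 295 of the same function.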


It looks to me like a pretty safe fix. A great job!

f14fb8b..1d9ae0f master -> master
[mareynol@localhost ds]$ git log -1
commit 1d9ae0f
Author: Mark Reynolds <mreynolds@redhat.com>
Date: Thu Mar 19 09:58:53 2015 -0400

ff224e7..a6784c0 389-ds-base-1.3.3 -> 389-ds-base-1.3.3
commit a6784c0

fac457e..1fbd914 389-ds-base-1.3.2 -> 389-ds-base-1.3.2
commit 1fbd914

1508e72..7b37f77 389-ds-base-1.3.1 -> 389-ds-base-1.3.1
commit 7b37f771e016ec737c7a0a081d5c1120e94a2e9a

Metadata Update from @mreynolds:
- Issue assigned to mreynolds
- Issue set to the milestone: N/A

2 years ago
