#48395 ASAN - Use after free in uiduniq 7bit.c
Closed: wontfix. Opened 5 years ago by firstyear.

Asan detected a use after free in 7bit.c during a modrdn operation. This may cause the directory to crash if a specially crafted modrdn request is made, or may be exploitable in some other way.

```
=================================================================
==16004== ERROR: AddressSanitizer: heap-use-after-free on address 0x60040057d7d0 at pc 0x7f3493a27b21 bp 0x7f347237e4a0 sp 0x7f347237e470
READ of size 7 at 0x60040057d7d0 thread T27
    #0 0x7f3493a27b20 in __interceptor_strlen /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_interceptors.cc:453
    #1 0x7f3491109d96 in cvt_s /usr/src/debug/nspr-4.10.8/pr/src/io/../../../nspr/pr/src/io/prprf.c:370
    #2 0x7f3491109d96 in dosprintf /usr/src/debug/nspr-4.10.8/pr/src/io/../../../nspr/pr/src/io/prprf.c:998
    #3 0x7f349110a069 in PR_vsmprintf /usr/src/debug/nspr-4.10.8/pr/src/io/../../../nspr/pr/src/io/prprf.c:1145
    #4 0x7f349359f50d in slapi_ch_smprintf /home/wibrown/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:362
    #5 0x7f3489297f15 in issue_error /home/wibrown/development/389ds/ds/ldap/servers/plugins/uiduniq/7bit.c:87
    #6 0x7f3489298102 in preop_modrdn /home/wibrown/development/389ds/ds/ldap/servers/plugins/uiduniq/7bit.c:661
    #7 0x7f3493657dd4 in plugin_call_func /home/wibrown/development/389ds/ds/ldap/servers/slapd/plugin.c:1920
    #8 0x7f34936582b8 in plugin_call_list /home/wibrown/development/389ds/ds/ldap/servers/slapd/plugin.c:1864
    #9 0x7f34936582b8 in plugin_call_plugins /home/wibrown/development/389ds/ds/ldap/servers/slapd/plugin.c:438
    #10 0x7f34879572a9 in ldbm_back_modrdn /home/wibrown/development/389ds/ds/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c:986
    #11 0x7f349362baab in op_shared_rename.constprop.0 /home/wibrown/development/389ds/ds/ldap/servers/slapd/modrdn.c:627
    #12 0x7f349362c7cd in do_modrdn /home/wibrown/development/389ds/ds/ldap/servers/slapd/modrdn.c:225
    #13 0x42658a in connection_dispatch_operation /home/wibrown/development/389ds/ds/ldap/servers/slapd/connection.c:622
    #14 0x42658a in connection_threadmain /home/wibrown/development/389ds/ds/ldap/servers/slapd/connection.c:1743
    #15 0x7f34911207ba in _pt_root /usr/src/debug/nspr-4.10.8/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:212
    #16 0x7f3493a31a97 in __asan::AsanThread::ThreadStart() /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_thread.cc:99
    #17 0x7f3490ac1dc4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308
    #18 0x7f34907ef21c in __clone (/lib64/libc.so.6+0xf621c)

0x60040057d7d0 is located 0 bytes inside of 7-byte region [0x60040057d7d0,0x60040057d7d7)
freed by thread T27 here:
    #0 0x7f3493a2e009 in __interceptor_free /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:61
    #1 0x7f349359f37d in slapi_ch_free /home/wibrown/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:292
    #2 0x7f34936cd8f9 in ber_bvdone /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:31
    #3 0x7f34936cd8f9 in value_done /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:229
    #4 0x7f34936cd95d in slapi_value_free /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:212
    #5 0x7f34936d010c in valuearray_free_ext /home/wibrown/development/389ds/ds/ldap/servers/slapd/valueset.c:294
    #6 0x7f34936d1190 in slapi_valueset_done /home/wibrown/development/389ds/ds/ldap/servers/slapd/valueset.c:582
    #7 0x7f349358e9bf in attr_done /home/wibrown/development/389ds/ds/ldap/servers/slapd/attr.c:434
    #8 0x7f349358eadc in slapi_attr_free /home/wibrown/development/389ds/ds/ldap/servers/slapd/attr.c:420
    #9 0x7f349359144f in attrlist_free /home/wibrown/development/389ds/ds/ldap/servers/slapd/attrlist.c:24
    #10 0x7f34935bfba4 in slapi_entry_free /home/wibrown/development/389ds/ds/ldap/servers/slapd/entry.c:2021
    #11 0x7f3489298311 in preop_modrdn /home/wibrown/development/389ds/ds/ldap/servers/plugins/uiduniq/7bit.c:658

previously allocated by thread T27 here:
    #0 0x7f3493a2e129 in __interceptor_malloc /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:71
    #1 0x7f349359ec57 in slapi_ch_malloc /home/wibrown/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:113
    #2 0x7f34936cd622 in ber_bvcpy.part.0 /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:44
    #3 0x7f34936cdb21 in ber_bvcpy /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:330
    #4 0x7f34936cdb21 in slapi_value_set_berval /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:332
    #5 0x7f34936cdbbd in value_init /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:178
    #6 0x7f34936cdc52 in value_new /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:155
    #7 0x7f34936cdcd2 in slapi_value_dup /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:143
    #8 0x7f34936d34e4 in slapi_valueset_add_attr_valuearray_ext /home/wibrown/development/389ds/ds/ldap/servers/slapd/valueset.c:1097
    #9 0x7f3493590855 in attr_add_valuearray /home/wibrown/development/389ds/ds/ldap/servers/slapd/attr.c:877
    #10 0x7f34935c6b8d in slapi_entry_add_values_sv /home/wibrown/development/389ds/ds/ldap/servers/slapd/entry.c:3749
    #11 0x7f34935c6c68 in slapi_entry_add_values /home/wibrown/development/389ds/ds/ldap/servers/slapd/entry.c:3720
    #12 0x7f34935c7106 in slapi_entry_add_rdn_values /home/wibrown/development/389ds/ds/ldap/servers/slapd/entry.c:3302
    #13 0x7f3489298214 in preop_modrdn /home/wibrown/development/389ds/ds/ldap/servers/plugins/uiduniq/7bit.c:593
    #14 0x7f34936582b8 in plugin_call_list /home/wibrown/development/389ds/ds/ldap/servers/slapd/plugin.c:1864
    #15 0x7f34936582b8 in plugin_call_plugins /home/wibrown/development/389ds/ds/ldap/servers/slapd/plugin.c:438
    #16 0x7f34879572a9 in ldbm_back_modrdn /home/wibrown/development/389ds/ds/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c:986
    #17 0x7f349362baab in op_shared_rename.constprop.0 /home/wibrown/development/389ds/ds/ldap/servers/slapd/modrdn.c:627
    #18 0x7f349362c7cd in do_modrdn /home/wibrown/development/389ds/ds/ldap/servers/slapd/modrdn.c:225
    #19 0x42658a in connection_dispatch_operation /home/wibrown/development/389ds/ds/ldap/servers/slapd/connection.c:622
    #20 0x42658a in connection_threadmain /home/wibrown/development/389ds/ds/ldap/servers/slapd/connection.c:1743
    #21 0x7f34911207ba in _pt_root /usr/src/debug/nspr-4.10.8/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:212

Thread T27 created by T0 here:
    #0 0x7f3493a22c3a in __interceptor_pthread_create /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_interceptors.cc:122
    #1 0x7f349112048b in _PR_CreateThread /usr/src/debug/nspr-4.10.8/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:453
    #2 0x0

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_interceptors.cc:453 __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c01000a7aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01000a7ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01000a7ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01000a7ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01000a7ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c01000a7af0: fa fa fa fa fa fa fa fa fa fa[fd]fa fa fa fd fa
  0x0c01000a7b00: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c01000a7b10: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c01000a7b20: fa fa fd fd fa fa fd fd fa fa 00 03 fa fa 00 01
  0x0c01000a7b30: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 03 fa
  0x0c01000a7b40: fa fa 00 00 fa fa 00 fa fa fa 02 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==16004== ABORTING
```
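The three stacks in the report line up as one lifetime: the value is allocated when preop_modrdn adds the new RDN values to a temporary entry (7bit.c:593), released when that entry is freed (7bit.c:658), and then read by strlen inside the error formatter called from 7bit.c:661. The following is an added illustration of that pattern and its fix, not the 7bit.c source; `struct entry`, `entry_from_rdn_values`, `entry_free`, `find_non_7bit` and `check_rdn_7bit` are hypothetical stand-ins for the Slapi entry and value API the trace names.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the Slapi_Entry built from the new RDN: one attribute with
 * a NULL-terminated array of heap-allocated values (constructed model). */
struct entry { char **values; };

static struct entry *entry_from_rdn_values(const char **vals, size_t n) {
    struct entry *e = malloc(sizeof *e);
    e->values = calloc(n + 1, sizeof *e->values);
    for (size_t i = 0; i < n; i++)
        e->values[i] = strdup(vals[i]);     /* models slapi_value_dup */
    return e;
}
/* Models slapi_entry_free: every value string is released here. */
static void entry_free(struct entry *e) {
    for (char **v = e->values; *v; v++)
        free(*v);
    free(e->values);
    free(e);
}
/* Returns a pointer INTO the entry for the first value containing a byte
 * with the high bit set (not 7-bit clean), or NULL if all are clean. */
static const char *find_non_7bit(const struct entry *e) {
    for (char **v = e->values; *v; v++)
        for (const unsigned char *p = (const unsigned char *)*v; *p; p++)
            if (*p & 0x80)
                return *v;
    return NULL;
}

/* Lifetime-correct check. The ordering in the trace was: free the entry,
 * then format the message with `bad`, which by then pointed into freed
 * memory (the strlen() ASAN reports as the READ). Here the offending value
 * is copied while the entry is alive. Returns a heap string (caller frees)
 * or NULL when every value is clean. */
char *check_rdn_7bit(const char **vals, size_t n) {
    struct entry *e = entry_from_rdn_values(vals, n);
    const char *bad = find_non_7bit(e);
    char *bad_copy = bad ? strdup(bad) : NULL;  /* copy before freeing */
    entry_free(e);                              /* `bad` dangles from here */
    if (!bad_copy)
        return NULL;
    const char *fmt = "Value %s is not 7-bit clean";
    size_t len = strlen(fmt) + strlen(bad_copy) + 1;
    char *msg = malloc(len);
    snprintf(msg, len, fmt, bad_copy);
    free(bad_copy);
    return msg;
}
```

Building with `-fsanitize=address` and swapping the two marked lines (free first, then format `bad`) reproduces the heap-use-after-free class of report shown above on the model.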

```
To ssh://git.fedorahosted.org/git/389/ds.git
   27da34c..d07d1b5  master -> master
```

commit d07d1b5

Metadata Update from @firstyear:
- Issue assigned to firstyear
- Issue set to the milestone: 1.3.5.0

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/1726

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: Fixed)

5 months ago
