#48395 ASAN - Use after free in uiduniq 7bit.c
Closed: Fixed. Opened 3 years ago by firstyear.

Asan detected a use after free in 7bit.c during a modrdn operation. This may cause the directory to crash if a specially crafted modrdn request is made, or may be exploitable in some other way.

```
=================================================================
==16004== ERROR: AddressSanitizer: heap-use-after-free on address 0x60040057d7d0 at pc 0x7f3493a27b21 bp 0x7f347237e4a0 sp 0x7f347237e470
READ of size 7 at 0x60040057d7d0 thread T27
    #0 0x7f3493a27b20 in __interceptor_strlen /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_interceptors.cc:453
    #1 0x7f3491109d96 in cvt_s /usr/src/debug/nspr-4.10.8/pr/src/io/../../../nspr/pr/src/io/prprf.c:370
    #2 0x7f3491109d96 in dosprintf /usr/src/debug/nspr-4.10.8/pr/src/io/../../../nspr/pr/src/io/prprf.c:998
    #3 0x7f349110a069 in PR_vsmprintf /usr/src/debug/nspr-4.10.8/pr/src/io/../../../nspr/pr/src/io/prprf.c:1145
    #4 0x7f349359f50d in slapi_ch_smprintf /home/wibrown/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:362
    #5 0x7f3489297f15 in issue_error /home/wibrown/development/389ds/ds/ldap/servers/plugins/uiduniq/7bit.c:87
    #6 0x7f3489298102 in preop_modrdn /home/wibrown/development/389ds/ds/ldap/servers/plugins/uiduniq/7bit.c:661
    #7 0x7f3493657dd4 in plugin_call_func /home/wibrown/development/389ds/ds/ldap/servers/slapd/plugin.c:1920
    #8 0x7f34936582b8 in plugin_call_list /home/wibrown/development/389ds/ds/ldap/servers/slapd/plugin.c:1864
    #9 0x7f34936582b8 in plugin_call_plugins /home/wibrown/development/389ds/ds/ldap/servers/slapd/plugin.c:438
    #10 0x7f34879572a9 in ldbm_back_modrdn /home/wibrown/development/389ds/ds/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c:986
    #11 0x7f349362baab in op_shared_rename.constprop.0 /home/wibrown/development/389ds/ds/ldap/servers/slapd/modrdn.c:627
    #12 0x7f349362c7cd in do_modrdn /home/wibrown/development/389ds/ds/ldap/servers/slapd/modrdn.c:225
    #13 0x42658a in connection_dispatch_operation /home/wibrown/development/389ds/ds/ldap/servers/slapd/connection.c:622
    #14 0x42658a in connection_threadmain /home/wibrown/development/389ds/ds/ldap/servers/slapd/connection.c:1743
    #15 0x7f34911207ba in _pt_root /usr/src/debug/nspr-4.10.8/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:212
    #16 0x7f3493a31a97 in __asan::AsanThread::ThreadStart() /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_thread.cc:99
    #17 0x7f3490ac1dc4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308
    #18 0x7f34907ef21c in __clone (/lib64/libc.so.6+0xf621c)

0x60040057d7d0 is located 0 bytes inside of 7-byte region [0x60040057d7d0,0x60040057d7d7)
freed by thread T27 here:
    #0 0x7f3493a2e009 in __interceptor_free /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:61
    #1 0x7f349359f37d in slapi_ch_free /home/wibrown/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:292
    #2 0x7f34936cd8f9 in ber_bvdone /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:31
    #3 0x7f34936cd8f9 in value_done /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:229
    #4 0x7f34936cd95d in slapi_value_free /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:212
    #5 0x7f34936d010c in valuearray_free_ext /home/wibrown/development/389ds/ds/ldap/servers/slapd/valueset.c:294
    #6 0x7f34936d1190 in slapi_valueset_done /home/wibrown/development/389ds/ds/ldap/servers/slapd/valueset.c:582
    #7 0x7f349358e9bf in attr_done /home/wibrown/development/389ds/ds/ldap/servers/slapd/attr.c:434
    #8 0x7f349358eadc in slapi_attr_free /home/wibrown/development/389ds/ds/ldap/servers/slapd/attr.c:420
    #9 0x7f349359144f in attrlist_free /home/wibrown/development/389ds/ds/ldap/servers/slapd/attrlist.c:24
    #10 0x7f34935bfba4 in slapi_entry_free /home/wibrown/development/389ds/ds/ldap/servers/slapd/entry.c:2021
    #11 0x7f3489298311 in preop_modrdn /home/wibrown/development/389ds/ds/ldap/servers/plugins/uiduniq/7bit.c:658

previously allocated by thread T27 here:
    #0 0x7f3493a2e129 in __interceptor_malloc /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_malloc_linux.cc:71
    #1 0x7f349359ec57 in slapi_ch_malloc /home/wibrown/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:113
    #2 0x7f34936cd622 in ber_bvcpy.part.0 /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:44
    #3 0x7f34936cdb21 in ber_bvcpy /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:330
    #4 0x7f34936cdb21 in slapi_value_set_berval /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:332
    #5 0x7f34936cdbbd in value_init /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:178
    #6 0x7f34936cdc52 in value_new /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:155
    #7 0x7f34936cdcd2 in slapi_value_dup /home/wibrown/development/389ds/ds/ldap/servers/slapd/value.c:143
    #8 0x7f34936d34e4 in slapi_valueset_add_attr_valuearray_ext /home/wibrown/development/389ds/ds/ldap/servers/slapd/valueset.c:1097
    #9 0x7f3493590855 in attr_add_valuearray /home/wibrown/development/389ds/ds/ldap/servers/slapd/attr.c:877
    #10 0x7f34935c6b8d in slapi_entry_add_values_sv /home/wibrown/development/389ds/ds/ldap/servers/slapd/entry.c:3749
    #11 0x7f34935c6c68 in slapi_entry_add_values /home/wibrown/development/389ds/ds/ldap/servers/slapd/entry.c:3720
    #12 0x7f34935c7106 in slapi_entry_add_rdn_values /home/wibrown/development/389ds/ds/ldap/servers/slapd/entry.c:3302
    #13 0x7f3489298214 in preop_modrdn /home/wibrown/development/389ds/ds/ldap/servers/plugins/uiduniq/7bit.c:593
    #14 0x7f34936582b8 in plugin_call_list /home/wibrown/development/389ds/ds/ldap/servers/slapd/plugin.c:1864
    #15 0x7f34936582b8 in plugin_call_plugins /home/wibrown/development/389ds/ds/ldap/servers/slapd/plugin.c:438
    #16 0x7f34879572a9 in ldbm_back_modrdn /home/wibrown/development/389ds/ds/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c:986
    #17 0x7f349362baab in op_shared_rename.constprop.0 /home/wibrown/development/389ds/ds/ldap/servers/slapd/modrdn.c:627
    #18 0x7f349362c7cd in do_modrdn /home/wibrown/development/389ds/ds/ldap/servers/slapd/modrdn.c:225
    #19 0x42658a in connection_dispatch_operation /home/wibrown/development/389ds/ds/ldap/servers/slapd/connection.c:622
    #20 0x42658a in connection_threadmain /home/wibrown/development/389ds/ds/ldap/servers/slapd/connection.c:1743
    #21 0x7f34911207ba in _pt_root /usr/src/debug/nspr-4.10.8/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:212

Thread T27 created by T0 here:
    #0 0x7f3493a22c3a in __interceptor_pthread_create /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_interceptors.cc:122
    #1 0x7f349112048b in _PR_CreateThread /usr/src/debug/nspr-4.10.8/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:453
    #2 0x0

SUMMARY: AddressSanitizer: heap-use-after-free /usr/src/debug/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/x86_64-redhat-linux/libsanitizer/asan/../../../../libsanitizer/asan/asan_interceptors.cc:453 __interceptor_strlen
Shadow bytes around the buggy address:
  0x0c01000a7aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01000a7ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01000a7ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01000a7ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c01000a7ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c01000a7af0: fa fa fa fa fa fa fa fa fa fa[fd]fa fa fa fd fa
  0x0c01000a7b00: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c01000a7b10: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c01000a7b20: fa fa fd fd fa fa fd fd fa fa 00 03 fa fa 00 01
  0x0c01000a7b30: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 03 fa
  0x0c01000a7b40: fa fa 00 00 fa fa 00 fa fa fa 02 fa fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==16004== ABORTING
```

To ssh://git.fedorahosted.org/git/389/ds.git
27da34c..d07d1b5 master -> master

commit d07d1b5

Metadata Update from @firstyear:
- Issue assigned to firstyear
- Issue set to the milestone: 1.3.5.0

2 years ago

