#49284 DS crashes when trying to completely remove some optional memberOf attributes.
Closed: wontfix 4 years ago Opened 4 years ago by ilias95.

Issue Description

The MemberOf plugin has 2 attributes that don't appear in its default configuration: memberOfEntryScope and memberOfEntryScopeExcludeSubtree. That means they are not required for the plugin to function. However, if we set either of those and then try to completely remove them, Directory Server will crash.

Package Version and Platform

Git master on Fedora 25.

Steps to reproduce

  1. Add some attribute to either memberOfEntryScope or memberOfEntryScopeExcludeSubtree.
  2. Delete this attribute (and any other if there are more than one) using dsconf for example.

The server will crash.

I'll promptly attach a reproducer.


Metadata Update from @ilias95:
- Custom field type adjusted to defect

4 years ago
=================================================================
==22850==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000402eb0 at pc 0x7f2081f18330 bp 0x7f20487643d0 sp 0x7f20487643c0
READ of size 8 at 0x602000402eb0 thread T40
llvm-symbolizer: for the -functions option: Cannot find option named 'true'!
    #0 0x7f2081f1832f in memberof_free_scope /home/william/development/389ds/ds/ldap/servers/plugins/memberof/memberof_config.c:76
    #1 0x7f2081f1b6f3 in memberof_apply_config /home/william/development/389ds/ds/ldap/servers/plugins/memberof/memberof_config.c:657
    #2 0x7f2081f0b98f in memberof_postop_modify /home/william/development/389ds/ds/ldap/servers/plugins/memberof/memberof.c:1205
    #3 0x7f209063d02d in plugin_call_func /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:2099 (discriminator 1)
    #4 0x7f209063cc61 in plugin_call_list /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:2041
    #5 0x7f2090634cf8 in plugin_call_plugins /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:452
    #6 0x7f209055a82b in dse_modify /home/william/development/389ds/ds/ldap/servers/slapd/dse.c:2034
    #7 0x7f20905f08d7 in op_shared_modify /home/william/development/389ds/ds/ldap/servers/slapd/modify.c:1064
    #8 0x7f20905ec489 in do_modify /home/william/development/389ds/ds/ldap/servers/slapd/modify.c:391
    #9 0x4234ed in connection_dispatch_operation /home/william/development/389ds/ds/ldap/servers/slapd/connection.c:631
    #10 0x429853 in connection_threadmain /home/william/development/389ds/ds/ldap/servers/slapd/connection.c:1766
    #11 0x7f208e27bfca in PR_Select ??:?
    #12 0x7f208e03b368 in start_thread pthread_create.c:?
    #13 0x7f208d913d0e in __GI___clone :?

0x602000402eb0 is located 0 bytes inside of 16-byte region [0x602000402eb0,0x602000402ec0)
freed by thread T40 here:
    #0 0x7f2090f434b8 in __interceptor_free ??:?
    #1 0x7f2090530a0e in slapi_ch_free /home/william/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:271
    #2 0x7f2081f18343 in memberof_free_scope /home/william/development/389ds/ds/ldap/servers/plugins/memberof/memberof_config.c:80
    #3 0x7f2081f1b6f3 in memberof_apply_config /home/william/development/389ds/ds/ldap/servers/plugins/memberof/memberof_config.c:657
    #4 0x7f209055e526 in dse_call_callback /home/william/development/389ds/ds/ldap/servers/slapd/dse.c:2640
    #5 0x7f209055a5b6 in dse_modify /home/william/development/389ds/ds/ldap/servers/slapd/dse.c:2022
    #6 0x7f20905f08d7 in op_shared_modify /home/william/development/389ds/ds/ldap/servers/slapd/modify.c:1064
    #7 0x7f20905ec489 in do_modify /home/william/development/389ds/ds/ldap/servers/slapd/modify.c:391
    #8 0x4234ed in connection_dispatch_operation /home/william/development/389ds/ds/ldap/servers/slapd/connection.c:631
    #9 0x429853 in connection_threadmain /home/william/development/389ds/ds/ldap/servers/slapd/connection.c:1766
    #10 0x7f208e27bfca in PR_Select ??:?

previously allocated by thread T38 here:
    #0 0x7f2090f43a38 in calloc ??:?
    #1 0x7f20905305cc in slapi_ch_calloc /home/william/development/389ds/ds/ldap/servers/slapd/ch_malloc.c:182
    #2 0x7f2081f1b7a2 in memberof_apply_config /home/william/development/389ds/ds/ldap/servers/plugins/memberof/memberof_config.c:663
    #3 0x7f2081f0b98f in memberof_postop_modify /home/william/development/389ds/ds/ldap/servers/plugins/memberof/memberof.c:1205
    #4 0x7f209063d02d in plugin_call_func /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:2099 (discriminator 1)
    #5 0x7f209063cc61 in plugin_call_list /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:2041
    #6 0x7f2090634cf8 in plugin_call_plugins /home/william/development/389ds/ds/ldap/servers/slapd/plugin.c:452
    #7 0x7f209055a82b in dse_modify /home/william/development/389ds/ds/ldap/servers/slapd/dse.c:2034
    #8 0x7f20905f08d7 in op_shared_modify /home/william/development/389ds/ds/ldap/servers/slapd/modify.c:1064
    #9 0x7f20905ec489 in do_modify /home/william/development/389ds/ds/ldap/servers/slapd/modify.c:391
    #10 0x4234ed in connection_dispatch_operation /home/william/development/389ds/ds/ldap/servers/slapd/connection.c:631
    #11 0x429853 in connection_threadmain /home/william/development/389ds/ds/ldap/servers/slapd/connection.c:1766
    #12 0x7f208e27bfca in PR_Select ??:?

Thread T40 created by T0 here:
    #0 0x7f2090e9ca2f in pthread_create ??:?
    #1 0x7f208e27bca9 in PR_Select ??:?

Thread T38 created by T0 here:
    #0 0x7f2090e9ca2f in pthread_create ??:?
    #1 0x7f208e27bca9 in PR_Select ??:?

SUMMARY: AddressSanitizer: heap-use-after-free (/opt/dirsrv/lib/dirsrv/plugins/libmemberof-plugin.so+0x1a32f)
==22850==ABORTING

Metadata Update from @firstyear:
- Custom field reviewstatus adjusted to review

4 years ago

Metadata Update from @firstyear:
- Issue assigned to firstyear

4 years ago

The fix looks valid.
Just a remark: shouldn't it be the job of memberof_free_scope to reset entryScope* like it does for the count?

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.3.7.0

4 years ago

While I agree that that should be the case, I think that free_scope is being given the Slapi_DN **scopes, not a scopes. As a result, we can't NULL the reference the caller is holding. So I think this fix is correct. Alternately, we can change free_scope to take a scopes, put the NULL there, and then just fixup all the calls to it. What do you think? It's a static void inside of memberof_config.c, so should be a pretty safe change.

You are correct, making memberof_free_scope the place where scopes are freed and reset requires changing the interface.
I have no strong opinion on the current fix or the alternative.
Some free routines (slapi_ch_free, slapi_sdn_free, ...) reset the pointer, but others (slapi_entry_free, ...) do not. So it is up to you, knowing you have my ack for the current patch.
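The two fix shapes discussed above, as an added C example that is not 389-ds code: a constructed scope list of owned strings stands in for the plugin's Slapi_DN **scopes and its count, free_scope_by_value mirrors a free routine that cannot clear the caller's pointer, free_scope_by_ref is the by-reference alternative, and mode 1 is my reading of the acked patch (caller resets the pointer). All function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L  /* for strdup */
#include <stdlib.h>
#include <string.h>

/* Constructed model of the plugin's scope list (not 389-ds code): owned
   strings plus a count, standing in for Slapi_DN **scopes and scope_count. */
typedef struct { char **scopes; int scope_count; } scope_config;

/* Free routine as described in the thread: it receives the array by value,
   so it can reset the count but cannot clear the caller's pointer. */
static void free_scope_by_value(char **scopes, int *count) {
    for (int i = 0; i < *count; i++) free(scopes[i]);
    free(scopes);
    *count = 0;
}

/* Alternative raised in the thread: take the address of the caller's pointer
   so the callee frees and NULLs it; a repeated call is then a no-op. */
static void free_scope_by_ref(char ***scopes, int *count) {
    if (*scopes == NULL) return;
    for (int i = 0; i < *count; i++) free((*scopes)[i]);
    free(*scopes);
    *scopes = NULL;
    *count = 0;
}

static void load_scopes(scope_config *cfg) {
    cfg->scopes = calloc(2, sizeof(char *));
    cfg->scopes[0] = strdup("dc=example,dc=com");             /* constructed DNs */
    cfg->scopes[1] = strdup("ou=people,dc=example,dc=com");
    cfg->scope_count = 2;
}

/* Apply a config that removes every scope value and report whether the
   caller's pointer was cleared. mode 0: free only, pointer left dangling so
   the next apply would free it again (the ASan report above). mode 1: caller
   NULLs after the free (the acked patch, as read here). mode 2: callee NULLs
   by reference. The stale pointer is only compared with NULL, never used. */
int scopes_cleared_after_apply(int mode) {
    scope_config cfg = {0};
    load_scopes(&cfg);
    if (mode == 2) {
        free_scope_by_ref(&cfg.scopes, &cfg.scope_count);
    } else {
        free_scope_by_value(cfg.scopes, &cfg.scope_count);
        if (mode == 1) cfg.scopes = NULL;
    }
    return cfg.scopes == NULL;
}
```

Mode 0 is the state a second dse_modify pass would find: the count says nothing is left, but the array pointer still points at freed memory.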

Metadata Update from @mreynolds:
- Custom field reviewstatus adjusted to ack (was: review)

4 years ago

commit c9151c2
To ssh://git@pagure.io/389-ds-base.git
0548490..c9151c2 master -> master

Metadata Update from @firstyear:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

4 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2343

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for any inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

2 years ago
