Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1518069
Description of problem:

=================================================================
==21829== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6004009380b6 at pc 0x7f9979a37d62 bp 0x7f9929d5a610 sp 0x7f9929d5a600
READ of size 1 at 0x6004009380b6 thread T57
    #0 0x7f9979a37d61 in ss_unescape /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/collation/orfilter.c:316
    #1 0x7f9979a37eed in ss_filter_value /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/collation/orfilter.c:351
    #2 0x7f9979a3a164 in ss_filter_values /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/collation/orfilter.c:411
    #3 0x7f99809d963b in attempt_mr_filter_create /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin_mr.c:590
    #4 0x7f99809da6fe in plugin_mr_filter_create /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin_mr.c:616
    #5 0x7f998094706d in get_filter_internal /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/filter.c:310
    #6 0x7f998094a701 in get_filter /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/filter.c:56
    #7 0x55c62bcd5378 in do_search /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/search.c:184
    #8 0x55c62bcaf15a in connection_dispatch_operation /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:648
    #9 0x7f997eab1c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
    #10 0x7f9980fa6867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
    #11 0x7f997e451dd4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308
    #12 0x7f997daff9bc in __clone /usr/src/debug////////glibc-2.17-c758a686/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113

0x6004009380b6 is located 0 bytes to the right of 6-byte region [0x6004009380b0,0x6004009380b6)
allocated by thread T57 here:
    #0 0x7f9980fa2ef9 in malloc _asan_rtl_
    #1 0x7f9980910f07 in slapi_ch_malloc /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/ch_malloc.c:95
    #2 0x7f9979a3a069 in ss_filter_values /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/collation/orfilter.c:405
    #3 0x7f99809d963b in attempt_mr_filter_create /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin_mr.c:590
    #4 0x7f99809da6fe in plugin_mr_filter_create /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin_mr.c:616
    #5 0x7f998094706d in get_filter_internal /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/filter.c:310
    #6 0x7f998094a701 in get_filter /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/filter.c:56
    #7 0x55c62bcd5378 in do_search /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/search.c:184
    #8 0x55c62bcaf15a in connection_dispatch_operation /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:648
    #9 0x7f997eab1c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216

Thread T57 created by T0 here:
    #0 0x7f9980f97a0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f997eab195b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:457
    #2 0x0

Shadow bytes around the buggy address:
  0x0c010011efc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c010011efd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c010011efe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c010011eff0: fa fa fa fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c010011f000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 01 fa
=>0x0c010011f010: fa fa 00 00 fa fa[06]fa fa fa 00 04 fa fa 03 fa
  0x0c010011f020: fa fa 03 fa fa fa 03 fa fa fa fd fd fa fa 00 01
  0x0c010011f030: fa fa 00 04 fa fa fd fd fa fa 07 fa fa fa fd fa
  0x0c010011f040: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c010011f050: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c010011f060: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap righ redzone:       fb
  Freed Heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  ASan internal:           fe
==21829== ABORTING

Version-Release number of selected component (if applicable):
389-ds-base-1.3.7.5-10.el7.x86_64
Metadata Update from @firstyear: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1518069
Search with filter '(description:2.16.840.1.113730.3.3.2.1.1.6:=\*German\*)' generates this trace with ASAN build.
Metadata Update from @vashirov:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
Thanks mate! I'll add this to a test case and reproduce. Thanks!
Using the following test case
provision
dn: cn=user10,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: inetuser
objectClass: userSecurityInformation
sn: _user10
description: added on MUX
cn: user10
Then run the command
ldapsearch -LLL -o ldif-wrap=no -D "cn=directory manager" -W -b "dc=example,dc=com" '(description:2.16.840.1.113730.3.3.2.1.1.6:=\*on\*)'
ASAN build instance exits with
=======================================================
==32011==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200045fe12 at pc 0x7fa2eeea3aa6 bp 0x7fa29a1a18b0 sp 0x7fa29a1a1058
READ of size 3 at 0x60200045fe12 thread T71
    #0 0x7fa2eeea3aa5 in memcmp (/lib64/libasan.so.2+0x77aa5)
    #1 0x7fa2e6b8c657 in ss_unescape 389-ds-base/ldap/servers/plugins/collation/orfilter.c:316
    #2 0x7fa2e6b8ca15 in ss_filter_value 389-ds-base/ldap/servers/plugins/collation/orfilter.c:351
    #3 0x7fa2e6b8cf67 in ss_filter_values 389-ds-base/ldap/servers/plugins/collation/orfilter.c:411
    #4 0x7fa2e6b8de24 in or_filter_create 389-ds-base/ldap/servers/plugins/collation/orfilter.c:554
    #5 0x7fa2ee876824 in attempt_mr_filter_create 389-ds-base/ldap/servers/slapd/plugin_mr.c:590
    #6 0x7fa2ee8769b5 in plugin_mr_filter_create 389-ds-base/ldap/servers/slapd/plugin_mr.c:616
    #7 0x7fa2ee7c5c8a in get_filter_internal 389-ds-base/ldap/servers/slapd/filter.c:314
    #8 0x7fa2ee7c4a34 in get_filter 389-ds-base/ldap/servers/slapd/filter.c:55
    #9 0x457bf0 in do_search 389-ds-base/ldap/servers/slapd/search.c:184
    #10 0x41d1d1 in connection_dispatch_operation 389-ds-base/ldap/servers/slapd/connection.c:648
    #11 0x422053 in connection_threadmain 389-ds-base/ldap/servers/slapd/connection.c:1760
    #12 0x7fa2ec4dc68a (/lib64/libnspr4.so+0x2968a)
    #13 0x7fa2ebe78619 in start_thread (/lib64/libpthread.so.0+0x7619)
    #14 0x7fa2eb9695fc in clone (/lib64/libc.so.6+0x1025fc)

=================================================================
==15540==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000461d4f at pc 0x7f3071276eec bp 0x7f302b75f420 sp 0x7f302b75f410
READ of size 1 at 0x602000461d4f thread T42
    #0 0x7f3071276eeb in ldap_utf8prev 389-ds-base/ldap/servers/slapd/utf8.c:110
    #1 0x7f30695880d6 in SetUnicodeStringFromUTF_8 389-ds-base/ldap/servers/plugins/collation/collate.c:260
    #2 0x7f30695887b9 in collation_index 389-ds-base/ldap/servers/plugins/collation/collate.c:313
    #3 0x7f306958d326 in ss_filter_key 389-ds-base/ldap/servers/plugins/collation/orfilter.c:437
    #4 0x7f306958d661 in ss_filter_keys 389-ds-base/ldap/servers/plugins/collation/orfilter.c:470
    #5 0x7f306958e0f4 in or_filter_create 389-ds-base/ldap/servers/plugins/collation/orfilter.c:570
    #6 0x7f3071203824 in attempt_mr_filter_create 389-ds-base/ldap/servers/slapd/plugin_mr.c:590
    #7 0x7f30712039b5 in plugin_mr_filter_create 389-ds-base/ldap/servers/slapd/plugin_mr.c:616
    #8 0x7f3071152c8a in get_filter_internal 389-ds-base/ldap/servers/slapd/filter.c:314
    #9 0x7f3071151a34 in get_filter 389-ds-base/ldap/servers/slapd/filter.c:55
    #10 0x457bf0 in do_search 389-ds-base/ldap/servers/slapd/search.c:184
    #11 0x41d1d1 in connection_dispatch_operation 389-ds-base/ldap/servers/slapd/connection.c:648
    #12 0x422053 in connection_threadmain 389-ds-base/ldap/servers/slapd/connection.c:1760
    #13 0x7f306ee6968a (/lib64/libnspr4.so+0x2968a)
    #14 0x7f306e805619 in start_thread (/lib64/libpthread.so.0+0x7619)
    #15 0x7f306e2f65fc in clone (/lib64/libc.so.6+0x1025fc)
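Both traces above fault inside the unescaping of a substring value that was copied into an exact-size, non-NUL-terminated heap buffer (the 6-byte region in the first report). As an added example, not 389-ds-base code, the following shows a bounds-checked decoder of RFC 4515 `\xx` escapes over such a length-delimited buffer; `safe_unescape` and `hexval` are hypothetical names, the inputs are constructed, and `plimit` is the end-of-buffer pointer the `p >= plimit` check in the review refers to.

```c
/* Added example, not 389-ds-base code: bounds-checked unescape of an RFC 4515
 * filter value.  The input is a length-delimited buffer that is NOT
 * NUL-terminated, so every look-ahead at an escape must be checked against plimit. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Returns a malloc'd, NUL-terminated copy of [s, s + len) with "\xx" hex
 * escapes decoded.  A backslash that is not followed by two hex digits
 * inside the buffer is copied literally rather than read past plimit. */
char *safe_unescape(const char *s, size_t len)
{
    const char *p = s;
    const char *plimit = s + len;   /* one past the last valid byte */
    char *out = malloc(len + 1);    /* decoding never grows the value */
    char *o = out;
    if (out == NULL)
        return NULL;
    while (p < plimit) {
        /* Check the remaining length BEFORE touching p[1] and p[2]; skipping
         * this check is the over-read ASan flagged at orfilter.c:316. */
        if (*p == '\\' && plimit - p >= 3 &&
            hexval(p[1]) >= 0 && hexval(p[2]) >= 0) {
            *o++ = (char)(hexval(p[1]) * 16 + hexval(p[2]));
            p += 3;
        } else {
            *o++ = *p++;
        }
    }
    *o = '\0';
    return out;
}

int main(void)
{
    /* Constructed inputs: an escaped '*', and a value ending in a lone backslash. */
    char *a = safe_unescape("ab\\2acd", 7);
    char *b = safe_unescape("Ger\\", 4);
    printf("%s\n%s\n", a, b);   /* ab*cd, then Ger\ (no over-read) */
    free(a); free(b);
    return 0;
}
```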
Attachment: 0001-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch (/389-ds-base/issue/raw/files/ecc408e387272119699fa6ed94d4fbc41802b2c0affed5513ae562832d7fbadb-0001-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch)
@tbordaz Can we get a lib389 test too in the filter suite for this? I think it would be relatively easy to add :)
Can you please put braces:
+        if (p >= plimit)
+            break;
Because it's a bit nicer if we do for clarity,
Otherwise I think this is okay :)
Attachment: 0002-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch (/389-ds-base/issue/raw/files/9e137d0a0dbde125b73a798cbe5444b735214fa9eb831ed230b86b828e4b5157-0002-Ticket-49471-heap-buffer-overflow-in-ss_unescape.patch)
Metadata Update from @tbordaz: - Custom field reviewstatus adjusted to review (was: None)
Looks great! The test is python 2 only, but I'll help fix that later, no pressure now :) ack from me.
Metadata Update from @firstyear: - Custom field reviewstatus adjusted to ack (was: review)
@firstyear thanks for the review and the grace period for python2 stuff ;)
To ssh://git@pagure.io/389-ds-base.git 1418fc3..5991388 master -> master
Metadata Update from @tbordaz:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
9109af6..3fb1c40 389-ds-base-1.3.7 -> 389-ds-base-1.3.7
3e19256..40e9fa1 389-ds-base-1.3.6 -> 389-ds-base-1.3.6
Metadata Update from @vashirov: - Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)
389-ds-base is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in 389-ds-base's github repository.
This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2530
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for any inconvenience.
Metadata Update from @spichugi: - Issue close_status updated to: wontfix (was: fixed)