#49472 heap-buffer-overflow in slapi_dn_find_parent_ext
Opened 2 years ago by firstyear. Modified 3 months ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1517979

Description of problem:
=================================================================
==7125== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600400511edb at pc 0x7f46b06bd758 bp 0x7f467b9ce590 sp 0x7f467b9ce580
READ of size 1 at 0x600400511edb thread T31
==7125== WARNING: Trying to symbolize code, but external symbolizer is not initialized!
    #0 0x7f46b06bd757 in slapi_dn_find_parent_ext /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dn.c:1633
    #1 0x7f46b06bd8d8 in slapi_dn_parent /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dn.c:1668
    #2 0x7f46b0738753 in do_modrdn /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/modrdn.c:175
    #3 0x5633f97c0e54 in ?? /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:619
    #4 0x7f46ae84bc8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
    #5 0x7f46b0d40867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
    #6 0x7f46ae1ebdd4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308
    #7 0x7f46ad8999bc in __clone /usr/src/debug////////glibc-2.17-c758a686/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113
0x600400511edb is located 0 bytes to the right of 11-byte region [0x600400511ed0,0x600400511edb)
allocated by thread T31 here:
    #0 0x7f46b0d3cef9 in malloc _asan_rtl_
    #1 0x7f46ad8276e9 in __GI___strdup /usr/src/debug/glibc-2.17-c758a686/string/strdup.c:42
Thread T31 created by T0 here:
    #0 0x7f46b0d31a0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f46ae84b95b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:457
    #2 0x0
Shadow bytes around the buggy address:
  0x0c010009a380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c010009a390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c010009a3a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c010009a3b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c010009a3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c010009a3d0: fa fa fa fa fa fa fa fa fa fa 00[03]fa fa fd fd
  0x0c010009a3e0: fa fa 00 03 fa fa 00 03 fa fa fd fd fa fa 00 03
  0x0c010009a3f0: fa fa 00 02 fa fa 00 03 fa fa 07 fa fa fa fd fa
  0x0c010009a400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c010009a410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c010009a420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==7125== ABORTING


Version-Release number of selected component (if applicable):
389-ds-base-1.3.7.5-10.el7.x86_64

Metadata Update from @firstyear:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1517979

2 years ago

Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue set to the milestone: 1.3.7.0 (was: 0.0 NEEDS_TRIAGE)

2 years ago

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.4.2 (was: 1.3.7.0)

3 months ago
