#49473 heap-use-after-free in slapi_sdn_common_ancestor
Opened 2 years ago by firstyear. Modified 4 months ago

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1517968

Description of problem:
=================================================================
==12884== ERROR: AddressSanitizer: heap-use-after-free on address 0x600e0014cb70 at pc 0x7f36c786e615 bp 0x7f3680ed4c70 sp 0x7f3680ed4c60
READ of size 8 at 0x600e0014cb70 thread T35
    #0 0x7f36c786e614 in slapi_sdn_common_ancestor /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2523
    #1 0x7f36c7874937 in dse_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2431
    #2 0x7f36c785f486 in op_shared_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/delete.c:324
    #3 0x7f36c785fa1a in do_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/delete.c:97
    #4 0x55d6ad486e38 in ?? /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:614
    #5 0x7f36c59f7c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
    #6 0x7f36c7eec867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
    #7 0x7f36c5397dd4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308
    #8 0x7f36c4a459bc in __clone /usr/src/debug////////glibc-2.17-c758a686/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113
0x600e0014cb70 is located 64 bytes inside of 72-byte region [0x600e0014cb30,0x600e0014cb78)
freed by thread T35 here:
    #0 0x7f36c7ee8dd9 in __interceptor_free _asan_rtl_
    #1 0x7f36c78576c8 in slapi_ch_free /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/ch_malloc.c:270
    #2 0x7f36c78751e7 in dse_remove_callback /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:321
    #3 0x7f36c7875639 in slapi_config_remove_callback /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2618
    #4 0x7f36bc4b890c in cb_delete_monitor_callback /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/chainingdb/cb_monitor.c:236
    #5 0x7f36bc4b32ec in cb_instance_delete_config_callback /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/chainingdb/cb_instance.c:1759
    #6 0x7f36c786e520 in slapi_sdn_common_ancestor /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2543
    #7 0x7f36c7874937 in dse_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2431
    #8 0x7f36c785f486 in op_shared_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/delete.c:324
    #9 0x7f36c785fa1a in do_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/delete.c:97
    #10 0x55d6ad486e38 in ?? /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:614
    #11 0x7f36c59f7c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
previously allocated by thread T33 here:
    #0 0x7f36c7ee8ff5 in calloc _asan_rtl_
    #1 0x7f36c7857288 in slapi_ch_calloc /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/ch_malloc.c:180
    #2 0x7f36c7874bd2 in dse_register_callback /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:214
    #3 0x7f36c787546a in slapi_config_register_callback_plugin /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2597
    #4 0x7f36c787551d in slapi_config_register_callback /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2567
    #5 0x7f36bc4afb97 in cb_instance_add_monitor_later /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/chainingdb/cb_instance.c:1788
    #6 0x7f36c7888544 in slapd_versatile_strerror /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/eventq.c:278
    #7 0x7f36c59f7c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
Thread T35 created by T0 here:
    #0 0x7f36c7edda0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f36c59f795b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:457
    #2 0x0
Thread T33 created by T0 here:
    #0 0x7f36c7edda0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f36c59f795b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:457
Shadow bytes around the buggy address:
  0x0c0240021910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0240021920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0240021930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0240021940: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c0240021950: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c0240021960: fd fa fa fa fa fa fd fd fd fd fd fd fd fd[fd]fa
  0x0c0240021970: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0240021980: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0240021990: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
  0x0c02400219a0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c02400219b0: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==12884== ABORTING


Version-Release number of selected component (if applicable):
389-ds-base-1.3.7.5-10.el7.x86_64

The problem occurred in the chainingdb test suite in TET.
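The free and read stacks in the report show the same thread (T35) walking the DSE callback list from dse_delete while a plugin callback unregisters itself through slapi_config_remove_callback, so the list node is freed before the walker reads its next pointer. The following is an added C illustration of that pattern and of a deferred-removal fix; it is not 389-ds-base code, and the names cb_t, cb_register, cb_remove, run_callbacks and demo are hypothetical stand-ins.

```c
/* Constructed example, not 389-ds-base code: a callback list walked by the
 * server where one callback unregisters itself mid-walk, as the report's free
 * and read stacks show. Names (cb_t, cb_remove, run_callbacks) are hypothetical. */
#include <stdlib.h>

typedef struct cb {
    struct cb *next;
    int removed;                          /* marked for deferred free */
    int (*fn)(struct cb *self, void *ctx);
} cb_t;
static cb_t *g_list;                      /* stands in for the DSE callback list */
static int g_walking;                     /* >0 while a traversal is in progress */
void cb_register(int (*fn)(cb_t *, void *)) {
    cb_t *c = calloc(1, sizeof *c);       /* like dse_register_callback */
    if (!c) abort();
    c->fn = fn; c->next = g_list; g_list = c;
}
/* The buggy shape is `for (p = list; p; p = p->next) p->fn(p, ctx);` with the
 * remove routine freeing p immediately: p->next is then read from freed memory.
 * Hardened remove: during a walk only mark the entry; the walker frees it later. */
void cb_remove(cb_t *victim) {
    if (g_walking) { victim->removed = 1; return; }
    for (cb_t **pp = &g_list; *pp; pp = &(*pp)->next)
        if (*pp == victim) { *pp = victim->next; free(victim); return; }
}
int run_callbacks(void *ctx) {
    int n = 0;
    g_walking++;
    for (cb_t *p = g_list; p; p = p->next)
        if (!p->removed) { p->fn(p, ctx); n++; }
    if (--g_walking == 0)                 /* sweep deferred removals after the walk */
        for (cb_t **pp = &g_list; *pp;) {
            if ((*pp)->removed) { cb_t *d = *pp; *pp = d->next; free(d); }
            else pp = &(*pp)->next;
        }
    return n;
}
/* Like the chainingdb delete callback unregistering itself from inside the delete path. */
static int self_removing_cb(cb_t *self, void *ctx) { (*(int *)ctx)++; cb_remove(self); return 0; }
static int counting_cb(cb_t *self, void *ctx) { (void)self; (*(int *)ctx)++; return 0; }
int cb_count(void) { int n = 0; for (cb_t *p = g_list; p; p = p->next) n++; return n; }
/* Scenario: three callbacks, the middle one removes itself; returns calls*10 + survivors. */
int demo(void) {
    int calls = 0;
    g_list = NULL;
    cb_register(counting_cb); cb_register(self_removing_cb); cb_register(counting_cb);
    run_callbacks(&calls);                /* all three run; the removal is applied after the walk */
    return calls * 10 + cb_count();       /* 32 */
}
```

The example is single-threaded, which matches the report (allocation in T33, free and read both in T35); in the real server the list would additionally need to be protected by a lock.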

Metadata Update from @firstyear:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1517968

2 years ago

Metadata Update from @mreynolds:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue set to the milestone: 1.3.7.0 (was: 0.0 NEEDS_TRIAGE)

2 years ago

Metadata Update from @mreynolds:
- Issue set to the milestone: 1.4.2 (was: 1.3.7.0)

4 months ago
