#49493 heap-use-after-free in csn_as_string
Closed: wontfix 7 years ago Opened 7 years ago by lkrispen.

When running ASAN tests QE found a heap-use-after-free:

Description of problem:

==25932== ERROR: AddressSanitizer: heap-use-after-free on address 0x600400d68df0 at pc 0x7f8ecdf7f062 bp 0x7f8e8f8e8100 sp 0x7f8e8f8e80f0
READ of size 8 at 0x600400d68df0 thread T45
    #0 0x7f8ecdf7f061 in csn_as_string /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/csn.c:208
    #1 0x7f8ec1413f3c in csnpldata_free /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/replication/csnpl.c:428
    #2 0x7f8ec14145c9 in csnplInsert /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/replication/csnpl.c:142
    #3 0x7f8ec146dadc in ruv_add_csn_inprogress /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/replication/repl5_ruv.c:1540
    #4 0x7f8ec1441295 in replica_get_for_backend /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/replication/repl5_plugins.c:1398
    #5 0x7f8ec1443bb7 in multimaster_preop_modify /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/replication/repl5_plugins.c:343
    #6 0x7f8ece0381e3 in slapi_plugin_op_finished /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin.c:2028 (discriminator 1)
    #7 0x7f8ece038658 in plugin_call_plugins /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin.c:1972
    #8 0x7f8ece003718 in slapi_matchingrule_can_use_compare_fn /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/modify.c:993
    #9 0x7f8ece006776 in do_modify /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/modify.c:383
    #10 0x55a7ab7d3e1c in ?? /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:624
    #11 0x7f8ecc11bc8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
    #12 0x7f8ece610867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
    #13 0x7f8ecbabbdd4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308
    #14 0x7f8ecb1699bc in __clone /usr/src/debug////////glibc-2.17-c758a686/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113
0x600400d68df0 is located 0 bytes inside of 16-byte region [0x600400d68df0,0x600400d68e00)
freed by thread T45 here:
    #0 0x7f8ece60cdd9 in __interceptor_free _asan_rtl_
    #1 0x7f8ecdf7b6c8 in slapi_ch_free /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/ch_malloc.c:270
    #2 0x7f8ec14155cf in csnplFreeCSNPL_CTX /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/replication/csnpl.c:442
    #3 0x7f8ecc1073f5 in PR_SetThreadPrivate /usr/src/debug/nspr-4.17.0/pr/src/threads/../../../nspr/pr/src/threads/prtpd.c:184
previously allocated by thread T45 here:
    #0 0x7f8ece60cff5 in calloc _asan_rtl_
    #1 0x7f8ecdf7b288 in slapi_ch_calloc /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/ch_malloc.c:180
    #2 0x7f8ecdf7ec93 in csn_dup /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/csn.c:118
    #3 0x7f8ec144014b in set_thread_primary_csn /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/replication/repl5_init.c:156
    #4 0x7f8ec146dc12 in ruv_add_csn_inprogress /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/replication/repl5_ruv.c:1532
    #5 0x7f8ec1441295 in replica_get_for_backend /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/replication/repl5_plugins.c:1398
    #6 0x7f8ec14438ef in multimaster_preop_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/replication/repl5_plugins.c:269
    #7 0x7f8ece0381e3 in slapi_plugin_op_finished /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin.c:2028 (discriminator 1)
    #8 0x7f8ece038658 in plugin_call_plugins /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin.c:1972
    #9 0x7f8ecdf833f5 in op_shared_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/delete.c:318
    #10 0x7f8ecdf83a1a in do_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/delete.c:97
    #11 0x55a7ab7d3e38 in ?? /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:614
    #12 0x7f8ecc11bc8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
Thread T45 created by T0 here:
    #0 0x7f8ece601a0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f8ecc11b95b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:457
    #2 0x0
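As an added example (not from the ticket or the 389-ds-base project), a small Python parser for the ASAN use-after-free report format shown above: it splits the report into its access, free and allocation stacks and skips allocator-runtime frames so triage starts from the first frame in the program's own code. The embedded REPORT is a trimmed excerpt of the trace in this ticket, and the `wrappers` argument is an assumption of this example, used to skip the project's slapi_ch_* allocation wrappers that appear in the trace.

```python
import re

# Excerpt of the ASAN report from this ticket, trimmed to a few frames per stack.
REPORT = """\
==25932== ERROR: AddressSanitizer: heap-use-after-free on address 0x600400d68df0 at pc 0x7f8ecdf7f062
READ of size 8 at 0x600400d68df0 thread T45
    #0 0x7f8ecdf7f061 in csn_as_string /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/csn.c:208
    #1 0x7f8ec1413f3c in csnpldata_free /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/replication/csnpl.c:428
freed by thread T45 here:
    #0 0x7f8ece60cdd9 in __interceptor_free _asan_rtl_
    #1 0x7f8ecdf7b6c8 in slapi_ch_free /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/ch_malloc.c:270
    #2 0x7f8ec14155cf in csnplFreeCSNPL_CTX /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/replication/csnpl.c:442
previously allocated by thread T45 here:
    #0 0x7f8ece60cff5 in calloc _asan_rtl_
    #1 0x7f8ecdf7b288 in slapi_ch_calloc /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/ch_malloc.c:180
    #2 0x7f8ecdf7ec93 in csn_dup /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/csn.c:118
"""

HEADER = re.compile(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
FRAME = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)(?:\s+(\S+))?")
# Section markers in the order ASAN prints them for a use-after-free.
SECTIONS = (("access", r"^(READ|WRITE) of size"),
            ("free", r"^freed by thread"),
            ("alloc", r"^previously allocated by thread"))
# Frames inside the allocator/ASAN runtime carry no triage information.
RUNTIME = ("__interceptor_", "calloc", "malloc", "realloc", "free")

def parse_asan_uaf(text):
    """Split a UAF report into access/free/alloc stacks of (function, location)."""
    rep = {"kind": None, "address": None, "access": [], "free": [], "alloc": []}
    current = None
    for line in text.splitlines():
        h = HEADER.search(line)
        sec = next((n for n, p in SECTIONS if re.match(p, line.strip())), None)
        f = FRAME.match(line)
        if h:
            rep["kind"], rep["address"] = h.group(1), h.group(2)
        elif sec:
            current = sec  # every following frame belongs to this stack
        elif f and current:
            rep[current].append((f.group(1), f.group(2) or ""))
    return rep

def first_app_frame(stack, wrappers=()):
    """First frame in the program's own code; `wrappers` (assumed) adds project
    allocation wrappers to skip, e.g. ("slapi_ch_",) for this trace."""
    for func, loc in stack:
        if not func.startswith(RUNTIME + tuple(wrappers)) and loc != "_asan_rtl_":
            return func, loc
    return None
```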

Metadata Update from @lkrispen:
- Custom field component adjusted to None
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1518287
- Custom field type adjusted to None
- Custom field version adjusted to None

7 years ago

AutoMembers stress test passed 100% without crash in ASAN, ack from me.

The patch looks good and you have my ACK.
Note that I wonder if some parts of the code can be grouped in add/mod/modrdn or delete, like the attached sample patch.

0001-merging-postop-calls.patch

Metadata Update from @tbordaz:
- Custom field reviewstatus adjusted to ack (was: None)

7 years ago

I was thinking about something similar, to replace the error handling for normal plugins by calls to ldbm_set_error(), but there were slight differences in the handling of opreturn (and it would have to be passed as well, otherwise you miss the potential change of opreturn), and in your suggestion you sacrifice the error message that a plugin hadn't set the error code. So I decided not to further investigate the difference in handling opreturn and to submit my working version.
But if we have some time we can re-review this and test.

Metadata Update from @lkrispen:
- Custom field reviewstatus adjusted to None (was: ack)

7 years ago

To ssh://git@pagure.io/389-ds-base.git
5f3e4be..c68eaed master -> master

To ssh://git@pagure.io/389-ds-base.git
4b8fc4b..b8f1b19 389-ds-base-1.3.7 -> 389-ds-base-1.3.7

Committed the original patch, will work on Thierry's suggestions.

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue set to the milestone: 1.3.7.0
- Issue status updated to: Closed (was: Open)

7 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/2552

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

4 years ago
