#50646 AddressSanitizer: heap-use-after-free in import_free_job
Closed: fixed 3 months ago by mreynolds. Opened 3 months ago by mreynolds.

Ticket was cloned from Red Hat Bugzilla: Bug 1758109

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
The ASAN error was reported during the execution of
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_import_export

=================================================================
==1150== ERROR: AddressSanitizer: heap-use-after-free on address 0x602a0006a828 at pc 0x7f414d09aef9 bp 0x7f40b0ee1780 sp 0x7f40b0ee1770
READ of size 8 at 0x602a0006a828 thread T73
    #0 0x7f414d09aef8 in import_free_job /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:155
    #1 0x7f414d09c35f in import_main_offline /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:1611
    #2 0x7f4159857bfa in PR_Select /usr/src/debug/nspr-4.21/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:201
    #3 0x7f415bd61867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
    #4 0x7f41591f7ea4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:307
    #5 0x7f41588a38dc in __clone /usr/src/debug////////glibc-2.17-c758a686/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111
0x602a0006a828 is located 232 bytes inside of 328-byte region [0x602a0006a740,0x602a0006a888)
freed by thread T0 here:
    #0 0x7f415bd5ddd9 in __interceptor_free _asan_rtl_
    #1 0x7f415b6c7588 in slapi_ch_free /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/ch_malloc.c:265
    #2 0x7f414d099af9 in idl_iterator_dereference_decrement /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:255
    #3 0x7f415b7e179f in destroy_task /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/task.c:649
    #4 0x7f415b7edf56 in task_shutdown /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/task.c:3020
    #5 0x55f28b15dac7 in ?? /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/daemon.c:1275
    #6 0x55f28b13cde3 in ?? /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/main.c:1204
    #7 0x7f41587c7554 in __libc_start_main /usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:266
previously allocated by thread T16 here:
    #0 0x7f415bd5dff5 in calloc _asan_rtl_
    #1 0x7f415b6c7148 in slapi_ch_calloc /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/ch_malloc.c:175
    #2 0x7f414d09fa5b in ldbm_back_ldif2ldbm_deluxe /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:1648
    #3 0x7f414d10e425 in ldbm_back_ldif2ldbm /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/ldif2ldbm.c:809
    #4 0x7f415b7e668d in task_import_add /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/task.c:1041
    #5 0x7f415b6de430 in dse_call_callback /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/dse.c:2553
    #6 0x7f415b6e3b49 in dse_add /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/dse.c:2250
    #7 0x7f415b6b160b in op_shared_add /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/add.c:679
    #8 0x7f415b6b328f in do_add /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/add.c:236
    #9 0x55f28b151797 in ?? /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/connection.c:610
    #10 0x7f4159857bfa in PR_Select /usr/src/debug/nspr-4.21/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:201
Thread T73 created by T16 here:
    #0 0x7f415bd52a0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f41598578cb in PR_Select /usr/src/debug/nspr-4.21/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:433
    #2 0x0
Thread T16 created by T0 here:
    #0 0x7f415bd52a0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f41598578cb in PR_Select /usr/src/debug/nspr-4.21/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:433
    #2 0x0
Shadow bytes around the buggy address:
  0x0c05c00054b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c00054c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c00054d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c00054e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c05c00054f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c05c0005500: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c05c0005510: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c0005520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c0005530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c0005540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c0005550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==1150== ABORTING

Version-Release number of selected component (if applicable):
389-ds-base-1.3.10.1-2


How reproducible:
1 out of 10 runs

Steps to Reproduce:

Run dirsrvtests/tests/suites/basic/basic_test.py::test_basic_import_export
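As an added example (not code from this ticket or from 389-ds-base), the following Python script parses the ASan report quoted above and turns it into the three facts a triager wants: the first non-wrapper frame of the use, free and allocation stacks, whether the free happened on a different thread than the use, and whether the "located N bytes inside of M-byte region" claim and the highlighted shadow byte agree with the reported address. The embedded REPORT is a constructed excerpt of the report above with the wrapped paths re-joined; the shadow mapping assumes the default x86_64 ASan layout (shadow = (addr >> 3) + 0x7fff8000), and the WRAPPER_FRAMES set is an assumption about which frames are thin allocator wrappers in this code base.

```python
"""Parse the AddressSanitizer heap-use-after-free report quoted in this ticket
and cross-check its arithmetic.  Added example; not code from 389-ds-base."""
import re

# Constructed excerpt of the report above, with the wrapped source paths
# re-joined onto their frame lines (only the frames needed for triage).
REPORT = """\
==1150== ERROR: AddressSanitizer: heap-use-after-free on address 0x602a0006a828 at pc 0x7f414d09aef9 bp 0x7f40b0ee1780 sp 0x7f40b0ee1770
READ of size 8 at 0x602a0006a828 thread T73
    #0 0x7f414d09aef8 in import_free_job /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:155
    #1 0x7f414d09c35f in import_main_offline /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:1611
0x602a0006a828 is located 232 bytes inside of 328-byte region [0x602a0006a740,0x602a0006a888)
freed by thread T0 here:
    #0 0x7f415bd5ddd9 in __interceptor_free _asan_rtl_
    #1 0x7f415b6c7588 in slapi_ch_free /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/ch_malloc.c:265
    #2 0x7f414d099af9 in idl_iterator_dereference_decrement /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:255
    #3 0x7f415b7e179f in destroy_task /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/task.c:649
previously allocated by thread T16 here:
    #0 0x7f415bd5dff5 in calloc _asan_rtl_
    #1 0x7f415b6c7148 in slapi_ch_calloc /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/ch_malloc.c:175
    #2 0x7f414d09fa5b in ldbm_back_ldif2ldbm_deluxe /usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:1648
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+) thread (T\d+)")
FREED_RE = re.compile(r"^freed by thread (T\d+) here:")
ALLOC_RE = re.compile(r"^previously allocated by thread (T\d+) here:")
REGION_RE = re.compile(r"^(0x[0-9a-f]+) is located (\d+) bytes inside of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+)(?: (\S+))?")

# Assumed thin allocator wrappers (plus anything inside the sanitizer runtime):
# the frame worth reading is the first one outside this set.
WRAPPER_FRAMES = {"__interceptor_free", "calloc", "slapi_ch_free", "slapi_ch_calloc"}

# Shadow-byte meanings taken from the legend printed in the report.
SHADOW_LEGEND = {0x00: "addressable", 0xfa: "heap left redzone",
                 0xfb: "heap right redzone", 0xfd: "freed heap region"}


def parse_asan_report(text):
    """Return the bug kind, the access/free/alloc stacks and the region facts."""
    info = {"stacks": {}}
    current = None                      # stack currently being filled
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            info["kind"], info["address"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            info["access"] = {"op": m.group(1), "size": int(m.group(2)), "thread": m.group(4)}
            current = info["stacks"]["access"] = []
        elif m := FREED_RE.match(line):
            info["freed_by"] = m.group(1)
            current = info["stacks"]["free"] = []
        elif m := ALLOC_RE.match(line):
            info["allocated_by"] = m.group(1)
            current = info["stacks"]["alloc"] = []
        elif m := REGION_RE.match(line):
            info["region"] = {"start": int(m.group(4), 16), "end": int(m.group(5), 16),
                              "offset": int(m.group(2)), "size": int(m.group(3))}
        elif (m := FRAME_RE.match(line)) and current is not None:
            func, loc = m.group(1), m.group(2) or ""
            path, sep, lineno = loc.rpartition(":")
            if sep and lineno.isdigit():
                current.append((func, path, int(lineno)))
            else:                       # e.g. "_asan_rtl_": no source location
                current.append((func, loc, None))
    return info


def first_frame_outside(frames, skip=WRAPPER_FRAMES):
    """First frame that is neither sanitizer runtime nor an allocator wrapper."""
    for func, path, lineno in frames:
        if func not in skip and path != "_asan_rtl_":
            return func, path, lineno
    return None


def shadow_address(addr, shadow_offset=0x7FFF8000):
    """Default x86_64 ASan mapping: one shadow byte covers 8 application bytes."""
    return (addr >> 3) + shadow_offset


def check_region(info):
    """Re-derive the 'located N bytes inside of M-byte region' statement."""
    r = info["region"]
    return (info["address"] - r["start"] == r["offset"]
            and r["end"] - r["start"] == r["size"])


def triage(text):
    """Summarise the report: who used, who freed, who allocated, and sanity checks."""
    info = parse_asan_report(text)
    shadow = shadow_address(info["address"])
    return {
        "kind": info["kind"],
        "use": first_frame_outside(info["stacks"]["access"]),
        "free": first_frame_outside(info["stacks"]["free"]),
        "alloc": first_frame_outside(info["stacks"]["alloc"]),
        "cross_thread": info["access"]["thread"] != info["freed_by"],
        "region_ok": check_region(info),
        "shadow_row": shadow & ~0xF,    # the "=>" row in the shadow dump
        "shadow_col": shadow & 0xF,     # the bracketed byte within that row
        "shadow_meaning": SHADOW_LEGEND[0xfd],
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

Running it on the embedded excerpt reports a cross-thread free (read on T73, freed on T0) and confirms that 0x602a0006a828 maps to shadow row 0x0c05c0005500, column 5, which is exactly the bracketed `[fd]` byte in the dump above; a mismatch in either check would mean the report was edited or mis-transcribed before it reached the ticket.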

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1758109

3 months ago

Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None

3 months ago

4673148 - 1.4.1

6304942..4898470 389-ds-base-1.4.0 -> 389-ds-base-1.4.0

e185f7c..9e88768 389-ds-base-1.3.10 -> 389-ds-base-1.3.10

Going to work on front-port to 1.4.2 (master branch) next...

Metadata Update from @mreynolds:
- Issue assigned to mreynolds

3 months ago

Commit 7a0a090 relates to this ticket

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 months ago

