#50646 AddressSanitizer: heap-use-after-free in import_free_job
Closed: wontfix a year ago by mreynolds. Opened a year ago by mreynolds.

Ticket was cloned from Red Hat Bugzilla: Bug 1758109

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
The ASAN error was reported during the execution of
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_import_export

=================================================================
==1150== ERROR: AddressSanitizer: heap-use-after-free on address 0x602a0006a828
at pc 0x7f414d09aef9 bp 0x7f40b0ee1780 sp 0x7f40b0ee1770
READ of size 8 at 0x602a0006a828 thread T73
    #0 0x7f414d09aef8 in import_free_job
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:155
    #1 0x7f414d09c35f in import_main_offline
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:1611
    #2 0x7f4159857bfa in PR_Select /usr/src/debug/nspr-4.21/pr/src/pthreads/../
../../nspr/pr/src/pthreads/ptthread.c:201
    #3 0x7f415bd61867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
    #4 0x7f41591f7ea4 in start_thread
/usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:307
    #5 0x7f41588a38dc in __clone /usr/src/debug////////glibc-2.17-c758a686/misc
/../sysdeps/unix/sysv/linux/x86_64/clone.S:111
0x602a0006a828 is located 232 bytes inside of 328-byte region
[0x602a0006a740,0x602a0006a888)
freed by thread T0 here:
    #0 0x7f415bd5ddd9 in __interceptor_free _asan_rtl_
    #1 0x7f415b6c7588 in slapi_ch_free
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/ch_malloc.c:265
    #2 0x7f414d099af9 in idl_iterator_dereference_decrement
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:255
    #3 0x7f415b7e179f in destroy_task
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/task.c:649
    #4 0x7f415b7edf56 in task_shutdown
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/task.c:3020
    #5 0x55f28b15dac7 in ??
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/daemon.c:1275
    #6 0x55f28b13cde3 in ??
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/main.c:1204
    #7 0x7f41587c7554 in __libc_start_main
/usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:266
previously allocated by thread T16 here:
    #0 0x7f415bd5dff5 in calloc _asan_rtl_
    #1 0x7f415b6c7148 in slapi_ch_calloc
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/ch_malloc.c:175
    #2 0x7f414d09fa5b in ldbm_back_ldif2ldbm_deluxe
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:1648
    #3 0x7f414d10e425 in ldbm_back_ldif2ldbm /usr/src/debug/389-ds-base-1.3.10.
1/ldap/servers/slapd/back-ldbm/ldif2ldbm.c:809
    #4 0x7f415b7e668d in task_import_add
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/task.c:1041
    #5 0x7f415b6de430 in dse_call_callback
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/dse.c:2553
    #6 0x7f415b6e3b49 in dse_add
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/dse.c:2250
    #7 0x7f415b6b160b in op_shared_add
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/add.c:679
    #8 0x7f415b6b328f in do_add
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/add.c:236
    #9 0x55f28b151797 in ??
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/connection.c:610
    #10 0x7f4159857bfa in PR_Select /usr/src/debug/nspr-4.21/pr/src/pthreads/..
/../../nspr/pr/src/pthreads/ptthread.c:201
Thread T73 created by T16 here:
    #0 0x7f415bd52a0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f41598578cb in PR_Select /usr/src/debug/nspr-4.21/pr/src/pthreads/../
../../nspr/pr/src/pthreads/ptthread.c:433
    #2 0x0
Thread T16 created by T0 here:
    #0 0x7f415bd52a0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f41598578cb in PR_Select /usr/src/debug/nspr-4.21/pr/src/pthreads/../
../../nspr/pr/src/pthreads/ptthread.c:433
    #2 0x0
Shadow bytes around the buggy address:
  0x0c05c00054b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c00054c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c00054d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c00054e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c05c00054f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c05c0005500: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c05c0005510: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c0005520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c0005530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c0005540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c0005550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==1150== ABORTING

Version-Release number of selected component (if applicable):
389-ds-base-1.3.10.1-2


How reproducible:
1 out of 10 runs

Steps to Reproduce:

Run dirsrvtests/tests/suites/basic/basic_test.py::test_basic_import_export

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1758109

a year ago

Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None

a year ago

4673148 - 1.4.1

6304942..4898470 389-ds-base-1.4.0 -> 389-ds-base-1.4.0

e185f7c..9e88768 389-ds-base-1.3.10 -> 389-ds-base-1.3.10

Going to work on front-port to 1.4.2 (master branch) next...

Metadata Update from @mreynolds:
- Issue assigned to mreynolds

a year ago

Commit 7a0a090 relates to this ticket

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Metadata Update from @vashirov:
- Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)

7 months ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/3701

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

14 days ago

Login to comment on this ticket.

Metadata
Related Pull Requests