#50829 AddressSanitizer: heap-use-after-free in log_get_loglist
Closed: wontfix 8 months ago by mreynolds. Opened 8 months ago by mreynolds.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1758473

Description of problem:

=================================================================
==4241==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030003238c8
at pc 0x7f45b443389a bp 0x7f458d2e2a40 sp 0x7f458d2e2a30
READ of size 8 at 0x6030003238c8 thread T23
    #0 0x7f45b4433899 in log_get_loglist
(/usr/lib64/dirsrv/libslapd.so.0+0x16a899)
    #1 0x7f45b441f16a in config_set_entry
(/usr/lib64/dirsrv/libslapd.so.0+0x15616a)
    #2 0x7f45b43a9b68 in read_config_dse
(/usr/lib64/dirsrv/libslapd.so.0+0xe0b68)
    #3 0x7f45b43c4f19  (/usr/lib64/dirsrv/libslapd.so.0+0xfbf19)
    #4 0x7f45b43c9181 in dse_search (/usr/lib64/dirsrv/libslapd.so.0+0x100181)
    #5 0x7f45b445c6ec in op_shared_search
(/usr/lib64/dirsrv/libslapd.so.0+0x1936ec)
    #6 0x7f45b44921e9  (/usr/lib64/dirsrv/libslapd.so.0+0x1c91e9)
    #7 0x7f45b44928f6  (/usr/lib64/dirsrv/libslapd.so.0+0x1c98f6)
    #8 0x7f45b449315f in slapi_search_internal_get_entry
(/usr/lib64/dirsrv/libslapd.so.0+0x1ca15f)
    #9 0x7f45b44aef6e in get_entry (/usr/lib64/dirsrv/libslapd.so.0+0x1e5f6e)
    #10 0x7f45b4446dd6  (/usr/lib64/dirsrv/libslapd.so.0+0x17ddd6)
    #11 0x7f45b444bc8b in do_modify (/usr/lib64/dirsrv/libslapd.so.0+0x182c8b)
    #12 0x556c81c64916  (/usr/sbin/ns-slapd+0x45916)
    #13 0x7f45b1c91567  (/lib64/libnspr4.so+0x2b567)
    #14 0x7f45b162c2dd in start_thread (/lib64/libpthread.so.0+0x82dd)
    #15 0x7f45b0e60132 in __GI___clone (/lib64/libc.so.6+0xfc132)

0x6030003238c8 is located 8 bytes inside of 24-byte region
[0x6030003238c0,0x6030003238d8)
freed by thread T25 here:
    #0 0x7f45b4b3d720 in __interceptor_free (/lib64/libasan.so.5+0xef720)
    #1 0x7f45b43a5a8c in slapi_ch_free
(/usr/lib64/dirsrv/libslapd.so.0+0xdca8c)
    #2 0x7f45b4432dd9 in log__delete_rotated_logs
(/usr/lib64/dirsrv/libslapd.so.0+0x169dd9)
    #3 0x556c81c6ad2f  (/usr/sbin/ns-slapd+0x4bd2f)
    #4 0x7f45b1c91567  (/lib64/libnspr4.so+0x2b567)

previously allocated by thread T0 here:
    #0 0x7f45b4b3dae8 in __interceptor_malloc (/lib64/libasan.so.5+0xefae8)
    #1 0x7f45b43a5297 in slapi_ch_malloc
(/usr/lib64/dirsrv/libslapd.so.0+0xdc297)
    #2 0x7f45b4432589 in access_log_openf
(/usr/lib64/dirsrv/libslapd.so.0+0x169589)
    #3 0x7f45b4432b29 in log_update_accesslogdir
(/usr/lib64/dirsrv/libslapd.so.0+0x169b29)
    #4 0x7f45b441105d in config_set_accesslog
(/usr/lib64/dirsrv/libslapd.so.0+0x14805d)
    #5 0x7f45b441e847 in config_set (/usr/lib64/dirsrv/libslapd.so.0+0x155847)
    #6 0x7f45b43aa0af in load_config_dse
(/usr/lib64/dirsrv/libslapd.so.0+0xe10af)
    #7 0x7f45b43c4f19  (/usr/lib64/dirsrv/libslapd.so.0+0xfbf19)
    #8 0x7f45b43c7f4e  (/usr/lib64/dirsrv/libslapd.so.0+0xfef4e)
    #9 0x7f45b43c85c1 in dse_read_file
(/usr/lib64/dirsrv/libslapd.so.0+0xff5c1)
    #10 0x556c81c77f8b  (/usr/sbin/ns-slapd+0x58f8b)
    #11 0x556c81c4aec1  (/usr/sbin/ns-slapd+0x2bec1)
    #12 0x7f45b0d87872 in __libc_start_main (/lib64/libc.so.6+0x23872)

Thread T23 created by T0 here:
    #0 0x7f45b4aa0e73 in __interceptor_pthread_create
(/lib64/libasan.so.5+0x52e73)
    #1 0x7f45b1c9123e  (/lib64/libnspr4.so+0x2b23e)

Thread T25 created by T0 here:
    #0 0x7f45b4aa0e73 in __interceptor_pthread_create
(/lib64/libasan.so.5+0x52e73)
    #1 0x7f45b1c9123e  (/lib64/libnspr4.so+0x2b23e)

SUMMARY: AddressSanitizer: heap-use-after-free
(/usr/lib64/dirsrv/libslapd.so.0+0x16a899) in log_get_loglist
Shadow bytes around the buggy address:
  0x0c068005c6c0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c068005c6d0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c068005c6e0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c068005c6f0: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c068005c700: fd fd fd fd fa fa fd fd fd fa fa fa 00 00 00 06
=>0x0c068005c710: fa fa fd fd fd fa fa fa fd[fd]fd fa fa fa 00 00
  0x0c068005c720: 05 fa fa fa 00 00 05 fa fa fa 00 00 02 fa fa fa
  0x0c068005c730: 00 00 00 00 fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c068005c740: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c068005c750: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
  0x0c068005c760: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4241==ABORTING

Version-Release number of selected component (if applicable):
389-ds-base-1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f.x86_64


How reproducible:
always

Steps to Reproduce:
1. Rebuild 389-ds-base with ASAN
2. Run tests/suites/disk_monitoring/disk_monitoring_test.py::test_operation_wit
h_nsslapd_disk_monitoring_logging_critical_off_below_half_of_the_threshold


Actual results:
ASAN reports heap-use-after-free

Expected results:
No errors from ASAN

Additional info:

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1758473

8 months ago

Metadata Update from @mreynolds:
- Issue assigned to mreynolds

8 months ago

Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Issue set to the milestone: 1.3.10 (was: 0.0 NEEDS_TRIAGE)

8 months ago

Commit bb3ac59 relates to this ticket

Commit bb3ac59 relates to this ticket

b05c86d..d4702b5 389-ds-base-1.4.2 -> 389-ds-base-1.4.2

1d748c5..16f7b52 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

89422c6..da26367 389-ds-base-1.3.10 -> 389-ds-base-1.3.10

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

8 months ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/3883

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

12 days ago

Login to comment on this ticket.

Metadata
Related Pull Requests