#50829 AddressSanitizer: heap-use-after-free in log_get_loglist
Closed: fixed a month ago by mreynolds. Opened a month ago by mreynolds.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1758473

Description of problem:

=================================================================
==4241==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030003238c8 at pc 0x7f45b443389a bp 0x7f458d2e2a40 sp 0x7f458d2e2a30
READ of size 8 at 0x6030003238c8 thread T23
    #0 0x7f45b4433899 in log_get_loglist (/usr/lib64/dirsrv/libslapd.so.0+0x16a899)
    #1 0x7f45b441f16a in config_set_entry (/usr/lib64/dirsrv/libslapd.so.0+0x15616a)
    #2 0x7f45b43a9b68 in read_config_dse (/usr/lib64/dirsrv/libslapd.so.0+0xe0b68)
    #3 0x7f45b43c4f19  (/usr/lib64/dirsrv/libslapd.so.0+0xfbf19)
    #4 0x7f45b43c9181 in dse_search (/usr/lib64/dirsrv/libslapd.so.0+0x100181)
    #5 0x7f45b445c6ec in op_shared_search (/usr/lib64/dirsrv/libslapd.so.0+0x1936ec)
    #6 0x7f45b44921e9  (/usr/lib64/dirsrv/libslapd.so.0+0x1c91e9)
    #7 0x7f45b44928f6  (/usr/lib64/dirsrv/libslapd.so.0+0x1c98f6)
    #8 0x7f45b449315f in slapi_search_internal_get_entry (/usr/lib64/dirsrv/libslapd.so.0+0x1ca15f)
    #9 0x7f45b44aef6e in get_entry (/usr/lib64/dirsrv/libslapd.so.0+0x1e5f6e)
    #10 0x7f45b4446dd6  (/usr/lib64/dirsrv/libslapd.so.0+0x17ddd6)
    #11 0x7f45b444bc8b in do_modify (/usr/lib64/dirsrv/libslapd.so.0+0x182c8b)
    #12 0x556c81c64916  (/usr/sbin/ns-slapd+0x45916)
    #13 0x7f45b1c91567  (/lib64/libnspr4.so+0x2b567)
    #14 0x7f45b162c2dd in start_thread (/lib64/libpthread.so.0+0x82dd)
    #15 0x7f45b0e60132 in __GI___clone (/lib64/libc.so.6+0xfc132)

0x6030003238c8 is located 8 bytes inside of 24-byte region [0x6030003238c0,0x6030003238d8)
freed by thread T25 here:
    #0 0x7f45b4b3d720 in __interceptor_free (/lib64/libasan.so.5+0xef720)
    #1 0x7f45b43a5a8c in slapi_ch_free (/usr/lib64/dirsrv/libslapd.so.0+0xdca8c)
    #2 0x7f45b4432dd9 in log__delete_rotated_logs (/usr/lib64/dirsrv/libslapd.so.0+0x169dd9)
    #3 0x556c81c6ad2f  (/usr/sbin/ns-slapd+0x4bd2f)
    #4 0x7f45b1c91567  (/lib64/libnspr4.so+0x2b567)

previously allocated by thread T0 here:
    #0 0x7f45b4b3dae8 in __interceptor_malloc (/lib64/libasan.so.5+0xefae8)
    #1 0x7f45b43a5297 in slapi_ch_malloc (/usr/lib64/dirsrv/libslapd.so.0+0xdc297)
    #2 0x7f45b4432589 in access_log_openf (/usr/lib64/dirsrv/libslapd.so.0+0x169589)
    #3 0x7f45b4432b29 in log_update_accesslogdir (/usr/lib64/dirsrv/libslapd.so.0+0x169b29)
    #4 0x7f45b441105d in config_set_accesslog (/usr/lib64/dirsrv/libslapd.so.0+0x14805d)
    #5 0x7f45b441e847 in config_set (/usr/lib64/dirsrv/libslapd.so.0+0x155847)
    #6 0x7f45b43aa0af in load_config_dse (/usr/lib64/dirsrv/libslapd.so.0+0xe10af)
    #7 0x7f45b43c4f19  (/usr/lib64/dirsrv/libslapd.so.0+0xfbf19)
    #8 0x7f45b43c7f4e  (/usr/lib64/dirsrv/libslapd.so.0+0xfef4e)
    #9 0x7f45b43c85c1 in dse_read_file (/usr/lib64/dirsrv/libslapd.so.0+0xff5c1)
    #10 0x556c81c77f8b  (/usr/sbin/ns-slapd+0x58f8b)
    #11 0x556c81c4aec1  (/usr/sbin/ns-slapd+0x2bec1)
    #12 0x7f45b0d87872 in __libc_start_main (/lib64/libc.so.6+0x23872)

Thread T23 created by T0 here:
    #0 0x7f45b4aa0e73 in __interceptor_pthread_create (/lib64/libasan.so.5+0x52e73)
    #1 0x7f45b1c9123e  (/lib64/libnspr4.so+0x2b23e)

Thread T25 created by T0 here:
    #0 0x7f45b4aa0e73 in __interceptor_pthread_create (/lib64/libasan.so.5+0x52e73)
    #1 0x7f45b1c9123e  (/lib64/libnspr4.so+0x2b23e)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib64/dirsrv/libslapd.so.0+0x16a899) in log_get_loglist
Shadow bytes around the buggy address:
  0x0c068005c6c0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c068005c6d0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c068005c6e0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c068005c6f0: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c068005c700: fd fd fd fd fa fa fd fd fd fa fa fa 00 00 00 06
=>0x0c068005c710: fa fa fd fd fd fa fa fa fd[fd]fd fa fa fa 00 00
  0x0c068005c720: 05 fa fa fa 00 00 05 fa fa fa 00 00 02 fa fa fa
  0x0c068005c730: 00 00 00 00 fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c068005c740: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c068005c750: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
  0x0c068005c760: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4241==ABORTING

Version-Release number of selected component (if applicable):
389-ds-base-1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f.x86_64


How reproducible:
always

Steps to Reproduce:
1. Rebuild 389-ds-base with ASAN
2. Run tests/suites/disk_monitoring/disk_monitoring_test.py::test_operation_with_nsslapd_disk_monitoring_logging_critical_off_below_half_of_the_threshold


Actual results:
ASAN reports heap-use-after-free

Expected results:
No errors from ASAN
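The report above shows thread T23 reading, inside log_get_loglist, a 24-byte list entry that thread T25 had already freed in log__delete_rotated_logs, which is consistent with the rotated-log list being walked without synchronization against the rotation thread that frees its entries. The C program below is an added illustration of that failure mode and of the snapshot-under-lock pattern that avoids it; it is not 389-ds-base code, all struct and function names (loglist, loglist_snapshot, loglist_trim, loglist_names_unsafe) are hypothetical, the file names are constructed, and the atomic spinlock stands in for whatever lock the server actually uses.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the rotated-log list (not 389-ds-base code):
 * one node per rotated log file, oldest first. */
struct logfileinfo { char *name; struct logfileinfo *next; };

struct loglist {
    struct logfileinfo *head;
    atomic_flag lock; /* stands in for the server's log lock (assumption) */
};

void loglist_init(struct loglist *l) { l->head = NULL; atomic_flag_clear(&l->lock); }
void loglist_lock(struct loglist *l) { while (atomic_flag_test_and_set(&l->lock)) { } }
void loglist_unlock(struct loglist *l) { atomic_flag_clear(&l->lock); }

/* Rotation appends the newly rotated file at the tail. */
int loglist_add(struct loglist *l, const char *name) {
    struct logfileinfo *n = malloc(sizeof *n);
    if (!n) return -1;
    n->name = strdup(name);
    n->next = NULL;
    if (!n->name) { free(n); return -1; }
    loglist_lock(l);
    struct logfileinfo **pp = &l->head;
    while (*pp) pp = &(*pp)->next;
    *pp = n;
    loglist_unlock(l);
    return 0;
}

/* Deleting rotated logs frees the oldest nodes until only `keep` remain;
 * this is the free() the report attributes to thread T25. Returns how many
 * nodes were freed. */
size_t loglist_trim(struct loglist *l, size_t keep) {
    size_t count = 0, removed = 0;
    loglist_lock(l);
    for (struct logfileinfo *p = l->head; p; p = p->next) count++;
    while (count > keep && l->head) {
        struct logfileinfo *old = l->head;
        l->head = old->next;
        free(old->name);
        free(old);
        count--;
        removed++;
    }
    loglist_unlock(l);
    return removed;
}

/* Unsafe pattern: returns pointers that alias the live list, taken without
 * the lock. If loglist_trim() runs on another thread before the caller is
 * done, the caller reads freed memory, which is what ASan flags above. */
const char **loglist_names_unsafe(struct loglist *l, size_t *count) {
    size_t n = 0, i = 0;
    for (struct logfileinfo *p = l->head; p; p = p->next) n++;
    const char **out = calloc(n + 1, sizeof *out);
    if (!out) return NULL;
    for (struct logfileinfo *p = l->head; p; p = p->next) out[i++] = p->name;
    *count = n;
    return out;
}

void loglist_snapshot_free(char **names, size_t count) {
    if (!names) return;
    for (size_t i = 0; i < count; i++) free(names[i]);
    free(names);
}

/* Safe pattern: copy the names while holding the lock. The snapshot owns its
 * strings (NULL-terminated array), so later trimming cannot invalidate it. */
char **loglist_snapshot(struct loglist *l, size_t *count) {
    size_t n = 0, i = 0;
    loglist_lock(l);
    for (struct logfileinfo *p = l->head; p; p = p->next) n++;
    char **out = calloc(n + 1, sizeof *out);
    if (!out) { loglist_unlock(l); return NULL; }
    for (struct logfileinfo *p = l->head; p; p = p->next, i++) {
        out[i] = strdup(p->name);
        if (!out[i]) { loglist_unlock(l); loglist_snapshot_free(out, i); return NULL; }
    }
    loglist_unlock(l);
    *count = n;
    return out;
}

int main(void) {
    struct loglist l;
    size_t n = 0;
    loglist_init(&l);
    loglist_add(&l, "access.20191001-000000"); /* constructed names */
    loglist_add(&l, "access.20191002-000000");
    loglist_add(&l, "access.20191003-000000");
    char **snap = loglist_snapshot(&l, &n);
    loglist_trim(&l, 1); /* what the rotation thread does concurrently */
    for (size_t i = 0; snap && i < n; i++) printf("%s\n", snap[i]); /* still valid */
    loglist_snapshot_free(snap, n);
    loglist_trim(&l, 0);
    return 0;
}
```

Running the program under `-fsanitize=address` is clean because the caller only ever dereferences its own copy; replacing loglist_snapshot with loglist_names_unsafe and dereferencing the result after loglist_trim reproduces the same class of heap-use-after-free ASan reports here, with the free attributed to the trimming code and the read to the enumerating code.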

Additional info:

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1758473

a month ago

Metadata Update from @mreynolds:
- Issue assigned to mreynolds

a month ago

Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Issue set to the milestone: 1.3.10 (was: 0.0 NEEDS_TRIAGE)

a month ago

Commit bb3ac59 relates to this ticket

b05c86d..d4702b5 389-ds-base-1.4.2 -> 389-ds-base-1.4.2

1d748c5..16f7b52 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

89422c6..da26367 389-ds-base-1.3.10 -> 389-ds-base-1.3.10

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a month ago
