#50829 AddressSanitizer: heap-use-after-free in log_get_loglist
Closed: wontfix 5 years ago by mreynolds. Opened 5 years ago by mreynolds.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 1758473

Description of problem:

=================================================================
==4241==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030003238c8
at pc 0x7f45b443389a bp 0x7f458d2e2a40 sp 0x7f458d2e2a30
READ of size 8 at 0x6030003238c8 thread T23
    #0 0x7f45b4433899 in log_get_loglist
(/usr/lib64/dirsrv/libslapd.so.0+0x16a899)
    #1 0x7f45b441f16a in config_set_entry
(/usr/lib64/dirsrv/libslapd.so.0+0x15616a)
    #2 0x7f45b43a9b68 in read_config_dse
(/usr/lib64/dirsrv/libslapd.so.0+0xe0b68)
    #3 0x7f45b43c4f19  (/usr/lib64/dirsrv/libslapd.so.0+0xfbf19)
    #4 0x7f45b43c9181 in dse_search (/usr/lib64/dirsrv/libslapd.so.0+0x100181)
    #5 0x7f45b445c6ec in op_shared_search
(/usr/lib64/dirsrv/libslapd.so.0+0x1936ec)
    #6 0x7f45b44921e9  (/usr/lib64/dirsrv/libslapd.so.0+0x1c91e9)
    #7 0x7f45b44928f6  (/usr/lib64/dirsrv/libslapd.so.0+0x1c98f6)
    #8 0x7f45b449315f in slapi_search_internal_get_entry
(/usr/lib64/dirsrv/libslapd.so.0+0x1ca15f)
    #9 0x7f45b44aef6e in get_entry (/usr/lib64/dirsrv/libslapd.so.0+0x1e5f6e)
    #10 0x7f45b4446dd6  (/usr/lib64/dirsrv/libslapd.so.0+0x17ddd6)
    #11 0x7f45b444bc8b in do_modify (/usr/lib64/dirsrv/libslapd.so.0+0x182c8b)
    #12 0x556c81c64916  (/usr/sbin/ns-slapd+0x45916)
    #13 0x7f45b1c91567  (/lib64/libnspr4.so+0x2b567)
    #14 0x7f45b162c2dd in start_thread (/lib64/libpthread.so.0+0x82dd)
    #15 0x7f45b0e60132 in __GI___clone (/lib64/libc.so.6+0xfc132)

0x6030003238c8 is located 8 bytes inside of 24-byte region
[0x6030003238c0,0x6030003238d8)
freed by thread T25 here:
    #0 0x7f45b4b3d720 in __interceptor_free (/lib64/libasan.so.5+0xef720)
    #1 0x7f45b43a5a8c in slapi_ch_free
(/usr/lib64/dirsrv/libslapd.so.0+0xdca8c)
    #2 0x7f45b4432dd9 in log__delete_rotated_logs
(/usr/lib64/dirsrv/libslapd.so.0+0x169dd9)
    #3 0x556c81c6ad2f  (/usr/sbin/ns-slapd+0x4bd2f)
    #4 0x7f45b1c91567  (/lib64/libnspr4.so+0x2b567)

previously allocated by thread T0 here:
    #0 0x7f45b4b3dae8 in __interceptor_malloc (/lib64/libasan.so.5+0xefae8)
    #1 0x7f45b43a5297 in slapi_ch_malloc
(/usr/lib64/dirsrv/libslapd.so.0+0xdc297)
    #2 0x7f45b4432589 in access_log_openf
(/usr/lib64/dirsrv/libslapd.so.0+0x169589)
    #3 0x7f45b4432b29 in log_update_accesslogdir
(/usr/lib64/dirsrv/libslapd.so.0+0x169b29)
    #4 0x7f45b441105d in config_set_accesslog
(/usr/lib64/dirsrv/libslapd.so.0+0x14805d)
    #5 0x7f45b441e847 in config_set (/usr/lib64/dirsrv/libslapd.so.0+0x155847)
    #6 0x7f45b43aa0af in load_config_dse
(/usr/lib64/dirsrv/libslapd.so.0+0xe10af)
    #7 0x7f45b43c4f19  (/usr/lib64/dirsrv/libslapd.so.0+0xfbf19)
    #8 0x7f45b43c7f4e  (/usr/lib64/dirsrv/libslapd.so.0+0xfef4e)
    #9 0x7f45b43c85c1 in dse_read_file
(/usr/lib64/dirsrv/libslapd.so.0+0xff5c1)
    #10 0x556c81c77f8b  (/usr/sbin/ns-slapd+0x58f8b)
    #11 0x556c81c4aec1  (/usr/sbin/ns-slapd+0x2bec1)
    #12 0x7f45b0d87872 in __libc_start_main (/lib64/libc.so.6+0x23872)

Thread T23 created by T0 here:
    #0 0x7f45b4aa0e73 in __interceptor_pthread_create
(/lib64/libasan.so.5+0x52e73)
    #1 0x7f45b1c9123e  (/lib64/libnspr4.so+0x2b23e)

Thread T25 created by T0 here:
    #0 0x7f45b4aa0e73 in __interceptor_pthread_create
(/lib64/libasan.so.5+0x52e73)
    #1 0x7f45b1c9123e  (/lib64/libnspr4.so+0x2b23e)

SUMMARY: AddressSanitizer: heap-use-after-free
(/usr/lib64/dirsrv/libslapd.so.0+0x16a899) in log_get_loglist
Shadow bytes around the buggy address:
  0x0c068005c6c0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c068005c6d0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c068005c6e0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c068005c6f0: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c068005c700: fd fd fd fd fa fa fd fd fd fa fa fa 00 00 00 06
=>0x0c068005c710: fa fa fd fd fd fa fa fa fd[fd]fd fa fa fa 00 00
  0x0c068005c720: 05 fa fa fa 00 00 05 fa fa fa 00 00 02 fa fa fa
  0x0c068005c730: 00 00 00 00 fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c068005c740: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c068005c750: fd fa fa fa fd fd fd fd fa fa fd fd fd fa fa fa
  0x0c068005c760: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==4241==ABORTING

Version-Release number of selected component (if applicable):
389-ds-base-1.4.1.3-7.module+el8.1.0+4150+5b8c2c1f.x86_64


How reproducible:
always

Steps to Reproduce:
1. Rebuild 389-ds-base with ASAN
2. Run tests/suites/disk_monitoring/disk_monitoring_test.py::test_operation_with_nsslapd_disk_monitoring_logging_critical_off_below_half_of_the_threshold


Actual results:
ASAN reports heap-use-after-free

Expected results:
No errors from ASAN

Additional info:

Metadata Update from @mreynolds:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1758473

5 years ago

Metadata Update from @mreynolds:
- Issue assigned to mreynolds

5 years ago

Metadata Update from @mreynolds:
- Custom field origin adjusted to None
- Custom field reviewstatus adjusted to None
- Issue set to the milestone: 1.3.10 (was: 0.0 NEEDS_TRIAGE)

5 years ago

Commit bb3ac59 relates to this ticket

b05c86d..d4702b5 389-ds-base-1.4.2 -> 389-ds-base-1.4.2

1d748c5..16f7b52 389-ds-base-1.4.1 -> 389-ds-base-1.4.1

89422c6..da26367 389-ds-base-1.3.10 -> 389-ds-base-1.3.10

Metadata Update from @mreynolds:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago

389-ds-base is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in 389-ds-base's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/389ds/389-ds-base/issues/3883

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Metadata Update from @spichugi:
- Issue close_status updated to: wontfix (was: fixed)

4 years ago
