#1930 Crash with negative values in ldap_idmap_range_size
Closed: Fixed None Opened 5 years ago by kaushikub.

While running negative tests on the idmap options, sssd_be crashed. The sssd version used is sssd-1.10.0-6.fc20.beta1.

The domain section in sssd.conf has:

[domain/ADTEST]
debug_level = 0xFFF0
id_provider = ldap
ldap_uri = ldap://example.adserver.com
ldap_schema = ad
ldap_id_mapping = True
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=sssdad,dc=com
ldap_default_authtok = XXXXX
ldap_idmap_range_size=-1000
ldap_idmap_range_min=
ldap_idmap_range_max=

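Looking up a user (getent passwd idmapuser01) crashed sssd_be, and the
following backtrace was generated. Signal 8 is raised at the modulo on line
284 of src/lib/idmap/sss_idmap.c, which is consistent with max_slices
evaluating to zero; the negative ldap_idmap_range_size apparently reaches the
range calculation without being range-checked: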

Core was generated by `/usr/libexec/sssd/sssd_be --domain ADTEST
--debug-to-files'.
Program terminated with signal 8, Arithmetic exception.
#0  0xb6801489 in sss_idmap_calculate_range (ctx=0xb8d71f38,
dom_sid=dom_sid@entry=0xb8d8b998
"S-1-5-21-2153326666-2176343378-3404031434",
slice_num=slice_num@entry=0xbfd86fec, _range=_range@entry=0xbfd86f98) at
src/lib/idmap/sss_idmap.c:284
284                new_slice = hash_val % max_slices;

Thread 1 (Thread 0xb6ec0900 (LWP 19691)):
#0  0xb6801489 in sss_idmap_calculate_range (ctx=0xb8d71f38,
dom_sid=dom_sid@entry=0xb8d8b998
"S-1-5-21-2153326666-2176343378-3404031434",
slice_num=slice_num@entry=0xbfd86fec, _range=_range@entry=0xbfd86f98) at
src/lib/idmap/sss_idmap.c:284
        max_slices = <optimized out>
        orig_slice = <optimized out>
        new_slice = 0
        min = <optimized out>
        max = <optimized out>
        idmap_lower = 4293967296
        idmap_upper = <optimized out>
        rangesize = 4294958296
        autorid_mode = <optimized out>
        hash_val = 93103853
        dom = <optimized out>
#1  0xb688c1ad in sdap_idmap_add_domain
(idmap_ctx=idmap_ctx@entry=0xb8d731d8, dom_name=0xb8d8b998
"S-1-5-21-2153326666-2176343378-3404031434", dom_sid=0xb8d8b998
"S-1-5-21-2153326666-2176343378-3404031434", slice=slice@entry=4294967295)
at src/providers/ldap/sdap_idmap.c:237
        ret = <optimized out>
        range = {min = 41, max = 3070701858}
        err = <optimized out>
        idmap_upper = 4294966296
        __FUNCTION__ = "sdap_idmap_add_domain"
#2  0xb688dc86 in sdap_idmap_sid_to_unix (idmap_ctx=0xb8d731d8,
sid_str=0xb8d7eba8 "S-1-5-21-2153326666-2176343378-3404031434-42668",
id=id@entry=0xbfd87108) at src/providers/ldap/sdap_idmap.c:348
        ret = 0
        err = <optimized out>
        dom_sid_str = 0xb8d8b998 "S-1-5-21-2153326666-2176343378-3404031434"
        __FUNCTION__ = "sdap_idmap_sid_to_unix"
#3  0xb6840d2c in sdap_save_user (memctx=memctx@entry=0xb8d8bce0,
ctx=ctx@entry=0xb8d61870, opts=opts@entry=0xb8d669a8,
dom=dom@entry=0xb8d62730, attrs=0xb8d7ec78, is_initgr=is_initgr@entry=false,
_usn_value=_usn_value@entry=0xbfd871bc, now=now@entry=1368694481) at
src/providers/ldap/sdap_async_users.c:171
        el = 0xb8d8a028
        ret = <optimized out>
        name = 0xb8d8c5c0 "idmapuser01"
        fullname = 0xb8d8bad8 "idmapuser01"
        pwd = 0x0
        gecos = 0xb8d8bad8 "idmapuser01"
        homedir = 0x0
        shell = 0x0
        orig_dn = 0x0
        uid = 48
        gid = 3070502865
        primary_gid = 1363757772
        user_attrs = 0xb8d87ce8
        upn = 0x0
        i = <optimized out>
        cache_timeout = <optimized out>
        usn_value = 0x0
        missing = 0x0
        tmpctx = 0xb8d8bd98
        use_id_mapping = true
        __FUNCTION__ = "sdap_save_user"
        sid_str = 0xb8d7eba8
"S-1-5-21-2153326666-2176343378-3404031434-42668"
        dom_sid_str = 0x0
        group_sid_str = <optimized out>
#4  0xb6843947 in sdap_save_users (memctx=memctx@entry=0xb8d8c100,
sysdb=0xb8d61870, dom=0xb8d62730, opts=0xb8d669a8, users=0xb8d89518,
num_users=1, _usn_value=_usn_value@entry=0xb8d8c128) at
src/providers/ldap/sdap_async_users.c:463
        tmpctx = 0xb8d8bce0
        higher_usn = 0x0
        usn_value = 0x0
        ret = <optimized out>
        sret = <optimized out>
        i = 0
        now = 1368694481
        in_transaction = true
        __FUNCTION__ = "sdap_save_users"
#5  0xb6844347 in sdap_get_users_process (subreq=0x0) at
src/providers/ldap/sdap_async_users.c:695
        req = 0xb8d87fc0
        state = 0xb8d8c100
        ret = <optimized out>
        count = 1
        i = <optimized out>
        users = 0xb8d8c4f0
        next_base = <optimized out>
        __FUNCTION__ = "sdap_get_users_process"
#6  0xb76a447b in _tevent_req_notify_callback () from /lib/libtevent.so.0
No symbol table info available.
#7  0xb76a466b in _tevent_req_done () from /lib/libtevent.so.0
No symbol table info available.
#8  0xb68348ca in sdap_get_generic_done (subreq=0x0) at
src/providers/ldap/sdap_async.c:1558
        req = 0xb8d89768
        ret = 0
        __FUNCTION__ = "sdap_get_generic_done"
#9  0xb76a447b in _tevent_req_notify_callback () from /lib/libtevent.so.0
No symbol table info available.
#10 0xb76a466b in _tevent_req_done () from /lib/libtevent.so.0
No symbol table info available.
#11 0xb683a631 in sdap_get_generic_ext_done (op=0xb8d8a230,
reply=0xb8d8c1d8, error=0, pvt=0xb8d8a310) at
src/providers/ldap/sdap_async.c:1407
        req = 0xb8d8a310
        state = <optimized out>
        errmsg = 0x0
        result = 0
        ret = <optimized out>
        lret = <optimized out>
        total_count = -1224464505
        cookie = {bv_len = 3077140201, bv_val = 0xb771f000 "\334\r\a"}
        returned_controls = 0x0
        page_control = <optimized out>
        __FUNCTION__ = "sdap_get_generic_ext_done"
#12 0xb6838875 in sdap_process_message (ev=<optimized out>, sh=<optimized
out>, msg=0xb8d7f438) at src/providers/ldap/sdap_async.c:366
        msgtype = <optimized out>
        ret = <optimized out>
        reply = 0xb8d8c1d8
        op = 0xb8d8a230
        msgid = <optimized out>
#13 sdap_process_result (ev=<optimized out>, pvt=<optimized out>) at
src/providers/ldap/sdap_async.c:209
        sh = <optimized out>
        no_timeout = {tv_sec = 0, tv_usec = 0}
        te = <optimized out>
        msg = 0xb8d7f438
        ret = 101
        __FUNCTION__ = "sdap_process_result"
#14 0xb76a702b in std_event_loop_once () from /lib/libtevent.so.0
No symbol table info available.
#15 0xb76a32d8 in _tevent_loop_once () from /lib/libtevent.so.0
No symbol table info available.
#16 0xb76a34cc in tevent_common_loop_wait () from /lib/libtevent.so.0
No symbol table info available.
#17 0xb76a3568 in _tevent_loop_wait () from /lib/libtevent.so.0
No symbol table info available.
#18 0xb76fd0e9 in server_loop (main_ctx=0xb8d5e718) at src/util/server.c:602
No locals.
#19 0xb777c7bc in main (argc=4, argv=0xbfd87784) at
src/providers/data_provider_be.c:2771
        opt = <optimized out>
        pc = <optimized out>
        be_domain = 0xb8d5d218 "ADTEST"
        srv_name = <optimized out>
        main_ctx = 0xb8d5e718
        confdb_path = <optimized out>
        ret = <optimized out>
        long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4,
arg = 0xb7691120 <poptHelpOptions>, val = 0, descrip = 0xb77ae4cb "Help
options:", argDescrip = 0x0}, {longName = 0xb77ae4d9 "debug-level",
shortName = 100 'd', argInfo = 2, arg = 0xb718c094 <debug_level>, val = 0,
descrip = 0xb77ae4e5 "Debug level", argDescrip = 0x0}, {longName =
0xb77ae4f1 "debug-to-files", shortName = 102 'f', argInfo = 0, arg =
0xb718c090 <debug_to_file>, val = 0, descrip = 0xb77afa28 "Send the debug
output to files instead of stderr", argDescrip = 0x0}, {longName =
0xb77ae500 "debug-timestamps", shortName = 0 '\000', argInfo = 2, arg =
0xb718c07c <debug_timestamps>, val = 0, descrip = 0xb77ae511 "Add debug
timestamps", argDescrip = 0x0}, {longName = 0xb77ae526 "debug-microseconds",
shortName = 0 '\000', argInfo = 2, arg = 0xb718c078 <debug_microseconds>,
val = 0, descrip = 0xb77afa5c "Show timestamps with microseconds",
argDescrip = 0x0}, {longName = 0xb77aff8c "domain", shortName = 0 '\000',
argInfo = 1, arg = 0xbfd875e4, val = 0, descrip = 0xb77afa80 "Domain of the
information provider (mandatory)", argDescrip = 0x0}, {longName = 0x0,
shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0,
argDescrip = 0x0}}
        __FUNCTION__ = "main"

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.0
rhbz: => 0

Fields changed

owner: somebody => okos
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Moving to 1.10 beta where the ticket was actually fixed.

changelog: =>
milestone: SSSD 1.10.0 => SSSD 1.10 beta

Metadata Update from @kaushikub:
- Issue assigned to okos
- Issue set to the milestone: SSSD 1.10 beta

2 years ago
