#1930 Crash with negative values in ldap_idmap_range_size
Closed: Fixed None Opened 7 years ago by kaushikub.

While running negative tests on idmap options, sssd_be crashed. The version of sssd used is sssd-1.10.0-6.fc20.beta1

The domain section in sssd.conf has:

[domain/ADTEST]
# Reproduction config from the report: LDAP id_provider with the AD schema and ID mapping enabled.
debug_level = 0xFFF0
id_provider = ldap
# NOTE(review): ldap:// is plain LDAP; whether the bind below is protected depends on
# StartTLS settings (e.g. ldap_id_use_start_tls) that this snippet does not show.
ldap_uri = ldap://example.adserver.com
ldap_schema = ad
ldap_id_mapping = True
ldap_default_bind_dn = cn=Administrator,cn=Users,dc=sssdad,dc=com
# Bind password; the value appears to have been masked by the reporter.
ldap_default_authtok = XXXXX
# Negative range size: the invalid value under test (see the ticket title).
ldap_idmap_range_size=-1000
# Both range bounds are left empty; how sssd interprets an empty value is not shown here.
ldap_idmap_range_min=
ldap_idmap_range_max=

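Looking up a user (getent passwd idmapuser01) crashed sssd_be, and the
following backtrace was generated. Signal 8 on the integer modulo in frame #0
indicates that the divisor max_slices was zero (its value is optimized out in
the locals below), i.e. the out-of-range option was used without validation: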

Core was generated by `/usr/libexec/sssd/sssd_be --domain ADTEST
--debug-to-files'.
Program terminated with signal 8, Arithmetic exception.
#0  0xb6801489 in sss_idmap_calculate_range (ctx=0xb8d71f38,
dom_sid=dom_sid@entry=0xb8d8b998
"S-1-5-21-2153326666-2176343378-3404031434",
slice_num=slice_num@entry=0xbfd86fec, _range=_range@entry=0xbfd86f98) at
src/lib/idmap/sss_idmap.c:284
284                new_slice = hash_val % max_slices;

Thread 1 (Thread 0xb6ec0900 (LWP 19691)):
#0  0xb6801489 in sss_idmap_calculate_range (ctx=0xb8d71f38,
dom_sid=dom_sid@entry=0xb8d8b998
"S-1-5-21-2153326666-2176343378-3404031434",
slice_num=slice_num@entry=0xbfd86fec, _range=_range@entry=0xbfd86f98) at
src/lib/idmap/sss_idmap.c:284
        max_slices = <optimized out>
        orig_slice = <optimized out>
        new_slice = 0
        min = <optimized out>
        max = <optimized out>
        idmap_lower = 4293967296
        idmap_upper = <optimized out>
        rangesize = 4294958296
        autorid_mode = <optimized out>
        hash_val = 93103853
        dom = <optimized out>
#1  0xb688c1ad in sdap_idmap_add_domain
(idmap_ctx=idmap_ctx@entry=0xb8d731d8, dom_name=0xb8d8b998
"S-1-5-21-2153326666-2176343378-3404031434", dom_sid=0xb8d8b998
"S-1-5-21-2153326666-2176343378-3404031434", slice=slice@entry=4294967295)
at src/providers/ldap/sdap_idmap.c:237
        ret = <optimized out>
        range = {min = 41, max = 3070701858}
        err = <optimized out>
        idmap_upper = 4294966296
        __FUNCTION__ = "sdap_idmap_add_domain"
#2  0xb688dc86 in sdap_idmap_sid_to_unix (idmap_ctx=0xb8d731d8,
sid_str=0xb8d7eba8 "S-1-5-21-2153326666-2176343378-3404031434-42668",
id=id@entry=0xbfd87108) at src/providers/ldap/sdap_idmap.c:348
        ret = 0
        err = <optimized out>
        dom_sid_str = 0xb8d8b998 "S-1-5-21-2153326666-2176343378-3404031434"
        __FUNCTION__ = "sdap_idmap_sid_to_unix"
#3  0xb6840d2c in sdap_save_user (memctx=memctx@entry=0xb8d8bce0,
ctx=ctx@entry=0xb8d61870, opts=opts@entry=0xb8d669a8,
dom=dom@entry=0xb8d62730, attrs=0xb8d7ec78, is_initgr=is_initgr@entry=false,
_usn_value=_usn_value@entry=0xbfd871bc, now=now@entry=1368694481) at
src/providers/ldap/sdap_async_users.c:171
        el = 0xb8d8a028
        ret = <optimized out>
        name = 0xb8d8c5c0 "idmapuser01"
        fullname = 0xb8d8bad8 "idmapuser01"
        pwd = 0x0
        gecos = 0xb8d8bad8 "idmapuser01"
        homedir = 0x0
        shell = 0x0
        orig_dn = 0x0
        uid = 48
        gid = 3070502865
        primary_gid = 1363757772
        user_attrs = 0xb8d87ce8
        upn = 0x0
        i = <optimized out>
        cache_timeout = <optimized out>
        usn_value = 0x0
        missing = 0x0
        tmpctx = 0xb8d8bd98
        use_id_mapping = true
        __FUNCTION__ = "sdap_save_user"
        sid_str = 0xb8d7eba8
"S-1-5-21-2153326666-2176343378-3404031434-42668"
        dom_sid_str = 0x0
        group_sid_str = <optimized out>
#4  0xb6843947 in sdap_save_users (memctx=memctx@entry=0xb8d8c100,
sysdb=0xb8d61870, dom=0xb8d62730, opts=0xb8d669a8, users=0xb8d89518,
num_users=1, _usn_value=_usn_value@entry=0xb8d8c128) at
src/providers/ldap/sdap_async_users.c:463
        tmpctx = 0xb8d8bce0
        higher_usn = 0x0
        usn_value = 0x0
        ret = <optimized out>
        sret = <optimized out>
        i = 0
        now = 1368694481
        in_transaction = true
        __FUNCTION__ = "sdap_save_users"
#5  0xb6844347 in sdap_get_users_process (subreq=0x0) at
src/providers/ldap/sdap_async_users.c:695
        req = 0xb8d87fc0
        state = 0xb8d8c100
        ret = <optimized out>
        count = 1
        i = <optimized out>
        users = 0xb8d8c4f0
        next_base = <optimized out>
        __FUNCTION__ = "sdap_get_users_process"
#6  0xb76a447b in _tevent_req_notify_callback () from /lib/libtevent.so.0
No symbol table info available.
#7  0xb76a466b in _tevent_req_done () from /lib/libtevent.so.0
No symbol table info available.
#8  0xb68348ca in sdap_get_generic_done (subreq=0x0) at
src/providers/ldap/sdap_async.c:1558
        req = 0xb8d89768
        ret = 0
        __FUNCTION__ = "sdap_get_generic_done"
#9  0xb76a447b in _tevent_req_notify_callback () from /lib/libtevent.so.0
No symbol table info available.
#10 0xb76a466b in _tevent_req_done () from /lib/libtevent.so.0
No symbol table info available.
#11 0xb683a631 in sdap_get_generic_ext_done (op=0xb8d8a230,
reply=0xb8d8c1d8, error=0, pvt=0xb8d8a310) at
src/providers/ldap/sdap_async.c:1407
        req = 0xb8d8a310
        state = <optimized out>
        errmsg = 0x0
        result = 0
        ret = <optimized out>
        lret = <optimized out>
        total_count = -1224464505
        cookie = {bv_len = 3077140201, bv_val = 0xb771f000 "\334\r\a"}
        returned_controls = 0x0
        page_control = <optimized out>
        __FUNCTION__ = "sdap_get_generic_ext_done"
#12 0xb6838875 in sdap_process_message (ev=<optimized out>, sh=<optimized
out>, msg=0xb8d7f438) at src/providers/ldap/sdap_async.c:366
        msgtype = <optimized out>
        ret = <optimized out>
        reply = 0xb8d8c1d8
        op = 0xb8d8a230
        msgid = <optimized out>
#13 sdap_process_result (ev=<optimized out>, pvt=<optimized out>) at
src/providers/ldap/sdap_async.c:209
        sh = <optimized out>
        no_timeout = {tv_sec = 0, tv_usec = 0}
        te = <optimized out>
        msg = 0xb8d7f438
        ret = 101
        __FUNCTION__ = "sdap_process_result"
#14 0xb76a702b in std_event_loop_once () from /lib/libtevent.so.0
No symbol table info available.
#15 0xb76a32d8 in _tevent_loop_once () from /lib/libtevent.so.0
No symbol table info available.
#16 0xb76a34cc in tevent_common_loop_wait () from /lib/libtevent.so.0
No symbol table info available.
#17 0xb76a3568 in _tevent_loop_wait () from /lib/libtevent.so.0
No symbol table info available.
#18 0xb76fd0e9 in server_loop (main_ctx=0xb8d5e718) at src/util/server.c:602
No locals.
#19 0xb777c7bc in main (argc=4, argv=0xbfd87784) at
src/providers/data_provider_be.c:2771
        opt = <optimized out>
        pc = <optimized out>
        be_domain = 0xb8d5d218 "ADTEST"
        srv_name = <optimized out>
        main_ctx = 0xb8d5e718
        confdb_path = <optimized out>
        ret = <optimized out>
        long_options = {{longName = 0x0, shortName = 0 '\000', argInfo = 4,
arg = 0xb7691120 <poptHelpOptions>, val = 0, descrip = 0xb77ae4cb "Help
options:", argDescrip = 0x0}, {longName = 0xb77ae4d9 "debug-level",
shortName = 100 'd', argInfo = 2, arg = 0xb718c094 <debug_level>, val = 0,
descrip = 0xb77ae4e5 "Debug level", argDescrip = 0x0}, {longName =
0xb77ae4f1 "debug-to-files", shortName = 102 'f', argInfo = 0, arg =
0xb718c090 <debug_to_file>, val = 0, descrip = 0xb77afa28 "Send the debug
output to files instead of stderr", argDescrip = 0x0}, {longName =
0xb77ae500 "debug-timestamps", shortName = 0 '\000', argInfo = 2, arg =
0xb718c07c <debug_timestamps>, val = 0, descrip = 0xb77ae511 "Add debug
timestamps", argDescrip = 0x0}, {longName = 0xb77ae526 "debug-microseconds",
shortName = 0 '\000', argInfo = 2, arg = 0xb718c078 <debug_microseconds>,
val = 0, descrip = 0xb77afa5c "Show timestamps with microseconds",
argDescrip = 0x0}, {longName = 0xb77aff8c "domain", shortName = 0 '\000',
argInfo = 1, arg = 0xbfd875e4, val = 0, descrip = 0xb77afa80 "Domain of the
information provider (mandatory)", argDescrip = 0x0}, {longName = 0x0,
shortName = 0 '\000', argInfo = 0, arg = 0x0, val = 0, descrip = 0x0,
argDescrip = 0x0}}
        __FUNCTION__ = "main"

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.10.0
rhbz: => 0

Fields changed

owner: somebody => okos
status: new => assigned

Fields changed

patch: 0 => 1

resolution: => fixed
status: assigned => closed

Moving to 1.10 beta where the ticket was actually fixed.

changelog: =>
milestone: SSSD 1.10.0 => SSSD 1.10 beta

Metadata Update from @kaushikub:
- Issue assigned to okos
- Issue set to the milestone: SSSD 1.10 beta

3 years ago

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2972

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
