#6535 Heap use after free in ipa uuid.c
Opened 7 years ago by firstyear. Modified 5 years ago

==1750==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400023de90 at pc 0x7f642534efe3 bp 0x7f63fdc8a5d0 sp 0x7f63fdc89d78
READ of size 2 at 0x60400023de90 thread T34
    #0 0x7f642534efe2  (/lib64/libasan.so.3+0x3cfe2)
    #1 0x7f6424eedc95 in slapi_dn_issuffix (/usr/lib64/dirsrv/libslapd.so.0+0xdbc95)
    #2 0x7f64162b8051  (/usr/lib64/dirsrv/plugins/libipa_uuid.so+0x3051)
    #3 0x7f6424f8cd38  (/usr/lib64/dirsrv/libslapd.so.0+0x17ad38)
    #4 0x7f6424f8d1a3 in plugin_call_plugins (/usr/lib64/dirsrv/libslapd.so.0+0x17b1a3)
    #5 0x7f6424ec3d93  (/usr/lib64/dirsrv/libslapd.so.0+0xb1d93)
    #6 0x7f6424ec5b33 in do_add (/usr/lib64/dirsrv/libslapd.so.0+0xb3b33)
    #7 0x55908b1ff80f  (/usr/sbin/ns-slapd+0x4380f)
    #8 0x7f642307a5cb  (/lib64/libnspr4.so+0x295cb)
    #9 0x7f6422a195c9 in start_thread (/lib64/libpthread.so.0+0x75c9)
    #10 0x7f64227530ec in __clone (/lib64/libc.so.6+0x1030ec)
0x60400023de90 is located 0 bytes inside of 41-byte region [0x60400023de90,0x60400023deb9)
freed by thread T34 here:
    #0 0x7f64253d8b00 in free (/lib64/libasan.so.3+0xc6b00)
    #1 0x7f6424edab88 in slapi_ch_free (/usr/lib64/dirsrv/libslapd.so.0+0xc8b88)
    #2 0x7f6424eee947 in slapi_sdn_done (/usr/lib64/dirsrv/libslapd.so.0+0xdc947)
    #3 0x7f6424eef631 in slapi_sdn_free (/usr/lib64/dirsrv/libslapd.so.0+0xdd631)
    #4 0x7f6424f7e85b in slapi_pblock_set (/usr/lib64/dirsrv/libslapd.so.0+0x16c85b)
    #5 0x7f64162b85ed  (/usr/lib64/dirsrv/plugins/libipa_uuid.so+0x35ed)
previously allocated by thread T34 here:
    #0 0x7f64253d8e60 in malloc (/lib64/libasan.so.3+0xc6e60)
    #1 0x7f64226d8079 in strdup (/lib64/libc.so.6+0x88079)
Thread T34 created by T0 here:
    #0 0x7f6425343498 in pthread_create (/lib64/libasan.so.3+0x31498)
    #1 0x7f642307a2aa  (/lib64/libnspr4.so+0x292aa)
SUMMARY: AddressSanitizer: heap-use-after-free (/lib64/libasan.so.3+0x3cfe2)
Shadow bytes around the buggy address:
  0x0c088003fb80: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fd
  0x0c088003fb90: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c088003fba0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 05 fa
  0x0c088003fbb0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c088003fbc0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
=>0x0c088003fbd0: fa fa[fd]fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c088003fbe0: fa fa 00 00 00 00 04 fa fa fa fd fd fd fd fd fa
  0x0c088003fbf0: fa fa 00 00 00 00 04 fa fa fa 00 00 00 00 00 01
  0x0c088003fc00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088003fc10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088003fc20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Despite the lack of debug symbols, this heap use after free is easy to track down.

static int ipauuid_dn_is_config(char *dn)
{
    int ret = 0;

    LOG_TRACE("--in-->\n");

    /* getPluginDN() returns the pointer stored at plugin start; this is
     * the read of freed memory in the report above. */
    if (slapi_dn_issuffix(dn, getPluginDN())) {
        ret = 1;
    }

    LOG_TRACE("<--out--\n");

    return ret;
}

This is the offending line. This is based on:

void setPluginDN(char *pluginDN)
{
    _PluginDN = pluginDN;
}

char *getPluginDN(void)
{
    return _PluginDN;
}

This value is set:

static int
ipauuid_start(Slapi_PBlock * pb)
{
   ....
    /* plugindn points into memory owned by the pblock */
    slapi_pblock_get(pb, SLAPI_TARGET_DN, &plugindn);
    if (NULL == plugindn || 0 == strlen(plugindn)) {
        LOG("had to use hard coded config dn\n");
        plugindn = IPAUUID_DN;
    } else {
        LOG("config at %s\n", plugindn);

    }

    /* stores the pblock-owned pointer, not a copy */
    setPluginDN(plugindn);

The issue is that you are not copying the sdn with slapi_sdn_dup into _PluginDN. When ipauuid_start returns, the Slapi_PBlock is disposed of, which means that _PluginDN is left dangling to a now freed address.

This could cause stability issues in IPA.

You can test this in IPA using the Address Sanitised build of DS here:

https://copr.fedoraproject.org/coprs/firstyear/ds/

PS: _PluginDN should be a Slapi_DN *sdn not a char * if you want to fix that at the same time.


Actually, the use of SLAPI_TARGET_DN is deprecated too, perhaps try SLAPI_TARGET_SDN in your pblock call. It has the same semantics.

@firstyear, I heard that you'll send a patch, is that correct? If so, it would be triaged in 4.5 (current release); if not, then most likely later.

Yes I have a patch in the works. We are just dealing with some freeipa build env issues so we can test and supply it to you.

Hi,

This is too hard to build and fix.

The main issue is that with ASAN enabled, many other parts of IPA break also. I can't test this module in isolation.

As well, the build and test turn around time and process is so long, and fragile that I can't dedicate the time to this.

There are other strategies we can employ to correct this situation, but for now, this is not possible to be resolved in a reasonable time frame by me.

Sorry, I hope that I can fix this soon using a different approach.

Is there a way how we can help?

Metadata Update from @firstyear:
- Issue assigned to firstyear
- Issue set to the milestone: FreeIPA 4.5

7 years ago

Metadata Update from @mbasti:
- Issue close_status updated to: None
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

7 years ago

Metadata Update from @pvoborni:
- Issue set to the milestone: FreeIPA 4.7 (was: FreeIPA 4.5.1)

6 years ago

Metadata Update from @rcritten:
- Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)

5 years ago

FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone

Other modules with similar code are ipa-lockout and ipa-modrdn.
