Bug 1118048

Summary: If be_txn plugin fails in ldbm_back_add, adding entry is double freed.
Product: Red Hat Enterprise Linux 7 Reporter: Noriko Hosoi <nhosoi>
Component: 389-ds-baseAssignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: nkinder, rmeggins, vashirov
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.3.1-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 09:37:14 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Noriko Hosoi 2014-07-09 22:04:42 UTC 
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47808

Thanks to Mark for finding out this problem.  (Note: 1.2.11 does not have this bug.)
{{{
Mark Reynolds wrote:
> steps to reproduce:
>
> ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w $PW -a <<EOF
> dn: cn=attribute uniqueness,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: on
> -
> replace: nsslapd-pluginarg0
> nsslapd-pluginarg0: sn
> -
> replace: nsslapd-pluginarg1
> nsslapd-pluginarg1: dc=example,dc=com
> EOF
>
> 3. Add user:
> ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w $PW -a <<EOF
> dn: cn=tuser1,ou=people,dc=example,dc=com
> objectclass: person
> objectclass: top
> sn: tuser1
> cn: tuser1
> EOF
>
> 4. Restart server
>
> 5. Add user with value 'sn' equal to value of sn of cn=tuser1:
> ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w $PW -a <<EOF
> dn: cn=tuser2,ou=people,dc=example,dc=com
> objectclass: person
> objectclass: top
> sn: tuser1
> cn: tuser2
>
> --> Add is rejected by the attr uniqueness plugin
>
> Crash!  
>
> #0  0x00007f605b554c39 in __GI_raise (sig=sig@entry=6)
>     at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #1  0x00007f605b556348 in __GI_abort () at abort.c:89
> #2  0x00007f605b594d04 in __libc_message (do_abort=do_abort@entry=2, 
>     fmt=fmt@entry=0x7f605b69b528 "*** Error in `%s': %s: 0x%s ***\n")
>     at ../sysdeps/posix/libc_fatal.c:175
> #3  0x00007f605b59bff8 in malloc_printerr (ptr=<optimized out>, 
>     str=0x7f605b698cd7 "free(): invalid pointer", action=3) at malloc.c:4930
> #4  _int_free (av=0x7f605b8d7760 <main_arena>, p=<optimized out>, have_lock=0)
>     at malloc.c:3782
> #5  0x00007f605dd41302 in slapi_ch_free (ptr=0x7f6028001198)
>     at ../ds/ldap/servers/slapd/ch_malloc.c:363
> #6  0x00007f605dd4cc3d in slapi_sdn_done (sdn=0x7f6028001190)
>     at ../ds/ldap/servers/slapd/dn.c:2332
> #7  0x00007f605dd58be3 in slapi_entry_free (e=0x7f6028001190)
>     at ../ds/ldap/servers/slapd/entry.c:2044
> #8  0x00007f605dd3606d in op_shared_add (pb=0x7f60467fbb10)
>     at ../ds/ldap/servers/slapd/add.c:800
> #9  0x00007f605dd34d2e in do_add (pb=0x7f60467fbb10)
>     at ../ds/ldap/servers/slapd/add.c:258
> #10 0x0000000000416034 in connection_dispatch_operation (conn=0x7f605e167410, 
>     op=0xb36330, pb=0x7f60467fbb10) at ../ds/ldap/servers/slapd/connection.c:645
> #11 0x0000000000418043 in connection_threadmain ()
>     at ../ds/ldap/servers/slapd/connection.c:2534
> #12 0x00007f605c15be2b in _pt_root (arg=0x8acae0)
>     at ../../../nspr/pr/src/pthreads/ptthread.c:212
> #13 0x00007f605bafbf33 in start_thread (arg=0x7f60467fc700) at pthread_create.c:309
> #14 0x00007f605b613ded in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
>
>
> valgrind(also attached):
>
> ==14540== Invalid read of size 8
> ==14540==    at 0x4EA581F: factory_destroy_extension (factory.c:367)
> ==14540==    by 0x4E9CBD6: slapi_entry_free (entry.c:2043)
> ==14540==    by 0x4E7A06C: op_shared_add (add.c:800)
> ==14540==    by 0x4E78D2D: do_add (add.c:258)
> ==14540==    by 0x416033: connection_dispatch_operation (connection.c:645)
> ==14540==    by 0x418042: connection_threadmain (connection.c:2534)
> ==14540==    by 0x6B2FE2A: _pt_root (ptthread.c:212)
> ==14540==    by 0x716EF32: start_thread (pthread_create.c:309)
> ==14540==    by 0x768EDEC: clone (clone.S:111)
> ==14540==  Address 0xeb85910 is 160 bytes inside a block of size 184 free'd
> ==14540==    at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==14540==    by 0x4E85301: slapi_ch_free (ch_malloc.c:363)
> ==14540==    by 0x4E9CCA6: slapi_entry_free (entry.c:2057)
> ==14540==    by 0x10BE7225: backentry_free (backentry.c:57)
> ==14540==    by 0x10BE9801: entrycache_return (cache.c:1159)
> ==14540==    by 0x10BE96A7: cache_return (cache.c:1132)
> ==14540==    by 0x10C25E65: ldbm_back_add (ldbm_add.c:1268)
> ==14540==    by 0x4E79E09: op_shared_add (add.c:735)
> ==14540==    by 0x4E78D2D: do_add (add.c:258)
> ==14540==    by 0x416033: connection_dispatch_operation (connection.c:645)
> ==14540==    by 0x418042: connection_threadmain (connection.c:2534)
> ==14540==    by 0x6B2FE2A: _pt_root (ptthread.c:212)
> ==14540==    by 0x716EF32: start_thread (pthread_create.c:309)
> ==14540==    by 0x768EDEC: clone (clone.S:111)
}}}
Comment 2 Viktor Ashirov 2014-12-01 17:09:03 UTC 
$ rpm -qa  | grep 389
389-ds-base-1.3.3.1-9.el7.x86_64
389-ds-base-debuginfo-1.3.3.1-9.el7.x86_64
389-ds-base-libs-1.3.3.1-9.el7.x86_64

I went through verification steps mentioned in description. On last step add is rejected by the attr uniqueness plugin, but server didn't crash: 
$ ldapmodify -h localhost -p 389 -D 'cn=directory manager' -w Secret123 [snip]
adding new entry "cn=tuser2,ou=people,dc=example,dc=com"
ldap_add: Constraint violation (19)
	additional info: Another entry with the same attribute value already exists (attribute: "sn")

$ pgrep ns-slapd
13263

Hence marking as VERIFIED
Comment 4 errata-xmlrpc 2015-03-05 09:37:14 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html