Bug 1132361

Summary: use-after-free in dyndns code
Product: Red Hat Enterprise Linux 6
Reporter: Jakub Hrozek <jhrozek>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: high
Priority: high
Version: 6.6
CC: dlavu, dpal, grajaiya, jgalipea, lslebodn, mkosek, pbrezina, preichl, tlavigne
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sssd-1.11.6-24.el6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2014-10-14 04:49:34 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Jakub Hrozek 2014-08-21 08:38:28 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/2405

We have a use-after-free situation in the dyndns code, found by Chris Hartman and reported on sssd-users:

{{{
==13038== 1 errors in context 9 of 14:
==13038== Invalid read of size 1
==13038==    at 0x807C747: resolv_get_string_ptr_address (async_resolv.c:1442)
==13038==    by 0x8069777: be_nsupdate_create_ptr_msg (dp_dyndns.c:366)
==13038==    by 0x54F824E: sdap_dyndns_update_ptr_step (sdap_dyndns.c:402)
==13038==    by 0x54F8663: sdap_dyndns_update_done (sdap_dyndns.c:378)
==13038==    by 0x4051D7A: _tevent_req_notify_callback (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x4051DB9: _tevent_req_done (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x8067CF3: be_nsupdate_done (dp_dyndns.c:1093)
==13038==    by 0x4051D7A: _tevent_req_notify_callback (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x4051DB9: _tevent_req_done (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x8068347: nsupdate_child_handler (dp_dyndns.c:915)
==13038==    by 0x4197163: child_invoke_callback (child_common.c:603)
==13038==    by 0x4051577: tevent_common_loop_immediate (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==  Address 0x6b086af is 55 bytes inside a block of size 176 free'd
==13038==    at 0x402B3D8: free (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==13038==    by 0x40622B2: ??? (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.0)
==13038==    by 0x406223E: ??? (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.0)
==13038==    by 0x406223E: ??? (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.0)
==13038==    by 0x405EA0E: _talloc_free (in /usr/lib/i386-linux-gnu/libtalloc.so.2.1.0)
==13038==    by 0x54F7101: sdap_dyndns_dns_addrs_done (sdap_dyndns.c:207)
==13038==    by 0x4051D7A: _tevent_req_notify_callback (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x4051DB9: _tevent_req_done (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x8067483: nsupdate_get_addrs_done (dp_dyndns.c:726)
==13038==    by 0x4051D7A: _tevent_req_notify_callback (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x4051DB9: _tevent_req_done (in /usr/lib/i386-linux-gnu/libtevent.so.0.9.19)
==13038==    by 0x807A079: resolv_gethostbyname_done (async_resolv.c:1367)
==13038== 
==13038==
}}}

Comment 2 Lukas Slebodnik 2014-08-21 09:04:41 UTC
The crash can be reproduced if IP addresses are obtained from a network interface,
e.g.
   dyndns_iface = eth0

and the interface should have at least two IP addresses assigned (IPv4, IPv6).

It needn't crash every time; therefore it is better to export the environment variable TALLOC_FREE_FILL.

man talloc says:
       If TALLOC_FREE_FILL environment variable is set, the memory occupied by
       the context is filled with the value of this variable; when memory is
       freed. The value should be a numeric representation of the character
       you want to use.

For example:
echo "TALLOC_FREE_FILL=253" >> /etc/sysconfig/sssd

Environment variables from the file /etc/sysconfig/sssd are also used on RHEL 7,
because the sssd.service file contains the EnvironmentFile option in the Service section:

bash-4.2# grep -C1 EnvironmentFile /usr/lib/systemd/system/sssd.service
[Service]
EnvironmentFile=-/etc/sysconfig/sssd
ExecStart=/usr/sbin/sssd -D -f

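The comment above explains why TALLOC_FREE_FILL makes this use-after-free reproducible: once freed memory is overwritten with a known byte, the later read in the PTR-update step sees the fill pattern instead of stale-but-plausible data. The following added example (not code from the report or from sssd) models that with a constructed arena allocator whose free fills the block with 253, the value used in the report; the `dyndns_state` struct and the `run_*` functions are hypothetical stand-ins for the tevent steps named in the valgrind trace.

```c
#include <string.h>

/* Constructed stand-in for talloc with TALLOC_FREE_FILL set: a tiny arena
 * whose free overwrites the released block with the fill byte (253, as in
 * the report). Real talloc does this inside talloc_free(); this only models it. */
#define ARENA_SIZE 256
#define FREE_FILL 253
static unsigned char arena[ARENA_SIZE];
static size_t arena_used;

static char *arena_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    if (arena_used + n > ARENA_SIZE) return NULL;
    char *p = (char *)&arena[arena_used];
    memcpy(p, s, n);
    arena_used += n;
    return p;
}
/* The TALLOC_FREE_FILL effect: every freed byte becomes FREE_FILL. */
static void arena_free(char *p, size_t len) { memset(p, FREE_FILL, len); }

/* Model of the two tevent steps in the trace: sdap_dyndns_dns_addrs_done()
 * releases the resolved address list, and sdap_dyndns_update_ptr_step()
 * later builds the PTR update from it. Field names are hypothetical. */
struct dyndns_state { char *addr; size_t addr_len; };

/* Returns 1 if the PTR message is built from intact data, 0 if the address
 * already carries the free-fill pattern, i.e. a use-after-free was hit. */
static int update_ptr_step(const struct dyndns_state *st) {
    for (size_t i = 0; i < st->addr_len; i++)
        if ((unsigned char)st->addr[i] == FREE_FILL) return 0;
    return 1;
}

/* Buggy ordering from the report: the list is freed, then read. */
static int run_buggy_order(void) {
    struct dyndns_state st;
    st.addr = arena_strdup("192.0.2.10");   /* constructed sample address */
    st.addr_len = strlen(st.addr) + 1;
    arena_free(st.addr, st.addr_len);       /* dns_addrs_done() frees it */
    return update_ptr_step(&st);            /* update_ptr_step() reads it */
}

/* Fixed ordering: the list outlives the step that consumes it. */
static int run_fixed_order(void) {
    struct dyndns_state st;
    st.addr = arena_strdup("192.0.2.10");
    st.addr_len = strlen(st.addr) + 1;
    int ok = update_ptr_step(&st);
    arena_free(st.addr, st.addr_len);
    return ok;
}
```

Without the fill, the buggy order would usually still read the old address bytes and pass, which is why the report notes the crash "needn't" happen every time.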
Comment 3 Jakub Hrozek 2014-08-22 15:22:47 UTC
master:
    f55d45b931ce6c01e005ae94a69e93abda0d2f1c
    1a783fb0be9a48a0abdfe8b52fce551d530487ce
    0060992d68ba843d4d90b491a1500b6290789a5c
    24000ed5b08499b49595436b8a3b348fcd4012de
    12e7e87ccbae0d5c2f338cd019ca51556cbcd3ae
    bf65fbdd8c3fecd38a66363c3517e7a2679b8186
    e210ed5da220acebb6751db4466fe352de08eaeb 
sssd-1-11:
    5446f2a749d3e641b3ffc9feb3240a9b0f4b0598
    79d007fa5776849ab556571faef411b478c6970d
    03cfd27286a77fc991fca7ba68dee36084cfc2d9
    103f2f305ba073f9e9399cac10eefd3685bb291c
    d111a01626bfe1ec468a2f6e01e6a237286481d8
    5b8ed5702b38c2bd39e9c9a44d94ad7dac3040a1
    0789077faa81113e3e6ef46f71bde878d8c58023

Comment 5 Dan Lavu 2014-09-15 06:02:11 UTC
Unable to reproduce the bug using sssd-1.11.6-28.el6.x86_64 on RHEL6. Followed the steps adding TALLOC_FREE_FILL=253 to /etc/sysconfig/sssd and environment variable on a host with two interfaces, eth0:ipv4:ipv6. 

Marking this fix as verified.

Comment 6 errata-xmlrpc 2014-10-14 04:49:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1375.html