Bug 1243970

Summary: In MMR, double free could occur under some special condition
Product: Red Hat Enterprise Linux 7 Reporter: Noriko Hosoi <nhosoi>
Component: 389-ds-baseAssignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: urgent Docs Contact:
Priority: urgent    
Version: 7.0CC: amsharma, ekeck, gparente, mreynolds, msauton, nhosoi, nkinder, rmeggins, sramling
Target Milestone: rcKeywords: ZStream
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.4.0-16.el7 Doc Type: Bug Fix
Doc Text:
When a replication is configured, an authenticated user who has a write access on an entry can send a series of operations that crash the server. The crash is caused by accessing already freed memory. The bug was fixed.
 Story Points: ---
Clone Of:
: 1262363 (view as bug list) Environment:
Last Closed: 2015-11-19 11:43:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1262363    

Description Noriko Hosoi 2015-07-16 17:47:37 UTC 
Symptom:
    In a replicated topology, a authenticated user that have write access on an entry 
    can send a series of operations that crash the server.
    The crash is due to an access to a already freed buffer.

Impact:
    If the user can reproduce the series of operations the crash is systematic.
Comment 2 Sankar Ramalingam 2015-07-30 09:29:29 UTC 
Hi Noriko,
 Can I request you to add steps to verify this bug?
Comment 3 Noriko Hosoi 2015-07-30 16:02:22 UTC 
The upstream ticket has a CI test script:
> https://fedorahosted.org/389/attachment/ticket/48226/0002-Ticket-48226-CI-test-added-test-cases-for-ticket-482.patch
Comment 6 Marc Sauton 2015-09-10 19:38:44 UTC 
*** Bug 1261218 has been marked as a duplicate of this bug. ***
Comment 10 Viktor Ashirov 2015-09-21 17:05:02 UTC 
Updating on behalf of Sankar (bz was down)

Crashes observed with the latest builds. There are about 24 test cases FAIL out of 67 tests. Hence, changing the status to Assigned.

Build: 389-ds-base-1.3.4.0-15
    2% FAIL - http://wiki.idm.lab.bos.redhat.com/qa/archive/beaker/x86_64/389-ds-base-1.3.4.0-15.el7.x86_64/Linux/20150916-040108.html

Build: 389-ds-base-1.3.4.0-17
    35% FAIL - http://wiki.idm.lab.bos.redhat.com/qa/archive/beaker/x86_64/389-ds-base-1.3.4.0-17.el7.x86_64/Linux/20150919-143020.html
Comment 11 Noriko Hosoi 2015-09-22 15:48:17 UTC 
Hi Viktor,

Could you do us a favor?  This regression was introduced by the fix for this bug:
  1259949 Fractional replication evaluates several times the same CSN

Could you please leave this bug ON_QA and change the status of 1259949 to ASSIGNED/FailedQA?

Sorry & Thanks!
--noriko
Comment 12 Viktor Ashirov 2015-09-22 15:49:39 UTC 
Hi Noriko,

sure, will do.
Comment 13 Sankar Ramalingam 2015-09-23 11:12:13 UTC 
I ran the upstream test scripts on RHEL7.2 latest:

I was initially getting valgrind not found error. Then, I added in the PYHTONPATH and it went ahead. However, the execution fails with SERVER_DOWN: {'desc': "Can't contact LDAP server"} error.

dirsrvtests/tickets/ticket48226_test.py:193: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
../lib389/lib389/__init__.py:952: in start
    self.open()
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <lib389.DirSrv instance at 0x1469908>

    def open(self):
        '''
                It opens a ldap bound connection to dirsrv so that online administrative tasks are possible.
                It binds with the binddn property, then it initializes various fields from DirSrv (via __initPart2)
    
                The state changes  -> DIRSRV_STATE_ONLINE
    
                @param self
    
                @return None
    
                @raise ValueError - if can not find the binddn to bind
            '''
    
        uri = self.toLDAPURL()
    
        SimpleLDAPObject.__init__(self, uri)
    
        # see if binddn is a dn or a uid that we need to lookup
        if self.binddn and not is_a_dn(self.binddn):
            self.simple_bind_s("", "")  # anon
            ent = self.getEntry(CFGSUFFIX, ldap.SCOPE_SUBTREE,
                                "(uid=%s)" % self.binddn,
                                ['uid'])
            if ent:
                self.binddn = ent.dn
            else:
                raise ValueError("Error: could not find %s under %s" % (
                    self.binddn, CFGSUFFIX))
    
        needtls = False
        while True:
            try:
                if needtls:
                    self.start_tls_s()
                try:
                    self.simple_bind_s(self.binddn, self.bindpw)
                except ldap.SERVER_DOWN, e:
                    # TODO add server info in exception
                    log.debug("Cannot connect to %r" % uri)
>                   raise e
E                   SERVER_DOWN: {'desc': "Can't contact LDAP server"}

../lib389/lib389/__init__.py:903: SERVER_DOWN
======================================================== 1 failed, 1 passed in 262.05 seconds ====


[root@dhcp35-196 export]# rpm -qa |grep -i 389-ds-base
389-ds-base-libs-1.3.4.0-18.el7.x86_64
389-ds-base-1.3.4.0-18.el7.x86_64
Comment 14 Sankar Ramalingam 2015-09-23 11:57:01 UTC 
Second attempt succeeded :)

[root@dhcp35-196 export]# rm -rf /etc/dirsrv/slapd-*.removed ; for i in `ls /etc/dirsrv |grep -i "slapd-*"`; do remove-ds.pl -i $i ; done ; yum -y remove 389-ds-base-libs ; yum -y install 389-ds-base ; ./run_dirsrv.sh ticket48226_test.py


INFO:lib389:list instance {'RUN_DIR': '/var/run/dirsrv', 'SERVER_ID': 'master_2', 'hostname': 'localhost.localdomain', 'ldap-port': 42389, 'ldap-secureport': None, 'DS_ROOT': '', 'deployed-dir': '/', 'INST_DIR': '/usr/lib64/dirsrv/slapd-master_2', 'SERVER_DIR': '/usr/lib64/dirsrv', 'server-id': 'master_2', 'SERVERBIN_DIR': '/usr/sbin', 'root-dn': 'cn=Directory Manager', 'user-id': 'dirsrv', 'CONFIG_DIR': '/etc/dirsrv/slapd-master_2', 'PRODUCT_NAME': 'slapd', 'suffix': 'dc=example,dc=com'}

INFO:lib389:dir (sys) : //etc/sysconfig
INFO:lib389:dir (priv): /tmp/RHDS/.dirsrv
/tmp/RHDS/.dirsrv/dirsrv-*
//etc/sysconfig/dirsrv-*
INFO:lib389:List from /tmp/RHDS/.dirsrv
INFO:lib389:list instance {'RUN_DIR': '/var/run/dirsrv', 'SERVER_ID': 'master_2', 'hostname': 'localhost.localdomain', 'ldap-port': 42389, 'ldap-secureport': None, 'DS_ROOT': '', 'deployed-dir': '/', 'INST_DIR': '/usr/lib64/dirsrv/slapd-master_2', 'SERVER_DIR': '/usr/lib64/dirsrv', 'server-id': 'master_2', 'SERVERBIN_DIR': '/usr/sbin', 'root-dn': 'cn=Directory Manager', 'user-id': 'dirsrv', 'CONFIG_DIR': '/etc/dirsrv/slapd-master_2', 'PRODUCT_NAME': 'slapd', 'suffix': 'dc=example,dc=com'}

DEBUG:lib389:running: /usr/sbin/remove-ds.pl -i slapd-master_2 
Instance slapd-master_2 removed.
INFO:lib389.utils:Valgrind is now disabled.


======================================= 2 passed in 144.20 seconds =======================================


Hence, marking the bug as Verified.
Comment 15 Noriko Hosoi 2015-09-23 17:44:58 UTC 
Thanks, Sankar.  Removing NI.
Comment 16 errata-xmlrpc 2015-11-19 11:43:09 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2351.html