Bug 1268772

Summary: ns-slapd crash double free in pagedresults_cleanup
Product: Red Hat Enterprise Linux 6
Reporter: Jan Kurik <jkurik>
Component: 389-ds-base
Assignee: Noriko Hosoi <nhosoi>
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: urgent
Priority: urgent
Version: 6.8
CC: ekeck, gparente, jgalipea, nhosoi, nkinder, rmeggins, salmy, sramling
Target Milestone: rc
Keywords: ZStream
Hardware: All
OS: Linux
Fixed In Version: 389-ds-base-1.2.11.15-65.el6_7
Doc Type: Bug Fix
Doc Text:
Cause: When a search results object was freed, there was a window until the freed information was set to the pagedresults handle. If the paged-results handle was released due to a timeout in the window, double free occurred. Fix: The window is eliminated and there is no chance for the double free now.
Clone Of: 1267296
Last Closed: 2015-11-10 09:15:20 UTC
Bug Depends On: 1267296
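
The window described in the Doc Text, modelled as an added example (not 389-ds-base code and not the shipped patch). All names are hypothetical, the timeout thread is simulated by a callback fired inside the window, and releases are counted instead of calling free() so the double release is observable:

```c
/* Added illustration of the free/clear window from the Doc Text.
 * Hypothetical names; this is not 389-ds-base source. */
#include <pthread.h>
#include <stddef.h>

struct result { int free_count; };   /* stands in for a search result set */
struct handle {                      /* stands in for a paged-results handle */
    pthread_mutex_t lock;
    struct result *sr;
};

/* Counts releases instead of free(), so a double release is not UB here. */
static void result_free(struct result *r) { if (r) r->free_count++; }

/* Atomically take ownership of the result and clear it from the handle. */
static struct result *detach(struct handle *h)
{
    pthread_mutex_lock(&h->lock);
    struct result *r = h->sr;
    h->sr = NULL;
    pthread_mutex_unlock(&h->lock);
    return r;
}

/* Timeout path: releases whatever the handle still points at. */
static void timeout_cleanup(struct handle *h) { result_free(detach(h)); }

/* Buggy order: free first, update the handle only afterwards. */
static void release_unsafe(struct handle *h, void (*window)(struct handle *))
{
    result_free(h->sr);
    window(h);               /* timeout fires while h->sr is stale */
    (void)detach(h);
}

/* One way to close the window: detach under the lock, then free. */
static void release_safe(struct handle *h, void (*window)(struct handle *))
{
    struct result *r = detach(h);
    window(h);               /* timeout sees NULL, nothing to release */
    result_free(r);
}

/* Number of releases when the timeout lands between free and clear. */
int releases_with_timeout_in_window(int use_safe)
{
    struct result r = {0};
    struct handle h = { PTHREAD_MUTEX_INITIALIZER, &r };
    (use_safe ? release_safe : release_unsafe)(&h, timeout_cleanup);
    return r.free_count;
}
```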

Description Jan Kurik 2015-10-05 08:30:11 UTC
This bug has been copied from bug #1267296 and has been proposed
to be backported to 6.7 z-stream (EUS).

Comment 4 Noriko Hosoi 2015-10-07 00:16:59 UTC
For verification...
It is extremely hard to reproduce the bug with the standalone 389-ds-base.
I recommend running
1) tet simple paged results test suite
2) upstream simple paged results related test cases.
3) run ldapsearch -E pr=<page_size> -l <timelimit>
   and wait longer than <timelimit> in the middle of the paging.
   If the connection is closed with T2 (SLAPD_DISCONNECT_IO_TIMEOUT) without any problem, the test is passed.

Ideally, set up IPA/SSSD and stress DS with short timelimit (nsslapd-timelimit in cn=config in dse.ldif) and short client_idle_timeout in sssd.conf.  Then, stress the DS via SSSD.  If it runs fine with no crash for long enough (one day?), we are confident to say verified.

Comment 5 Sankar Ramalingam 2015-10-21 17:27:29 UTC
1. Executed simplepaged acceptance tests. No regression found.

############## Result  for  backend test :   SIMPLEPAGED run
    SIMPLEPAGED run elapse time : 00:04:57
    SIMPLEPAGED run Tests PASS      : 100% (17/17)

2. Executed simplepaged search with -E pr=15 -l 9 and waited for more than the timelimit. nsslapd-timelimit is set to 7, cn=config in dse.ldif.
The connection got closed without any problem.

3. Currently, I am stressing the server with add/modify/delete/search in an IPA environment to check if there are crashes. The nsslapd-timelimit value in cn=config is set to 7 and the value for client_idle_timeout in sssd.conf is set to 9. I will observe the setup for about 24hrs and then update the bug with my findings.

Comment 6 Sankar Ramalingam 2015-10-22 17:08:29 UTC
Stressed the directory server for 24hrs and I observed no crashes. Hence, marking the bug as Verified.

[root@vm-idm-004 ~]# rpm -qa |egrep 'ipa-|389-ds-'
ipa-server-3.0.0-47.el6.x86_64
ipa-python-3.0.0-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
ipa-client-3.0.0-47.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
389-ds-base-1.2.11.15-65.el6_7.x86_64
ipa-admintools-3.0.0-47.el6.x86_64
389-ds-base-debuginfo-1.2.11.15-65.el6_7.x86_64
389-ds-base-libs-1.2.11.15-65.el6_7.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-selinux-3.0.0-47.el6.x86_64

Comment 8 errata-xmlrpc 2015-11-10 09:15:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1998.html