Bug 1419162

Summary: A filtered nsrole that specifies an empty nsrole in its nsRoleFilter will result in a segfault.
Product: Red Hat Enterprise Linux 7
Component: 389-ds-base
Version: 7.3
Status: CLOSED ERRATA
Severity: urgent
Priority: urgent
Reporter: Noriko Hosoi <nhosoi>
Assignee: Noriko Hosoi <nhosoi>
QA Contact: Viktor Ashirov <vashirov>
CC: gparente, jamespfinn, mreynolds, msauton, nkinder, rmeggins, sramling
Keywords: ZStream
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-1.3.6.1-3.el7
Last Closed: 2017-08-01 21:14:10 UTC
Bug Blocks: 1429498

Description Noriko Hosoi 2017-02-03 18:14:19 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/49122

Adding a filtered role that includes a filter similar to the one below will result in a segfault upon a subsequent search of the directory that requests the nsrole attribute from any entry. 

'(!(nsrole=cn=This_Is_An_Empty_Managed_NsRoleDefinition,o=Intra,dc=mycorp,dc=com)'

Example: 

[root@98efc6936cc6 ~]# time ldapsearch -x -LLL -h localhost -s sub -b dc=mycorp,dc=com -D"cn=directory manager" -wpassword uid=jfinn nsrole
dn: uid=jfinn,ou=People,o=Intra,dc=mycorp,dc=com
nsrole: cn=adm-approved-email,o=intra,dc=mycorp,dc=com
nsrole: cn=adm-approved-mycorp,o=intra,dc=mycorp,dc=com
nsrole: cn=arb-user,o=intra,dc=mycorp,dc=com
nsrole: cn=ldap-adm-tools,o=intra,dc=mycorp,dc=com
nsrole: cn=ldap-dsts,o=intra,dc=mycorp,dc=com
nsrole: cn=myc-myc-assoc,o=intra,dc=mycorp,dc=com
nsrole: cn=myc-myc-corp,o=intra,dc=mycorp,dc=com
nsrole: cn=myc-sys-it,o=intra,dc=mycorp,dc=com
nsrole: cn=sig-preview,o=intra,dc=mycorp,dc=com
nsrole: cn=sys-has-email,o=intra,dc=mycorp,dc=com
nsrole: cn=sys-has-mycorp,o=intra,dc=mycorp,dc=com
nsrole: cn=unix-admins,o=intra,dc=mycorp,dc=com
nsrole: cn=unix-solaris-admins,o=intra,dc=mycorp,dc=com
nsrole: cn=vpn-remoteaccess,o=intra,dc=mycorp,dc=com


real    0m0.035s
user    0m0.002s
sys     0m0.003s



[root@98efc6936cc6 ~]# cat /tmp/filtered_role_that_includes_empty_role.ldif 
dn: cn=Filtered_Role_That_Includes_Empty_Role,o=Intra,dc=mycorp,dc=com
nsRoleFilter: (|(!(nsrole=cn=This_Is_An_Empty_Managed_NsRoleDefinition,o=Intra,dc=mycorp,dc=com)))
description: A filtered role with filter that will crash the server 
objectClass: top
objectClass: ldapsubentry
objectClass: nsroledefinition
objectClass: nscomplexroledefinition
objectClass: nsfilteredroledefinition
cn: Filtered_Role_That_Includes_Empty_Role



[root@98efc6936cc6 ~]# ldapadd -x -h localhost -D"cn=directory manager" -wpassword -f /tmp/filtered_role_that_includes_empty_role.ldif
adding new entry "cn=Filtered_Role_That_Includes_Empty_Role,o=Intra,dc=mycorp,dc=com"



[root@98efc6936cc6 ~]# time ldapsearch -x -LLL -h localhost -s sub -b dc=mycorp,dc=com -D"cn=directory manager" -wpassword uid=jfinn nsrole
ldap_result: Can't contact LDAP server (-1)

real    0m12.590s
user    0m13.091s
sys     0m0.184s


This has been tested on versions ranging from 1.2.11.32 up to 1.3.5.10.

When the problematic role is written to a master that isn't immediately queried, it has the ability to replicate to all other servers and result in a widespread outage.
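
An audit check for the condition described above, added here as an example (it is not part of the bug report or of 389-ds-base): it scans an LDIF export for role entries whose nsRoleFilter contains an assertion on nsrole, so they can be reviewed before the LDIF is imported or on servers that are not yet patched. The function names and sample data are hypothetical, and the check flags every nsrole reference inside a role filter, which is broader than the empty-role case in this report, because whether the referenced role is empty cannot be determined from the role entry alone.

```python
import base64
import re

# Constructed sample: the role from the report (folded per RFC 2849) and a benign one.
SAMPLE_LDIF = """\
dn: cn=Filtered_Role_That_Includes_Empty_Role,o=Intra,dc=mycorp,dc=com
nsRoleFilter: (|(!(nsrole=cn=This_Is_An_Empty_Managed_NsRoleDefinition,o=Int
 ra,dc=mycorp,dc=com)))
objectClass: nsfilteredroledefinition

dn: cn=Sales_Role,o=Intra,dc=mycorp,dc=com
nsRoleFilter: (ou=Sales)
objectClass: nsfilteredroledefinition
"""

# "(" followed by the attribute nsrole and a match operator (=, ~=, >=, <=, or :rule:=).
NSROLE_ASSERTION = re.compile(r"\(\s*nsrole\s*(?:[~<>]?=|:)", re.IGNORECASE)


def parse_ldif(text):
    """Yield entries as {lowercased attribute: [values]}."""
    unfolded = re.sub(r"\r?\n ", "", text)  # join folded continuation lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            entry.setdefault(attr.strip().lower(), []).append(value)
        if entry:
            yield entry


def roles_referencing_nsrole(text):
    """Return (dn, filter) pairs for entries whose nsRoleFilter tests nsrole."""
    hits = []
    for entry in parse_ldif(text):
        for flt in entry.get("nsrolefilter", []):
            if NSROLE_ASSERTION.search(flt):
                hits.append((entry.get("dn", ["<no dn>"])[0], flt))
    return hits
```
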

Comment 1 Jim Finn 2017-02-06 17:52:26 UTC
I have created a Docker container that can be used to easily demo & reproduce the bug.

https://github.com/jamespfinn/389Bug49122

Comment 2 mreynolds 2017-02-27 13:20:08 UTC
Fixed upstream.

Comment 10 Sankar Ramalingam 2017-05-22 17:17:52 UTC
[0 root@qeos-110 tickets]# py.test -v ticket49122_test.py 
======================== test session starts =======================
platform linux2 -- Python 2.7.5, pytest-3.0.7, py-1.4.33, pluggy-0.4.0 -- /usr/bin/python
cachedir: .cache
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-663.el7.x86_64-x86_64-with-redhat-7.4-Maipo', 'Packages': {'py': '1.4.33', 'pytest': '3.0.7', 'pluggy': '0.4.0'}, 'Plugins': {'beakerlib': '0.7.1', 'html': '1.14.2', 'cov': '2.5.1', 'metadata': '1.5.0'}}
DS build: 1.3.6.1
389-ds-base: 1.3.6.1-14.el7
nss: 3.28.4-8.el7
nspr: 4.13.1-1.0.el7_3
openldap: 2.4.44-4.el7
svrcore: 4.1.3-2.el7

rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests/tests/tickets, inifile:
plugins: metadata-1.5.0, html-1.14.2, cov-2.5.1, beakerlib-0.7.1
collected 1 items 

ticket49122_test.py::test_ticket49122 PASSED

================= 1 passed in 15.72 seconds =============

Based on upstream tests, marking the bug as Verified.

Comment 11 errata-xmlrpc 2017-08-01 21:14:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086