Bug 1426626
| Summary: | The named-sdb utility raises an abort() within ldapdb_getconn() due to a double-free | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Kyle Walker <kwalker> |
| Component: | bind | Assignee: | Petr Menšík <pemensik> |
| Status: | CLOSED ERRATA | QA Contact: | Andrej Dzilský <adzilsky> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 6.10 | CC: | adzilsky, azone, cww, jkurik, psklenar, tbowling, thozza |
| Target Milestone: | rc | Keywords: | Patch |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | bind-9.8.2-0.67.rc1.el6 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-06-19 05:10:38 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1374441, 1461138, 1494484 | | |

Potential upstream fix - https://source.isc.org/cgi-bin/gitweb.cgi?p=bind9.git;a=patch;h=1c182f1516d3d14de6df81f4103ebfe538a519f6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:1866

Description of problem:

The named-sdb utility can raise an abort within ldapdb_getconn() due to a seeming double-free condition. This only occurs on process stop. The representative backtrace for this failure is:

```
#0  0x00007fa5c9e275e5 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1  0x00007fa5c9e28dc5 in abort () at abort.c:92
#2  0x00007fa5c9e654f7 in __libc_message (do_abort=2, fmt=0x7fa5c9f4da60 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3  0x00007fa5c9e6af3e in malloc_printerr (action=3, str=0x7fa5c9f4ddd0 "double free or corruption (out)", ptr=<value optimized out>, ar_ptr=<value optimized out>) at malloc.c:6360
#4  0x00007fa5c9e6ddd0 in _int_free (av=0x7fa5ca183120, p=0x7fa5cd461060, have_lock=0) at malloc.c:4846
#5  0x00007fa5cd565a68 in ldapdb_getconn (data=0x0) at ldapdb.c:137
#6  0x00007fa5cd565ba5 in ldapdb_clear () at ldapdb.c:665
#7  0x00007fa5cd51e22f in cleanup (argc=<value optimized out>, argv=0x7fff03fb7308) at ./main.c:1010
#8  main (argc=<value optimized out>, argv=0x7fff03fb7308) at ./main.c:1198
```

The relevant source snippet is:

```
132         while (allthreadsdata != NULL) {
133                 threaddata = allthreadsdata;
134                 free(threaddata->index);
135                 while (threaddata->data != NULL) {
136                         conndata = threaddata->data;
137                         free(conndata->index);     # This operation
138                         if (conndata->data != NULL)
139                                 ldap_unbind((LDAP *)conndata->data);
140                         threaddata->data = conndata->next;
141                         free(conndata);
```

Version-Release number of selected component (if applicable):

bind-9.8.2-0.47.rc1.el6_8.3.x86_64

How reproducible:

Every time for the end system impacted. Unable to reproduce the same condition

Steps to Reproduce:
1. On a system susceptible to the issue, start named-sdb
2. Stop named-sdb
3.

Actual results:

The application exits with an abort() related to a glibc detected double-free

Expected results:

Exits successfully

Additional info:
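
As an added illustration (not BIND's code and not the upstream fix, whose content is not shown on this page): a shutdown teardown for a two-level list shaped like the snippet above, written so that a second cleanup call cannot free the same entry twice. The `struct entry` type, `all_threads`, and all function names are hypothetical, the sample list is constructed, and plain `free()` stands in for closing a connection handle.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical entry type shaped like the snippet: thread entries keep their
 * connection list in data, connection entries keep a handle there. */
struct entry { char *index; void *data; struct entry *next; };
static struct entry *all_threads = NULL;   /* stands in for allthreadsdata */

static struct entry *entry_new(const char *index, void *data, struct entry *next) {
    struct entry *e = malloc(sizeof(*e));
    char *copy = malloc(strlen(index) + 1);
    if (e == NULL || copy == NULL) { free(e); free(copy); return NULL; }
    strcpy(copy, index);
    e->index = copy; e->data = data; e->next = next;
    return e;
}

/* Constructed sample: one thread entry "t1" owning connections c1 -> c2. */
static int build_sample(void) {
    struct entry *c2 = entry_new("c2", malloc(8), NULL);
    struct entry *c1 = entry_new("c1", malloc(8), c2);
    struct entry *t = entry_new("t1", c1, all_threads);
    if (!c1 || !c2 || !t) return -1;       /* demo only: no unwinding */
    all_threads = t;
    return 0;
}

/* Frees everything and returns the number of entries freed. Each entry is
 * unlinked before it is freed, so a repeated call finds an empty list. */
static int clear_all(void) {
    int freed = 0;
    while (all_threads != NULL) {
        struct entry *t = all_threads, *c = t->data;
        all_threads = t->next;             /* unlink before freeing */
        while (c != NULL) {
            struct entry *next = c->next;
            free(c->index);
            free(c->data);                 /* stand-in for closing the handle */
            free(c);
            freed++;
            c = next;
        }
        free(t->index);
        free(t);
        freed++;
    }
    return freed;
}

int main(void) { return (build_sample() == 0 && clear_all() == 3 && clear_all() == 0) ? 0 : 1; }
```

Building this with `-fsanitize=address` and running it confirms that the second `clear_all()` call touches no freed memory.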