Bug 1441519
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | AddressSanitizer: stack-buffer-overflow in libmemberof-plugin.so | | |
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Viktor Ashirov <vashirov> |
| Component: | 389-ds-base | Assignee: | mreynolds |
| Status: | CLOSED DUPLICATE | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.4 | CC: | nkinder, rmeggins, tbordaz, vashirov |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2017-04-20 15:15:50 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
This is possibly a duplicate of 1438029. Would it be possible to run the same test on a fix for 1438029, in order to confirm it is a duplicate?

Yes, I will do that. Thanks!

Symbolized output:
=================================================================
==1488== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fb76247d6c8 at pc 0x7fb790f25e44 bp 0x7fb76247d130 sp 0x7fb76247d120
READ of size 4 at 0x7fb76247d6c8 thread T32
#0 0x7fb790f25e43 in memberof_get_plugin_id /usr/src/debug/389-ds-base-1.3.6.1/ldap/servers/plugins/memberof/memberof.c:811
#1 0x7fb790f2d10a in memberof_unlock /usr/src/debug/389-ds-base-1.3.6.1/ldap/servers/plugins/memberof/memberof.c:1107
#2 0x7fb79d2d4ec2 in slapi_plugin_op_finished /usr/src/debug/389-ds-base-1.3.6.1/ldap/servers/slapd/plugin.c:2072 (discriminator 1)
#3 0x7fb79d2d5348 in plugin_call_plugins /usr/src/debug/389-ds-base-1.3.6.1/ldap/servers/slapd/plugin.c:2014
#4 0x7fb7919f5cc3 in ldbm_back_modrdn /usr/src/debug/389-ds-base-1.3.6.1/ldap/servers/slapd/back-ldbm/ldbm_modrdn.c:1238
#5 0x7fb79d2a7e70 in op_shared_rename /usr/src/debug/389-ds-base-1.3.6.1/ldap/servers/slapd/modrdn.c:625
#6 0x7fb79d2a8912 in do_modrdn ??:?
#7 0x5598cdeb98e7 in ?? /usr/src/debug/389-ds-base-1.3.6.1/ldap/servers/slapd/connection.c:628
#8 0x7fb79b7f29ba in PR_Select /usr/src/debug/nspr-4.13.1/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
#9 0x7fb79dacda97 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
#10 0x7fb79b192dc4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308
#11 0x7fb79aa7434c in __clone /usr/src/debug////////glibc-2.17-c758a686/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113
Address 0x7fb76247d6c8 is located at offset 776 in frame <memberof_postop_modrdn> of T32's stack:
This frame has 13 object(s):
[32, 36) 'ret'
[96, 100) 'cached'
[160, 168) 'caller_id'
[224, 232) 'pre_e'
[288, 296) 'post_e'
[352, 360) 'attr'
[416, 424) 'val'
[480, 488) 'last_str'
[544, 552) 'sdn'
[608, 624) 'del_data'
[672, 688) 'groupattrs'
[736, 768) 'data'
[800, 888) 'configCopy'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
Thread T32 created by T0 here:
#0 0x7fb79dabec3a in __interceptor_pthread_create _asan_rtl_
#1 0x7fb79b7f268b in PR_Select /usr/src/debug/nspr-4.13.1/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:457
#2 0x0
Shadow bytes around the buggy address:
0x0ff76c487a80: f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
0x0ff76c487a90: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
0x0ff76c487aa0: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
0x0ff76c487ab0: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
0x0ff76c487ac0: f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4
=>0x0ff76c487ad0: f2 f2 f2 f2 00 00 00 00 f2[f2]f2 f2 00 00 00 00
0x0ff76c487ae0: 00 00 00 00 00 00 00 f4 00 00 00 00 00 00 00 00
0x0ff76c487af0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x0ff76c487b00: 00 f4 f4 f4 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff76c487b10: f1 f1 f1 f1 00 f4 f4 f4 00 00 00 00 00 00 00 00
0x0ff76c487b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==1488== ABORTING
Running the same test with the fix for 1438029, it does not crash. Closing that bug as duplicate of 1438029.

*** This bug has been marked as a duplicate of bug 1438029 ***
Description of problem:
Issue was found during stress test from TET AutoMembers test suite.

=================================================================
==1488== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fb76247d6c8 at pc 0x7fb790f25e44 bp 0x7fb76247d130 sp 0x7fb76247d120
READ of size 4 at 0x7fb76247d6c8 thread T32
#0 0x7fb790f25e43 (/usr/lib64/dirsrv/plugins/libmemberof-plugin.so+0x8e43)
#1 0x7fb790f2d10a (/usr/lib64/dirsrv/plugins/libmemberof-plugin.so+0x1010a)
#2 0x7fb79d2d4ec2 (/usr/lib64/dirsrv/libslapd.so.0.1.0+0x160ec2)
#3 0x7fb79d2d5348 (/usr/lib64/dirsrv/libslapd.so.0.1.0+0x161348)
#4 0x7fb7919f5cc3 (/usr/lib64/dirsrv/plugins/libback-ldbm.so+0xe0cc3)
#5 0x7fb79d2a7e70 (/usr/lib64/dirsrv/libslapd.so.0.1.0+0x133e70)
#6 0x7fb79d2a8912 (/usr/lib64/dirsrv/libslapd.so.0.1.0+0x134912)
#7 0x5598cdeb98e7 (/usr/sbin/ns-slapd+0x3b8e7)
#8 0x7fb79b7f29ba (/usr/lib64/libnspr4.so+0x289ba)
#9 0x7fb79dacda97 (/usr/lib64/libasan.so.0.0.0+0x19a97)
#10 0x7fb79b192dc4 (/usr/lib64/libpthread-2.17.so+0x7dc4)
#11 0x7fb79aa7434c (/usr/lib64/libc-2.17.so+0xf834c)
Address 0x7fb76247d6c8 is located at offset 776 in frame <memberof_postop_modrdn> of T32's stack:
This frame has 13 object(s):
[32, 36) 'ret'
[96, 100) 'cached'
[160, 168) 'caller_id'
[224, 232) 'pre_e'
[288, 296) 'post_e'
[352, 360) 'attr'
[416, 424) 'val'
[480, 488) 'last_str'
[544, 552) 'sdn'
[608, 624) 'del_data'
[672, 688) 'groupattrs'
[736, 768) 'data'
[800, 888) 'configCopy'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
Thread T32 created by T0 here:
#0 0x7fb79dabec3a (/usr/lib64/libasan.so.0.0.0+0xac3a)
#1 0x7fb79b7f268b (/usr/lib64/libnspr4.so+0x2868b)
#2 0x0
Shadow bytes around the buggy address:
0x0ff76c487a80: f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
0x0ff76c487a90: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
0x0ff76c487aa0: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
0x0ff76c487ab0: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
0x0ff76c487ac0: f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4
=>0x0ff76c487ad0: f2 f2 f2 f2 00 00 00 00 f2[f2]f2 f2 00 00 00 00
0x0ff76c487ae0: 00 00 00 00 00 00 00 f4 00 00 00 00 00 00 00 00
0x0ff76c487af0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x0ff76c487b00: 00 f4 f4 f4 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff76c487b10: f1 f1 f1 f1 00 f4 f4 f4 00 00 00 00 00 00 00 00
0x0ff76c487b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==1488== ABORTING

Version-Release number of selected component (if applicable):
389-ds-base-1.3.6.1-6.el7.x86_64

How reproducible:
Deterministically
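The frame description that appears in both the original description and the symbolized comment is enough to name the redzone that was hit without decoding the shadow dump by hand: offset 776 is not inside any of the 13 objects, it lies 8 bytes past the end of 'data' [736, 768) and 24 bytes before 'configCopy' [800, 888), which is why the marked shadow byte is f2 (stack mid redzone). It is also worth noticing that the frame ASan names, memberof_postop_modrdn, is not one of the functions in the backtrace. The following triage script is an added example, not code from this bug or from 389-ds-base; it parses the access line, the frame line and the object list (the sample text is a constructed excerpt of the report above) and classifies the faulting bytes as inside an object, running off an object's end, or in the left, mid or right redzone. The layout assumptions (objects in ascending order, poisoned gaps between them) are ASan's documented frame layout.

```python
"""Triage helper for an AddressSanitizer stack-buffer-overflow report.

Parses the 'READ of size N', 'is located at offset N in frame <fn>' and
"[start, end) 'name'" lines and maps the faulting bytes onto the frame's
declared stack objects, so the redzone hit can be named directly.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: an excerpt of the report in this bug (header, access
# line, top frame and the full 13-object frame description).
SAMPLE_REPORT = """\
==1488== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fb76247d6c8 at pc 0x7fb790f25e44 bp 0x7fb76247d130 sp 0x7fb76247d120
READ of size 4 at 0x7fb76247d6c8 thread T32
    #0 0x7fb790f25e43 in memberof_get_plugin_id /usr/src/debug/389-ds-base-1.3.6.1/ldap/servers/plugins/memberof/memberof.c:811
Address 0x7fb76247d6c8 is located at offset 776 in frame <memberof_postop_modrdn> of T32's stack:
  This frame has 13 object(s):
    [32, 36) 'ret'
    [96, 100) 'cached'
    [160, 168) 'caller_id'
    [224, 232) 'pre_e'
    [288, 296) 'post_e'
    [352, 360) 'attr'
    [416, 424) 'val'
    [480, 488) 'last_str'
    [544, 552) 'sdn'
    [608, 624) 'del_data'
    [672, 688) 'groupattrs'
    [736, 768) 'data'
    [800, 888) 'configCopy'
"""


@dataclass
class StackObject:
    start: int  # byte offset within the frame, inclusive
    end: int    # exclusive
    name: str


@dataclass
class StackReport:
    kind: str       # e.g. "stack-buffer-overflow"
    access: str     # "READ" or "WRITE"
    size: int       # bytes accessed
    thread: str     # e.g. "T32"
    offset: int     # offset of the faulting address within the frame
    frame: str      # function that owns the frame
    objects: List[StackObject]


_KIND = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x[0-9a-f]+")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)", re.M)
_FRAME = re.compile(r"is located at offset (\d+) in frame <([^>]+)>")
_OBJECT = re.compile(r"^[ \t]*\[(\d+), (\d+)\) '([^']+)'", re.M)


def parse_report(text: str) -> StackReport:
    """Extract the access, the frame and its object list; raise if any is missing."""
    kind, access, frame = _KIND.search(text), _ACCESS.search(text), _FRAME.search(text)
    objects = [StackObject(int(a), int(b), n) for a, b, n in _OBJECT.findall(text)]
    if not (kind and access and frame and objects):
        raise ValueError("not a complete ASan stack-frame report")
    objects.sort(key=lambda o: o.start)
    return StackReport(kind.group(1), access.group(1), int(access.group(2)),
                       access.group(3), int(frame.group(1)), frame.group(2), objects)


def classify(rep: StackReport) -> dict:
    """Map the faulting byte range [offset, offset+size) onto the frame layout.

    ASan places stack objects in ascending order with poisoned redzones between
    them (shadow f2) and on either side (f1 before the first, f3/f4 after the
    last), so an offset that falls inside no object is a redzone hit.
    """
    lo, hi = rep.offset, rep.offset + rep.size
    for obj in rep.objects:
        if obj.start <= lo < obj.end:
            return {"where": "inside" if hi <= obj.end else "overflows", "object": obj.name}
    prev = max((o for o in rep.objects if o.end <= lo), key=lambda o: o.end, default=None)
    nxt = min((o for o in rep.objects if o.start > lo), key=lambda o: o.start, default=None)
    if prev is None:
        return {"where": "left-redzone", "before": nxt.name}
    if nxt is None:
        return {"where": "right-redzone", "after": prev.name, "past_end": lo - prev.end}
    return {"where": "mid-redzone", "after": prev.name, "past_end": lo - prev.end,
            "before": nxt.name, "short_of": nxt.start - lo}


def describe(text: str) -> str:
    """One-line summary suitable for pasting into a bug comment."""
    rep = parse_report(text)
    c = classify(rep)
    head = (f"{rep.access} of {rep.size} byte(s) at offset {rep.offset} in frame "
            f"<{rep.frame}> ({rep.kind}, {rep.thread}): ")
    if c["where"] == "mid-redzone":
        return head + (f"{c['past_end']} bytes past the end of '{c['after']}', "
                       f"{c['short_of']} bytes before '{c['before']}' (mid redzone)")
    if c["where"] == "right-redzone":
        return head + f"{c['past_end']} bytes past the end of last object '{c['after']}'"
    if c["where"] == "left-redzone":
        return head + f"left redzone, before first object '{c['before']}'"
    if c["where"] == "overflows":
        return head + f"starts inside '{c['object']}' and runs past its end"
    return head + f"entirely inside '{c['object']}' (not a bounds error; reread the kind)"


if __name__ == "__main__":
    print(describe(SAMPLE_REPORT))
```

Run it on a saved report (`python3 triage.py < report.txt` after swapping `SAMPLE_REPORT` for `sys.stdin.read()`) to get the object names next to the offset; the same parser works on the unsymbolized copy in the description, since the frame description does not depend on symbols.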