Bug 1449098

Summary: ns-slapd crashes in role cache creation.
Product: Red Hat Enterprise Linux 7 Reporter: German Parente <gparente>
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: Viktor Ashirov <vashirov>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: nkinder, rmeggins
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 389-ds-base-1.3.6.1-14.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-08-01 21:16:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
full st. none

Description German Parente 2017-05-09 08:40:35 UTC 
Created attachment 1277312 [details]
full st.

Description of problem:

there's a directory crash while creating role cache. At first I thought it could be "bug 1419162 A filtered nsrole that specifies an empty nsrole in its nsRoleFilter will result in a segfault." but this bug is fixed in customer version: 389-ds-base-1.3.5.10-20

The problem is that customer cannot give us the core file because of confidentiality.

We see in the stack trace:

Thread 1 (Thread 0x7ff7502478c0 (LWP 6591)):
#0  0x00007ff7427c4d68 in strcmpi_fast (src=0x7ff7427c6fe3 "nsRole", dst=0x1 <Address 0x1 out of bounds>) at ldap/servers/slapd/intrinsics.h:29
        f = <optimized out>
        l = <optimized out>
#1  roles_check_filter (filter_list=0x7ff76fcbbb80) at ldap/servers/plugins/roles/roles_cache.c:1089
        f = 0x7ff76fcbbc80
        type = 0x0
#2  roles_cache_create_object_from_entry (hint=0, result=<synthetic pointer>, role_entry=0x7ff76fb992c0) at ldap/servers/plugins/roles/roles_cache.c:1277
        filter = 0x7ff76fcbbb80
        filter_attr_value = 0x7ff751828640 "(&(|(objectclass=govermentalapplicationprocess)(networkuser=app::*))(userpassword=*))"
        pb = <optimized out>
        parent = 0x0
        rc = 0
        type = <optimized out>
        this_role = 0x7ff76fc5aac0
        rolescopeDN = <optimized out>


So, we can deduce that in 

static int roles_check_filter(Slapi_Filter *filter_list)
{
        Slapi_Filter  *f;
        char *type = NULL;

        for ( f = slapi_filter_list_first( filter_list );
                  f != NULL;
                  f = slapi_filter_list_next( filter_list, f ) )
        {
                slapi_filter_get_attribute_type(f, &type);
                if (strcasecmp(type, NSROLEATTR) == 0){
                        return -1;
                }
        }

        return 0;
}

while browsing the Slapi_Filter object that was built from:

"(&(|(objectclass=govermentalapplicationprocess)(networkuser=app::*))(userpassword=*))"

one of the attribute types is corrupted.

I could try to ask the customer to run gdb and get more information if needed.

I will attach full pstack.

Version-Release number of selected component (if applicable): 389-ds-base-1.3.5.10-20
Comment 2 mreynolds 2017-05-09 16:10:59 UTC 
I could reproduce the crash using dirsrvtests/tests/tickets/ticket49122_test.py and replacing the nsrole filter with:

"(&(|(objectclass=govermentalapplicationprocess)(networkuser=app::*))(userpassword=*))"
Comment 4 mreynolds 2017-05-09 18:37:06 UTC 
Upstream ticket:
https://pagure.io/389-ds-base/issue/49246
Comment 5 mreynolds 2017-05-10 15:34:08 UTC 
Fixed upstream
Comment 7 Viktor Ashirov 2017-05-20 13:40:13 UTC 
========================================================== test session starts ==========================================================
platform linux2 -- Python 2.7.5, pytest-3.0.7, py-1.4.33, pluggy-0.4.0 -- /usr/bin/python
cachedir: .cache
metadata: {'Python': '2.7.5', 'Platform': 'Linux-3.10.0-663.el7.x86_64-x86_64-with-redhat-7.4-Maipo', 'Packages': {'py': '1.4.33', 'pytest': '3.0.7', 'pluggy': '0.4.0'}, 'Plugins': {'beakerlib': '0.7.1', 'html': '1.14.2', 'cov': '2.5.1', 'metadata': '1.5.0'}}
DS build: 1.3.6.1
389-ds-base: 1.3.6.1-14.el7
nss: 3.28.4-6.el7
nspr: 4.13.1-1.0.el7_3
openldap: 2.4.44-4.el7
svrcore: 4.1.3-2.el7

rootdir: /export/tests, inifile:
plugins: metadata-1.5.0, html-1.14.2, cov-2.5.1, beakerlib-0.7.1
collected 1 items 

tickets/ticket49122_test.py::test_ticket49122 PASSED

======================================================= 1 passed in 15.47 seconds =======================================================

No crash during the test run, marking as VERIFIED.
Comment 8 errata-xmlrpc 2017-08-01 21:16:38 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2086