Bug 1517980
| Summary: | stack-buffer-overflow in slapi_pblock_get | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Viktor Ashirov <vashirov> |
| Component: | 389-ds-base | Assignee: | mreynolds |
| Status: | CLOSED ERRATA | QA Contact: | Viktor Ashirov <vashirov> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.5 | CC: | nkinder, nsoman, rmeggins |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | 389-ds-base-1.3.7.5-11.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-04-10 14:22:34 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Upstream ticket: https://pagure.io/389-ds-base/issue/49470

Build tested: 389-ds-base-1.3.7.5-14.el7.x86_64 (rebuilt with ASAN)

This crash didn't occur in acceptance tests, marking as VERIFIED, SanityOnly.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811
Description of problem:

```
=================================================================
==26004== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fa0f0db93e0 at pc 0x7fa12a5fcfd2 bp 0x7fa0f0db9330 sp 0x7fa0f0db9320
WRITE of size 8 at 0x7fa0f0db93e0 thread T40
    #0 0x7fa12a5fcfd1 in slapi_pblock_get /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/pblock.c:415
    #1 0x7fa12a5df9a7 in do_modify /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/modify.c:285
    #2 0x56102e132e1c in ?? /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:624
    #3 0x7fa1286f4c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
    #4 0x7fa12abe9867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
    #5 0x7fa128094dd4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308
    #6 0x7fa1277429bc in __clone /usr/src/debug////////glibc-2.17-c758a686/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Address 0x7fa0f0db93e0 is located at offset 32 in frame <do_modify> of T40's stack:
  This frame has 13 object(s):
    [32, 36) 'connid'
    [96, 100) 'opid'
    [160, 168) 'operation'
    [224, 232) 'pb_conn'
    [288, 296) 'len'
    [352, 360) 'normalized_mods'
    [416, 424) 'mod'
    [480, 488) 'last'
    [544, 552) 'type'
    [608, 616) 'old_pw'
    [672, 680) 'rawdn'
    [736, 760) 'smods'
    [800, 1312) 'ebuf'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Thread T40 created by T0 here:
    #0 0x7fa12abdaa0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7fa1286f495b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:457
    #2 0x0
Shadow bytes around the buggy address:
  0x0ff49e1af220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff49e1af230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff49e1af240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff49e1af250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff49e1af260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff49e1af270: 00 00 00 00 00 00 00 00 f1 f1 f1 f1[04]f4 f4 f4
  0x0ff49e1af280: f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
  0x0ff49e1af290: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
  0x0ff49e1af2a0: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
  0x0ff49e1af2b0: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
  0x0ff49e1af2c0: f2 f2 f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap righ redzone:       fb
  Freed Heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  ASan internal:           fe
==26004== ABORTING
```

Version-Release number of selected component (if applicable):
389-ds-base-1.3.7.5-10.el7.x86_64
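The frame layout above places 'connid' in a 4-byte slot, [32, 36), and the WRITE of size 8 lands at exactly that offset: slapi_pblock_get hands back a value wider than the local that receives it. The C below is an added illustration, not 389-ds-base code, of that void*-out-parameter convention with a size-checked getter that refuses a too-narrow destination; the pblock_t layout, the 64-bit connection-id width, the PBLOCK_GET macro and the sample values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Stand-in for the parameter block (illustration, not 389-ds-base code): values come back
 * through a void* out-pointer, the convention under which ASan reports an 8-byte write into
 * do_modify's 4-byte 'connid' slot. */
enum { PARAM_CONN_ID = 1, PARAM_OPID = 2 };
typedef struct {
    uint64_t connid; /* assumed 8-byte connection id, matching "WRITE of size 8" */
    int32_t  opid;   /* 4-byte operation id */
} pblock_t;
static const pblock_t SAMPLE_PB = { .connid = 0x100000002ULL, .opid = 7 }; /* constructed */

/* Size-checked getter: copies the field only if the caller's variable is wide enough and
 * returns the bytes written (0 = refused). An unsized getter must trust the caller, which
 * is how a too-narrow local turns into a stack-buffer-overflow. */
static size_t pblock_get_checked(const pblock_t *pb, int param, void *out, size_t out_size)
{
    const void *src = NULL; size_t n = 0;
    switch (param) {
    case PARAM_CONN_ID: src = &pb->connid; n = sizeof pb->connid; break;
    case PARAM_OPID:    src = &pb->opid;   n = sizeof pb->opid;   break;
    default:            return 0;
    }
    if (out == NULL || out_size < n) return 0; /* refuse rather than overflow the caller */
    memcpy(out, src, n);
    return n;
}
/* sizeof(var) is taken at the call site, so a too-narrow local is caught. */
#define PBLOCK_GET(pb, param, var) pblock_get_checked((pb), (param), &(var), sizeof(var))
/* Buggy shape: a 4-byte int receiving an 8-byte field, like [32, 36) 'connid' in the frame.
 * Unchecked this is the report's overflow; with the check the call is refused. */
static size_t fetch_connid_as_int(const pblock_t *pb)
{
    int connid = 0;
    return PBLOCK_GET(pb, PARAM_CONN_ID, connid); /* 0: refused, nothing written */
}
/* Corrected shape: the local is as wide as the field it receives. */
static uint64_t fetch_connid_as_u64(const pblock_t *pb)
{
    uint64_t connid = 0;
    return PBLOCK_GET(pb, PARAM_CONN_ID, connid) == sizeof connid ? connid : 0;
}

int main(void)
{
    printf("int caller wrote %zu bytes; u64 caller got %llx\n", fetch_connid_as_int(&SAMPLE_PB),
           (unsigned long long)fetch_connid_as_u64(&SAMPLE_PB));
    return 0;
}
```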