Bug 1518069

Summary: heap-buffer-overflow in ss_unescape
Product: Red Hat Enterprise Linux 7
Reporter: Viktor Ashirov <vashirov>
Component: 389-ds-base
Assignee: mreynolds
Status: CLOSED ERRATA
QA Contact: Viktor Ashirov <vashirov>
Severity: medium
Docs Contact:
Priority: high
Version: 7.5
CC: lmiksik, nkinder, rmeggins, tbordaz
Target Milestone: rc
Keywords: Regression
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 389-ds-base-1.3.7.5-11.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-10 14:22:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Viktor Ashirov 2017-11-28 06:46:19 UTC
Description of problem:
=================================================================
==21829== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6004009380b6 at pc 0x7f9979a37d62 bp 0x7f9929d5a610 sp 0x7f9929d5a600
READ of size 1 at 0x6004009380b6 thread T57
    #0 0x7f9979a37d61 in ss_unescape /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/collation/orfilter.c:316
    #1 0x7f9979a37eed in ss_filter_value /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/collation/orfilter.c:351
    #2 0x7f9979a3a164 in ss_filter_values /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/collation/orfilter.c:411
    #3 0x7f99809d963b in attempt_mr_filter_create /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin_mr.c:590
    #4 0x7f99809da6fe in plugin_mr_filter_create /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin_mr.c:616
    #5 0x7f998094706d in get_filter_internal /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/filter.c:310
    #6 0x7f998094a701 in get_filter /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/filter.c:56
    #7 0x55c62bcd5378 in do_search /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/search.c:184
    #8 0x55c62bcaf15a in connection_dispatch_operation /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:648
    #9 0x7f997eab1c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
    #10 0x7f9980fa6867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
    #11 0x7f997e451dd4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308
    #12 0x7f997daff9bc in __clone /usr/src/debug////////glibc-2.17-c758a686/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113
0x6004009380b6 is located 0 bytes to the right of 6-byte region [0x6004009380b0,0x6004009380b6)
allocated by thread T57 here:
    #0 0x7f9980fa2ef9 in malloc _asan_rtl_
    #1 0x7f9980910f07 in slapi_ch_malloc /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/ch_malloc.c:95
    #2 0x7f9979a3a069 in ss_filter_values /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/collation/orfilter.c:405
    #3 0x7f99809d963b in attempt_mr_filter_create /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin_mr.c:590
    #4 0x7f99809da6fe in plugin_mr_filter_create /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin_mr.c:616
    #5 0x7f998094706d in get_filter_internal /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/filter.c:310
    #6 0x7f998094a701 in get_filter /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/filter.c:56
    #7 0x55c62bcd5378 in do_search /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/search.c:184
    #8 0x55c62bcaf15a in connection_dispatch_operation /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:648
    #9 0x7f997eab1c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
Thread T57 created by T0 here:
    #0 0x7f9980f97a0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f997eab195b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:457
    #2 0x0
Shadow bytes around the buggy address:
  0x0c010011efc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c010011efd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c010011efe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c010011eff0: fa fa fa fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x0c010011f000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 01 fa
=>0x0c010011f010: fa fa 00 00 fa fa[06]fa fa fa 00 04 fa fa 03 fa
  0x0c010011f020: fa fa 03 fa fa fa 03 fa fa fa fd fd fa fa 00 01
  0x0c010011f030: fa fa 00 04 fa fa fd fd fa fa 07 fa fa fa fd fa
  0x0c010011f040: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c010011f050: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c010011f060: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==21829== ABORTING

Version-Release number of selected component (if applicable):
389-ds-base-1.3.7.5-10.el7.x86_64

Comment 2 wibrown@redhat.com 2017-11-28 14:52:42 UTC
Hmm again. I don't understand this issue. I think I need to see the filter that caused the crash to really understand this ....

Comment 3 wibrown@redhat.com 2017-11-28 14:58:17 UTC
I think it's a filter with an or and a wild card in it if that helps ....

Comment 4 wibrown@redhat.com 2017-11-28 15:37:23 UTC
Upstream ticket:
https://pagure.io/389-ds-base/issue/49471

Comment 5 Viktor Ashirov 2017-11-29 17:19:56 UTC
'(description:2.16.840.1.113730.3.3.2.1.1.6:=\*German\*)'

Comment 7 thierry bordaz 2017-12-08 10:46:42 UTC
Fix pushed upstream -> POST

Comment 9 Viktor Ashirov 2018-01-10 13:51:40 UTC
Build tested:
389-ds-base-1.3.7.5-11.el7.x86_64 (rebuilt with ASAN)

[root@qeos-46 tests]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com '(description:2.16.840.1.113730.3.3.2.1.1.6:=\*German\*)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (description:2.16.840.1.113730.3.3.2.1.1.6:=\*German\*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
[root@qeos-46 tests]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com '(description:2.16.840.1.113730.3.3.2.1.1.6:=\*German)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (description:2.16.840.1.113730.3.3.2.1.1.6:=\*German)
# requesting: ALL
#


# numResponses: 0
ldap_result: Can't contact LDAP server (-1)


Server crashes with the following ASAN backtrace:
=================================================================
==12186== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6006008de8bf at pc 0x7f2c9dcc39b8 bp 0x7f2c7b70df00 sp 0x7f2c7b70def0
READ of size 1 at 0x6006008de8bf thread T32
    #0 0x7f2c9dcc39b7 in ?? ldap/servers/plugins/collation/collate.c:259
    #1 0x7f2c9dcca21d in ss_filter_match ldap/servers/plugins/collation/orfilter.c:196
    #2 0x7f2ca4df3e0d in test_ava_filter ldap/servers/slapd/filterentry.c:521
    #3 0x7f2ca4df469a in test_ava_filter ldap/servers/slapd/filterentry.c:879
    #4 0x7f2ca4df6426 in slapi_vattr_filter_test_ext ldap/servers/slapd/filterentry.c:771
    #5 0x7f2c98cc050e in ldbm_back_next_search_entry_ext ldap/servers/slapd/back-ldbm/ldbm_search.c:1669
addr2line: Dwarf Error: Unable to read alt ref 25981.
addr2line: Dwarf Error: Unable to read alt ref 25981.
addr2line: Dwarf Error: Unable to read alt ref 25981.
addr2line: Dwarf Error: Unable to read alt ref 25981.
addr2line: Dwarf Error: Unable to read alt ref 25981.
addr2line: Dwarf Error: Unable to read alt ref 25981.
addr2line: Dwarf Error: Unable to read alt ref 25981.
    #6 0x7f2ca4e4bec2 in iterate ldap/servers/slapd/opshared.c:1221
    #7 0x7f2ca4e4f2f2 in op_shared_search ldap/servers/slapd/opshared.c:811
    #8 0x5625a1eebc52 in do_search /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/search.c:332
    #9 0x5625a1ec50aa in connection_dispatch_operation /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:648
    #10 0x7f2ca2f56c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
    #11 0x7f2ca544c867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
    #12 0x7f2ca28f6dd4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308
    #13 0x7f2ca1fa494c in __clone /usr/src/debug////////glibc-2.17-c758a686/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113
0x6006008de8bf is located 1 bytes to the left of 24-byte region [0x6006008de8c0,0x6006008de8d8)
allocated by thread T32 here:
    #0 0x7f2ca5448ef9 in malloc _asan_rtl_
    #1 0x7f2ca4db6f07 in slapi_ch_malloc ldap/servers/slapd/ch_malloc.c:95
    #2 0x7f2c9dccb320 in ss_filter_keys ldap/servers/plugins/collation/orfilter.c:470
addr2line: Dwarf Error: Unable to read alt ref 25981.
    #3 0x7f2ca4e7f63b in attempt_mr_filter_create ldap/servers/slapd/plugin_mr.c:590
    #4 0x7f2ca4e8059b in plugin_mr_filter_create ldap/servers/slapd/plugin_mr.c:612
addr2line: Dwarf Error: Unable to read alt ref 25981.
addr2line: Dwarf Error: Unable to read alt ref 25981.
addr2line: Dwarf Error: Unable to read alt ref 25981.
addr2line: Dwarf Error: Unable to read alt ref 4366.
addr2line: Dwarf Error: Unable to read alt ref 4366.
addr2line: Dwarf Error: Unable to read alt ref 4366.
addr2line: Dwarf Error: Unable to read alt ref 4366.
addr2line: Dwarf Error: Unable to read alt ref 4366.
addr2line: Dwarf Error: Unable to read alt ref 4366.
addr2line: Dwarf Error: Unable to read alt ref 4366.
addr2line: Dwarf Error: Unable to read alt ref 4366.
addr2line: Dwarf Error: Unable to read alt ref 4366.
addr2line: Dwarf Error: Unable to read alt ref 4366.
addr2line: Dwarf Error: Unable to read alt ref 4366.
addr2line: Dwarf Error: Unable to read alt ref 4366.
addr2line: Dwarf Error: Unable to read alt ref 4366.
    #5 0x7f2ca4deab45 in slapi_filter_dup ldap/servers/slapd/filter.c:699
    #6 0x7f2c98cbd447 in ldbm_back_search ldap/servers/slapd/back-ldbm/ldbm_search.c:891
    #7 0x7f2ca4e4ecfb in op_shared_search ldap/servers/slapd/opshared.c:755
    #8 0x5625a1eebc52 in do_search /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/search.c:332
    #9 0x5625a1ec50aa in connection_dispatch_operation /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:648
    #10 0x7f2ca2f56c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
Thread T32 created by T0 here:
    #0 0x7f2ca543da0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f2ca2f5695b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:457
    #2 0x0
Shadow bytes around the buggy address:
  0x0c0140113cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0140113cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0140113ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0140113cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0140113d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0140113d10: fa fa 00 00 00 00 fa[fa]00 00 00 fa fa fa 00 00
  0x0c0140113d20: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
  0x0c0140113d30: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 06
  0x0c0140113d40: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c0140113d50: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c0140113d60: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==12186== ABORTING

Marking as ASSIGNED.

Comment 10 thierry bordaz 2018-01-10 14:15:29 UTC
I think https://bugzilla.redhat.com/show_bug.cgi?id=1518069#c0 and https://bugzilla.redhat.com/show_bug.cgi?id=1518069#c9 could be a different bug.

The first one was a crash when parsing a filter: ss_unescape was assuming the remaining part of a buffer was >= 3.

The second crash looks to be when evaluating a filter, but I'm not sure of the condition of the crash.
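
The first crash described in this comment, a parser that assumes at least three bytes remain after a backslash, is the classic shape of a look-ahead overread: the filter value `\*German\*` ends in a two-byte escape, so reading a third byte lands in the heap redzone ASan reported. The following C routine is an added example, not 389-ds-base's ss_unescape and not code from this bug; the function names (`filter_unescape`, `unescape_len`, `unescape_str`) and the accepted escape forms (RFC 4515 `\XX` hex, plus `\c` for a literal byte as a compatibility assumption) are the example's own choices. Every look-ahead is checked against the remaining length, so a trailing `\*` or a lone backslash at the very end of the buffer is handled instead of read past.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decode one hex digit, or return -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical bounds-checked unescape for an LDAP filter assertion value
 * (example code, not 389-ds-base's ss_unescape). Accepts RFC 4515 "\XX"
 * hex escapes and, as a compatibility assumption, "\c" meaning the literal
 * byte c. The input is a length-delimited buffer, not a C string, because
 * that is the situation in which an unchecked look-ahead reads past the
 * allocation. Returns the number of output bytes, or -1 if the value ends
 * in a lone backslash or the output buffer is too small. */
int filter_unescape(const char *in, size_t len, char *out, size_t outcap)
{
    size_t i = 0, o = 0;
    while (i < len) {
        if (o >= outcap) return -1;          /* never overrun the output */
        if (in[i] != '\\') {
            out[o++] = in[i++];
            continue;
        }
        /* Bytes left including the backslash itself; the original bug was
         * assuming this was always >= 3 before reading in[i+1], in[i+2]. */
        size_t remaining = len - i;
        if (remaining >= 3) {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi >= 0 && lo >= 0) {
                out[o++] = (char)((hi << 4) | lo);
                i += 3;
                continue;
            }
        }
        if (remaining >= 2) {                /* "\c": literal next byte */
            out[o++] = in[i + 1];
            i += 2;
            continue;
        }
        return -1;                           /* lone trailing backslash */
    }
    return (int)o;
}

/* Convenience wrappers for NUL-terminated input using a static buffer
 * (fine for a demonstration, not for threaded server code). */
static char g_buf[256];

int unescape_len(const char *s)
{
    return filter_unescape(s, strlen(s), g_buf, sizeof g_buf - 1);
}

const char *unescape_str(const char *s)
{
    int n = unescape_len(s);
    if (n < 0) {
        g_buf[0] = '\0';                     /* malformed: empty string */
        return g_buf;
    }
    g_buf[n] = '\0';
    return g_buf;
}

int main(void)
{
    /* Constructed inputs: the filter value from this bug, a one-escape
     * variant, a hex escape, and a value that ends in a bare backslash. */
    const char *samples[] = { "\\*German\\*", "\\*German", "a\\2ab", "abc\\" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int n = unescape_len(samples[k]);
        printf("%-12s -> %d byte(s): \"%s\"\n", samples[k], n, unescape_str(samples[k]));
    }
    return 0;
}
```

The point to carry over to any length-delimited parser is the `remaining` computation: derive the number of bytes still readable from the buffer length and the current index, and compare against it before every look-ahead, rather than trusting that the escape grammar guarantees enough bytes are present. A fuzzer or an ASan build, as used in this report, will find the case where it does not.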

Comment 11 thierry bordaz 2018-01-10 18:00:51 UTC
Just a note: I think the crashing routine is not in collate.c
Looking at the process and the offset in the loaded libraries, I think we are in libicu

==11599== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600600a7508f at pc 0x7fc0b2ad99b8 bp 0x7fc08b0d0f00 sp 0x7fc08b0d0ef0
READ of size 1 at 0x600600a7508f thread T40
    #0 0x7fc0b2ad99b7 in ?? ldap/servers/plugins/collation/collate.c:259 << OR libICU
    #1 0x7fc0b2ae021d in ss_filter_match ldap/servers/plugins/collation/orfilter.c:196
    #2 0x7fc0b9c09e0d in test_ava_filter ldap/servers/slapd/filterentry.c:521
    #3 0x7fc0b9c0a69a in test_ava_filter ldap/servers/slapd/filterentry.c:879
    #4 0x7fc0b9c0c426 in slapi_vattr_filter_test_ext ldap/servers/slapd

Comment 12 thierry bordaz 2018-01-11 11:54:10 UTC
I was wrong, the head of the stack is in SetUnicodeStringFromUTF_8 (collate.c).
I initially thought symbols were broken because the stack is weird: for example, ss_filter_match does call collation_index (not inlined), which later calls SetUnicodeStringFromUTF_8. But other functions of the backtrace are missing.


I think I identified the reason for the violation and will prepare a patch.
It is a different issue than this current bug. Could you open a separate bug to handle it?

Comment 13 Viktor Ashirov 2018-01-11 12:11:08 UTC
Thank you for your investigation, Thierry!
Sure, I will open a new bugzilla. And since the original bug is fixed, I'm marking this as VERIFIED.

Comment 14 Viktor Ashirov 2018-01-11 12:15:27 UTC
New bug: https://bugzilla.redhat.com/show_bug.cgi?id=1533458

Comment 17 errata-xmlrpc 2018-04-10 14:22:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811