Bug 1553594

Summary: ldappasswd cause the IPA embedded Directory server to SIGSEGV
Product: Red Hat Enterprise Linux 7
Reporter: Ming Davies <minyu>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: unspecified
Version: 7.4
CC: frenaud, ipa-maint, myusuf, ndehadra, nkinder, pasik, pvoborni, rcritten, rmeggins, sumenon, tscherf
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-4.6.4-1.el7
Last Closed: 2018-10-30 10:57:12 UTC
Type: Bug

Description Ming Davies 2018-03-09 07:15:42 UTC
Description of problem:
ldappasswd causes the IPA embedded Directory server to SIGSEGV when changing a sysaccount user's password. The issue doesn't happen if it was done via ldapmodify.


Version-Release number of selected component (if applicable):
I have managed to reproduce the issue on two different versions of IPA:
Customer's version:
ipa-server-4.4.0-12.el7.x86_64
389-ds-base-libs-1.3.5.10-21.el7_3.x86_64


My test env:
ipa-server-4.5.0-22.el7_4.x86_64
389-ds-base-1.3.6.1-24.el7_4.x86_64


How reproducible:
The issue can be easily reproduced.


Steps to Reproduce:
1. Create a test sysaccount user:
# ldapsearch -x -H ldaps://dell-per510-3.linux.testrealm.local -D "cn=Directory manager" -W -b "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local"
# extended LDIF
#
# LDAPv3
# base <uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# xxxxx, sysaccounts, etc, linux.testrealm.local
dn: uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local
uid: bnpsasle
objectClass: inetUser
objectClass: simpleSecurityObject
objectClass: account
objectClass: top
memberOf: cn=System: Change User password,cn=permissions,cn=pbac,cn=etc,dc=lin
 ux,dc=testrealm,dc=local
userPassword:: e1NTSEF9ZG5lUkdXV3JTeTc2ODJncHdNNGg5NzhQVmZ1cG5Uc1pBaEoyNGc9PQ=
 =

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

2. Attempt to change the user's password as herself/himself via ldapmodify
# ldapmodify -h dell-per510-3.linux.testrealm.local -p 389 -D "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local" -W << EOF
dn: uid=xxxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local
changetype: modify
replace: userpassword
userpassword: @\g/G8U;
EOF

3. "ps -ef |grep ns-slapd" shows that ns-slapd is still listening.

4. Change the "uid=xxxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local" user's password back to "password" as "cn=Directory manager":
# ldapmodify -D "cn=Directory manager" -W << EOF
dn: uid=xxxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local
changetype: modify
replace: userpassword
userpassword: password
EOF

5. Verify that ns-slapd is still listening.

6. Attempt to change the user's password with ldappasswd:
# ldappasswd -H ldaps://dell-per510-3.linux.testrealm.local -D "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local" -W -a password -s "@\g/G8U;" "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local"
Enter LDAP Password: 
ldap_result: Can't contact LDAP server (-1)


Corresponding /var/log/messages:
Mar  8 22:38:01 dell-per510-3.linux.testrealm.local systemd[1]: dirsrv: main process exited, code=killed, status=11/SEGV
Mar  8 22:38:01 dell-per510-3.linux.testrealm.local systemd[1]: Unit dirsrv entered failed state.
Mar  8 22:38:01 dell-per510-3.linux.testrealm.local systemd[1]: dirsrv failed.


stacktrace
#0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
#1  0x00007f697dfcdcb1 in ipapwd_set_extradata (dn=0x7f68fc000f50 "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local", principal=0x0, unixtime=1520548630)
    at common.c:966
#2  0x00007f697dfd4c7c in ipapwd_chpwop (krbcfg=0x7f68fc004dd0, pb=0x7f695aff4a90) at ipa_pwd_extop.c:589
#3  ipapwd_extop (pb=0x7f695aff4a90) at ipa_pwd_extop.c:1761
#4  0x00007f698bcd2ed4 in do_extended (pb=pb@entry=0x7f695aff4a90) at ldap/servers/slapd/extendop.c:354
#5  0x00007f698bccbada in connection_dispatch_operation (pb=0x7f695aff4a90, op=0x7f698cb0f710, conn=0x7f69740be710) at ldap/servers/slapd/connection.c:680
#6  connection_threadmain () at ldap/servers/slapd/connection.c:1759
#7  0x00007f69899c19bb in _pt_root (arg=0x7f698ca59260) at ../../../nspr/pr/src/pthreads/ptthread.c:216
#8  0x00007f6989361dc5 in start_thread (arg=0x7f695aff5700) at pthread_create.c:308
#9  0x00007f698909073d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113


Actual results:
ldappasswd causes the IPA embedded Directory server to SIGSEGV

Expected results:
ldappasswd should not cause the IPA embedded Directory server to SIGSEGV

Additional info:

Comment 3 mreynolds 2018-03-12 14:44:04 UTC
I'm not sure this is a DS problem as it's crashing in an IPA plugin when checking the str length of a NULL pointer:


daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c

    if (pwdata.changetype == IPA_CHANGETYPE_NORMAL) {
        principal = slapi_entry_attr_get_charptr(pwdata.target,
                                                 "krbPrincipalName");
    } else {
        principal = slapi_ch_smprintf("root/admin@%s", krbcfg->realm);
    }
    ipapwd_set_extradata(pwdata.dn, principal, pwdata.timeNow);

"principal" is NULL, as the pwdata.target does not have the attribute "krbPrincipalName".  I don't see how DS or ldappasswd is at fault here, but I could easily be missing something.

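The NULL-principal case described in Comment 3, as an added example that is not part of the bug report or of FreeIPA's code: a builder that checks the optional attribute before it reaches strlen() and reports the skip to its caller. The struct, the function names and the blob layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a directory entry. krb_principal is NULL for
 * entries without Kerberos attributes, such as a sysaccount. */
struct entry { const char *dn; const char *krb_principal; };

enum xd_status { XD_OK, XD_SKIPPED_NO_PRINCIPAL, XD_NOMEM };

/* Assumed blob layout: tag(2) + little-endian time(4) + principal + NUL.
 * A NULL principal is reported to the caller instead of reaching strlen(). */
static enum xd_status build_extradata(const char *principal, uint32_t unixtime,
                                      unsigned char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (principal == NULL)      /* the check absent at the crash site */
        return XD_SKIPPED_NO_PRINCIPAL;

    size_t p_len = strlen(principal);
    unsigned char *buf = malloc(2 + 4 + p_len + 1);
    if (buf == NULL)
        return XD_NOMEM;

    buf[0] = 0x00;
    buf[1] = 0x02;
    for (int i = 0; i < 4; i++)
        buf[2 + i] = (unsigned char)(unixtime >> (8 * i));
    memcpy(buf + 6, principal, p_len + 1);   /* copies the trailing NUL */
    *out = buf;
    *out_len = 2 + 4 + p_len + 1;
    return XD_OK;
}

/* Caller side: pass the optional attribute through and act on the status. */
static enum xd_status record_password_change(const struct entry *target,
        uint32_t now, unsigned char **xd, size_t *xd_len)
{
    return build_extradata(target->krb_principal, now, xd, xd_len);
}

int main(void)
{
    struct entry sys = { "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local", NULL };
    unsigned char *xd;
    size_t n;
    return record_password_change(&sys, 1520548630u, &xd, &n) == XD_SKIPPED_NO_PRINCIPAL ? 0 : 1;
}
```

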
Comment 4 Rob Crittenden 2018-03-12 14:48:26 UTC
Sorry, you're right. I read the stack too quickly, moving back to ipa.

Comment 5 Ming Davies 2018-04-03 16:27:30 UTC
Hi,

Any updates please?

Thanks and regards,
Ming

Comment 6 Rob Crittenden 2018-04-03 18:47:15 UTC
Mark has it right. The IPA password plugin isn't taking into consideration changing the password of a system account (which doesn't have Kerberos attributes).

Comment 8 Rob Crittenden 2018-05-23 20:22:19 UTC
Upstream ticket:
https://pagure.io/freeipa/issue/7561

Comment 11 Rob Crittenden 2018-06-29 14:33:53 UTC
Backported test to ipa-4-6:
https://pagure.io/freeipa/c/6652eb088e87cd3f74bd58be3ccda89ec0a46664

Comment 13 Mohammad Rizwan 2018-08-24 07:24:52 UTC
version:
ipa-server-4.6.4-6.el7.x86_64
389-ds-base-1.3.8.4-11.el7.x86_64
openldap-2.4.44-18.el7.x86_64

Steps:

Execute upstream test_commands testsuite:

IPATEST_YAML_CONFIG=/root/mh_cfg.yaml ipa-run-tests -v -r a --with-xunit test_integration/test_commands.py::TestIPACommand::test_change_sysaccount_password_issue7561 --logging-level=DEBUG


Actual result:

[..]


------------------------------------------- generated xml file: /root/nosetests.xml -------------------------------------------
================================================= 1 passed in 442.83 seconds ==================================================

Full console logs provided.

Based on above observations, marking the bug as verified.

Comment 16 errata-xmlrpc 2018-10-30 10:57:12 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187