Bug 1582598

Summary: Reference counting bug in python-ldap causes segfault
Product: [Fedora] Fedora
Reporter: Christian Heimes <cheimes>
Component: python-ldap
Assignee: John (J5) Palmieri <john.j5live>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: caillon+fedoraproject, john.j5live, pviktori, rhughes, rstrode, sandmann, vanmeeuwen+fedora
Hardware: Unspecified
OS: Unspecified
Fixed In Version: python-ldap-3.1.0-1.fc28
Last Closed: 2018-05-27 19:32:17 UTC
Type: Bug
Bug Blocks: 1582600, 1582786

Description Christian Heimes 2018-05-25 17:16:06 UTC
Description of problem:
python-ldap has a reference counting bug that causes a reproducible segfault in FreeIPA.

It is only triggered when an LDAP server returns multiple attribute entries with the same name. An LDAP result contains a sequence of attributes; each item has an attribute name entry and a sequence of values. python-ldap code has extra code to handle a sequence with more than one attribute with the same name. However, the code for this special case was both buggy and never triggered in any test case.

When python-ldap iterates over the attributes, it checks if an attribute name is already in the result dict. That was never the case before. In this special case, ipaAllowedToPerform;write_keys was already in the dict. The code retrieves the result list with PyDict_GetItem and later decreases the reference counter of the list. But that is wrong. PyDict_GetItem returns a borrowed reference, not a new reference. The ref count of the list dropped to zero and a broken object was returned to Python space. Later on, when the object was accessed and the memory location had been modified in the meantime, the interpreter crashed with a segfault.

Version-Release number of selected component (if applicable):
all versions before 3.1.0

How reproducible:
always with FreeIPA

Steps to Reproduce:
1. ipa host-allow-create-keytab $(hostname) --users=admin
2. repeat "ipa host-show $(hostname) --all" multiple times

Actual results:
segfault in HTTPD error log

Expected results:
No segfault

Comment 1 Christian Heimes 2018-05-25 17:17:42 UTC
Fixed in release 3.1.0 by commit https://github.com/python-ldap/python-ldap/commit/77e934e88766002e77462d541b6e9c9599c7d410

Comment 2 Christian Heimes 2018-05-25 17:24:57 UTC
Neither F27 nor RHEL are affected. The bug was introduced when python-ldap was ported to Python 3, see commit https://github.com/python-ldap/python-ldap/commit/fa35757fa2a425784676a91909b8f721cf13c095#diff-7edf3a425345c27675d056757a6a04c3R103

PyMapping_GetItemString() returns a new reference, PyDict_GetItem() a borrowed reference.
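
The ownership difference between the two calls named above can be measured from Python with `ctypes`. This is an added example, not code from python-ldap or from the bug report; the function name `ownership_deltas` and the sample value are constructed for illustration, and it assumes CPython.

```python
import ctypes
import sys

api = ctypes.pythonapi  # C API of the running interpreter; calls hold the GIL

# Return raw pointers (c_void_p) so ctypes never adjusts reference counts itself.
api.PyDict_GetItem.argtypes = [ctypes.py_object, ctypes.py_object]
api.PyDict_GetItem.restype = ctypes.c_void_p
api.PyMapping_GetItemString.argtypes = [ctypes.py_object, ctypes.c_char_p]
api.PyMapping_GetItemString.restype = ctypes.c_void_p
api.Py_DecRef.argtypes = [ctypes.c_void_p]
api.Py_DecRef.restype = None

ATTR = "ipaAllowedToPerform;write_keys"  # attribute name taken from the report


def ownership_deltas():
    """Return refcount changes on the value list after each lookup."""
    values = [b"constructed-value"]   # constructed sample value list
    entry = {ATTR: values}            # result dict that already holds ATTR
    base = sys.getrefcount(values)

    # Borrowed reference: the count does not move, so the caller owes no decref.
    borrowed = api.PyDict_GetItem(entry, ATTR)
    after_borrowed = sys.getrefcount(values) - base

    # New reference: the count rises by one, so the caller owes one decref.
    owned = api.PyMapping_GetItemString(entry, ATTR.encode())
    after_new = sys.getrefcount(values) - base

    # The decref is balanced only for the new reference. Applying it to the
    # borrowed pointer would release the reference the dict itself holds,
    # which is the imbalance described in this report.
    api.Py_DecRef(owned)
    after_release = sys.getrefcount(values) - base

    same_object = borrowed == owned == id(values)
    return after_borrowed, after_new, after_release, same_object


if __name__ == "__main__":
    print(ownership_deltas())
```

When a lookup is changed from one of these calls to the other during a port, every matching `Py_DECREF` on the result has to be re-audited, because the same pointer now carries different ownership.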

Comment 3 Fedora Update System 2018-05-25 18:04:44 UTC
python-ldap-3.1.0-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-196e3ee42f

Comment 4 Fedora Update System 2018-05-26 23:30:54 UTC
python-ldap-3.1.0-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-196e3ee42f

Comment 5 Fedora Update System 2018-05-27 19:32:17 UTC
python-ldap-3.1.0-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.