Bug 644013

Summary: uniqueness plugin segfault bug
Product: [Retired] 389
Reporter: Simo Sorce <ssorce>
Component: Server - Plugins
Assignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE
QA Contact: Viktor Ashirov <vashirov>
Severity: urgent
Priority: high
Version: 1.2.6
CC: amsharma
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2015-12-07 16:49:57 UTC
Bug Blocks: 576869, 639035    

Description Simo Sorce 2010-10-18 18:40:52 UTC
In the uniqueness plugin the addMod() function is buggy and will modify arbitrary memory if more than one mod is added to the array passed to the function.

The error is in servers/plugins/uiquniq/uid.c at line 650

*modary[*nmods] = toadd;

This is incorrect and works only for element [0] of the array.
The correct code reads:
(*modary)[*nmods] = toadd;

The segfault happens later on when the modify_preop() code will try to dereference the second element of the array finding a pointer to 0.
The stack of the modify_preop is probably also compromised because the next address after the checkmods array has been changed.

Note that the servers/plugins/uiquniq/7bit.c file has the same addMod() function, but the code is correct there. Yay for code duplication :-/
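
The precedence error described above, as an added example that is not the 389 source: `Mod`, `add_mod_fixed`, `buggy_target`, `fixed_target` and the two-word caller frame are constructed stand-ins. The buggy store is only located, never executed, so the program stays well defined.

```c
#include <stdio.h>
#include <stdlib.h>

typedef struct { const char *attr; } Mod;   /* constructed stand-in for LDAPMod */

/* Corrected append: dereference the out-parameter first, then index the array. */
static int add_mod_fixed(Mod ***modary, int *capacity, int *nmods, Mod *toadd)
{
    if (*nmods == *capacity) {
        Mod **grown = realloc(*modary, (size_t)(*capacity + 4) * sizeof(Mod *));
        if (grown == NULL) return -1;
        *modary = grown;
        *capacity += 4;
    }
    (*modary)[*nmods] = toadd;
    (*nmods)++;
    return 0;
}

/* [] binds tighter than unary *, so "*modary[n] = x" parses as "*(modary[n]) = x":
 * it stores through the n-th word after the caller's pointer variable.
 * "(*modary)[n] = x" stores into slot n of the array itself. */
static Mod **buggy_target(Mod ***modary, int n) { return modary[n]; }
static Mod **fixed_target(Mod ***modary, int n) { return &(*modary)[n]; }

/* Constructed caller frame: words[0] is the real array pointer and words[1]
 * models the adjacent stack word. Returns 1 if both forms hit the same slot. */
static int targets_agree(int n)
{
    Mod *array[4] = {0};
    Mod *neighbour = NULL;                  /* unrelated variable */
    Mod **words[2] = { array, &neighbour };
    if (n < 0 || n > 1) return -1;
    return buggy_target(&words[0], n) == fixed_target(&words[0], n);
}

/* Two mods on one attribute, as in a delete-then-add modify operation. */
static int append_two(void)
{
    Mod del = {"uid"}, add = {"uid"};
    Mod **mods = NULL;
    int cap = 0, n = 0;
    int ok = add_mod_fixed(&mods, &cap, &n, &del) == 0 &&
             add_mod_fixed(&mods, &cap, &n, &add) == 0 &&
             n == 2 && mods[0] == &del && mods[1] == &add;
    free(mods);
    return ok;
}

int main(void) { printf("%d %d %d\n", targets_agree(0), targets_agree(1), append_two()); return 0; }
```

With one mod the two forms address the same slot, which is why the defect stays hidden until an operation carries a second mod.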

Comment 1 Rich Megginson 2010-10-18 18:46:27 UTC
To ssh://git.fedorahosted.org/git/389/ds.git
   52632d7..f4c6760  master -> master
commit f4c6760ea5da7849e5b1f3b2f8d08bd7f6eedd1a
Author: Rich Megginson <rmeggins>
Date:   Mon Oct 18 12:47:14 2010 -0600
    Reviewed by: self - one liner
    Branch: master
    Fix Description: Access the array pointer correctly
    Platforms tested: RHEL5 x86_64
    Flag Day: no
    Doc impact: no

Comment 2 Amita Sharma 2011-05-16 11:20:24 UTC
Seems to be a code issue in addMod().
Can I verify/Test this? 
If yes, then please add the steps.

Thanks,
ami

Comment 3 Rich Megginson 2011-05-16 15:01:46 UTC
(In reply to comment #2)
> Seems to be a code issue in addMod().
> Can I verify/Test this? 
> If yes, then please add the steps.
> 
> Thanks,
> ami

Submit a modify operation that has more than one uid value in it.  For example:
       changetype: modify
       delete: uid
       uid: balster1950
       -
       add: uid
       uid: scottg
The server should not crash.

Comment 4 Amita Sharma 2011-05-17 09:29:14 UTC
No crash found.