Bug 700557

Summary: Linked attributes callbacks access free'd pointers after close
Product: [Retired] 389 Reporter: Nathan Kinder <nkinder>
Component: Server - PluginsAssignee: Nathan Kinder <nkinder>
Status: CLOSED CURRENTRELEASE QA Contact: Viktor Ashirov <vashirov>
Severity: high Docs Contact:
Priority: unspecified    
Version: 1.2.8CC: amsharma
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 700665 (view as bug list) Environment:
Last Closed: 2015-12-07 16:34:57 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 639035, 700665    
Attachments:
Description Flags
Patch
nkinder: review?, rmeggins: review+
Additional patch rmeggins: review+

Description Nathan Kinder 2011-04-28 16:35:37 UTC 
The linked attributes plug-in callbacks can still try to access free'd resources after it's close callback has been called.  This can cause ns-slapd to crash.

This issue was found by kicking off a long-running memberOf fixup task with linked attributes configured, then immediately stopping ns-slapd.  This caused the linked attributes close function to be called, which releases it's resources, yet the server still calls the linked attributes callbacks for internal operations done by the memberOf fixup task.

The linked attributes close callback needs to unset the started flag that is used to determine if the plug-in resources are currently allocated and ready for service.
Comment 1 Nathan Kinder 2011-04-28 17:39:49 UTC 
This same issue actually applies to the following plug-ins:

- DNA
- Linked Attributes
- Managed Entries
- Auto Membership

We should address this issue in all of these plug-ins.  We need to unset the started flag in the close() callbacks, which needs to be done with the write lock on the config held.  To prevent problems with waiting readers, we need to make all readers check if the started flag is set after they obtain a reader lock.  This will deal with the case where the plug-in was stopped while a thread was waiting on a reader lock.  We also need to be sure to NOT free the lock in the close() function so that these waiting readers don't crash the server.
Comment 2 Rich Megginson 2011-04-28 17:46:50 UTC 
What is the scope of this work?
Comment 3 Nathan Kinder 2011-04-28 17:53:31 UTC 
Created attachment 495618 [details]
Patch
Comment 4 Nathan Kinder 2011-04-28 22:17:57 UTC 
Pushed patch to master.  Thanks to Rich for his review!

Counting objects: 25, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (13/13), done.
Writing objects: 100% (13/13), 3.44 KiB, done.
Total 13 (delta 8), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   c2c82cb..2210765  master -> master
Comment 5 Nathan Kinder 2011-04-28 22:20:22 UTC 
Pushed to 389-ds-base-1.2.8 branch.

Counting objects: 21, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.90 KiB, done.
Total 11 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   3bb70c1..ef51110  128-local -> 389-ds-base-1.2.8
Comment 6 Nathan Kinder 2011-04-29 15:59:00 UTC 
Created attachment 495807 [details]
Additional patch

Fixes a minor leak introduced in the precious patch.
Comment 7 Nathan Kinder 2011-04-29 16:15:48 UTC 
Pushed additional patch to master.  Thanks to Rich for his review!

Counting objects: 13, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 725 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   2210765..c74a13d  master -> master
Comment 9 Amita Sharma 2011-05-05 11:10:24 UTC 
Tested :

- Configure the linked attributes plug-in (attributes themselves don't matter).

ldapmodify -x -h localhost -D "cn=directory manager" -w xxxxx -p 389 << EOF
dn: cn=Linked Attributes,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on


- Enable the memberOf plug-in.

ldapmodify -x -h localhost -D "cn=directory manager" -w xxxxxx -p 389 << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

ldapmodify -x -h localhost -D "cn=directory manager" -w xxxxxxxx -p 389 << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: memberofattr
memberofattr: memberOf

ldapmodify -x -h localhost -D "cn=directory manager" -w xxxxxx -p 389 << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: memberofgroupattr
memberofgroupattr: uniqueMember

service dirsrv restart

- Import a sizeable database with many group memberships. 100 group entries
with 5000 users should be sufficient if you have some of the groups have many
members and have some groups be members of other groups (nested grouping).

- Run the fixup-memberof.pl script to fire of a fixup task on the entire
database, then immediately run 'service dirsrv stop'.

/usr/lib64/dirsrv/slapd-rheltest/fixup-memberof.pl -v -D "cn=Directory Manager"
-w xxxxx -b "ou=unix,dc=corp,dc=example,dc=com"

No Crash found.