Bug 731112
| Summary: | NSS_Init* functions are not thread safe | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Rich Megginson <rmeggins> | ||||
| Component: | openldap | Assignee: | Jan Vcelak <jvcelak> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | high | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | rawhide | CC: | georgi.georgiev, jvcelak, rmeggins, tsmetana | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | openldap-2.4.24-5.fc15 | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 731168 (view as bug list) | Environment: | |||||
| Last Closed: | 2011-11-17 23:41:35 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 731168 | ||||||
| Attachments: |
|
||||||
Steps to reproduce:
set up 2 openldap servers - one as a syncrepl provider, and the other as a syncrepl consumer, doing replication over TLS, for example:
olcSyncrepl: {0}rid=1 provider=ldap://localhost.localdomain:1389 searchbase=dc
=example,dc=com bindmethod=simple binddn=cn=manager,dc=example,dc=com credent
ials=secret type=refreshAndPersist retry="1 +" starttls=critical tls_cacert=/
share/junk/cacert.pem
where the provider is listening to ldap://localhost.localdomain:1389/ and has a database with a suffix dc=example,dc=com. In my testing, I also had a
olcRootDN: cn=Manager,dc=example,dc=com
for this database which I also used for syncrepl.
Run a client that adds entries to the provider, and run an ldapsearch (using TLS) on the consumer to check that the entries are synced to the consumer.
You should notice the crash on the consumer soon after enabling syncrepl to use TLS on the consumer.
Created attachment 518654 [details]
backported patch for F14
LDAP_MUTEX_LOCK -> ldap_pvt_thread_mutex_lock
LDAP_MUTEX_UNLOCK -> ldap_pvt_thread_mutex_unlock
openldap-2.4.26-2.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/openldap-2.4.26-2.fc16 openldap-2.4.24-4.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/openldap-2.4.24-4.fc15 Package openldap-2.4.24-4.fc15: * should fix your issue, * was pushed to the Fedora 15 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing openldap-2.4.24-4.fc15' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/openldap-2.4.24-4.fc15 then log in and leave karma (feedback). openldap-2.4.26-3.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/openldap-2.4.26-3.fc16 openldap-2.4.24-5.fc15 has been submitted as an update for Fedora 15. https://admin.fedoraproject.org/updates/openldap-2.4.24-5.fc15 openldap-2.4.26-5.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report. openldap-2.4.24-5.fc15 has been pushed to the Fedora 15 stable repository. If problems still persist, please make note of it in this bug report. |
Description of problem: The NSS_InitContext et. al, and their corresponding shutdown functions, are not thread safe. There can only be one thread at a time calling these functions. Protect the calls with a mutex. Create the mutex using a PR_CallOnce to ensure that the mutex is only created once and not used before created. Move the registration of the nss shutdown callback to also use a PR_CallOnce. Removed the call to SSL_ClearSessionCache() because it is always called at shutdown, and we must not call it more than once. Fixed upstream: http://www.openldap.org/its/index.cgi?findid=7022