Bug 756783

Summary: nss_ldap segfaults because of memory corruption
Product: Red Hat Enterprise Linux 5
Reporter: Ondrej Moriš <omoris>
Component: nss_ldap
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED ERRATA
QA Contact: Ondrej Moriš <omoris>
Severity: urgent
Priority: high
Version: 5.8
CC: amarecek, azelinka, dpal, dspurek, jhrozek, jplans, prc, psplicha
Target Milestone: beta
Keywords: Regression, TestBlocker
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: nss_ldap-253-49.el5
Doc Type: Bug Fix
Last Closed: 2012-02-21 06:38:59 UTC
Bug Blocks: 741419, 758797

Description Ondrej Moriš 2011-11-24 14:31:13 UTC
Description of problem:

nss_ldap currently segfaults immediately after the first query, (probably) because of referencing already freed memory; this is (probably) caused by the memory clean-up in biparse.patch. This issue has quite a small priority (since it can be fixed easily; in the worst case, memory cleaning will be disabled), but it has quite a serious impact.

Version-Release number of selected component (if applicable):

nss_ldap-253-47.el5

How reproducible:

See comments.

Steps to Reproduce:

1. set up slapd with posixAccount ldapuser
2. set up nss_ldap to look up the configured LDAP server
3. getent -s 'passwd:ldap' passwd ldapuser
  
Actual results:

ldapuser1:*:1001:1000:ldapuser1:/home/ldapuser1:/bin/bash
*** glibc detected *** getent: free(): invalid pointer: 0x08376498 ***
======= Backtrace: =========
/lib/libc.so.6[0x5ec6d5]
/lib/libc.so.6(cfree+0x59)[0x5ecb19]
/lib/libnss_ldap.so.2[0xb51647]
/lib/libnss_ldap.so.2[0xb5167e]
/lib/libnss_ldap.so.2(_nss_ldap_db_close+0x18)[0xb516b8]
/lib/libnss_ldap.so.2(_nss_ldap_free_config+0x64)[0xb51734]
/lib/libnss_ldap.so.2(_nss_ldap_leave+0x47)[0xb49f97]
/lib/libnss_ldap.so.2(_nss_ldap_getent+0x6b)[0xb4a58b]
/lib/libnss_ldap.so.2(_nss_ldap_getpwent_r+0x58)[0xb4a9f8]
/lib/libc.so.6[0x66782e]
/lib/libc.so.6(getpwent_r+0xad)[0x613dfd]
/lib/libc.so.6[0x6673f6]
/lib/libc.so.6(getpwent+0x71)[0x613a61]
getent[0x804abbb]
getent[0x804a6c2]
/lib/libc.so.6(__libc_start_main+0xdc)[0x598eac]
getent[0x8049741]
======= Memory map: ========
...

Expected results:

ldapuser1:*:1001:1000:ldapuser1:/home/ldapuser1:/bin/bash

Additional info:

Reproducer will be added shortly.

Comment 2 Jakub Hrozek 2011-11-24 15:10:50 UTC
This issue is indeed caused by the parsing patch.

Historically, nss_ldap never freed memory. In the patch, I attempted to free /all/ allocated memory, not just the allocations I did in the patch. 

Please dev_ack+ - I'll either fix the free calls or revert to the old behavior of not freeing memory. In any case, we won't be worse than what nss_ldap did in 5.7
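The cause described in this comment (a teardown routine that frees allocations it does not own, so the real owner's later free lands on already freed memory, which is what the "free(): invalid pointer" in the backtrace reports) is the classic ownership mistake behind a double free. The following is an added C example, not nss_ldap's code; the struct and function names (ldap_config, db_handle, config_free and friends) are hypothetical stand-ins. It places the buggy teardown beside a hardened one that frees only the members it owns, clears the pointers it frees, and is safe to call a second time.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the objects involved (assumption, not nss_ldap's types). */
struct db_handle {
    char *uri;              /* owned by the handle itself */
};

struct ldap_config {
    char *base;             /* owned: allocated by the config parser */
    char *bind_dn;          /* owned: allocated by the config parser */
    struct db_handle *db;   /* borrowed: owned by the caller, must NOT be freed here */
};

/* Portable strdup replacement so the example builds under strict C99. */
static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

struct db_handle *db_open(const char *uri) {
    struct db_handle *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->uri = xstrdup(uri);
    return h;
}

void db_close(struct db_handle *h) {
    if (!h) return;
    free(h->uri);
    free(h);
}

struct ldap_config *config_new(const char *base, const char *bind_dn, struct db_handle *db) {
    struct ldap_config *cfg = calloc(1, sizeof *cfg);
    if (!cfg) return NULL;
    cfg->base = xstrdup(base);
    cfg->bind_dn = xstrdup(bind_dn);
    cfg->db = db;           /* keep a reference, take no ownership */
    return cfg;
}

/* Buggy teardown: "free everything reachable", including the borrowed handle.
 * The caller's own db_close() then frees the handle a second time. Shown for
 * contrast only; nothing below calls it. */
void config_free_buggy(struct ldap_config *cfg) {
    free(cfg->base);
    free(cfg->bind_dn);
    db_close(cfg->db);      /* wrong: cfg does not own db */
    free(cfg);
}

/* Hardened teardown: frees only owned members, nulls each pointer it frees,
 * drops the borrowed reference without freeing it, and clears the caller's
 * pointer so a repeated call is a no-op. Returns the number of free() calls made. */
int config_free(struct ldap_config **cfgp) {
    if (!cfgp || !*cfgp) return 0;
    struct ldap_config *cfg = *cfgp;
    int n = 0;
    if (cfg->base)    { free(cfg->base);    cfg->base = NULL;    n++; }
    if (cfg->bind_dn) { free(cfg->bind_dn); cfg->bind_dn = NULL; n++; }
    cfg->db = NULL;         /* borrowed: forget it, do not free it */
    free(cfg); n++;
    *cfgp = NULL;
    return n;
}

/* Mirrors the lookup lifecycle: open the handle, build a config around it, tear the
 * config down (twice, to prove idempotence), then use and close the handle.
 * Returns 0 when the borrowed handle is still intact after config teardown. */
int run_lookup_lifecycle(void) {
    struct db_handle *db = db_open("ldap://localhost");              /* constructed sample */
    struct ldap_config *cfg = config_new("dc=example,dc=com", "cn=admin", db);
    if (!db || !cfg) { db_close(db); return 2; }
    int first = config_free(&cfg);
    int second = config_free(&cfg);                                  /* safe no-op */
    int ok = first == 3 && second == 0 && cfg == NULL
             && strcmp(db->uri, "ldap://localhost") == 0;            /* handle untouched */
    db_close(db);                                                    /* owner frees it once */
    return ok ? 0 : 1;
}

int main(void) {
    printf("lifecycle result: %d\n", run_lookup_lifecycle());
    return 0;
}
```

The usable check from the report's point of view is the borrowed handle surviving config teardown: with the buggy variant the caller's db_close() would be the second free of the same block, which is exactly what glibc's heap checks flag. Running the hardened variant under a tool such as Valgrind or ASan gives the same answer without relying on glibc catching the corruption.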

Comment 3 Ondrej Moriš 2011-11-24 15:22:28 UTC
Testing instructions:

* install bind-utils, bind-chroot, latest openldap*, latest nss_ldap
* wget http://nest.test.redhat.com/mnt/qa/scratch/omoris/reproducer/
* make -C reproducer run
* when the "[test] " prompt pops up, your testing environment is ready
* when you finish testing, just exit the spawned shell (C-D / logout)
* the test will bring the system back to its previous state

Comment 5 Jakub Hrozek 2011-11-28 09:19:35 UTC
*** Bug 757172 has been marked as a duplicate of this bug. ***

Comment 6 Ondrej Moriš 2011-11-29 21:56:43 UTC
This should be included in the nss_ldap 5.8 errata as soon as possible, since it is blocking DNS SRV support, which is claimed to appear in Beta (12-07?).

Comment 10 errata-xmlrpc 2012-02-21 06:38:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0268.html