Bug 788728

Summary: Invalid read reported by valgrind
Product: Red Hat Enterprise Linux 6
Component: 389-ds-base
Version: 6.3
Status: CLOSED ERRATA
Reporter: Rich Megginson <rmeggins>
Assignee: Rich Megginson <rmeggins>
QA Contact: IDM QE LIST <seceng-idm-qe-list>
CC: amsharma, jgalipea, mreynolds, nhosoi
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Fixed In Version: 389-ds-base-1.2.10.0-1.el6
Doc Type: Bug Fix
Doc Text: This is not a bug that could have been seen by a customer. This fix improves the server robustness.
Last Closed: 2012-06-20 07:13:57 UTC

Description Rich Megginson 2012-02-08 22:03:05 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/275

==30265== Invalid read of size 1
==30265==    at 0x4C4DAE4: comp_cmp (attr.c:98)
==30265==    by 0x4C4DBED: slapi_attr_type_cmp (attr.c:131)
==30265==    by 0x4CAF1C7: default_mr_filter_match (plugin_mr.c:391)
==30265==    by 0x4C7589B: test_extensible_filter (filterentry.c:588)
==30265==    by 0x4C763F1: slapi_vattr_filter_test_ext_internal (filterentry.c:953)
==30265==    by 0x4C75EB7: slapi_vattr_filter_test_ext (filterentry.c:842)
==30265==    by 0x4C75DEE: slapi_vattr_filter_test (filterentry.c:790)
==30265==    by 0x9A43860: ldbm_back_next_search_entry_ext (ldbm_search.c:1598)
==30265==    by 0x9A42CA6: ldbm_back_next_search_entry (ldbm_search.c:1309)
==30265==    by 0x4C9ECE8: iterate (opshared.c:1183)
==30265==    by 0x4C9F5E8: send_results_ext (opshared.c:1580)
==30265==    by 0x4C9E3F9: op_shared_search (opshared.c:764)
==30265==    by 0x42CACA: do_search (search.c:397)
==30265==    by 0x414089: connection_dispatch_operation (connection.c:619)
==30265==    by 0x4158F4: connection_threadmain (connection.c:2336)
==30265==    by 0x36C3628442: ??? (in /lib64/libnspr4.so)
==30265==    by 0x3936C07B40: start_thread (pthread_create.c:305)
==30265==    by 0x39360DF49C: clone (clone.S:115)
==30265==  Address 0x5123ae0 is 0 bytes inside a block of size 19 free'd
==30265==    at 0x4A055FE: free (vg_replace_malloc.c:366)
==30265==    by 0x4C5552D: slapi_ch_free (ch_malloc.c:363)
==30265==    by 0x4C72530: filter_normalize_ext (filter.c:1163)
==30265==    by 0x4C725CD: slapi_filter_normalize (filter.c:1189)
==30265==    by 0x9A42281: ldbm_back_search (ldbm_search.c:882)
==30265==    by 0x4C9E30D: op_shared_search (opshared.c:714)
==30265==    by 0x42CACA: do_search (search.c:397)
==30265==    by 0x414089: connection_dispatch_operation (connection.c:619)
==30265==    by 0x4158F4: connection_threadmain (connection.c:2336)
==30265==    by 0x36C3628442: ??? (in /lib64/libnspr4.so)
==30265==    by 0x3936C07B40: start_thread (pthread_create.c:305)
==30265==    by 0x39360DF49C: clone (clone.S:115)

==13399== Thread 41:
==13399== Invalid read of size 8
==13399==    at 0x4CA061D: slapi_pblock_get (pblock.c:153)
==13399==    by 0x53A09DF: ces_filter_ava (ces.c:305)
==13399==    by 0x4CAF218: default_mr_filter_match (plugin_mr.c:398)
==13399==    by 0x4C7589B: test_extensible_filter (filterentry.c:588)
==13399==    by 0x4C763F1: slapi_vattr_filter_test_ext_internal (filterentry.c:953)
==13399==    by 0x4C75EB7: slapi_vattr_filter_test_ext (filterentry.c:842)
==13399==    by 0x4C75DEE: slapi_vattr_filter_test (filterentry.c:790)
==13399==    by 0x9A43860: ldbm_back_next_search_entry_ext (ldbm_search.c:1598)
==13399==    by 0x9A42CA6: ldbm_back_next_search_entry (ldbm_search.c:1309)
==13399==    by 0x4C9ECE8: iterate (opshared.c:1183)
==13399==    by 0x4C9F5E8: send_results_ext (opshared.c:1580)
==13399==    by 0x4C9E3F9: op_shared_search (opshared.c:764)
==13399==    by 0x42CAEF: do_search (search.c:400)
==13399==    by 0x414089: connection_dispatch_operation (connection.c:619)
==13399==    by 0x4158F4: connection_threadmain (connection.c:2336)
==13399==    by 0x36C3628442: ??? (in /lib64/libnspr4.so)
==13399==    by 0x3936C07B40: start_thread (pthread_create.c:305)
==13399==    by 0x39360DF49C: clone (clone.S:115)
==13399==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

Comment 1 Noriko Hosoi 2012-02-14 00:57:21 UTC
Steps to verify.
Run valgrind with the filter test case.
If the valgrind output files do not contain "Invalid read", the bug was verified.

Comment 5 Noriko Hosoi 2012-05-24 22:38:59 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Passed memory which could be modified in an API.
Consequence: Possible invalid memory access.
Fix: Duplicated memory is passed to the API.
Result: The memory check tool shows no invalid read.
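
The ownership mistake described in the technical note, reduced to a small C illustration that is added here and is not 389-ds-base code: a normalizer that frees and replaces the buffer it is handed (an assumed API shape, not the project's `filter_normalize_ext`), a caller that keeps an alias to that buffer and reads it after the free (the "Cause"), and the corrected caller that passes a duplicate and keeps its own copy valid (the "Fix"). All function names are hypothetical.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical normalizer standing in for an API that frees the buffer it
 * is given and installs a replacement. After the call every alias of the
 * old pointer is dangling. */
void normalize_type(char **type)
{
    size_t n = strlen(*type);
    char *out = malloc(n + 1);
    for (size_t i = 0; i <= n; i++)
        out[i] = (char)tolower((unsigned char)(*type)[i]);
    free(*type);          /* old block released: reads through a stale copy are invalid */
    *type = out;
}

/* Byte-wise case-insensitive compare: 0 when equal, 1 otherwise. */
int type_cmp(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 1;
    return *a != *b;
}

/* The "Cause" shape: the filter's own string goes to the API, a second
 * pointer to it is kept, and the later match reads the freed block.
 * Only for running under valgrind or ASan; the test does not call it. */
int match_type_buggy(char *filter_type, const char *entry_type)
{
    char *alias = filter_type;        /* same block the API is about to free */
    normalize_type(&filter_type);
    int equal = type_cmp(alias, entry_type) == 0;   /* use after free */
    free(filter_type);
    return equal;
}

/* The "Fix" shape: the API gets a duplicate it may free or replace, the
 * caller's original stays valid for the later comparison, and the caller
 * releases whatever the API handed back. */
int match_type_safe(const char *filter_type, const char *entry_type)
{
    char *dup = malloc(strlen(filter_type) + 1);
    strcpy(dup, filter_type);
    normalize_type(&dup);                      /* only dup is at risk */
    int equal = type_cmp(filter_type, entry_type) == 0 &&
                type_cmp(dup, entry_type) == 0;  /* both pointers still valid */
    free(dup);
    return equal;
}
```

Compiling this and running `match_type_buggy` under valgrind reproduces an "Invalid read of size 1" on a freed block, the same class of report as the trace above; `match_type_safe` runs clean.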

Comment 6 Rich Megginson 2012-05-24 23:26:45 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
This is not a bug that could have been seen by a customer.  This fix improves the server robustness.

Comment 7 Amita Sharma 2012-05-30 08:08:37 UTC
Marking the bugs Verified, sanity only.

Comment 8 errata-xmlrpc 2012-06-20 07:13:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0813.html