Bug 1118048 – If be_txn plugin fails in ldbm_back_add, adding entry is double freed.

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1118048 - If be_txn plugin fails in ldbm_back_add, adding entry is double freed.

Summary:	If be_txn plugin fails in ldbm_back_add, adding entry is double freed.

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	389-ds-base (Show other bugs)
Sub Component:
Version:	7.0
Hardware:	Unspecified Unspecified

Priority	medium Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Noriko Hosoi
QA Contact:	Viktor Ashirov
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2014-07-09 18:04 EDT by Noriko Hosoi
Modified:	2015-03-05 04:37 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:	389-ds-base-1.3.3.1-1.el7
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2015-03-05 04:37:14 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2015:0416	normal	SHIPPED_LIVE	Important: 389-ds-base security, bug fix, and enhancement update	2015-03-05 09:26:33 EST

Groups: None (edit)

Description Noriko Hosoi 2014-07-09 18:04:42 EDT

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47808

Thanks to Mark for finding out this problem.  (Note: 1.2.11 does not have this bug.)
{{{
Mark Reynolds wrote:
> steps to reproduce:
>
> ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w $PW -a <<EOF
> dn: cn=attribute uniqueness,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: on
> -
> replace: nsslapd-pluginarg0
> nsslapd-pluginarg0: sn
> -
> replace: nsslapd-pluginarg1
> nsslapd-pluginarg1: dc=example,dc=com
> EOF
>
> 3. Add user:
> ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w $PW -a <<EOF
> dn: cn=tuser1,ou=people,dc=example,dc=com
> objectclass: person
> objectclass: top
> sn: tuser1
> cn: tuser1
> EOF
>
> 4. Restart server
>
> 5. Add user with value 'sn' equal to value of sn of cn=tuser1:
> ldapmodify -h $HOST -p $PORT -D "cn=directory manager" -w $PW -a <<EOF
> dn: cn=tuser2,ou=people,dc=example,dc=com
> objectclass: person
> objectclass: top
> sn: tuser1
> cn: tuser2
>
> --> Add is rejected by the attr uniqueness plugin
>
> Crash!  
>
> #0  0x00007f605b554c39 in __GI_raise (sig=sig@entry=6)
>     at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
> #1  0x00007f605b556348 in __GI_abort () at abort.c:89
> #2  0x00007f605b594d04 in __libc_message (do_abort=do_abort@entry=2, 
>     fmt=fmt@entry=0x7f605b69b528 "*** Error in `%s': %s: 0x%s ***\n")
>     at ../sysdeps/posix/libc_fatal.c:175
> #3  0x00007f605b59bff8 in malloc_printerr (ptr=<optimized out>, 
>     str=0x7f605b698cd7 "free(): invalid pointer", action=3) at malloc.c:4930
> #4  _int_free (av=0x7f605b8d7760 <main_arena>, p=<optimized out>, have_lock=0)
>     at malloc.c:3782
> #5  0x00007f605dd41302 in slapi_ch_free (ptr=0x7f6028001198)
>     at ../ds/ldap/servers/slapd/ch_malloc.c:363
> #6  0x00007f605dd4cc3d in slapi_sdn_done (sdn=0x7f6028001190)
>     at ../ds/ldap/servers/slapd/dn.c:2332
> #7  0x00007f605dd58be3 in slapi_entry_free (e=0x7f6028001190)
>     at ../ds/ldap/servers/slapd/entry.c:2044
> #8  0x00007f605dd3606d in op_shared_add (pb=0x7f60467fbb10)
>     at ../ds/ldap/servers/slapd/add.c:800
> #9  0x00007f605dd34d2e in do_add (pb=0x7f60467fbb10)
>     at ../ds/ldap/servers/slapd/add.c:258
> #10 0x0000000000416034 in connection_dispatch_operation (conn=0x7f605e167410, 
>     op=0xb36330, pb=0x7f60467fbb10) at ../ds/ldap/servers/slapd/connection.c:645
> #11 0x0000000000418043 in connection_threadmain ()
>     at ../ds/ldap/servers/slapd/connection.c:2534
> #12 0x00007f605c15be2b in _pt_root (arg=0x8acae0)
>     at ../../../nspr/pr/src/pthreads/ptthread.c:212
> #13 0x00007f605bafbf33 in start_thread (arg=0x7f60467fc700) at pthread_create.c:309
> #14 0x00007f605b613ded in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
>
>
> valgrind(also attached):
>
> ==14540== Invalid read of size 8
> ==14540==    at 0x4EA581F: factory_destroy_extension (factory.c:367)
> ==14540==    by 0x4E9CBD6: slapi_entry_free (entry.c:2043)
> ==14540==    by 0x4E7A06C: op_shared_add (add.c:800)
> ==14540==    by 0x4E78D2D: do_add (add.c:258)
> ==14540==    by 0x416033: connection_dispatch_operation (connection.c:645)
> ==14540==    by 0x418042: connection_threadmain (connection.c:2534)
> ==14540==    by 0x6B2FE2A: _pt_root (ptthread.c:212)
> ==14540==    by 0x716EF32: start_thread (pthread_create.c:309)
> ==14540==    by 0x768EDEC: clone (clone.S:111)
> ==14540==  Address 0xeb85910 is 160 bytes inside a block of size 184 free'd
> ==14540==    at 0x4C28577: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
> ==14540==    by 0x4E85301: slapi_ch_free (ch_malloc.c:363)
> ==14540==    by 0x4E9CCA6: slapi_entry_free (entry.c:2057)
> ==14540==    by 0x10BE7225: backentry_free (backentry.c:57)
> ==14540==    by 0x10BE9801: entrycache_return (cache.c:1159)
> ==14540==    by 0x10BE96A7: cache_return (cache.c:1132)
> ==14540==    by 0x10C25E65: ldbm_back_add (ldbm_add.c:1268)
> ==14540==    by 0x4E79E09: op_shared_add (add.c:735)
> ==14540==    by 0x4E78D2D: do_add (add.c:258)
> ==14540==    by 0x416033: connection_dispatch_operation (connection.c:645)
> ==14540==    by 0x418042: connection_threadmain (connection.c:2534)
> ==14540==    by 0x6B2FE2A: _pt_root (ptthread.c:212)
> ==14540==    by 0x716EF32: start_thread (pthread_create.c:309)
> ==14540==    by 0x768EDEC: clone (clone.S:111)
}}}

Comment 2 Viktor Ashirov 2014-12-01 12:09:03 EST

$ rpm -qa  | grep 389
389-ds-base-1.3.3.1-9.el7.x86_64
389-ds-base-debuginfo-1.3.3.1-9.el7.x86_64
389-ds-base-libs-1.3.3.1-9.el7.x86_64

I went through verification steps mentioned in description. On last step add is rejected by the attr uniqueness plugin, but server didn't crash: 
$ ldapmodify -h localhost -p 389 -D 'cn=directory manager' -w Secret123 [snip]
adding new entry "cn=tuser2,ou=people,dc=example,dc=com"
ldap_add: Constraint violation (19)
	additional info: Another entry with the same attribute value already exists (attribute: "sn")

$ pgrep ns-slapd
13263

Hence marking as VERIFIED

Comment 4 errata-xmlrpc 2015-03-05 04:37:14 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html

Note You need to log in before you can comment on or make changes to this bug.