Red Hat Bugzilla – Bug 1156607
Crash in entry_add_present_values_wsi_multi_valued
Last modified: 2015-03-05 04:36:55 EST
This bug is created as a clone of upstream ticket: https://fedorahosted.org/389/ticket/47937 entry_add_present_values_wsi_multi_valued() crashes when "type" is in invalid attribute name: "cn " {{{ Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7fef867fc700 (LWP 16374)] 0x00007fefa64a4204 in entry_add_present_values_wsi_multi_valued (e=0x7fef68003ac0, type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:548 548 a_flags_orig = a->a_flags; 546 int attr_state = entry_attr_find_wsi(e, type, &a); 547 548 a_flags_orig = a->a_flags; --> "a" is NULL and then dereferenced (gdb) where #0 0x00007fefa64a4204 in entry_add_present_values_wsi_multi_valued (e=0x7fef68003ac0, type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:548 #1 0x00007fefa64a3e7f in entry_add_present_values_wsi (e=0x7fef68003ac0, type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:446 #2 0x00007fefa64a4da8 in entry_replace_present_values_wsi (e=0x7fef68003ac0, type=0x7fef68005ff0 "cn ", vals=0x7fef68006010, csn=0x7fef867f75b0, urp=0) at ../ds/ldap/servers/slapd/entrywsi.c:912 #3 0x00007fefa64a4f35 in entry_apply_mod_wsi (e=0x7fef68003ac0, mod=0x7fef68005fb0, csn=0x7fef867f75b0, urp=0) at ../ds/ldap/servers/slapd/entrywsi.c:940 #4 0x00007fefa64a51bd in entry_apply_mods_wsi (e=0x7fef68003ac0, smods=0x7fef867f7630, csn=0x7fef680029c0, urp=0) at ../ds/ldap/servers/slapd/entrywsi.c:1010 #5 0x00007fef9bfd6ca5 in modify_apply_check_expand (pb=0x7fef867fbb10, operation=0x25c4110, mods=0x7fef68001910, e=0x7fef64002260, ec=0x7fef68003a50, postentry=0x7fef867f7718, ldap_result_code=0x7fef867f76a4, ldap_result_message=0x7fef867f7738) at ../ds/ldap/servers/slapd/back-ldbm/ldbm_modify.c:276 #6 0x00007fef9bfd7ada in ldbm_back_modify (pb=0x7fef867fbb10) at ../ds/ldap/servers/slapd/back-ldbm/ldbm_modify.c:654 #7 0x00007fefa64d4717 in op_shared_modify (pb=0x7fef867fbb10, pw_change=0, old_pw=0x0) at ../ds/ldap/servers/slapd/modify.c:1081 #8 0x00007fefa64d2d31 in do_modify (pb=0x7fef867fbb10) at ../ds/ldap/servers/slapd/modify.c:419 #9 0x0000000000415f1f in connection_dispatch_operation (conn=0x7fefa680d560, op=0x25c4110, pb=0x7fef867fbb10) at ../ds/ldap/servers/slapd/connection.c:660 #10 0x0000000000417e87 in connection_threadmain () at ../ds/ldap/servers/slapd/connection.c:2534 #11 0x00007fefa48c2e3b in _pt_root (arg=0x25a97a0) at ../../../nspr/pr/src/pthreads/ptthread.c:212 #12 0x00007fefa4262ee5 in start_thread (arg=0x7fef867fc700) at pthread_create.c:309 #13 0x00007fefa3f91b8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 }}}
Verification script: https://fedorahosted.org/389/attachment/ticket/47937/0002-lib389-testcase-for-ticket-47937.patch
Verification steps [1] Install DS using "dc=example,dc=com" [2] Create two "ou" branches, and a entry: ou=people,dc=example,dc=com ou=ranges,dc=example,dc=com cn=entry,ou=people,dc=example,dc=com [3] Configure the dna plugin # ldapmodify ... dn: cn=Distributed Numeric Assignment Plugin,cn=plugins changetype: modify replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: on dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config changetype: add objectClass: top objectClass: dnaPluginConfig cn: dnaConfig dnaType: description dnaMaxValue: 10000 dnaMagicRegen: 0 dnaFilter: (objectclass=top) dnaScope: ou=people,dc=example,dc=com dnaNextValue: 500 dnaSharedCfgDN: ou=ranges,dc=example,dc=com dn: dnaHostname=localhost.localdomain+dnaPortNum=389,ou=ranges,dc=example,dc=com changetype: add objectClass: dnaSharedConfig objectClass: top dnaHostname: localhost.localdomain dnaPortNum: 389 dnaSecurePortNum: 636 dnaRemainingValues: 9501 [4] Restart the server [5] Change dnaType to use a attribute with a trailing space: "description " or an invalid attribute "foo" # ldapmodify... dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config changetype: modify replace: dnaType dnaType: foo This ldapmodify should fail with an error 53. This prevents the invalid attribute from being processed internally - which is what lead to the crash in the first place. [6] Done!
Fixed upstream.
Executed all steps given above. No Crash found. [root@dhcp201-126 ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF > dn: cn=Distributed Numeric Assignment Plugin,cn=config > changetype: modify > replace: nsslapd-pluginEnabled > nsslapd-pluginEnabled: on > EOF modifying entry "cn=Distributed Numeric Assignment Plugin,cn=config" ldap_modify: No such object (32) [root@dhcp201-126 ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF > dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config > changetype: modify > replace: nsslapd-pluginEnabled > nsslapd-pluginEnabled: on > EOF modifying entry "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" [root@dhcp201-126 ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF > dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config > changetype: add > objectClass: top > objectClass: dnaPluginConfig > cn: dnaConfig > dnaType: description > dnaMaxValue: 10000 > dnaMagicRegen: 0 > dnaFilter: (objectclass=top) > dnaScope: ou=people,dc=example,dc=com > dnaNextValue: 500 > dnaSharedCfgDN: ou=ranges,dc=example,dc=com > EOF adding new entry "cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" [root@dhcp201-126 ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF > dn: dnaHostname=localhost.localdomain+dnaPortNum=389,ou=ranges,dc=example,dc=com > changetype: add > objectClass: dnaSharedConfig > objectClass: top > dnaHostname: localhost.localdomain > dnaPortNum: 389 > dnaSecurePortNum: 636 > dnaRemainingValues: 9501 > EOF adding new entry "dnaHostname=localhost.localdomain+dnaPortNum=389,ou=ranges,dc=example,dc=com" [root@dhcp201-126 ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF > dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config > changetype: modify > replace: dnaType > dnaType: foo > EOF modifying entry "cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" ldap_modify: Server is unwilling to perform (53) additional info: Changes result in an invalid DNA configuration. [root@dhcp201-126 ~]# systemctl status dirsrv@dhcp201-126 dirsrv@dhcp201-126.service - 389 Directory Server dhcp201-126. Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled) Active: active (running) since Mon 2014-12-15 13:41:32 IST; 53s ago Process: 8251 ExecStopPost=/bin/rm -f /var/run/dirsrv/slapd-%i.pid (code=exited, status=0/SUCCESS) Process: 8253 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS) Main PID: 8254 (ns-slapd) CGroup: /system.slice/system-dirsrv.slice/dirsrv@dhcp201-126.service └─8254 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dhcp201-126 -i /var/run/dirsrv/slapd-dhcp201-126.pid -w /var/run/dirsrv/slapd-dhcp201-126... Dec 15 13:41:32 dhcp201-126.englab.pnq.redhat.com systemd[1]: Starting 389 Directory Server dhcp201-126.... Dec 15 13:41:32 dhcp201-126.englab.pnq.redhat.com systemd[1]: Started 389 Directory Server dhcp201-126.. [root@dhcp201-126 ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123 << EOF dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config changetype: modify replace: dnaType dnaType: 0 EOF modifying entry "cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config" ldap_modify: Server is unwilling to perform (53) additional info: Changes result in an invalid DNA configuration. [root@dhcp201-126 ~]# systemctl status dirsrv@dhcp201-126 dirsrv@dhcp201-126.service - 389 Directory Server dhcp201-126. Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled) Active: active (running) since Mon 2014-12-15 13:41:32 IST; 1min 4s ago Process: 8251 ExecStopPost=/bin/rm -f /var/run/dirsrv/slapd-%i.pid (code=exited, status=0/SUCCESS) Process: 8253 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS) Main PID: 8254 (ns-slapd) CGroup: /system.slice/system-dirsrv.slice/dirsrv@dhcp201-126.service └─8254 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dhcp201-126 -i /var/run/dirsrv/slapd-dhcp201-126.pid -w /var/run/dirsrv/slapd-dhcp201-126... Dec 15 13:41:32 dhcp201-126.englab.pnq.redhat.com systemd[1]: Starting 389 Directory Server dhcp201-126.... Dec 15 13:41:32 dhcp201-126.englab.pnq.redhat.com systemd[1]: Started 389 Directory Server dhcp201-126.. [root@dhcp201-126 ~]# Marking bug as VERIFIED.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-0416.html