Bug 1156607 - Crash in entry_add_present_values_wsi_multi_valued
Summary: Crash in entry_add_present_values_wsi_multi_valued
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-10-24 18:27 UTC by Noriko Hosoi
Modified: 2015-03-05 09:36 UTC (History)

Fixed In Version: 389-ds-base-1.3.3.1-8.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 09:36:55 UTC
Target Upstream Version:

Links
System: Red Hat Product Errata
ID: RHSA-2015:0416
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: 389-ds-base security, bug fix, and enhancement update
Last Updated: 2015-03-05 14:26:33 UTC

Description Noriko Hosoi 2014-10-24 18:27:58 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47937

entry_add_present_values_wsi_multi_valued() crashes when "type" is an invalid attribute name:  "cn "

{{{
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fef867fc700 (LWP 16374)]
0x00007fefa64a4204 in entry_add_present_values_wsi_multi_valued (e=0x7fef68003ac0, 
    type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, 
    flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:548
548			a_flags_orig = a->a_flags;


546   int attr_state = entry_attr_find_wsi(e, type, &a);
547	
548   a_flags_orig = a->a_flags;  -->  "a" is NULL and then dereferenced

(gdb) where
#0  0x00007fefa64a4204 in entry_add_present_values_wsi_multi_valued (e=0x7fef68003ac0, 
    type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, 
    flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:548
#1  0x00007fefa64a3e7f in entry_add_present_values_wsi (e=0x7fef68003ac0, 
    type=0x7fef68005ff0 "cn ", bervals=0x7fef68006010, csn=0x7fef867f75b0, urp=0, 
    flags=0) at ../ds/ldap/servers/slapd/entrywsi.c:446
#2  0x00007fefa64a4da8 in entry_replace_present_values_wsi (e=0x7fef68003ac0, 
    type=0x7fef68005ff0 "cn ", vals=0x7fef68006010, csn=0x7fef867f75b0, urp=0)
    at ../ds/ldap/servers/slapd/entrywsi.c:912
#3  0x00007fefa64a4f35 in entry_apply_mod_wsi (e=0x7fef68003ac0, mod=0x7fef68005fb0, 
    csn=0x7fef867f75b0, urp=0) at ../ds/ldap/servers/slapd/entrywsi.c:940
#4  0x00007fefa64a51bd in entry_apply_mods_wsi (e=0x7fef68003ac0, smods=0x7fef867f7630, 
    csn=0x7fef680029c0, urp=0) at ../ds/ldap/servers/slapd/entrywsi.c:1010
#5  0x00007fef9bfd6ca5 in modify_apply_check_expand (pb=0x7fef867fbb10, 
    operation=0x25c4110, mods=0x7fef68001910, e=0x7fef64002260, ec=0x7fef68003a50, 
    postentry=0x7fef867f7718, ldap_result_code=0x7fef867f76a4, 
    ldap_result_message=0x7fef867f7738)
    at ../ds/ldap/servers/slapd/back-ldbm/ldbm_modify.c:276
#6  0x00007fef9bfd7ada in ldbm_back_modify (pb=0x7fef867fbb10)
    at ../ds/ldap/servers/slapd/back-ldbm/ldbm_modify.c:654
#7  0x00007fefa64d4717 in op_shared_modify (pb=0x7fef867fbb10, pw_change=0, old_pw=0x0)
    at ../ds/ldap/servers/slapd/modify.c:1081
#8  0x00007fefa64d2d31 in do_modify (pb=0x7fef867fbb10)
    at ../ds/ldap/servers/slapd/modify.c:419
#9  0x0000000000415f1f in connection_dispatch_operation (conn=0x7fefa680d560, 
    op=0x25c4110, pb=0x7fef867fbb10) at ../ds/ldap/servers/slapd/connection.c:660
#10 0x0000000000417e87 in connection_threadmain ()
    at ../ds/ldap/servers/slapd/connection.c:2534
#11 0x00007fefa48c2e3b in _pt_root (arg=0x25a97a0)
    at ../../../nspr/pr/src/pthreads/ptthread.c:212
#12 0x00007fefa4262ee5 in start_thread (arg=0x7fef867fc700) at pthread_create.c:309
#13 0x00007fefa3f91b8d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
}}}

Comment 2 mreynolds 2014-10-24 18:50:02 UTC
Verification steps

[1] Install DS using "dc=example,dc=com"
[2] Create two "ou" branches, and an entry:

    ou=people,dc=example,dc=com
    ou=ranges,dc=example,dc=com
    cn=entry,ou=people,dc=example,dc=com

[3] Configure the dna plugin

# ldapmodify ...
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: dnaPluginConfig
cn: dnaConfig
dnaType: description
dnaMaxValue: 10000
dnaMagicRegen: 0
dnaFilter: (objectclass=top)
dnaScope: ou=people,dc=example,dc=com
dnaNextValue: 500
dnaSharedCfgDN: ou=ranges,dc=example,dc=com

dn: dnaHostname=localhost.localdomain+dnaPortNum=389,ou=ranges,dc=example,dc=com
changetype: add
objectClass: dnaSharedConfig
objectClass: top
dnaHostname: localhost.localdomain
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemainingValues: 9501

[4] Restart the server

[5] Change dnaType to use an attribute with a trailing space: "description " or an invalid attribute "foo"

# ldapmodify...
dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaType
dnaType: foo 

This ldapmodify should fail with an error 53.  This prevents the invalid attribute from being processed internally - which is what led to the crash in the first place.

[6] Done!
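
Added example (not part of the original comments and not 389-ds-base code): a small C model of the two defensive layers this report touches on, rejecting an invalid attribute name at configuration time with result 53 as in step [5], and checking a lookup's out-pointer before dereferencing it, which is the NULL "a" in the trace. The schema table, the struct, and the functions attr_find, validate_attr_type and read_attr_flags are hypothetical stand-ins, and the name check covers short names only, not numeric OIDs.

```c
#include <ctype.h>
#include <stddef.h>
#include <strings.h>

#define LDAP_SUCCESS 0
#define LDAP_UNWILLING_TO_PERFORM 53 /* the "error 53" from step [5] */

/* Constructed stand-ins for the schema and for one entry's attributes. */
static const char *schema_types[] = { "cn", "description", "uidNumber", NULL };
struct attr { const char *type; unsigned flags; };
static struct attr entry_attrs[] = { { "cn", 1 }, { "description", 2 } };

/* Hypothetical lookup: reports through an out-parameter and leaves it
 * NULL when no attribute matches, as "a" was left NULL in the trace. */
static int attr_find(const char *type, struct attr **out)
{
    *out = NULL;
    for (size_t i = 0; i < sizeof entry_attrs / sizeof entry_attrs[0]; i++)
        if (strcasecmp(entry_attrs[i].type, type) == 0) {
            *out = &entry_attrs[i];
            return 1;
        }
    return 0;
}

/* Config-time gate: accept only a syntactically valid short name
 * (letter, then letters/digits/hyphens) that the schema knows. */
int validate_attr_type(const char *type)
{
    if (type == NULL || !isalpha((unsigned char)type[0]))
        return LDAP_UNWILLING_TO_PERFORM;
    for (const char *p = type + 1; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '-')
            return LDAP_UNWILLING_TO_PERFORM;
    for (size_t i = 0; schema_types[i] != NULL; i++)
        if (strcasecmp(schema_types[i], type) == 0)
            return LDAP_SUCCESS;
    return LDAP_UNWILLING_TO_PERFORM;
}

/* Use-time guard: check the out-pointer before reading through it. */
int read_attr_flags(const char *type, unsigned *flags_out)
{
    struct attr *a = NULL;
    if (!attr_find(type, &a) || a == NULL)
        return -1; /* caller gets an error instead of a SIGSEGV */
    *flags_out = a->flags;
    return 0;
}
```

The trailing-space names from this report ("cn ", "description ", "foo ") are rejected by the gate, and the guarded read returns an error for "cn " rather than reading through a NULL pointer.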

Comment 3 mreynolds 2014-10-24 18:51:59 UTC
Fixed upstream.

Comment 5 Amita Sharma 2014-12-15 08:15:01 UTC
Executed all steps given above. No Crash found.

[root@dhcp201-126 ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123  << EOF
> dn: cn=Distributed Numeric Assignment Plugin,cn=config
> changetype: modify
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: on
> EOF
modifying entry "cn=Distributed Numeric Assignment Plugin,cn=config"
ldap_modify: No such object (32)

[root@dhcp201-126 ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123  << EOF
> dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> changetype: modify
> replace: nsslapd-pluginEnabled
> nsslapd-pluginEnabled: on
> EOF
modifying entry "cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

[root@dhcp201-126 ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123  << EOF
> dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> changetype: add
> objectClass: top
> objectClass: dnaPluginConfig
> cn: dnaConfig
> dnaType: description
> dnaMaxValue: 10000
> dnaMagicRegen: 0
> dnaFilter: (objectclass=top)
> dnaScope: ou=people,dc=example,dc=com
> dnaNextValue: 500
> dnaSharedCfgDN: ou=ranges,dc=example,dc=com
> EOF
adding new entry "cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"

[root@dhcp201-126 ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123  << EOF
> dn: dnaHostname=localhost.localdomain+dnaPortNum=389,ou=ranges,dc=example,dc=com
> changetype: add
> objectClass: dnaSharedConfig
> objectClass: top
> dnaHostname: localhost.localdomain
> dnaPortNum: 389
> dnaSecurePortNum: 636
> dnaRemainingValues: 9501
> EOF
adding new entry "dnaHostname=localhost.localdomain+dnaPortNum=389,ou=ranges,dc=example,dc=com"

[root@dhcp201-126 ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123  << EOF
> dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> changetype: modify
> replace: dnaType
> dnaType: foo 
> EOF
modifying entry "cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
	additional info: Changes result in an invalid DNA configuration.

[root@dhcp201-126 ~]# systemctl status dirsrv@dhcp201-126
dirsrv@dhcp201-126.service - 389 Directory Server dhcp201-126.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled)
   Active: active (running) since Mon 2014-12-15 13:41:32 IST; 53s ago
  Process: 8251 ExecStopPost=/bin/rm -f /var/run/dirsrv/slapd-%i.pid (code=exited, status=0/SUCCESS)
  Process: 8253 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS)
 Main PID: 8254 (ns-slapd)
   CGroup: /system.slice/system-dirsrv.slice/dirsrv@dhcp201-126.service
           └─8254 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dhcp201-126 -i /var/run/dirsrv/slapd-dhcp201-126.pid -w /var/run/dirsrv/slapd-dhcp201-126...

Dec 15 13:41:32 dhcp201-126.englab.pnq.redhat.com systemd[1]: Starting 389 Directory Server dhcp201-126....
Dec 15 13:41:32 dhcp201-126.englab.pnq.redhat.com systemd[1]: Started 389 Directory Server dhcp201-126..
[root@dhcp201-126 ~]# ldapmodify -x -h localhost -p 389 -D "cn=Directory Manager" -w Secret123  << EOF
dn: cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: modify
replace: dnaType
dnaType: 0   
EOF

modifying entry "cn=dna config,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config"
ldap_modify: Server is unwilling to perform (53)
	additional info: Changes result in an invalid DNA configuration.

[root@dhcp201-126 ~]# systemctl status dirsrv@dhcp201-126
dirsrv@dhcp201-126.service - 389 Directory Server dhcp201-126.
   Loaded: loaded (/usr/lib/systemd/system/dirsrv@.service; enabled)
   Active: active (running) since Mon 2014-12-15 13:41:32 IST; 1min 4s ago
  Process: 8251 ExecStopPost=/bin/rm -f /var/run/dirsrv/slapd-%i.pid (code=exited, status=0/SUCCESS)
  Process: 8253 ExecStart=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-%i -i /var/run/dirsrv/slapd-%i.pid -w /var/run/dirsrv/slapd-%i.startpid (code=exited, status=0/SUCCESS)
 Main PID: 8254 (ns-slapd)
   CGroup: /system.slice/system-dirsrv.slice/dirsrv@dhcp201-126.service
           └─8254 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dhcp201-126 -i /var/run/dirsrv/slapd-dhcp201-126.pid -w /var/run/dirsrv/slapd-dhcp201-126...

Dec 15 13:41:32 dhcp201-126.englab.pnq.redhat.com systemd[1]: Starting 389 Directory Server dhcp201-126....
Dec 15 13:41:32 dhcp201-126.englab.pnq.redhat.com systemd[1]: Started 389 Directory Server dhcp201-126..
[root@dhcp201-126 ~]# 

Marking bug as VERIFIED.

Comment 7 errata-xmlrpc 2015-03-05 09:36:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0416.html