Bug 1158005 - OpenLDAP crash in NSS shutdown handling
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openldap
7.0
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Matus Honek
Patrik Kis
Milan Navratil
: Patch
Depends On:
Blocks: 1205796 1373222
Reported: 2014-10-28 05:15 EDT by Hisanobu Okuda
Modified: 2016-09-05 10:09 EDT

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The httpd service sometimes terminated unexpectedly with a segmentation fault on the libldap library unload. The underlying source code has been modified to prevent a bad memory access error that caused the bug to occur. As a result, httpd no longer crashes in this situation.
Story Points: ---
Clone Of:
: 1373222 (view as bug list)
Environment:
Last Closed: 2015-11-19 03:52:35 EST
Type: Bug
Attachments
installed-rpms (71.00 KB, text/plain), 2014-10-28 05:42 EDT, Hisanobu Okuda
patch v1 (527 bytes, patch), 2015-04-13 04:28 EDT, Jan Synacek


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2131 normal SHIPPED_LIVE Moderate: openldap security, bug fix, and enhancement update 2015-11-19 04:10:21 EST

Description Hisanobu Okuda 2014-10-28 05:15:08 EDT
Description of problem:
httpd 2.4 reported segfault in nss_ShutdownShutdownList.

The backtrace is:

Program terminated with signal 11, Segmentation fault.
#0  0x00007f09fc9736f0 in ?? ()
(gdb) bt
#0  0x00007f09fc9736f0 in ?? ()
#1  0x00007f09ffac2774 in nss_ShutdownShutdownList () at nssinit.c:1049
#2  nss_Shutdown () at nssinit.c:1077
#3  0x00007f09ffac2a53 in NSS_ShutdownContext (context=0x7f0a12717f90) at nssinit.c:1214
#4  0x00007f0a006d1616 in Curl_nss_cleanup () at nss.c:980
#5  0x00007f0a006c8e59 in Curl_ssl_cleanup () at sslgen.c:189
#6  0x00007f0a006ba9a5 in curl_global_cleanup () at easy.c:322
#7  0x00007f0a009059b8 in zm_shutdown_curl (type=<optimized out>, module_number=28)
    at /usr/src/debug/php-5.4.16/ext/curl/interface.c:959
#8  0x00007f0a01ece297 in module_destructor (module=0x7f0a12107190) at /usr/src/debug/php-5.4.16/Zend/zend_API.c:2297
#9  0x00007f0a01ed3595 in zend_hash_apply_deleter (ht=ht@entry=0x7f0a022c7220 <module_registry>, p=0x7f0a12107130)
    at /usr/src/debug/php-5.4.16/Zend/zend_hash.c:650
#10 0x00007f0a01ed4dc8 in zend_hash_graceful_reverse_destroy (ht=0x7f0a022c7220 <module_registry>)
    at /usr/src/debug/php-5.4.16/Zend/zend_hash.c:687
#11 0x00007f0a01eccadc in zend_destroy_modules () at /usr/src/debug/php-5.4.16/Zend/zend_API.c:1832
#12 0x00007f0a01ec67ae in zend_shutdown () at /usr/src/debug/php-5.4.16/Zend/zend.c:820
#13 0x00007f0a01e6755b in php_module_shutdown () at /usr/src/debug/php-5.4.16/main/main.c:2367
#14 0x00007f0a01e67619 in php_module_shutdown_wrapper (sapi_globals=<optimized out>) at /usr/src/debug/php-5.4.16/main/main.c:2335
#15 0x00007f0a01f73231 in php_apache_child_shutdown (tmp=<optimized out>)
    at /usr/src/debug/php-5.4.16/sapi/apache2handler/sapi_apache2.c:398
#16 0x00007f0a0ecc71ae in run_cleanups (cref=<optimized out>) at memory/unix/apr_pools.c:2352
#17 apr_pool_destroy (pool=0x7f0a12337048) at memory/unix/apr_pools.c:814
#18 0x00007f0a0596f21e in clean_child_exit (code=code@entry=0) at prefork.c:218
#19 0x00007f0a0596f6c7 in child_main (child_num_arg=child_num_arg@entry=15) at prefork.c:725
#20 0x00007f0a0596fa26 in make_child (s=0x7f0a11f90348, slot=15) at prefork.c:800
#21 0x00007f0a059706be in perform_idle_server_maintenance (p=<optimized out>) at prefork.c:902
#22 prefork_run (_pconf=<optimized out>, plog=<optimized out>, s=<optimized out>) at prefork.c:1090
#23 0x00007f0a0fff30fe in ap_run_mpm (pconf=0x7f0a11f65138, plog=0x7f0a11f92358, s=0x7f0a11f90348) at mpm_common.c:96
#24 0x00007f0a0ffec726 in main (argc=2, argv=0x7fff152a8158) at main.c:777
(gdb) 

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:
Comment 2 Hisanobu Okuda 2014-10-28 05:19:11 EDT
Found that nssShutdownList.funcs[1].func points to a wrong address.

(gdb) up                                                                                                                           
#1  0x00007f09ffac2774 in nss_ShutdownShutdownList () at nssinit.c:1049
1049    nssinit.c: No such file or directory.
(gdb) print nssShutdownList.peakFuncs                                                                                              
$1 = 2
(gdb) print nssShutdownList.funcs[0]                                                                                               
$2 = {
  func = 0x7f0a000189a0 <ssl_ShutdownLocks>, <<=== this is OK.
  appData = 0x0
}
(gdb) print nssShutdownList.funcs[1]                                                                                               
$3 = {
  func = 0x7f09fc9736f0, <<============= WRONG!
  appData = 0x0
}
(gdb) 

But I have no idea how to find the root cause of why the wrong pointer is stored.
Comment 3 Joe Orton 2014-10-28 05:26:16 EDT
Please supply steps to reproduce, package versions, etc, per the standard bugzilla template.
Comment 4 Hisanobu Okuda 2014-10-28 05:42:35 EDT
Created attachment 951337
installed-rpms
Comment 10 Jan Synacek 2015-04-13 04:28:01 EDT
Created attachment 1013854
patch v1
Comment 16 Matus Honek 2015-07-23 05:40:50 EDT
The commit below modifies the patch for this bug, so that correct __attribute__ ((destructor)) ordering is used. Incorrect destructor ordering was discovered as a regression reported in bug #1231228.

http://pkgs.devel.redhat.com/cgit/rpms/openldap/commit/?h=rhel-7.2&id=a0cc331d5f354b4aef0669977e164dce3b117463
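
An added illustration, not part of the bug report and not NSS or OpenLDAP code: a toy model of the failure mode seen in comment 2, where a shutdown list still holds a callback whose code has been unloaded. It assumes the stale entry came from a library that was unloaded without removing its callback (the patch itself is not shown on this page); all function and variable names are hypothetical.

```c
/* Added illustration: a toy model, not NSS or OpenLDAP code; all names are hypothetical. */
#include <stdio.h>
#include <string.h>

#define MAX_FUNCS 8
typedef int (*shutdown_fn)(void *appData);
struct entry { shutdown_fn func; void *appData; int owner; };

static struct entry funcs[MAX_FUNCS]; /* like nssShutdownList.funcs */
static int peak_funcs;                /* like nssShutdownList.peakFuncs */
static int mapped[2];                 /* mapped[id] is 1 while module id is loaded */

static int register_shutdown(shutdown_fn f, void *appData, int owner) {
    if (peak_funcs == MAX_FUNCS) return -1;
    funcs[peak_funcs++] = (struct entry){ f, appData, owner };
    return 0;
}

static int unregister_shutdown(shutdown_fn f, void *appData) {
    for (int i = 0; i < peak_funcs; i++)
        if (funcs[i].func == f && funcs[i].appData == appData) {
            funcs[i].func = NULL;     /* slot cleared; shutdown will skip it */
            return 0;
        }
    return -1;
}

/* Entries that shutdown would call although their owner's code is gone. */
static int stale_entries(void) {
    int n = 0;
    for (int i = 0; i < peak_funcs; i++)
        if (funcs[i].func != NULL && !mapped[funcs[i].owner]) n++;
    return n;
}

static int ssl_cb(void *d)  { (void)d; return 0; }  /* owner 0 stays loaded */
static int ldap_cb(void *d) { (void)d; return 0; }  /* owner 1 gets unloaded */

/* unregister_on_unload models a destructor hook that runs before unmapping. */
static int scenario(int unregister_on_unload) {
    memset(funcs, 0, sizeof funcs); peak_funcs = 0;
    mapped[0] = mapped[1] = 1;
    register_shutdown(ssl_cb, NULL, 0);
    register_shutdown(ldap_cb, NULL, 1);
    if (unregister_on_unload) unregister_shutdown(ldap_cb, NULL);
    mapped[1] = 0;                    /* module 1 unloaded (dlclose) */
    return stale_entries();
}

int main(void) {
    printf("no unregister: %d stale, with unregister: %d stale\n", scenario(0), scenario(1));
    return 0;
}
```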
Comment 19 errata-xmlrpc 2015-11-19 03:52:35 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2131.html
