It was discovered that the slapi-nis Directory Server plug-in did not correctly perform memory reallocation when handling user account information. A request for information about a group with many members, or a request for a user that belongs to a large number of groups, would cause a Directory Server to enter an infinite loop and consume an excessive amount of CPU time. Acknowledgements: This issue was discovered by Sumit Bose of Red Hat.
Created attachment 994786: patch 1, makes use of libnss_sss.so.2 directly. First patch in a series to fix the issue. We have two separate problems that cause the deadlock: one is a resizing issue (coming in patch 2) and the other is the traversal of the NSS stack for all requests for user/group names (patch 1). The latter amplifies the issue with realloc() because nss_files.so.2 is always in the NSS stack and will always lock up access to /etc/group or /etc/passwd for other threads.
Created attachment 994788: patch 2, store the length of the reallocated chunk. Patch 2 makes sure we remember the new size of the reallocated memory.
Created attachment 995077: patch 3, make the default NSS buffer larger. Patch 3 makes sure the default buffer size is of a reasonable size -- the initial buffer size for getgrnam/getgrgid in glibc is about 1KiB, while for typical AD environments group information may occupy a larger space. Use 16KiB by default.
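The two defects described in the patch 2 and patch 3 comments above, shown side by side as an added example. This is not code from slapi-nis or from the attached patches; the NSS module is replaced by a constructed lookup callback in the shape of getgrnam_r(), the group name and the 40000-byte member list are constructed, and the 16 MiB upper cap is an assumption that the bug report does not state.

```c
#include <errno.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Buffer handed to getgrnam_r()-style lookups. The defect fixed by patch 2
 * was a realloc() of `data` that left `len` at the old value. */
struct nss_buf {
    char *data;
    size_t len;
};

/* Lookup in the shape of getgrnam_r(): returns 0 on success, ERANGE when
 * buflen is too small to hold the result. */
typedef int (*lookup_fn)(const char *name, char *buf, size_t buflen);

#define INITIAL_LEN (16u * 1024u)          /* patch 3: 16 KiB instead of glibc's ~1 KiB */
#define MAX_LEN     (16u * 1024u * 1024u)  /* assumed cap; not taken from the bug report */

/* Constructed stand-in for the NSS module: a group whose member list needs
 * 40000 bytes, far more than glibc's default buffer. */
#define FAKE_NEEDED 40000u
static int fake_group_lookup(const char *name, char *buf, size_t buflen)
{
    (void)name;
    if (buflen < FAKE_NEEDED)
        return ERANGE;
    memset(buf, 'm', FAKE_NEEDED - 1);
    buf[FAKE_NEEDED - 1] = '\0';
    return 0;
}

/* Correct loop: on ERANGE double the buffer AND record the new length.
 * Returns 0 on success, ERANGE if the cap is reached, ENOMEM on OOM. */
int nss_lookup_grow(struct nss_buf *buf, lookup_fn fn, const char *name, int *attempts)
{
    *attempts = 0;
    if (buf->data == NULL) {
        buf->len = INITIAL_LEN;
        buf->data = malloc(buf->len);
        if (buf->data == NULL)
            return ENOMEM;
    }
    for (;;) {
        (*attempts)++;
        int rc = fn(name, buf->data, buf->len);
        if (rc != ERANGE)
            return rc;
        if (buf->len >= MAX_LEN)
            return ERANGE;              /* give up instead of looping forever */
        size_t newlen = buf->len * 2;
        char *p = realloc(buf->data, newlen);
        if (p == NULL)
            return ENOMEM;
        buf->data = p;
        buf->len = newlen;              /* the bookkeeping patch 2 adds */
    }
}

/* Defective variant: the allocation grows but the stale length is passed on
 * every retry, so the NSS call answers ERANGE forever. Bounded by
 * max_attempts only so that the demonstration terminates. */
int nss_lookup_stale_len(struct nss_buf *buf, lookup_fn fn, const char *name,
                         int max_attempts, int *attempts)
{
    *attempts = 0;
    if (buf->data == NULL) {
        buf->len = INITIAL_LEN;
        buf->data = malloc(buf->len);
        if (buf->data == NULL)
            return ENOMEM;
    }
    size_t alloc = buf->len;
    while (*attempts < max_attempts) {
        (*attempts)++;
        int rc = fn(name, buf->data, buf->len);   /* buf->len never changes */
        if (rc != ERANGE)
            return rc;
        alloc *= 2;
        char *p = realloc(buf->data, alloc);
        if (p == NULL)
            return ENOMEM;
        buf->data = p;
        /* buf->len deliberately not updated: this is the patch 2 bug */
    }
    return ERANGE;
}

void nss_buf_free(struct nss_buf *buf)
{
    free(buf->data);
    buf->data = NULL;
    buf->len = 0;
}
```

With the 16 KiB start the correct loop needs three calls (16 KiB, 32 KiB, 64 KiB) to satisfy a 40000-byte group; the stale-length variant doubles its allocation on every pass yet never succeeds, which is the CPU-burning loop the bug describes, and on a real server the repeated calls also hold the nss_files lock against other threads.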
Comment on attachment 995077 (patch 3, make the default NSS buffer larger): wrong MIME type.
Splitting IPA memory corruption issue when using get_user_grouplist() to separate bug 1205200 with the CVE-2015-1827 assigned.
Created slapi-nis tracking bugs for this issue: Affects: fedora-all [bug 1206049]
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:0728 https://rhn.redhat.com/errata/RHSA-2015-0728.html
freeipa-4.1.4-1.fc22, slapi-nis-0.54.2-1.fc22 have been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
freeipa-4.1.4-1.fc21, slapi-nis-0.54.2-1.fc21 have been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.