Description of problem: 389 directory can crash when a search for th ememory pool file statistics is executed. Invesigation shows that __memp_stat can overwrite the allocated memory Version-Release number of selected component (if applicable): 4.7.25 and later How reproducible: hard. the crashes occured occasionally at a customer site, so far it was possible to reproduce the crash only with manually interfering into th etiming in gdb, see below Steps to Reproduce with libdb as component in 389-ds: Create and instance with several backends, start the server and run a monitor search, only a couple of files will be open. attach gdb to slapd and set a breakpoint in __memp_stat() start the monitor search when the breakpoint is hit, set another breakpoint in __memp_get_files(), this will be called for each file contained in the mpfstat when this breakpoint is hit the first time, start a search for a backend and attribute where the index file is not yet open, choose a "long" filename, eg suffix=moremoremore attr is telephonenumber, which will result in "moremoremore/telephonenumber.db4" continue the thread with the monitor search, the __memp_get_files breakpoint will be hit several times, inparallel the seaarch thjread gets enough time to open the telephonenumber index file and add it to the file list. After several itearations I got the crash. Actual results: Expected results: Additional info: In my analysis I think the problem is here in __memp_stat: /* Per-file statistics. */ if (fspp != NULL) { *fspp = NULL; /* Count the MPOOLFILE structures. */ It does not only count the files, but also determines the length of the filenames and calculates the len ot allocate i = 0; len = 0; if ((ret = __memp_walk_files(env, mp, __memp_count_files, &len, &i, flags)) != 0) return (ret); len is the size of memory to allocate i is the number of files counted if (i == 0) return (0); len += sizeof(DB_MPOOL_FSTAT *); /* Trailing NULL */ /* Allocate space */ if ((ret = __os_umalloc(env, len, fspp)) != 0) return (ret); here the space is allocated and used tfsp = *fspp; *tfsp = NULL; /* * Files may have been opened since we counted, don't walk * off the end of the allocated space. */ this comment indicates that it could happen that files are opened in between and does a countdown of i, stopping if i == 0 this works only if a new file is always appended at the end, if not the required space for file names can increase if ((ret = __memp_walk_files(env, mp, __memp_get_files, &tfsp, &i, flags)) != 0) return (ret); *++tfsp = NULL; } It looks like this was introduced when hash buckets for mpool files were introduced, in my opinion the problem didn't exist in libdb 3.x
+1
Reported upstream: https://community.oracle.com/thread/3701204 ...
(In reply to Xose Vazquez Perez from comment #2) > Reported upstream: https://community.oracle.com/thread/3701204 > > ... At https://community.oracle.com/message/13019543#13019543 yong-Oracle says: A fix is available for the latest 6.1 code base. If you want a patch for the 6.1 version, please email yong.b.li (at) oracle.com
we would need the fix for RHEL6 and RHEL7, can this patch be applied to libdb 4.7 and 5.3 ?
(In reply to Ludwig from comment #4) > we would need the fix for RHEL6 and RHEL7, can this patch be applied to > libdb 4.7 and 5.3 ? For the time, don't count on it. The licence of BerkeleyDB >5.3 was changed from Sleepycat(BSD) to GNU AGPL v3: https://docs.oracle.com/cd/E17076_03/html/installation/license_change60.html So, you need explicit permission of Oracle to backport fixes to 5.3 or lower releases.
(In reply to Xose Vazquez Perez from comment #5) > The licence of BerkeleyDB >5.3 was changed from Sleepycat(BSD) to GNU AGPL > v3: > https://docs.oracle.com/cd/E17076_03/html/installation/license_change60.html > > So, you need explicit permission of Oracle to backport fixes to 5.3 or lower > releases. I just emailed the the responsible person (yong-Oracle) asking for the patch and the permission to backport. Let's hope we would get it.
Created attachment 1026575 [details] Upstream patch for the 6.1.23 version
Snippets from the email conversation: > Here is the patch. You're welcomed to backport it to previous BDB versions. > We can help you backport the patch to previous BDB versions. Which specific versions do you prefer? So we've got both the patch and the permission to backport, and on top of it offer for help with the backport. I've responded to the latter with the versions in current RHEL (4.7.25 and 5.3.21), hopefully we will hear back soon.
Created attachment 1027041 [details] Upstream patch for the 5.3.21 version
Created attachment 1027042 [details] Upstream patch for the 4.7.25 version
libdb-5.3.28-12.fc22,libdb4-4.8.30-18.fc22 has been submitted as an update for Fedora 22. https://admin.fedoraproject.org/updates/libdb-5.3.28-12.fc22,libdb4-4.8.30-18.fc22
libdb-5.3.28-12.fc21,libdb4-4.8.30-18.fc21 has been submitted as an update for Fedora 21. https://admin.fedoraproject.org/updates/libdb-5.3.28-12.fc21,libdb4-4.8.30-18.fc21
Package libdb-5.3.28-12.fc21, libdb4-4.8.30-18.fc21: * should fix your issue, * was pushed to the Fedora 21 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing libdb-5.3.28-12.fc21 libdb4-4.8.30-18.fc21' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-8794/libdb-5.3.28-12.fc21,libdb4-4.8.30-18.fc21 then log in and leave karma (feedback).
libdb-5.3.28-12.fc22, libdb4-4.8.30-18.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
libdb-5.3.28-12.fc21, libdb4-4.8.30-18.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.