Bug 1252082 - removing chaining database links trigger valgrind read errors
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.0
Priority: medium
Severity: medium
Target Milestone: rc
Assigned To: Noriko Hosoi
QA Contact: Viktor Ashirov
Reported: 2015-08-10 12:39 EDT by Noriko Hosoi
Modified: 2015-11-19 06:43 EST
Fixed In Version: 389-ds-base-1.3.4.0-11.el7
Doc Type: Bug Fix
Last Closed: 2015-11-19 06:43:58 EST

Attachments:
valgrind.out (73.02 KB, text/plain), 2015-08-23 13:48 EDT, Viktor Ashirov

Description Noriko Hosoi 2015-08-10 12:39:48 EDT
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/47686

While deleting a chainingdb database link we start calling that backend's callbacks, and one of those callbacks deletes other callbacks from that same callback list.

==16217== Invalid read of size 8
==16217==    at 0x4C713B9: dse_call_callback (dse.c:2555)
==16217==    by 0x4C70E31: dse_delete (dse.c:2439)
==16217==    by 0x4C652CB: op_shared_delete (delete.c:364)
==16217==    by 0x4C64AB4: do_delete (delete.c:128)
==16217==    by 0x415C00: connection_dispatch_operation (connection.c:650)
==16217==    by 0x417AB2: connection_threadmain (connection.c:2534)
==16217==    by 0x3A8D029A72: ??? (in /lib64/libnspr4.so)
==16217==    by 0x378E407850: start_thread (in /lib64/libpthread-2.12.so)
==16217==    by 0x378E0E890C: clone (in /lib64/libc-2.12.so)
==16217==  Address 0xaf3e1e8 is 56 bytes inside a block of size 64 free'd
==16217==    at 0x4A063F0: free (vg_replace_malloc.c:446)
==16217==    by 0x4C5FB24: slapi_ch_free (ch_malloc.c:363)
==16217==    by 0x4C6C572: dse_callback_delete (dse.c:265)
==16217==    by 0x4C6C80D: dse_callback_removefromlist (dse.c:350)
==16217==    by 0x4C7129D: dse_remove_callback (dse.c:2523)
==16217==    by 0x4C7152F: slapi_config_remove_callback (dse.c:2588)
==16217==    by 0x8CB62DB: cb_delete_monitor_callback (cb_monitor.c:260)
==16217==    by 0x4C713A3: dse_call_callback (dse.c:2548)
==16217==    by 0x4C70E31: dse_delete (dse.c:2439)
==16217==    by 0x4C652CB: op_shared_delete (delete.c:364)
==16217==    by 0x4C64AB4: do_delete (delete.c:128)
==16217==    by 0x415C00: connection_dispatch_operation (connection.c:650)
==16217==    by 0x417AB2: connection_threadmain (connection.c:2534)
==16217==    by 0x3A8D029A72: ??? (in /lib64/libnspr4.so)
==16217==    by 0x378E407850: start_thread (in /lib64/libpthread-2.12.so)
==16217==    by 0x378E0E890C: clone (in /lib64/libc-2.12.so)
==16217==
==16217== Thread 19:
==16217== Invalid read of size 8
==16217==    at 0x4C713B9: dse_call_callback (dse.c:2555)
==16217==    by 0x4C70F9E: dse_delete (dse.c:2465)
==16217==    by 0x4C652CB: op_shared_delete (delete.c:364)
==16217==    by 0x4C64AB4: do_delete (delete.c:128)
==16217==    by 0x415C00: connection_dispatch_operation (connection.c:650)
==16217==    by 0x417AB2: connection_threadmain (connection.c:2534)
==16217==    by 0x3A8D029A72: ??? (in /lib64/libnspr4.so)
==16217==    by 0x378E407850: start_thread (in /lib64/libpthread-2.12.so)
==16217==    by 0x378E0E890C: clone (in /lib64/libc-2.12.so)
==16217==  Address 0xcc6bf38 is 56 bytes inside a block of size 64 free'd
==16217==    at 0x4A063F0: free (vg_replace_malloc.c:446)
==16217==    by 0x4C5FB24: slapi_ch_free (ch_malloc.c:363)
==16217==    by 0x4C6C572: dse_callback_delete (dse.c:265)
==16217==    by 0x4C6C80D: dse_callback_removefromlist (dse.c:350)
==16217==    by 0x4C7129D: dse_remove_callback (dse.c:2523)
==16217==    by 0x4C7152F: slapi_config_remove_callback (dse.c:2588)
==16217==    by 0x8CB351E: cb_instance_delete_config_callback (cb_instance.c:1714)
==16217==    by 0x4C713A3: dse_call_callback (dse.c:2548)
==16217==    by 0x4C70F9E: dse_delete (dse.c:2465)
==16217==    by 0x4C652CB: op_shared_delete (delete.c:364)
==16217==    by 0x4C64AB4: do_delete (delete.c:128)
==16217==    by 0x415C00: connection_dispatch_operation (connection.c:650)
==16217==    by 0x417AB2: connection_threadmain (connection.c:2534)
==16217==    by 0x3A8D029A72: ??? (in /lib64/libnspr4.so)
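
The traces above show a callback list being walked while one of its callbacks frees entries of that same list. The following is an added example, not code from 389-ds-base and not the upstream fix: it shows one general remedy, deferring the free until the walk has finished. The `struct cb` type, the `cb_*` functions and the sample callbacks are hypothetical names.

```c
#include <stdlib.h>
struct cb {                        /* hypothetical type, not 389-ds-base's dse.c */
    void (*fn)(struct cb **head);
    int removed;                   /* marked during dispatch, freed afterwards */
    struct cb *next;
};
static int dispatching;            /* non-zero while cb_dispatch() is walking */
static struct cb *monitor_cb, *instance_cb;    /* constructed sample entries */
static struct cb *cb_add(struct cb **head, void (*fn)(struct cb **)) {
    struct cb *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->fn = fn; n->next = *head; *head = n;
    return n;
}
static void cb_sweep(struct cb **head) {   /* unlink and free marked entries */
    for (struct cb **pp = head; *pp; ) {
        struct cb *n = *pp;
        if (n->removed) { *pp = n->next; free(n); } else pp = &n->next;
    }
}
/* The vulnerable shape frees here unconditionally; this one defers. */
static void cb_remove(struct cb **head, struct cb *victim) {
    victim->removed = 1;
    if (!dispatching) cb_sweep(head);
}
/* Runs each live callback and returns how many ran; p->next stays valid. */
static int cb_dispatch(struct cb **head) {
    int ran = 0;
    dispatching++;
    for (struct cb *p = *head; p; p = p->next)
        if (!p->removed) { p->fn(head); ran++; }
    if (--dispatching == 0) cb_sweep(head);
    return ran;
}
static void on_noop(struct cb **head) { (void)head; }
static void on_instance_delete(struct cb **head) {
    cb_remove(head, monitor_cb); cb_remove(head, instance_cb);
}
/* Returns callbacks run on pass 1; *second = callbacks run on pass 2. */
int demo(int *second) {
    struct cb *head = NULL;
    cb_add(&head, on_noop);
    monitor_cb = cb_add(&head, on_noop);
    instance_cb = cb_add(&head, on_instance_delete);
    int ran = cb_dispatch(&head);  /* first callback removes itself and the next */
    *second = cb_dispatch(&head);  /* only the surviving entry runs */
    cb_remove(&head, head);        /* not dispatching: freed immediately */
    return ran;
}
int main(void) { int second; return (demo(&second) == 2 && second == 1) ? 0 : 1; }
```

Built with `-fsanitize=address` or run under valgrind, this version reports no invalid read, whereas freeing inside `cb_remove()` during the walk would make the loop's `p->next` read freed memory.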
Comment 1 mreynolds 2015-08-10 13:03:34 EDT
Fixed upstream.

Issue is only detectable in valgrind.

Steps to reproduce:

[1]  Enable valgrind for DS, and start it
[2]  Create a database link:

ldapmodify ...

dn: cn=example_link,cn=chaining database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: example_link
nsslapd-suffix: dc=example,dc=com
nsmultiplexorbinddn: uid=test,dc=example,dc=com
nsfarmserverurl: ldap://localhost:389/
nsmultiplexorcredentials: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUV
 GRERBNEJDUmxObUk0WXpjM1l5MHdaVE5rTXpZNA0KTnkxaE9XSmhORGRoT0MwMk1ESmpNV014TUFB
 Q0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQnY1M2VNeTVuR0hZT
 WRCVXRUYkcxcA==}mzH2Saj9gPyeozCbe+QehQ==

dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
add: nsslapd-backend
nsslapd-backend: example_link

dn: cn=dc\3Dexample\2Cdc\3Dcom,cn=mapping tree,cn=config
changetype: modify
delete: nsslapd-backend
nsslapd-backend: example_link


[3]  Delete the Link

ldapmodify ...

dn: cn=monitor,cn=example_link,cn=chaining database,cn=plugins,cn=config
changetype: delete

dn: cn=example_link,cn=chaining database,cn=plugins,cn=config
changetype: delete

[4]  Stop the server

[5]  Check there is nothing in the valgrind report mentioning "dse_call_callback" and "Invalid read"
Comment 3 Viktor Ashirov 2015-08-23 13:48:25 EDT
Created attachment 1066067
valgrind.out

Build tested: 389-ds-base-1.3.4.0-13.el7.x86_64

I don't see any invalid reads related to dse_call_callback in the valgrind output.

But there are plenty of these messages:
==20636==    by 0x4E917B8: dse_call_callback.isra.1 (dse.c:2634)

Mark, could you please confirm that they are unrelated? 
Thanks!
Comment 4 mreynolds 2015-08-25 11:41:05 EDT
(In reply to Viktor Ashirov from comment #3)
> Created attachment 1066067
> valgrind.out
> 
> Build tested: 389-ds-base-1.3.4.0-13.el7.x86_64
> 
> I don't see any invalid reads related to dse_call_callback in the valgrind
> output.
> 
> But there are plenty of these messages:
> ==20636==    by 0x4E917B8: dse_call_callback.isra.1 (dse.c:2634)
> 
> Mark, could you please confirm that they are unrelated? 
> Thanks!

Those are unrelated messages, and can be ignored.

Thanks,
Mark
Comment 5 Viktor Ashirov 2015-08-25 11:42:50 EDT
Thanks, Mark!

Marking as VERIFIED.
Comment 6 errata-xmlrpc 2015-11-19 06:43:58 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2351.html
