Bug 1259516 - crash in bind operation csnset_free
Summary: crash in bind operation csnset_free
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
Reported: 2015-09-02 20:47 UTC by German Parente
Modified: 2020-09-13 21:31 UTC (History)

Doc Type: Bug Fix
Last Closed: 2015-09-14 16:02:08 UTC


Attachments
Full stack trace (177.12 KB, text/plain), 2015-09-02 20:47 UTC, German Parente
access log buffer (525.55 KB, text/plain), 2015-09-02 21:04 UTC, German Parente


Links
System ID | Private | Priority | Status | Summary | Last Updated
Github 389ds 389-ds-base issues 1607 | 0 | None | closed | Initialize integer pointer in reslimit_update_from_entry() | 2020-12-19 03:34:16 UTC

Description German Parente 2015-09-02 20:47:22 UTC
Created attachment 1069590
Full stack trace

Description of problem:

Server crashes at bind operation when freeing the csn of the internal entry requested for the password policy check.

The full bt is in the attachment. Here is an extract:

Core was generated by `/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-SCHAEFFLER-COM -i /var/run/dirsrv/slapd'.
Program terminated with signal 11, Segmentation fault.
#0  csnset_purge (csnset=csnset@entry=0x7fd448101680, 
    csnUpTo=csnUpTo@entry=0x0) at ldap/servers/slapd/csnset.c:323
323					nnext = n->next;



#0  csnset_purge (csnset=csnset@entry=0x7fd448101680, csnUpTo=csnUpTo@entry=0x0) at ldap/servers/slapd/csnset.c:323
#1  0x00007fd4a3e87767 in csnset_free (csnset=csnset@entry=0x7fd448101680) at ldap/servers/slapd/csnset.c:162
#2  0x00007fd4a3f06a89 in value_done (v=0x7fd448101670) at ldap/servers/slapd/value.c:256
#3  0x00007fd4a3f06ab6 in slapi_value_free (v=0x7fd44810e9e0) at ldap/servers/slapd/value.c:241
#4  0x00007fd4a3f07a95 in valuearray_free_ext (va=va@entry=0x7fd4481c1368, idx=<optimized out>, idx@entry=0) at ldap/servers/slapd/valueset.c:323
#5  0x00007fd4a3f07ac7 in valuearray_free (va=va@entry=0x7fd4481c1368) at ldap/servers/slapd/valueset.c:333
#6  0x00007fd4a3f08159 in slapi_valueset_done (vs=vs@entry=0x7fd4481c1358) at ldap/servers/slapd/valueset.c:611
#7  0x00007fd4a3e7d7b8 in attr_done (a=0x7fd4481c1350) at ldap/servers/slapd/attr.c:465
#8  0x00007fd4a3e7d83a in slapi_attr_free (ppa=ppa@entry=0x7fd4747f57f0) at ldap/servers/slapd/attr.c:451
#9  0x00007fd4a3e7ea14 in attrlist_free (alist=<optimized out>) at ldap/servers/slapd/attrlist.c:53
#10 0x00007fd4a3e93810 in slapi_entry_free (e=e@entry=0x7fd44817c880) at ldap/servers/slapd/entry.c:2050
#11 0x00007fd4a439b114 in do_bind (pb=pb@entry=0x7fd4747f7ae0) at ldap/servers/slapd/bind.c:874
#12 0x00007fd4a43a244f in connection_dispatch_operation (pb=0x7fd4747f7ae0, op=0x7fd4a5d2a680, conn=0x7fd480f35880) at ldap/servers/slapd/connection.c:635
#13 connection_threadmain () at ldap/servers/slapd/connection.c:2534
#14 0x00007fd4a22c99db in _pt_root (arg=0x7fd4a5d06890) at ../../../nspr/pr/src/pthreads/ptthread.c:212
#15 0x00007fd4a1c6adf5 in start_thread (arg=0x7fd4747f8700) at pthread_create.c:308
#16 0x00007fd4a19981ad in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

(gdb) frame 10
#10 0x00007fd4a3e93810 in slapi_entry_free (e=e@entry=0x7fd44817c880) at ldap/servers/slapd/entry.c:2050
2050			attrlist_free(e->e_attrs);
(gdb) print_slapi_entry e
$1 = {flag = 0 '\000', udn = 0x0, dn = 0x0, ndn = 0x0, ndn_len = 0}
$2 = 0x0
$3 = 0x7fd4481e1bb0 ""
$4 = 0x7fd4481bbd90 "com"
$5 = 0x7fd448186670 "dc=com"
$6 = 0x7fd448170eb0 "com"
$7 = 0x7fd4481b58e0 "=com"
$8 = 0x7fd4481710e0 "dc=com"
$9 = 0x7fd448172d60 "dc=com"
$10 = 0x7fd4481825d0 "com"
$11 = 0x7fd448155c90 "dc=com"
$12 = 0x7fd448172af0 "dc=com"
$13 = 0x7fd448182ca0 "dc=com"
$14 = 0x7fd4481c15e0 "com"
$15 = 0x7fd4481dfe60 "dc=com"
$16 = 0x7fd4481e0290 ""
$17 = 0x7fd44817c250 ""
$18 = 0x7fd44817c1d0 ""
$19 = 0x7fd44817c150 "=com"
$20 = 0x7fd44817c090 "P훤\324\177"
$21 = 0x7fd44817c010 "P훤\324\177"
$22 = 0x7fd44817bf90 " 9\233\244\324\177"
$23 = 0x7fd44817bf10 ""
$24 = 0x7fd44817bdf0 "P훤\324\177"
$25 = 0x7fd44817bd70 "P\002"
$26 = 0x7fd448188680 ""
$27 = 0x7fd448188600 ""
$28 = 0x7fd448188580 ""
$29 = 0x0
$30 = 0x7fd4481dd730 "loginShell"
$31 = 0x7fd448138220 "objectClass"
$32 = 0x7fd44809e440 "cn"
$33 = 0x7fd44804f530 "nsUniqueId"
$34 = 0x7fd44804edc0 "entrydn"

(entry seems to be corrupt).

And then, csn:

(gdb) frame 2
#2  0x00007fd4a3f06a89 in value_done (v=0x7fd448101670) at ldap/servers/slapd/value.c:256
256		        csnset_free(&(v->v_csnset));
(gdb) print &(v->v_csnset)->type
$35 = (CSNType *) 0x45 <Address 0x45 out of bounds>
(gdb) 

(gdb) print &(v->v_csnset)->csn.seqnum
$38 = (PRUint16 *) 0x55
(gdb) print &(v->v_csnset)->csn.rid
$39 = (ReplicaId *) 0x57
(gdb) print &(v->v_csnset)->csn.tstamp
$40 = (time_t *) 0x4d

No replica 87 in customer topology.



Version-Release number of selected component (if applicable): 389-ds-base-1.3.3.1-15


How reproducible: it has been reproduced only once at customer site.


Steps to Reproduce:

N/A


Actual results:

Server crashed.


Expected results:


Additional info:

I apologize that unfortunately I have no more info on how to reproduce this or further troubleshoot.
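
An added triage example, not part of the original report and not 389-ds-base code: in gdb, an expression of the form &(v->v_csnset)->type evaluates to the address of that member inside the structure v->v_csnset points to, so $35 and $38 to $40 are member addresses. The sketch below checks whether the four printed addresses fit one base pointer; the mirrored struct layout (field widths, subseqnum, next) and the 4096-byte page size are assumptions for a 64-bit Linux build.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed mirror of what v->v_csnset points to. Member names come from the gdb
 * session; field widths, subseqnum and next are assumptions (64-bit Linux). */
struct csn_mirror {
    int64_t  tstamp;     /* time_t in the gdb output */
    uint16_t seqnum;     /* PRUint16 */
    uint16_t rid;        /* ReplicaId */
    uint16_t subseqnum;  /* assumed */
};
struct csnset_mirror {
    int32_t               type;  /* CSNType, assumed to be a 4-byte enum */
    struct csn_mirror     csn;
    struct csnset_mirror *next;  /* assumed */
};
struct observation { size_t offset; uintptr_t printed; };

/* Addresses copied from $35, $40, $38 and $39 in the session above. */
static const struct observation GDB_VALUES[] = {
    { offsetof(struct csnset_mirror, type),       0x45 },
    { offsetof(struct csnset_mirror, csn.tstamp), 0x4d },
    { offsetof(struct csnset_mirror, csn.seqnum), 0x55 },
    { offsetof(struct csnset_mirror, csn.rid),    0x57 },
};
#define GDB_COUNT (sizeof GDB_VALUES / sizeof GDB_VALUES[0])

/* Returns 1 and stores the shared base pointer when every printed address
 * equals base + offsetof(member); returns 0 when they disagree. */
int recover_base(const struct observation *obs, size_t n, uintptr_t *base)
{
    if (n == 0 || obs[0].printed < obs[0].offset)
        return 0;
    uintptr_t candidate = obs[0].printed - obs[0].offset;
    for (size_t i = 1; i < n; i++)
        if (obs[i].printed != candidate + obs[i].offset)
            return 0;
    *base = candidate;
    return 1;
}

/* The first page is normally unmapped on Linux (4096 is an assumed size). */
int in_null_page(uintptr_t p) { return p < 4096; }

int main(void)
{
    uintptr_t base = 0;
    if (recover_base(GDB_VALUES, GDB_COUNT, &base))
        printf("v->v_csnset = %#lx, null page: %d\n", (unsigned long)base, in_null_page(base));
    return 0;
}
```

The four addresses agree on a base of 0x45, so the pointer stored in v->v_csnset is itself invalid and the field values behind it cannot be read from the core.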

Comment 4 German Parente 2015-09-02 21:04:03 UTC
Created attachment 1069595
access log buffer

