Bug 1267296 - ns-slapd crash double free in pagedresults_cleanup
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.8
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Noriko Hosoi
Viktor Ashirov
Petr Bokoc
Keywords: ZStream
Depends On:
Blocks: 1268772
Reported: 2015-09-29 10:58 EDT by German Parente
Modified: 2016-05-10 15:21 EDT (History)

See Also:
Fixed In Version: 389-ds-base-1.2.11.15-67.el6
Doc Type: Bug Fix
Doc Text:
*ns-slapd* no longer crashes when freeing a search results object. Previously, when Directory Server freed a search results object, there was a brief window before the freed state was recorded in the `pagedresults` handle. If the `paged-results` handle was released due to a timeout during this window, the object was freed a second time (a double free), causing *ns-slapd* to crash. This problem has been eliminated, and a double free no longer occurs when freeing search results objects.
Story Points: ---
Clone Of:
Clones: 1268772
Environment:
Last Closed: 2016-05-10 15:21:30 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description German Parente 2015-09-29 10:58:28 EDT
Description of problem:

Customer is experiencing a crash using rhel6.7, more precisely, using release 60 + fix for crash paged searches, with this signature:

Thread 1 (Thread 0x7f1d8d66a7c0 (LWP 26260)):
#0  0x0000003195432625 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        resultvar = 0
        pid = <value optimized out>
        selftid = 26260
#1  0x0000003195433e05 in abort () at abort.c:92
        save_stage = 2
        act = {__sigaction_handler = {sa_handler = 0x7fffd7ed4bd8, sa_sigaction = 0x7fffd7ed4bd8}, sa_mask = {__val = {140736816040896, 140736816053753, 18, 212958803342, 3, 140736816040906, 6, 212958803346, 2, 140736816040894, 2, 212958796611, 1, 212958803342, 3, 140736816040902}}, sa_flags = 10, sa_restorer = 0x3195557592}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x0000003195470537 in __libc_message (do_abort=2, fmt=0x3195558780 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffd7ed5540, reg_save_area = 0x7fffd7ed5450}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffd7ed5540, reg_save_area = 0x7fffd7ed5450}}
        fd = 2
        on_2 = <value optimized out>
        list = <value optimized out>
        nlist = <value optimized out>
        cp = <value optimized out>
        written = <value optimized out>
#3  0x0000003195475e66 in malloc_printerr (action=3, str=0x319555686e "free(): invalid pointer", ptr=<value optimized out>) at malloc.c:6336
        buf = "00007f1cf000dd10"
        cp = <value optimized out>
#4  0x0000003aa664c416 in slapi_ch_free (ptr=0x7f1cf0003ee0) at ldap/servers/slapd/ch_malloc.c:363
No locals.
#5  0x00007f1d886b7ccd in delete_search_result_set (pb=0x0, sr=0x7f1d34022a18) at ldap/servers/slapd/back-ldbm/ldbm_search.c:1897
        rc = 0
        filt_errs = 0
#6  0x0000003aa668fe30 in pagedresults_cleanup (conn=0x7f1d73104cd0, needlock=0) at ldap/servers/slapd/pagedresults.c:764
        rc = <value optimized out>
        i = <value optimized out>
        prp = 0x7f1d34022a10
#7  0x0000000000414a00 in connection_cleanup (conn=0x7f1d73104cd0) at ldap/servers/slapd/connection.c:207
No locals.
#8  0x0000000000415971 in connection_table_move_connection_out_of_active_list (ct=0x21acfe0, c=0x7f1d73104cd0) at ldap/servers/slapd/conntable.c:322
No locals.
#9  0x000000000041849e in setup_pr_read_pds (ports=0x7fffd7ed5be0) at ldap/servers/slapd/daemon.c:1708
        add_fd = <value optimized out>
        c = 0x7f1d73104cd0
        socketdesc = 0
        count = 38
        next = 0x7f1d73105e50
        accept_new_connections = <value optimized out>
        slapdFrontendConfig = <value optimized out>
        max_threads_per_conn = 5
        n_listeners = <value optimized out>
        last_accept_new_connections = 1
#10 slapd_daemon (ports=0x7fffd7ed5be0) at ldap/servers/slapd/daemon.c:1165

Version-Release number of selected component (if applicable): 

389-ds-base-1.2.11.15-60.2.el6_7.x86_64


How reproducible: very rarely.


Steps to Reproduce:

unknown.


Additional info:

The full stack trace can be found in bz 1247792.
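The Doc Text describes the failure mode behind this trace: the search result set is freed in one step and the paged-results handle is cleared in a later step, and a timeout-driven release that reads the handle in between frees the same object again. The example below is added here to illustrate the ordering problem and the usual remedy; it is not code from 389-ds-base and does not reproduce the project's actual patch. The `search_result_set` and `paged_slot` structures, the `release_*` function names, and the use of a C11 atomic exchange to make "take the pointer and clear the slot" a single step are all constructed for this illustration (the real server protects the handle with its connection lock rather than an atomic).

```c
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a backend search result set; the real
 * 389-ds structure is not reproduced here. */
typedef struct search_result_set {
    size_t candidate_count;
    long  *candidates;          /* owned buffer, freed together with the set */
} search_result_set;

/* Constructed stand-in for the per-connection paged-results entry.
 * The atomic pointer is this example's way of making "take the pointer
 * and clear the slot" one indivisible step; it is not the project's code. */
typedef struct paged_slot {
    _Atomic(search_result_set *) sr;
} paged_slot;

/* Counts real frees so a caller can prove "freed exactly once". */
static int g_frees = 0;

search_result_set *sr_new(size_t n)
{
    search_result_set *sr = calloc(1, sizeof *sr);
    if (sr == NULL) return NULL;
    sr->candidates = calloc(n, sizeof *sr->candidates);
    if (sr->candidates == NULL) { free(sr); return NULL; }
    sr->candidate_count = n;
    return sr;
}

void sr_free(search_result_set *sr)
{
    if (sr == NULL) return;
    free(sr->candidates);
    free(sr);
    g_frees++;
}

/* Fragile ordering, mirroring the failure mode in the Doc Text: the set is
 * freed first and the slot cleared afterwards. Between the two steps the slot
 * still points at freed memory, so a second releaser (for example the
 * paged-results timeout) that reads the slot frees it again.
 * Shown for contrast only; this example never calls it. */
void release_free_then_clear(paged_slot *slot)
{
    search_result_set *sr = atomic_load(&slot->sr);
    sr_free(sr);                               /* window opens here */
    atomic_store(&slot->sr, (search_result_set *)0);
}

/* Safe ordering: detach the pointer from the slot in one atomic step, then
 * free only what this caller now exclusively owns. Whichever releaser runs
 * second sees NULL and does nothing. Returns 1 if this call freed the set. */
int release_detach_then_free(paged_slot *slot)
{
    search_result_set *sr = atomic_exchange(&slot->sr, (search_result_set *)0);
    if (sr == NULL)
        return 0;                              /* already released */
    sr_free(sr);
    return 1;
}

/* Simulates the two release paths implied by the trace (connection cleanup
 * and the paged-results timeout) both reaching the same slot, back to back.
 * Returns how many frees actually happened: 1 with the safe ordering,
 * or -1 if the ownership hand-off did not behave as expected. */
int demo_two_releasers(void)
{
    paged_slot slot;
    atomic_init(&slot.sr, sr_new(8));          /* constructed sample set */
    g_frees = 0;

    int first  = release_detach_then_free(&slot);  /* e.g. connection cleanup */
    int second = release_detach_then_free(&slot);  /* e.g. timeout release   */

    if (first != 1 || second != 0)
        return -1;
    return g_frees;
}

int main(void)
{
    printf("frees performed by two releasers: %d\n", demo_two_releasers());
    return 0;
}
```

The point of the contrast is ownership: once the slot has been cleared, only the caller holding the detached pointer may free it, so the timeout path and the connection cleanup path can run in either order without meeting the same pointer twice. Any lock-based variant achieves the same thing as long as the slot is cleared under the lock before the free, not after.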
Comment 11 errata-xmlrpc 2016-05-10 15:21:30 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0737.html
