Bug 1268772 - ns-slapd crash double free in pagedresults_cleanup
Summary: ns-slapd crash double free in pagedresults_cleanup
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.8
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On: 1267296
Blocks:
Reported: 2015-10-05 08:30 UTC by Jan Kurik
Modified: 2015-11-10 09:15 UTC (History)

Fixed In Version: 389-ds-base-1.2.11.15-65.el6_7
Doc Type: Bug Fix
Doc Text:
Cause: After a search results object was freed, there was a window before the freed state was recorded in the paged-results handle. If the paged-results handle was released due to a timeout during that window, a double free occurred. Fix: The window has been eliminated, so the double free can no longer occur.
Clone Of: 1267296
Environment:
Last Closed: 2015-11-10 09:15:20 UTC
Target Upstream Version:
Embargoed:
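
The window described in the Doc Text above, as an added illustration (not code from 389-ds-base or from this bug's patch). All names here (`pr_handle`, `result_set`, `search_done_racy`, `search_done_fixed`, `timeout_cleanup`) are hypothetical, releases are counted instead of calling `free()`, and the timeout is injected at the exact point of the window so the outcome is deterministic.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins, not 389-ds-base structures. */
struct result_set { int release_count; };      /* counts releases instead of free() */
struct pr_handle  { struct result_set *rs; };  /* paged-results slot on a connection */
typedef void (*window_hook)(struct pr_handle *);

static void release_result_set(struct result_set *rs) { rs->release_count++; }

/* Timeout path: releases whatever the handle still points to. */
static void timeout_cleanup(struct pr_handle *h)
{
    struct result_set *rs = h->rs;   /* real code: read and clear under one lock */
    h->rs = NULL;
    if (rs) release_result_set(rs);
}

/* Before: release first, record it in the handle afterwards. */
static void search_done_racy(struct pr_handle *h, window_hook hook)
{
    release_result_set(h->rs);
    if (hook) hook(h);               /* window: handle still advertises the object */
    h->rs = NULL;
}

/* After: detach the pointer from the handle, then release the private copy. */
static void search_done_fixed(struct pr_handle *h, window_hook hook)
{
    struct result_set *rs = h->rs;   /* real code: same critical section as the clear */
    h->rs = NULL;
    if (hook) hook(h);               /* a timeout here finds nothing to release */
    if (rs) release_result_set(rs);
}

/* Returns how many times the one result set was released. */
static int releases(int use_fixed, int timeout_fires)
{
    struct result_set rs = { 0 };
    struct pr_handle h = { &rs };
    window_hook hook = timeout_fires ? timeout_cleanup : NULL;
    if (use_fixed) search_done_fixed(&h, hook);
    else           search_done_racy(&h, hook);
    return rs.release_count;
}

int main(void)
{
    printf("racy:  %d release(s)\n", releases(0, 1));
    printf("fixed: %d release(s)\n", releases(1, 1));
    return 0;
}
```

Without the timeout both orderings release once, which is consistent with the bug being hard to reproduce on a standalone server.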




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1998 0 normal SHIPPED_LIVE 389-ds-base bug fix update 2015-11-10 14:12:51 UTC

Description Jan Kurik 2015-10-05 08:30:11 UTC
This bug has been copied from bug #1267296 and has been proposed
to be backported to 6.7 z-stream (EUS).

Comment 4 Noriko Hosoi 2015-10-07 00:16:59 UTC
For verification...
It is extremely hard to reproduce the bug with the standalone 389-ds-base.
I recommend running
1) tet simple paged results test suite
2) upstream simple paged results related test cases.
3) run ldapsearch -E pr=<page_size> -l <timelimit>
   and wait longer than <timelimit> in the middle of the paging.
   If the connection is closed with T2 (SLAPD_DISCONNECT_IO_TIMEOUT) without any problem, the test is passed.

Ideally, set up IPA/SSSD and stress DS with short timelimit (nsslapd-timelimit in cn=config in dse.ldif) and short client_idle_timeout in sssd.conf.  Then, stress the DS via SSSD.  If it runs fine with no crash for long enough (one day?), we are confident to say verified.

Comment 5 Sankar Ramalingam 2015-10-21 17:27:29 UTC
1. Executed simplepaged acceptance tests. No regression found.

############## Result  for  backend test :   SIMPLEPAGED run
    SIMPLEPAGED run elapse time : 00:04:57
    SIMPLEPAGED run Tests PASS      : 100% (17/17)

2. Executed simplepaged search with -E pr=15 -l 9 and waited for more than the timelimit. nsslapd-timelimit is set to 7, cn=config in dse.ldif.
The connection got closed without any problem.

3. Currently, I am stressing the server with add/modify/delete/search in an IPA environment to check if there are crashes. The nsslapd-timelimit value in cn=config is set to 7 and the value for client_idle_timeout in sssd.conf is set to 9. I will observe the setup for about 24 hours and then update the bug with my findings.

Comment 6 Sankar Ramalingam 2015-10-22 17:08:29 UTC
Stressed the directory server for 24 hours and I observed no crashes. Hence, marking the bug as Verified.

[root@vm-idm-004 ~]# rpm -qa |egrep 'ipa-|389-ds-'
ipa-server-3.0.0-47.el6.x86_64
ipa-python-3.0.0-47.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
ipa-client-3.0.0-47.el6.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
389-ds-base-1.2.11.15-65.el6_7.x86_64
ipa-admintools-3.0.0-47.el6.x86_64
389-ds-base-debuginfo-1.2.11.15-65.el6_7.x86_64
389-ds-base-libs-1.2.11.15-65.el6_7.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
ipa-server-selinux-3.0.0-47.el6.x86_64

Comment 8 errata-xmlrpc 2015-11-10 09:15:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1998.html

