Bug 1399600 - ns-slapd segfaults during execution of tickets/ticket47966_test.py
Summary: ns-slapd segfaults during execution of tickets/ticket47966_test.py
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.9
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
Assignee: mreynolds
QA Contact: Viktor Ashirov
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-29 11:29 UTC by Viktor Ashirov
Modified: 2017-03-21 10:24 UTC (History)

Fixed In Version: 389-ds-base-1.2.11.15-86.el6
Doc Type: Bug Fix
Doc Text:
Virtual list view-related problems have been fixed.

Previously, when removing a virtual list view (VLV) index, the "dblayer_erase_index_file_nolock()" function was not called. Thus, the physical index file and the back pointer set to the *dblayer* handle were not removed. Consequently, Directory Server terminated unexpectedly. This fix updates the code and the "dblayer_erase_index_file_nolock()" function is now called when removing a VLV index.

In addition, the "vlv_init()" function previously could be called multiple times without unregistering VLV plug-in callbacks. As a consequence, Directory Server sometimes terminated unexpectedly. With this update, callbacks are now unregistered. As a result, Directory Server no longer terminates unexpectedly in the described situations.
Clone Of:
Environment:
Last Closed: 2017-03-21 10:24:02 UTC
Target Upstream Version:
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2017:0667 | 0 | normal | SHIPPED_LIVE | 389-ds-base bug fix update | 2017-03-21 12:35:05 UTC

Description Viktor Ashirov 2016-11-29 11:29:48 UTC
Description of problem:
ns-slapd segfaults during execution of tickets/ticket47966_test.py

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-85.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. run tickets/ticket47966_test.py
2.
3.

Actual results:
Program received signal SIGSEGV, Segmentation fault.
_int_malloc (av=0x7f5ba4234120, bytes=<value optimized out>) at malloc.c:4561
4561	      fwd->bk = victim;
(gdb) bt
#0  _int_malloc (av=0x7f5ba4234120, bytes=<value optimized out>) at malloc.c:4561
#1  0x00007f5ba3f20aac in __libc_malloc (bytes=416) at malloc.c:3667
#2  0x00007f5ba6447ccb in slapi_ch_malloc (size=416) at ldap/servers/slapd/ch_malloc.c:155
#3  0x00007f5ba64872a4 in ber_special_alloc (flags=960) at ldap/servers/slapd/operation.c:151
#4  operation_new (flags=960) at ldap/servers/slapd/operation.c:186
#5  0x0000000000413942 in connection_make_new_pb (ppb=0x7ffc387a2018, conn=0x7f5b9448a150)
    at ldap/servers/slapd/connection.c:1748
#6  0x00000000004139c8 in connection_activity (conn=0x7f5b9448a150)
    at ldap/servers/slapd/connection.c:2431
#7  0x000000000041963c in handle_pr_read_ready (ports=0x7ffc387a25e0) at ldap/servers/slapd/daemon.c:2170
#8  slapd_daemon (ports=0x7ffc387a25e0) at ldap/servers/slapd/daemon.c:1357
#9  0x00000000004202a3 in main (argc=7, argv=0x7ffc387a2978) at ldap/servers/slapd/main.c:1265


Expected results:


Additional info:

Comment 2 mreynolds 2016-12-16 16:20:22 UTC
Fixed upstream.

Comment 3 Noriko Hosoi 2016-12-16 17:47:26 UTC
Hi Mark,

This is the patch I mentioned in the scrum.  As seen in the ticket 48987, an invalid access was reported in the memory checker when a vlv operation (actually vlv index deletion) was made.  The patch is small and looks safe.  Could you please apply this one as well?

    Ticket #48987 - Heap use after free in dblayer_close_indexes
    
    Description: Once an attribute info is deleted, its backpointer
    dblayer_handle_ai_backpointer in the dblayer handle needs to be
    set to NULL not to access the address again. We also need to set
    this to null from within the dblayer_close_indexes because there
    is no guarantee on the order that we free the handle or the
    attrinfo.
    
    https://fedorahosted.org/389/ticket/48987
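
The teardown rule in the commit message above, as an added C example that is not the 389-ds-base patch: each side clears the other's pointer before it is freed, so either free order is safe. The struct and function names (`attrinfo`, `handle`, `open_index`, `attrinfo_delete`, `close_indexes`, `teardown`) are hypothetical stand-ins.

```c
#include <stdlib.h>
/* Hypothetical model of the two objects; not the 389-ds-base structures. */
struct attrinfo { struct handle *ai_handle; };
struct handle { struct handle **ai_backpointer; struct handle *next; };

static struct handle *open_index(struct attrinfo *a, struct handle *list) {
    struct handle *h = calloc(1, sizeof *h);
    if (h == NULL) return list;
    h->ai_backpointer = &a->ai_handle;       /* address of the owner's slot */
    h->next = list;
    a->ai_handle = h;
    return h;
}

/* Detach from the handle before freeing, so it never writes into freed memory. */
static void attrinfo_delete(struct attrinfo *a) {
    if (a->ai_handle != NULL) a->ai_handle->ai_backpointer = NULL;
    free(a);
}

/* Returns how many attrinfo slots were still linked and had to be cleared. */
static int close_indexes(struct handle *list) {
    int cleared = 0;
    for (struct handle *next; list != NULL; list = next) {
        next = list->next;
        if (list->ai_backpointer != NULL) {  /* attrinfo is still alive */
            *list->ai_backpointer = NULL;    /* drop its pointer to this handle */
            list->ai_backpointer = NULL;
            cleared++;
        }
        free(list);
    }
    return cleared;
}

/* Two linked pairs torn down in either order; -1 means a stale pointer survived. */
static int teardown(int attrinfo_first) {
    struct attrinfo *a = calloc(1, sizeof *a), *b = calloc(1, sizeof *b);
    if (a == NULL || b == NULL) { free(a); free(b); return -1; }
    struct handle *list = open_index(b, open_index(a, NULL));
    if (attrinfo_first) attrinfo_delete(a);  /* a's handle outlives a */
    int cleared = close_indexes(list);
    if (b->ai_handle != NULL || (!attrinfo_first && a->ai_handle != NULL)) cleared = -1;
    if (!attrinfo_first) attrinfo_delete(a);
    attrinfo_delete(b);
    return cleared;
}

int main(void) { return (teardown(1) == 1 && teardown(0) == 2) ? 0 : 1; }
```

Removing either NULL assignment reintroduces a write through a pointer into freed memory in one of the two orders, which a memory checker reports as a heap use after free.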

Comment 4 mreynolds 2016-12-16 19:38:08 UTC
(In reply to Noriko Hosoi from comment #3)
> Hi Mark,
> 
> This is the patch I mentioned in the scrum.  As seen in the ticket 48987, an
> invalid access was reported in the memory checker when a vlv operation
> (actually vlv index deletion) was made.  The patch is small and looks safe. 
> Could you please apply this one as well?

Thank you very much for recalling this one!  It's now pushed.

> 
>     Ticket #48987 - Heap use after free in dblayer_close_indexes
>

Comment 5 Noriko Hosoi 2016-12-16 20:09:27 UTC
(In reply to mreynolds from comment #4)
> Thank you very much for recalling this one!  It's now pushed.
Thanks a lot, Mark!!

Comment 7 Simon Pichugin 2017-01-10 12:39:29 UTC
[0 root@qeos-212 ds]# py.test -v dirsrvtests/tests/tickets/ticket47966_test.py
======================= test session starts =======================
platform linux2 -- Python 2.7.8, pytest-3.0.5, py-1.4.32, pluggy-0.4.0 -- /opt/rh/python27/root/usr/bin/python
cachedir: .cache
DS build: 1.2.11.15 B2017.010.016
389-ds-base: 1.2.11.15-86.el6
nss: 3.27.1-12.el6
nspr: 4.13.1-1.el6
openldap: 2.4.40-16.el6
svrcore: 4.0.4-5.1.el6

rootdir: /mnt/tests/rhds/tests/upstream/ds, inifile:
plugins: html-1.13.0, cov-2.4.0, beakerlib-0.6
collected 1 items

dirsrvtests/tests/tickets/ticket47966_test.py::test_ticket47966 PASSED

==================== 1 passed in 141.75 seconds ====================

Marking as verified.

Comment 11 errata-xmlrpc 2017-03-21 10:24:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0667.html

