Bug 1399600 - ns-slapd segfaults during execution of tickets/ticket47966_test.py
Summary: ns-slapd segfaults during execution of tickets/ticket47966_test.py
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.9
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: mreynolds
QA Contact: Viktor Ashirov
Marc Muehlfeld
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-11-29 11:29 UTC by Viktor Ashirov
Modified: 2017-03-21 10:24 UTC

Fixed In Version: 389-ds-base-1.2.11.15-86.el6
Doc Type: Bug Fix
Doc Text:
Virtual list view-related problems have been fixed
Previously, when removing a virtual list view (VLV) index, the "dblayer_erase_index_file_nolock()" function was not called. Thus, the physical index file and the back pointer set to the *dblayer* handle were not removed. Consequently, Directory Server terminated unexpectedly. This fix updates the code and the "dblayer_erase_index_file_nolock()" function is now called when removing a VLV index. In addition, the "vlv_init()" function previously could be called multiple times without unregistering VLV plug-in callbacks. As a consequence, Directory Server sometimes terminated unexpectedly. With this update, callbacks are now unregistered. As a result, Directory Server no longer terminates unexpectedly in the described situations.
Clone Of:
Environment:
Last Closed: 2017-03-21 10:24:02 UTC
Target Upstream Version:



Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2017:0667 | 0 | normal | SHIPPED_LIVE | 389-ds-base bug fix update | 2017-03-21 12:35:05 UTC

Description Viktor Ashirov 2016-11-29 11:29:48 UTC
Description of problem:
ns-slapd segfaults during execution of tickets/ticket47966_test.py

Version-Release number of selected component (if applicable):
389-ds-base-1.2.11.15-85.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. run tickets/ticket47966_test.py
2.
3.

Actual results:
Program received signal SIGSEGV, Segmentation fault.
_int_malloc (av=0x7f5ba4234120, bytes=<value optimized out>) at malloc.c:4561
4561	      fwd->bk = victim;
(gdb) bt
#0  _int_malloc (av=0x7f5ba4234120, bytes=<value optimized out>) at malloc.c:4561
#1  0x00007f5ba3f20aac in __libc_malloc (bytes=416) at malloc.c:3667
#2  0x00007f5ba6447ccb in slapi_ch_malloc (size=416) at ldap/servers/slapd/ch_malloc.c:155
#3  0x00007f5ba64872a4 in ber_special_alloc (flags=960) at ldap/servers/slapd/operation.c:151
#4  operation_new (flags=960) at ldap/servers/slapd/operation.c:186
#5  0x0000000000413942 in connection_make_new_pb (ppb=0x7ffc387a2018, conn=0x7f5b9448a150)
    at ldap/servers/slapd/connection.c:1748
#6  0x00000000004139c8 in connection_activity (conn=0x7f5b9448a150)
    at ldap/servers/slapd/connection.c:2431
#7  0x000000000041963c in handle_pr_read_ready (ports=0x7ffc387a25e0) at ldap/servers/slapd/daemon.c:2170
#8  slapd_daemon (ports=0x7ffc387a25e0) at ldap/servers/slapd/daemon.c:1357
#9  0x00000000004202a3 in main (argc=7, argv=0x7ffc387a2978) at ldap/servers/slapd/main.c:1265


Expected results:


Additional info:

Comment 2 mreynolds 2016-12-16 16:20:22 UTC
Fixed upstream.

Comment 3 Noriko Hosoi 2016-12-16 17:47:26 UTC
Hi Mark,

This is the patch I mentioned in the scrum.  As seen in the ticket 48987, an invalid access was reported in the memory checker when a vlv operation (actually vlv index deletion) was made.  The patch is small and looks safe.  Could you please apply this one as well?

    Ticket #48987 - Heap use after free in dblayer_close_indexes
    
    Description: Once an attribute info is deleted, its backpointer
    dblayer_handle_ai_backpointer in the dblayer handle needs to be
    set to NULL not to access the address again. We also need to set
    this to null from within the dblayer_close_indexes because there
    is no guarantee on the order that we free the handle or the
    attrinfo.
    
    https://fedorahosted.org/389/ticket/48987
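
The back-pointer rule stated in the commit message above, shown as a simplified C model. This is an added example, not code from the bug report or from 389-ds-base; the struct and function names (attrinfo, handle, index_open, index_delete, close_all) are hypothetical, and only the rule (whichever side is freed first clears the other side's pointer) comes from the page.

```c
#include <stdlib.h>
/* Simplified model with hypothetical names; not the 389-ds-base structures. */
struct handle;
struct attrinfo { struct handle *ai_handle; };   /* index -> its open handle */
struct handle {
    struct handle *next;
    struct handle **ai_backpointer;  /* address of the owner's ai_handle, or NULL */
};
static struct handle *open_handles;  /* list walked by the close-all pass */

struct attrinfo *index_open(void) {
    struct attrinfo *ai = calloc(1, sizeof *ai);
    struct handle *h = calloc(1, sizeof *h);
    if (ai == NULL || h == NULL) { free(ai); free(h); return NULL; }
    ai->ai_handle = h;
    h->ai_backpointer = &ai->ai_handle;
    h->next = open_handles;
    open_handles = h;
    return ai;
}

/* Index deleted first: detach its handle, or close_all() writes into freed memory. */
void index_delete(struct attrinfo *ai) {
    if (ai->ai_handle != NULL)
        ai->ai_handle->ai_backpointer = NULL;
    free(ai);
}

/* Close every handle; returns how many live owners had their pointer cleared. */
int close_all(void) {
    int cleared = 0;
    while (open_handles != NULL) {
        struct handle *h = open_handles;
        open_handles = h->next;
        if (h->ai_backpointer != NULL) {   /* owner still allocated */
            *h->ai_backpointer = NULL;     /* so index_delete() skips this handle */
            cleared++;
        }
        free(h);
    }
    return cleared;
}

int main(void) {
    struct attrinfo *a = index_open(), *b = index_open();
    if (a == NULL || b == NULL) return 1;
    index_delete(a);                 /* order 1: attrinfo freed before its handle */
    int cleared = close_all();       /* order 2: b's handle freed before b */
    index_delete(b);
    return cleared == 1 ? 0 : 1;
}
```

Building the model with -fsanitize=address and removing either NULL store makes the stale access show up at the point of the write, rather than as a later crash inside the allocator as in the backtrace in the description.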

Comment 4 mreynolds 2016-12-16 19:38:08 UTC
(In reply to Noriko Hosoi from comment #3)
> Hi Mark,
> 
> This is the patch I mentioned in the scrum.  As seen in the ticket 48987, an
> invalid access was reported in the memory checker when a vlv operation
> (actually vlv index deletion) was made.  The patch is small and looks safe. 
> Could you please apply this one as well?

Thank you very much for recalling this one!  It's now pushed.

> 
>     Ticket #48987 - Heap use after free in dblayer_close_indexes
>

Comment 5 Noriko Hosoi 2016-12-16 20:09:27 UTC
(In reply to mreynolds from comment #4)
> Thank you very much for recalling this one!  It's now pushed.
Thanks a lot, Mark!!

Comment 7 Simon Pichugin 2017-01-10 12:39:29 UTC
[0 root@qeos-212 ds]# py.test -v dirsrvtests/tests/tickets/ticket47966_test.py
======================= test session starts =======================
platform linux2 -- Python 2.7.8, pytest-3.0.5, py-1.4.32, pluggy-0.4.0 -- /opt/rh/python27/root/usr/bin/python
cachedir: .cache
DS build: 1.2.11.15 B2017.010.016
389-ds-base: 1.2.11.15-86.el6
nss: 3.27.1-12.el6
nspr: 4.13.1-1.el6
openldap: 2.4.40-16.el6
svrcore: 4.0.4-5.1.el6

rootdir: /mnt/tests/rhds/tests/upstream/ds, inifile:
plugins: html-1.13.0, cov-2.4.0, beakerlib-0.6
collected 1 items

dirsrvtests/tests/tickets/ticket47966_test.py::test_ticket47966 PASSED

==================== 1 passed in 141.75 seconds ====================

Marking as verified.

Comment 11 errata-xmlrpc 2017-03-21 10:24:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2017-0667.html

