Bug 1400422 - Use-after free in resolver in case the fd is writeable and readable at the same time
Summary: Use-after free in resolver in case the fd is writeable and readable at the same time
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: Amith
URL:
Whiteboard:
Duplicates: 1894237 (view as bug list)
Depends On:
Blocks: 1404340
 
Reported: 2016-12-01 08:02 UTC by Jakub Hrozek
Modified: 2020-11-04 11:58 UTC (History)
CC List: 12 users

Fixed In Version: sssd-1.15.0-1.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1404340 (view as bug list)
Environment:
Last Closed: 2017-08-01 09:02:33 UTC
Target Upstream Version:


Attachments
core_backtrace (4.73 KB, text/plain), 2017-05-04 17:08 UTC, Orion Poplawski, no flags


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github SSSD sssd issues | 4283 | 0 | None | closed | Use-after free in resolver in case the fd is writeable and readable at the same time | 2020-11-16 21:14:01 UTC
Red Hat Product Errata | RHEA-2017:2294 | 0 | normal | SHIPPED_LIVE | sssd bug fix and enhancement update | 2017-08-01 12:39:55 UTC

Description Jakub Hrozek 2016-12-01 08:02:45 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/3250

Carl Henrik Holth Lunde found a bug in the SSSD resolver code in the case where the file descriptor we use to integrate c-ares with libtevent is both readable and writable at the same time. In this case we process the request twice, once for TEVENT_FD_WRITE and once for TEVENT_FD_READ. The first callback processing frees the internal watch structure and the second callback invocation accesses invalid memory.

Carl also proposed a patch for this bug himself.
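
Added example, not code from the ticket, from Carl's patch, or from the SSSD tree: a self-contained C model of the event-delivery pattern the description above refers to. The TEVENT_FD_READ/TEVENT_FD_WRITE values are libtevent's real flag values and the single-call shape of the hardened handler follows c-ares' real ares_process_fd(channel, read_fd, write_fd) signature; everything else (struct fd_watch, fake_ares_process_fd, watch_fd, run_handler, the fd number 7) is constructed for the demo. The c-ares stand-in tears the watch down from inside the first processing call, which is the behaviour the description attributes to the first callback; because a genuine dangling read is undefined behaviour, "freeing" here only flips a flag and a guarded accessor counts reads that would have hit freed memory in a real build.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Real libtevent flag values; everything below is a constructed stand-in. */
#define TEVENT_FD_READ  0x0001
#define TEVENT_FD_WRITE 0x0002
#define ARES_SOCKET_BAD (-1)

/* Hypothetical stand-in for the resolver's per-socket watch. Instead of
   really freeing it, "freeing" flips a flag so bad reads can be counted. */
struct fd_watch {
    int fd;
    bool freed;
};

struct demo_stats {
    int process_calls;   /* how many times the c-ares stand-in ran */
    int freed_reads;     /* reads of watch->fd after the watch was freed */
};

/* Guarded access to watch->fd; a real build would just dereference. */
static int watch_fd(const struct fd_watch *w, struct demo_stats *st)
{
    if (w->freed) {
        st->freed_reads++;
        return ARES_SOCKET_BAD;
    }
    return w->fd;
}

/* Stand-in for ares_process_fd(channel, read_fd, write_fd). Processing the
   socket completes the query, and c-ares then reports the socket as done,
   which in the scenario described in the ticket frees the watch from inside
   this call. */
static void fake_ares_process_fd(struct fd_watch *w, struct demo_stats *st,
                                 int read_fd, int write_fd)
{
    (void)read_fd;
    (void)write_fd;
    st->process_calls++;
    w->freed = true;   /* the watch is gone once this returns */
}

/* Buggy shape: one c-ares call per flag, touching the watch again after the
   first call may already have freed it. */
static void fd_handler_buggy(struct fd_watch *w, uint16_t flags,
                             struct demo_stats *st)
{
    if (flags & TEVENT_FD_READ) {
        fake_ares_process_fd(w, st, watch_fd(w, st), ARES_SOCKET_BAD);
    }
    if (flags & TEVENT_FD_WRITE) {
        fake_ares_process_fd(w, st, ARES_SOCKET_BAD, watch_fd(w, st));
    }
}

/* Hardened shape: copy what is needed out of the watch first, then hand both
   readiness states to c-ares in a single call, so nothing dereferences the
   watch after c-ares has had a chance to free it. */
static void fd_handler_fixed(struct fd_watch *w, uint16_t flags,
                             struct demo_stats *st)
{
    int fd = watch_fd(w, st);
    fake_ares_process_fd(w, st,
                         (flags & TEVENT_FD_READ)  ? fd : ARES_SOCKET_BAD,
                         (flags & TEVENT_FD_WRITE) ? fd : ARES_SOCKET_BAD);
}

/* Deliver one tevent-style event with the given flags and report what happened. */
struct demo_stats run_handler(bool fixed, uint16_t flags)
{
    struct fd_watch w = { .fd = 7, .freed = false };   /* constructed watch */
    struct demo_stats st = { 0, 0 };
    if (fixed) {
        fd_handler_fixed(&w, flags, &st);
    } else {
        fd_handler_buggy(&w, flags, &st);
    }
    return st;
}

int main(void)
{
    struct demo_stats s = run_handler(false, TEVENT_FD_READ | TEVENT_FD_WRITE);
    printf("buggy, fd readable+writable: %d c-ares calls, %d reads of freed watch\n",
           s.process_calls, s.freed_reads);
    s = run_handler(true, TEVENT_FD_READ | TEVENT_FD_WRITE);
    printf("fixed, fd readable+writable: %d c-ares call(s), %d reads of freed watch\n",
           s.process_calls, s.freed_reads);
    return 0;
}
```

The point the model makes is that the bug only appears when tevent hands the callback both flags in one invocation: with READ or WRITE alone the buggy handler never re-reads the watch, which is why the crash is intermittent and why the description says there is no reliable reproducer. In a real build the second dereference would be the "Invalid read of size 4" at fd_input_available that valgrind reports for this bug.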

Comment 1 Jakub Hrozek 2016-12-01 08:05:39 UTC
There is no reliable reproducer. For testing, I would recommend running our regression tests for the resolver and the fail over code.

Comment 2 Jakub Hrozek 2016-12-02 10:26:24 UTC
Hi Namita,
could you please qa_ack this bug in Steeve's absence this week? See comment #1 about reproducer.

The customer impact is an intermittent crash in their environment and because we are already planning a 7.3 z-stream update, I would like to include this bug as well.

Thank you!

Comment 3 Jakub Hrozek 2016-12-08 10:58:09 UTC
Fixed upstream:
    master: 9676b464dd428557ff5a648e1351a3972440396f
    sssd-1-14: fefdd70237cbe82af7d8845131e45401e73b3b07
    sssd-1-13: 07959a61f12cd9e60dff6651f4e1ce05c83c4da7

Comment 4 Jakub Hrozek 2016-12-13 14:23:29 UTC
Hi Thorsten, could you please add GSSApproved for this bug? It's a crasher for the customer and a fix is available.

Comment 8 Orion Poplawski 2017-05-04 17:08:11 UTC
Created attachment 1276398 [details]
core_backtrace

Is this the same crash?  Can't find a backtrace in either bug report so hard to tell.

Comment 9 Jakub Hrozek 2017-05-04 19:07:09 UTC
(In reply to Orion Poplawski from comment #8)
> Created attachment 1276398 [details]
> core_backtrace
> 
> Is this the same crash?  Can't find a backtrace in either bug report so hard
> to tell.

No, I'm afraid yours is a different issue, because the backtrace of this bug would be (judging by commit message of its fix):
    Invalid read of size 4
       at fd_input_available (async_resolv.c:147)
       by epoll_event_loop (tevent_epoll.c:728)
       by epoll_event_loop_once (tevent_epoll.c:926)
       by std_event_loop_once (tevent_standard.c:114)
       by _tevent_loop_once (tevent.c:533)
       by tevent_common_loop_wait (tevent.c:637)
       by std_event_loop_wait (tevent_standard.c:140)
       by server_loop (server.c:702)
       by main (data_provider_be.c:587)

Yours goes through sss_ldap_init_send

Comment 10 Lukas Slebodnik 2017-05-05 08:35:50 UTC
Orion,
Please file a new bug.

Comment 11 Amith 2017-05-18 03:21:20 UTC
Verified (sanity only) on SSSD version sssd-1.15.2-29.el7.x86_64.

The automated regression round for the FAILOVER suite, which covers the resolver code as well, was executed successfully on beaker.

See beaker job: https://beaker.engineering.redhat.com/jobs/1860966

Comment 12 errata-xmlrpc 2017-08-01 09:02:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294

Comment 13 Alexey Tikhonov 2020-11-04 11:58:13 UTC
*** Bug 1894237 has been marked as a duplicate of this bug. ***

