Bug 1517968 - heap-use-after-free in slapi_sdn_common_ancestor
Summary: heap-use-after-free in slapi_sdn_common_ancestor
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: 389-ds-base
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: mreynolds
QA Contact: RHDS QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-27 19:00 UTC by Viktor Ashirov
Modified: 2021-01-26 09:47 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-01-08 07:25:44 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Links:
  Github 389ds/389-ds-base issue 2532 (open, last updated 2021-01-26 09:47:25 UTC): heap-use-after-free in slapi_sdn_common_ancestor

Description Viktor Ashirov 2017-11-27 19:00:43 UTC
Description of problem:
=================================================================
==12884== ERROR: AddressSanitizer: heap-use-after-free on address 0x600e0014cb70 at pc 0x7f36c786e615 bp 0x7f3680ed4c70 sp 0x7f3680ed4c60
READ of size 8 at 0x600e0014cb70 thread T35
    #0 0x7f36c786e614 in slapi_sdn_common_ancestor /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2523
    #1 0x7f36c7874937 in dse_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2431
    #2 0x7f36c785f486 in op_shared_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/delete.c:324
    #3 0x7f36c785fa1a in do_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/delete.c:97
    #4 0x55d6ad486e38 in ?? /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:614
    #5 0x7f36c59f7c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
    #6 0x7f36c7eec867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
    #7 0x7f36c5397dd4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308
    #8 0x7f36c4a459bc in __clone /usr/src/debug////////glibc-2.17-c758a686/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113
0x600e0014cb70 is located 64 bytes inside of 72-byte region [0x600e0014cb30,0x600e0014cb78)
freed by thread T35 here:
    #0 0x7f36c7ee8dd9 in __interceptor_free _asan_rtl_
    #1 0x7f36c78576c8 in slapi_ch_free /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/ch_malloc.c:270
    #2 0x7f36c78751e7 in dse_remove_callback /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:321
    #3 0x7f36c7875639 in slapi_config_remove_callback /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2618
    #4 0x7f36bc4b890c in cb_delete_monitor_callback /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/chainingdb/cb_monitor.c:236
    #5 0x7f36bc4b32ec in cb_instance_delete_config_callback /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/chainingdb/cb_instance.c:1759
    #6 0x7f36c786e520 in slapi_sdn_common_ancestor /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2543
    #7 0x7f36c7874937 in dse_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2431
    #8 0x7f36c785f486 in op_shared_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/delete.c:324
    #9 0x7f36c785fa1a in do_delete /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/delete.c:97
    #10 0x55d6ad486e38 in ?? /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:614
    #11 0x7f36c59f7c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
previously allocated by thread T33 here:
    #0 0x7f36c7ee8ff5 in calloc _asan_rtl_
    #1 0x7f36c7857288 in slapi_ch_calloc /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/ch_malloc.c:180
    #2 0x7f36c7874bd2 in dse_register_callback /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:214
    #3 0x7f36c787546a in slapi_config_register_callback_plugin /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2597
    #4 0x7f36c787551d in slapi_config_register_callback /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2567
    #5 0x7f36bc4afb97 in cb_instance_add_monitor_later /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/chainingdb/cb_instance.c:1788
    #6 0x7f36c7888544 in slapd_versatile_strerror /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/eventq.c:278
    #7 0x7f36c59f7c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
Thread T35 created by T0 here:
    #0 0x7f36c7edda0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f36c59f795b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:457
    #2 0x0
Thread T33 created by T0 here:
    #0 0x7f36c7edda0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f36c59f795b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:457
Shadow bytes around the buggy address:
  0x0c0240021910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0240021920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0240021930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0240021940: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c0240021950: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c0240021960: fd fa fa fa fa fa fd fd fd fd fd fd fd fd[fd]fa
  0x0c0240021970: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0240021980: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0240021990: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
  0x0c02400219a0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c02400219b0: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==12884== ABORTING


Version-Release number of selected component (if applicable):
389-ds-base-1.3.7.5-10.el7.x86_64

Problem has occurred in chainingdb test suite in TET.

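The two stacks in the report above tell the story: the 72-byte callback entry is allocated in dse_register_callback (thread T33, from cb_instance_add_monitor_later) and freed in dse_remove_callback via slapi_config_remove_callback, called from cb_delete_monitor_callback while dse_delete is still walking the callback list for the same delete operation (thread T35), which then reads the freed entry at dse.c:2523. The block below is an added example, not 389-ds-base code, that reduces this to a minimal callback registry: one removal routine frees the entry immediately, as the report shows, and a hardened variant defers the free until the walk has finished. So that the defect is observable deterministically rather than as undefined behaviour, "freed" nodes are stamped with a DEAD marker and quarantined instead of being returned to libc. Every type, function and DN in it is hypothetical or constructed.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not 389-ds-base code. A dispatcher walks a callback
 * list; a callback unregisters (frees) its own entry during the walk, so the
 * dispatcher reads ->next from freed memory. node_free() quarantines instead
 * of freeing so the read can be flagged, as ASan did at dse.c:2523. */
#define MAGIC_LIVE 0x4C495645u
#define MAGIC_DEAD 0x44454144u

struct registry;
typedef struct cb_node {
    unsigned magic;
    const char *dn;                 /* config DN the callback watches */
    int (*fn)(struct cb_node *self);
    int removed;                    /* deferred-removal mark (safe path) */
    struct registry *owner;
    struct cb_node *next;
    struct cb_node *quarantine;     /* chain of DEAD nodes, for teardown */
} cb_node;

typedef struct registry {
    cb_node *head, *quarantine;
    int dispatching;                /* > 0 while a dispatch loop runs */
    int uaf_detected;               /* set when a DEAD node is dereferenced */
} registry;

static cb_node *reg_add(registry *r, const char *dn, int (*fn)(cb_node *)) {
    cb_node *n = calloc(1, sizeof *n);
    n->magic = MAGIC_LIVE; n->dn = dn; n->fn = fn; n->owner = r;
    n->next = r->head; r->head = n;
    return n;
}

/* Stand-in for free(): memory stays readable so the bug can be observed. */
static void node_free(registry *r, cb_node *n) {
    n->magic = MAGIC_DEAD;
    n->quarantine = r->quarantine; r->quarantine = n;
}

/* Every ->next read inside a dispatch loop goes through here. */
static cb_node *node_next(registry *r, cb_node *n) {
    if (n->magic != MAGIC_LIVE) r->uaf_detected = 1;   /* the READ ASan flagged */
    return n->next;
}

static void unlink_and_free(registry *r, cb_node *target) {
    for (cb_node **pp = &r->head; *pp; pp = &(*pp)->next)
        if (*pp == target) { *pp = target->next; node_free(r, target); return; }
}

/* Vulnerable: frees at once, even when called from inside a dispatch. */
static void reg_remove_unsafe(registry *r, cb_node *t) { unlink_and_free(r, t); }

/* Hardened: during a dispatch only mark the node; the dispatcher skips marked
 * nodes and frees them after the walk. Works whichever node is removed. */
static void reg_remove_safe(registry *r, cb_node *t) {
    if (r->dispatching) t->removed = 1; else unlink_and_free(r, t);
}

static int dispatch_unsafe(registry *r, const char *dn) {
    int calls = 0;
    for (cb_node *n = r->head; n; n = node_next(r, n))   /* n may be freed by fn */
        if (strcmp(n->dn, dn) == 0) { n->fn(n); calls++; }
    return calls;
}

static int dispatch_safe(registry *r, const char *dn) {
    int calls = 0;
    r->dispatching++;
    for (cb_node *n = r->head; n; n = node_next(r, n))
        if (!n->removed && strcmp(n->dn, dn) == 0) { n->fn(n); calls++; }
    if (--r->dispatching == 0) {                          /* sweep deferred removals */
        for (cb_node **pp = &r->head; *pp; ) {
            if ((*pp)->removed) { cb_node *d = *pp; *pp = d->next; node_free(r, d); }
            else pp = &(*pp)->next;
        }
    }
    return calls;
}

/* Callbacks that unregister themselves when their entry is deleted. */
static int self_remove_unsafe_cb(cb_node *s) { reg_remove_unsafe(s->owner, s); return 0; }
static int self_remove_safe_cb(cb_node *s)   { reg_remove_safe(s->owner, s);   return 0; }
static int noop_cb(cb_node *s) { (void)s; return 0; }

/* One delete against a constructed monitor DN with three registered callbacks.
 * Returns 1 if a use-after-free was observed; *remaining = callbacks left. */
int run_scenario(int use_safe, int *remaining, int *calls) {
    registry r = {0};
    const char *mon = "cn=monitor,cn=example backend,cn=plugins,cn=config"; /* constructed */
    reg_add(&r, "cn=config", noop_cb);
    reg_add(&r, mon, use_safe ? self_remove_safe_cb : self_remove_unsafe_cb);
    reg_add(&r, "cn=config", noop_cb);
    *calls = use_safe ? dispatch_safe(&r, mon) : dispatch_unsafe(&r, mon);
    *remaining = 0;
    for (cb_node *n = r.head; n; n = n->next) (*remaining)++;
    int uaf = r.uaf_detected;
    for (cb_node *n = r.head; n; ) { cb_node *nx = n->next; free(n); n = nx; }
    for (cb_node *n = r.quarantine; n; ) { cb_node *nx = n->quarantine; free(n); n = nx; }
    return uaf;
}

int main(void) {
    int rem, calls;
    printf("unsafe: uaf=%d", run_scenario(0, &rem, &calls)); printf(" calls=%d remaining=%d\n", calls, rem);
    printf("safe:   uaf=%d", run_scenario(1, &rem, &calls)); printf(" calls=%d remaining=%d\n", calls, rem);
    return 0;
}
```

Saving ->next before invoking the callback would cure the self-removal case shown here but not a callback that removes the entry after it, which is why the hardened path defers all removals made while dispatching is non-zero and sweeps once the walk completes. In the real server, where the freed chunk can be reused by another thread (the allocation and free here come from different threads, T33 and T35), the immediate-free variant is the pattern ASan is reporting.
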
Comment 2 wibrown@redhat.com 2017-11-28 14:40:08 UTC
I think this is related to dynamically removing the chaining backend, so I don't think this is a large priority for us ....

Comment 3 wibrown@redhat.com 2017-11-28 15:37:54 UTC
Upstream ticket:
https://pagure.io/389-ds-base/issue/49473

Comment 10 RHEL Program Management 2021-01-08 07:25:44 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.

