Bug 1533458 - AddressSanitizer: heap-buffer-overflow in SetUnicodeStringFromUTF_8 (collate.c:259)
Keywords:
Status: CLOSED DUPLICATE of bug 1540106
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: mreynolds
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-01-11 12:14 UTC by Viktor Ashirov
Modified: 2018-02-08 16:17 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-02-08 16:17:58 UTC
Target Upstream Version:
Embargoed:



Description Viktor Ashirov 2018-01-11 12:14:45 UTC
Description of problem:

On a freshly installed instance of DS built with ASAN:

[root@qeos-46 tests]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com '(description:2.16.840.1.113730.3.3.2.1.1.6:=\*German)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (description:2.16.840.1.113730.3.3.2.1.1.6:=\*German)
# requesting: ALL
#


# numResponses: 0
ldap_result: Can't contact LDAP server (-1)


Server crashes with the following ASAN backtrace:
=================================================================
==12186== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6006008de8bf at pc 0x7f2c9dcc39b8 bp 0x7f2c7b70df00 sp 0x7f2c7b70def0
READ of size 1 at 0x6006008de8bf thread T32
    #0 0x7f2c9dcc39b7 in ?? ldap/servers/plugins/collation/collate.c:259
    #1 0x7f2c9dcca21d in ss_filter_match ldap/servers/plugins/collation/orfilter.c:196
    #2 0x7f2ca4df3e0d in test_ava_filter ldap/servers/slapd/filterentry.c:521
    #3 0x7f2ca4df469a in test_ava_filter ldap/servers/slapd/filterentry.c:879
    #4 0x7f2ca4df6426 in slapi_vattr_filter_test_ext ldap/servers/slapd/filterentry.c:771
    #5 0x7f2c98cc050e in ldbm_back_next_search_entry_ext ldap/servers/slapd/back-ldbm/ldbm_search.c:1669
    #6 0x7f2ca4e4bec2 in iterate ldap/servers/slapd/opshared.c:1221
    #7 0x7f2ca4e4f2f2 in op_shared_search ldap/servers/slapd/opshared.c:811
    #8 0x5625a1eebc52 in do_search /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/search.c:332
    #9 0x5625a1ec50aa in connection_dispatch_operation /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:648
    #10 0x7f2ca2f56c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
    #11 0x7f2ca544c867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
    #12 0x7f2ca28f6dd4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308
    #13 0x7f2ca1fa494c in __clone /usr/src/debug////////glibc-2.17-c758a686/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113
0x6006008de8bf is located 1 bytes to the left of 24-byte region [0x6006008de8c0,0x6006008de8d8)
allocated by thread T32 here:
    #0 0x7f2ca5448ef9 in malloc _asan_rtl_
    #1 0x7f2ca4db6f07 in slapi_ch_malloc ldap/servers/slapd/ch_malloc.c:95
    #2 0x7f2c9dccb320 in ss_filter_keys ldap/servers/plugins/collation/orfilter.c:470
    #3 0x7f2ca4e7f63b in attempt_mr_filter_create ldap/servers/slapd/plugin_mr.c:590
    #4 0x7f2ca4e8059b in plugin_mr_filter_create ldap/servers/slapd/plugin_mr.c:612
    #5 0x7f2ca4deab45 in slapi_filter_dup ldap/servers/slapd/filter.c:699
    #6 0x7f2c98cbd447 in ldbm_back_search ldap/servers/slapd/back-ldbm/ldbm_search.c:891
    #7 0x7f2ca4e4ecfb in op_shared_search ldap/servers/slapd/opshared.c:755
    #8 0x5625a1eebc52 in do_search /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/search.c:332
    #9 0x5625a1ec50aa in connection_dispatch_operation /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:648
    #10 0x7f2ca2f56c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
Thread T32 created by T0 here:
    #0 0x7f2ca543da0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f2ca2f5695b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:457
    #2 0x0
Shadow bytes around the buggy address:
  0x0c0140113cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0140113cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0140113ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0140113cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0140113d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0140113d10: fa fa 00 00 00 00 fa[fa]00 00 00 fa fa fa 00 00
  0x0c0140113d20: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
  0x0c0140113d30: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 06
  0x0c0140113d40: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c0140113d50: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c0140113d60: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==12186== ABORTING


Version-Release number of selected component (if applicable):
389-ds-base-1.3.7.5-11.el7.x86_64

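An added example, not code from 389-ds-base and not posted by the reporter: a hypothetical reconstruction of the defect class the ASAN report above points at. The report shows a READ of size 1 located one byte to the left of a heap region that was allocated while the substring keys were being built (ss_filter_keys), with the read happening later during matching (ss_filter_match -> collate.c). One common way to get exactly that shape is a "look at the previous byte" check for a backslash escape that is executed at the first byte of the buffer. The struct, function names and the leading-wildcard input below are assumptions chosen for illustration; the page does not show the collate.c source, so this demonstrates the bug class and its bounds-safe form, not the actual code at line 259.

```c
/* Added example (not 389-ds-base code): hypothetical reconstruction of a
 * one-byte read before a heap buffer while scanning a substring-filter
 * value, plus the bounds-safe rewrite. All identifiers are illustrative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PIECES 8

struct pieces {
    int n;                      /* number of non-empty pieces found */
    char *piece[MAX_PIECES];    /* heap copies, NUL-terminated, escapes kept */
    int leading_star;           /* value began with an unescaped '*' */
    int trailing_star;          /* value ended with an unescaped '*' */
};

/* Is the '*' at p a literal (backslash-escaped) asterisk?
 * BUGGY: reads p[-1] even when p == start, i.e. the byte just before the
 * allocation. Under ASAN that is a heap-buffer-overflow READ of size 1
 * "1 bytes to the left of" the region, the shape seen in this report. */
static int star_is_escaped_buggy(const char *start, const char *p)
{
    (void)start;
    return p[-1] == '\\';
}

/* FIXED: never look before the start of the buffer. */
static int star_is_escaped(const char *start, const char *p)
{
    return p > start && p[-1] == '\\';
}

static char *dup_range(const char *s, size_t len)
{
    char *copy = malloc(len + 1);
    if (copy) {
        memcpy(copy, s, len);
        copy[len] = '\0';
    }
    return copy;
}

static void pieces_free(struct pieces *r)
{
    for (int i = 0; i < r->n; i++)
        free(r->piece[i]);
    r->n = 0;
}

/* Split value on unescaped '*' into pieces. `escaped` is the predicate used,
 * so the same walker runs with either variant. Returns 0 on success, -1 on
 * allocation failure or too many pieces. Caller frees with pieces_free(). */
static int split_substring(const char *value,
                           int (*escaped)(const char *, const char *),
                           struct pieces *out)
{
    memset(out, 0, sizeof *out);
    const char *seg = value;                 /* start of current piece */
    for (const char *p = value; ; p++) {
        int at_end = (*p == '\0');
        if (!at_end && !(*p == '*' && !escaped(value, p)))
            continue;                        /* ordinary byte, keep scanning */
        if (p == seg) {
            if (p == value)
                out->leading_star = !at_end; /* value starts with a wildcard */
            /* otherwise an empty piece from consecutive stars: ignore */
        } else {
            if (out->n == MAX_PIECES)
                return -1;
            char *copy = dup_range(seg, (size_t)(p - seg));
            if (!copy)
                return -1;
            out->piece[out->n++] = copy;
        }
        if (at_end) {
            out->trailing_star = (p > value && p[-1] == '*' && !escaped(value, p - 1));
            return 0;
        }
        seg = p + 1;
    }
}

int main(int argc, char **argv)
{
    /* Pass any argument to select the buggy predicate; built with
     * -fsanitize=address, the "*German" key then triggers the one-byte
     * read before the heap buffer. Inputs are constructed for this demo. */
    int (*pred)(const char *, const char *) =
        argc > 1 ? star_is_escaped_buggy : star_is_escaped;
    const char *samples[] = { "*German", "\\*German", "Ger*man*" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *key = dup_range(samples[i], strlen(samples[i])); /* heap key */
        struct pieces r;
        if (!key || split_substring(key, pred, &r) != 0) {
            free(key);
            return 1;
        }
        printf("%-10s leading=%d trailing=%d pieces=%d\n",
               samples[i], r.leading_star, r.trailing_star, r.n);
        pieces_free(&r);
        free(key);
    }
    return 0;
}
```

The walker copies each piece as-is, so the escaped asterisk in `\*German` stays in the single piece and is not treated as a wildcard; unescaping is left to a separate step, which is also where a real server would validate the escape sequence. The fix is the `p > start` guard: the scan must never form a pointer before the allocation, and the same guard applies to any "previous byte" check in a tokenizer that runs on a heap-allocated key it did not allocate itself.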
Comment 2 Nathan Kinder 2018-02-08 16:17:58 UTC

*** This bug has been marked as a duplicate of bug 1540106 ***

