1553594 – ldappasswd cause the IPA embedded Directory server to SIGSEGV

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1553594 - ldappasswd cause the IPA embedded Directory server to SIGSEGV

Summary: ldappasswd cause the IPA embedded Directory server to SIGSEGV

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	7.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	IPA Maintainers
QA Contact:	ipa-qe
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-03-09 07:15 UTC by Ming Davies
Modified:	2021-12-10 15:51 UTC (History)
CC List:	11 users (show)
Fixed In Version:	ipa-4.6.4-1.el7
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-10-30 10:57:12 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FREEIPA-7535	0	None	None	None	2021-12-10 15:51:11 UTC
Red Hat Product Errata	RHBA-2018:3187	0	None	None	None	2018-10-30 10:58:18 UTC

Description Ming Davies 2018-03-09 07:15:42 UTC

Description of problem:
ldappasswd cause the IPA embedded Directory server to SIGSEGV when changing a sysaccount user's password. The issue doesn't happen if it was done via ldapmodify.


Version-Release number of selected component (if applicable):
I have managed to reproduce the issue on two different versions of IPA:
Customer's version:
ipa-server-4.4.0-12.el7.x86_64
389-ds-base-libs-1.3.5.10-21.el7_3.x86_64


My test env:
ipa-server-4.5.0-22.el7_4.x86_64
389-ds-base-1.3.6.1-24.el7_4.x86_64


How reproducible:
The issue can be easily reproduced.


Steps to Reproduce:
1. Create a test sysaccount user:
# ldapsearch -x -H ldaps://dell-per510-3.linux.testrealm.local -D "cn=Directory manager" -W -b "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local"
# extended LDIF
#
# LDAPv3
# base <uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# xxxxx, sysaccounts, etc, linux.testrealm.local
dn: uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local
uid: bnpsasle
objectClass: inetUser
objectClass: simpleSecurityObject
objectClass: account
objectClass: top
memberOf: cn=System: Change User password,cn=permissions,cn=pbac,cn=etc,dc=lin
 ux,dc=testrealm,dc=local
userPassword:: e1NTSEF9ZG5lUkdXV3JTeTc2ODJncHdNNGg5NzhQVmZ1cG5Uc1pBaEoyNGc9PQ=
 =

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

2. Attempt to change the user's password as herself/himself via ldapmodify
# ldapmodify -h dell-per510-3.linux.testrealm.local -p 389 -D "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local" -W << EOF
dn: uid=xxxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local
changetype: modify
replace: userpassword
userpassword: @\g/G8U;
EOF

3. "ps -ef |grep ns-slapd" shows that ns-slapd is still listening.

4. Change the ""uid=xxxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local" user's password back to "password" as "cn=Directory manager":
# ldapmodify -D "cn=Directory manager" -W << EOF
dn: uid=xxxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local
changetype: modify
replace: userpassword
userpassword: password
EOF

5. Verify that ns-slapd is still listening.

6. Attempt to change the user's password with ldappasswd:
# ldappasswd -H ldaps://dell-per510-3.linux.testrealm.local -D "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local" -W -a password -s "@\g/G8U;" "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local"
Enter LDAP Password: 
ldap_result: Can't contact LDAP server (-1)


Corresponding /var/log/messages:
Mar  8 22:38:01 dell-per510-3.linux.testrealm.local systemd[1]: dirsrv: main process exited, code=killed, status=11/SEGV
Mar  8 22:38:01 dell-per510-3.linux.testrealm.local systemd[1]: Unit dirsrv entered failed state.
Mar  8 22:38:01 dell-per510-3.linux.testrealm.local systemd[1]: dirsrv failed.


stacktrace
#0  __strlen_sse2_pminub () at ../sysdeps/x86_64/multiarch/strlen-sse2-pminub.S:38
#1  0x00007f697dfcdcb1 in ipapwd_set_extradata (dn=0x7f68fc000f50 "uid=xxxxx,cn=sysaccounts,cn=etc,dc=linux,dc=testrealm,dc=local", principal=0x0, unixtime=1520548630)
    at common.c:966
#2  0x00007f697dfd4c7c in ipapwd_chpwop (krbcfg=0x7f68fc004dd0, pb=0x7f695aff4a90) at ipa_pwd_extop.c:589
#3  ipapwd_extop (pb=0x7f695aff4a90) at ipa_pwd_extop.c:1761
#4  0x00007f698bcd2ed4 in do_extended (pb=pb@entry=0x7f695aff4a90) at ldap/servers/slapd/extendop.c:354
#5  0x00007f698bccbada in connection_dispatch_operation (pb=0x7f695aff4a90, op=0x7f698cb0f710, conn=0x7f69740be710) at ldap/servers/slapd/connection.c:680
#6  connection_threadmain () at ldap/servers/slapd/connection.c:1759
#7  0x00007f69899c19bb in _pt_root (arg=0x7f698ca59260) at ../../../nspr/pr/src/pthreads/ptthread.c:216
#8  0x00007f6989361dc5 in start_thread (arg=0x7f695aff5700) at pthread_create.c:308
#9  0x00007f698909073d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113


Actual results:
ldappasswd cause the IPA embedded Directory server to SIGSEGV

Expected results:
ldappasswd  should not cause the IPA embedded Directory server to SIGSEGV

Additional info:

Comment 3 mreynolds 2018-03-12 14:44:04 UTC

I'm not sure this a DS problem as it's crashing in an IPA plugin when checking the str length of a NULL pointer:


daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c

    592     if (pwdata.changetype == IPA_CHANGETYPE_NORMAL) {
    593         principal = slapi_entry_attr_get_charptr(pwdata.target,
    594                                                  "krbPrincipalName");
    595     } else {
    596         principal = slapi_ch_smprintf("root/admin@%s", krbcfg->realm);
    597     }
    598     ipapwd_set_extradata(pwdata.dn, principal, pwdata.timeNow);

"principle" is NULL, as the pwdata.target does not have the attribute "krbPrincipalName".  I don't see how DS or ldappasswd is at fault here, but I could easily be missing something.

Comment 4 Rob Crittenden 2018-03-12 14:48:26 UTC

Sorry, you're right. I read the stack too quickly, moving back to ipa.

Comment 5 Ming Davies 2018-04-03 16:27:30 UTC

Hi,

Any updates please?

Thanks and regards,
Ming

Comment 6 Rob Crittenden 2018-04-03 18:47:15 UTC

Mark has it right. The IPA password plugin isn't taking into consideration changing the password of a system account (which doesn't have Kerberos attributes) .

Comment 8 Rob Crittenden 2018-05-23 20:22:19 UTC

Upstream ticket:
https://pagure.io/freeipa/issue/7561

Comment 9 Florence Blanc-Renaud 2018-05-29 06:55:16 UTC

Fixed upstream
master:
https://pagure.io/freeipa/c/45d776a7bf05f3495dee078c7dd58ed0db13f64a
https://pagure.io/freeipa/c/7c5ecb8d08827a60f77eda0911a6b39db5badf82

ipa-4-5:
https://pagure.io/freeipa/c/4065b9978d6da5dc950ed2f1ac27e35c36195162


ipa-4-6:
https://pagure.io/freeipa/c/92595cc36b89c06b419299d923e630fb94b4d42a

Comment 11 Rob Crittenden 2018-06-29 14:33:53 UTC

Backported test to ipa-4-6:
https://pagure.io/freeipa/c/6652eb088e87cd3f74bd58be3ccda89ec0a46664

Comment 13 Mohammad Rizwan 2018-08-24 07:24:52 UTC

version:
ipa-server-4.6.4-6.el7.x86_64
389-ds-base-1.3.8.4-11.el7.x86_64
openldap-2.4.44-18.el7.x86_64

Steps:

Execute upstream test_commands testsuite:

IPATEST_YAML_CONFIG=/root/mh_cfg.yaml ipa-run-tests -v -r a --with-xunit test_integration/test_commands.py::TestIPACommand::test_change_sysaccount_password_issue7561 --logging-level=DEBUG


Actual result:

[..]
[ipatests.pytest_plugins.integration.host.Host.master.cmd47] RUN ['cat', '/root/ipatests/backup_hostname']
[ipatests.pytest_plugins.integration.host.Host.master.cmd47] Exit code: 0
[ipatests.pytest_plugins.integration.host.Host.master.OpenSSHTransport] RUN ['hostname', u'master.testrelm.test']
[ipatests.pytest_plugins.integration.host.Host.master.cmd48] RUN ['hostname', u'master.testrelm.test']
[ipatests.pytest_plugins.integration.host.Host.master.cmd48] Exit code: 0
[ipatests.pytest_plugins.integration.host.Host.master.OpenSSHTransport] RUN ['rm', '/root/ipatests/backup_hostname']
[ipatests.pytest_plugins.integration.host.Host.master.cmd49] RUN ['rm', '/root/ipatests/backup_hostname']
[ipatests.pytest_plugins.integration.host.Host.master.cmd49] Exit code: 0
[ipatests.pytest_plugins.integration.host.Host.master.OpenSSHTransport] RUN ['kdestroy', '-A']
[ipatests.pytest_plugins.integration.host.Host.master.cmd50] RUN ['kdestroy', '-A']
[ipatests.pytest_plugins.integration.host.Host.master.cmd50] Exit code: 0
[ipatests.pytest_plugins.integration.host.Host.master.OpenSSHTransport] RUN ['rm', '-rvf', '/root/ipatests']
[ipatests.pytest_plugins.integration.host.Host.master.cmd51] RUN ['rm', '-rvf', '/root/ipatests']
[ipatests.pytest_plugins.integration.host.Host.master.cmd51] removed ‘/root/ipatests/env.sh’
[ipatests.pytest_plugins.integration.host.Host.master.cmd51] removed directory: ‘/root/ipatests’
[ipatests.pytest_plugins.integration.host.Host.master.cmd51] Exit code: 0


------------------------------------------- generated xml file: /root/nosetests.xml -------------------------------------------
================================================= 1 passed in 442.83 seconds ==================================================

Full console logs provided.

Based on above observations, marking the bug as verified.

Comment 16 errata-xmlrpc 2018-10-30 10:57:12 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187

Note You need to log in before you can comment on or make changes to this bug.