Red Hat Bugzilla – Bug 1570527
memory management issue in the sssd_nss_ex interface can cause the ns-slapd process on IPA server to crash [rhel-7.5.z]
Last modified: 2018-07-30 09:54:56 EDT
This bug has been copied from bug #1566782 and has been proposed to be backported to 7.5 z-stream (EUS).
1. Reproducing the issue:

Versions
========
sssd-1.16.0-19.el7.x86_64
libsss_nss_idmap-1.16.0-19.el7.x86_64

1. Configure sssd.conf to use ldap provider with 389-ds-base configured as ldap server

[sssd]
domains = EXAMPLE.TEST
config_file_version = 2
services = nss, pam, ifp

[domain/EXAMPLE.TEST]
enumerate = false
id_provider = ldap
ldap_uri = ldap://host-8-242-110.host.centralci.eng.rdu2.redhat.com
ldap_search_base = dc=example,dc=test
ldap_tls_cacert = /etc/openldap/cacerts/cacert.pem
auth_provider = krb5
krb5_server = host-8-242-110.host.centralci.eng.rdu2.redhat.com
krb5_kpasswd = host-8-242-110.host.centralci.eng.rdu2.redhat.com
krb5_realm = EXAMPLE.TEST
debug_level = 9
cache_credentials = True
krb5_store_password_if_offline = True

[nss]
debug_level = 9

[pam]
debug_level = 9
offline_credentials_expiration = 0

[secrets]
debug_level = 9

[kcm]
debug_level = 9

2. Add user foo0 in ldap who is a member of more than 10 groups

[root@host-8-242-110 opt]# id foo0
uid=14583100(foo0) gid=14564100(ldap_group0) groups=14564100(ldap_group0),24564106(group7),24564107(group8),24564108(group9),24564105(group6),24564109(group10),24564112(group13),24564116(group17),24564118(group19),24564100(group1),24564102(group3),24564103(group4),24564110(group11),24564114(group15),24564117(group18),24564119(group20),24564101(group2),24564104(group5),24564111(group12),24564113(group14),24564115(group16)

3. Download the program as specified in https://bugzilla.redhat.com/show_bug.cgi?id=1566782#c37

4. gcc test.c -lsss_nss_idmap -o test

5. Run valgrind as shown below

valgrind ./test foo0

valgrind shows leaks as shown below:

[root@host-8-242-110 opt]# valgrind ./test foo1
==2039== Memcheck, a memory error detector
==2039== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2039== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==2039== Command: ./test foo1
==2039==
foo1: sss_nss_getgrouplist_ex 2: No such file or directory
==2039==
==2039== HEAP SUMMARY:
==2039==     in use at exit: 0 bytes in 0 blocks
==2039==   total heap usage: 6 allocs, 6 frees, 192 bytes allocated
==2039==
==2039== All heap blocks were freed -- no leaks are possible
==2039==
==2039== For counts of detected and suppressed errors, rerun with: -v
==2039== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

[root@host-8-242-110 opt]# valgrind ./test foo0
==2044== Memcheck, a memory error detector
==2044== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2044== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==2044== Command: ./test foo0
==2044==
==2044== Invalid read of size 8
==2044==    at 0x4C2E060: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1022)
==2044==    by 0x4E38E61: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x400671: main (in /opt/test)
==2044==  Address 0x582d090 is 0 bytes inside a block of size 40 free'd
==2044==    at 0x4C2BB58: realloc (vg_replace_malloc.c:785)
==2044==    by 0x4E3C531: ??? (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x4E38651: ??? (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x4E387DA: ??? (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x4E38E1C: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x400671: main (in /opt/test)
==2044==  Block was alloc'd at
==2044==    at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
==2044==    by 0x4E38DE4: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x400671: main (in /opt/test)
==2044==
==2044== Invalid read of size 8
==2044==    at 0x4C2E06E: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1022)
==2044==    by 0x4E38E61: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x400671: main (in /opt/test)
==2044==  Address 0x582d0a0 is 16 bytes inside a block of size 40 free'd
==2044==    at 0x4C2BB58: realloc (vg_replace_malloc.c:785)
==2044==    by 0x4E3C531: ??? (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x4E38651: ??? (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x4E387DA: ??? (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x4E38E1C: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x400671: main (in /opt/test)
==2044==  Block was alloc'd at
==2044==    at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
==2044==    by 0x4E38DE4: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x400671: main (in /opt/test)
==2044==
==2044== Invalid free() / delete / delete[] / realloc()
==2044==    at 0x4C2ACBD: free (vg_replace_malloc.c:530)
==2044==    by 0x4E38E6E: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x400671: main (in /opt/test)
==2044==  Address 0x582d090 is 0 bytes inside a block of size 40 free'd
==2044==    at 0x4C2BB58: realloc (vg_replace_malloc.c:785)
==2044==    by 0x4E3C531: ??? (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x4E38651: ??? (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x4E387DA: ??? (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x4E38E1C: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x400671: main (in /opt/test)
==2044==  Block was alloc'd at
==2044==    at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
==2044==    by 0x4E38DE4: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==2044==    by 0x400671: main (in /opt/test)
==2044==
foo0: 10 112233 0 0 0 0 0 0 0 0 0
==2044==
==2044== HEAP SUMMARY:
==2044==     in use at exit: 40 bytes in 1 blocks
==2044==   total heap usage: 6 allocs, 6 frees, 383 bytes allocated
==2044==
==2044== LEAK SUMMARY:
==2044==    definitely lost: 40 bytes in 1 blocks
==2044==    indirectly lost: 0 bytes in 0 blocks
==2044==      possibly lost: 0 bytes in 0 blocks
==2044==    still reachable: 0 bytes in 0 blocks
==2044==         suppressed: 0 bytes in 0 blocks
==2044== Rerun with --leak-check=full to see details of leaked memory
==2044==
==2044== For counts of detected and suppressed errors, rerun with: -v
==2044== ERROR SUMMARY: 6 errors from 3 contexts (suppressed: 0 from 0)

Verify that the updated sssd and libsss_nss_idmap fix the leaks.

Update to sssd-1.16.0-19.el7_5.5.x86_64 and libsss_nss_idmap-1.16.0-19.el7_5.5.x86_64

Run the valgrind program again, and no leaks should be shown.

[root@host-8-242-110 opt]# valgrind ./test foo0
==3819== Memcheck, a memory error detector
==3819== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==3819== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==3819== Command: ./test foo0
==3819==
foo0: sss_nss_getgrouplist_ex 34: Numerical result out of range
==3819==
==3819== HEAP SUMMARY:
==3819==     in use at exit: 0 bytes in 0 blocks
==3819==   total heap usage: 6 allocs, 6 frees, 463 bytes allocated
==3819==
==3819== All heap blocks were freed -- no leaks are possible
==3819==
==3819== For counts of detected and suppressed errors, rerun with: -v
==3819== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Here are the observations.

1. Able to observe the errors with sssd-1.16.0-19.el7.x86_64 and ipa-server-4.5.4-10.el7.x86_64

[root@master ~]# sss_cache -E
No cache object matched the specified search
[root@master ~]# valgrind ./test ipauser1
==16598== Memcheck, a memory error detector
==16598== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==16598== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==16598== Command: ./test ipauser1
==16598==
==16598== Invalid read of size 8
==16598==    at 0x4C2E060: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1022)
==16598==    by 0x4E38E61: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==16598==    by 0x400671: main (in /root/test)
==16598==  Address 0x582d090 is 0 bytes inside a block of size 40 free'd
==16598==    at 0x4C2BB58: realloc (vg_replace_malloc.c:785)
==16598==    by 0x4E3899A: ??? (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==16598==    by 0x4E38E1C: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==16598==    by 0x400671: main (in /root/test)
==16598==  Block was alloc'd at
==16598==    at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
==16598==    by 0x4E38DE4: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==16598==    by 0x400671: main (in /root/test)
==16598==
==16598== Invalid read of size 8
==16598==    at 0x4C2E06E: memcpy@@GLIBC_2.14 (vg_replace_strmem.c:1022)
==16598==    by 0x4E38E61: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==16598==    by 0x400671: main (in /root/test)
==16598==  Address 0x582d0a0 is 16 bytes inside a block of size 40 free'd
==16598==    at 0x4C2BB58: realloc (vg_replace_malloc.c:785)
==16598==    by 0x4E3899A: ??? (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==16598==    by 0x4E38E1C: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==16598==    by 0x400671: main (in /root/test)
==16598==  Block was alloc'd at
==16598==    at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
==16598==    by 0x4E38DE4: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==16598==    by 0x400671: main (in /root/test)
==16598==
==16598== Invalid free() / delete / delete[] / realloc()
==16598==    at 0x4C2ACBD: free (vg_replace_malloc.c:530)
==16598==    by 0x4E38E6E: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==16598==    by 0x400671: main (in /root/test)
==16598==  Address 0x582d090 is 0 bytes inside a block of size 40 free'd
==16598==    at 0x4C2BB58: realloc (vg_replace_malloc.c:785)
==16598==    by 0x4E3899A: ??? (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==16598==    by 0x4E38E1C: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==16598==    by 0x400671: main (in /root/test)
==16598==  Block was alloc'd at
==16598==    at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
==16598==    by 0x4E38DE4: sss_nss_getgrouplist_timeout (in /usr/lib64/libsss_nss_idmap.so.0.4.0)
==16598==    by 0x400671: main (in /root/test)
==16598==
ipauser1: sss_nss_getgrouplist_ex 34: Numerical result out of range
==16598==
==16598== HEAP SUMMARY:
==16598==     in use at exit: 56 bytes in 1 blocks
==16598==   total heap usage: 7 allocs, 7 frees, 308 bytes allocated
==16598==
==16598== LEAK SUMMARY:
==16598==    definitely lost: 56 bytes in 1 blocks
==16598==    indirectly lost: 0 bytes in 0 blocks
==16598==      possibly lost: 0 bytes in 0 blocks
==16598==    still reachable: 0 bytes in 0 blocks
==16598==         suppressed: 0 bytes in 0 blocks
==16598== Rerun with --leak-check=full to see details of leaked memory
==16598==
==16598== For counts of detected and suppressed errors, rerun with: -v
==16598== ERROR SUMMARY: 6 errors from 3 contexts (suppressed: 0 from 0)

2. With the latest version of sssd the fix is seen.

[root@master ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.5 (Maipo)
[root@master ~]# rpm -q ipa-server sssd
ipa-server-4.5.4-10.el7_5.2.x86_64
sssd-1.16.0-19.el7_5.5.x86_64

ipauser1 is a member of more than 10 local ipa groups

[root@master ~]# id ipauser1
uid=687800001(ipauser1) gid=687800001(ipauser1) groups=687800001(ipauser1),687800004(group3),687800003(group2),687800005(group4),687800007(group1),687800009(group7),687800006(group5),687800008(group6),687800011(group9),687800012(group10),687800002(editors),687800010(group8),687800013(group11)

[root@master ~]# valgrind ./test ipauser1
==16657== Memcheck, a memory error detector
==16657== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==16657== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==16657== Command: ./test ipauser1
==16657==
ipauser1: sss_nss_getgrouplist_ex 34: Numerical result out of range
==16657==
==16657== HEAP SUMMARY:
==16657==     in use at exit: 0 bytes in 0 blocks
==16657==   total heap usage: 6 allocs, 6 frees, 411 bytes allocated
==16657==
==16657== All heap blocks were freed -- no leaks are possible
==16657==
==16657== For counts of detected and suppressed errors, rerun with: -v
==16657== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
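The valgrind reports in the two verification comments above all have the same shape: the entry point malloc's a 40-byte block (ten 4-byte group IDs), a helper reached from it calls realloc on that block, and the entry point then memcpy's from and free's the original pointer, which realloc has already released. With the updated packages the same call reports error 34 (ERANGE) for a user in more than ten groups and valgrind is clean. The following C program is an added example written for this page; it is not sssd's source and not the test.c from bug 1566782. It reconstructs that stale-pointer-after-realloc shape in getgrouplist_buggy, puts the ERANGE-returning contract beside it in getgrouplist_fixed, and shows the caller-side retry loop that grows its own buffer (the caller behaviour is an assumption about how such an interface should be used, not something the bug states about test.c). The user names, group IDs and function names are constructed for the illustration.

```c
/* Added example, not sssd's code or the test.c referenced above. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sample_user { const char *name; int ngroups; unsigned int gids[16]; };

/* Constructed data: "alice" is in 12 groups, more than the 10-slot buffer. */
static const struct sample_user USERS[] = {
    { "alice", 12, { 14564100, 24564100, 24564101, 24564102, 24564103, 24564104,
                     24564105, 24564106, 24564107, 24564108, 24564109, 24564110 } },
    { "bob", 2, { 14564101, 24564100 } },
};

static const struct sample_user *find_user(const char *name)
{
    for (size_t i = 0; i < sizeof(USERS) / sizeof(USERS[0]); i++)
        if (strcmp(USERS[i].name, name) == 0)
            return &USERS[i];
    return NULL;
}

/* BUGGY shape: the helper grows the buffer it was handed, so realloc() frees the
 * caller's block and the replacement pointer never reaches the caller.
 * Run this path only under valgrind; it reads freed memory and double-frees. */
static int helper_fill_growing(unsigned int *buf, int cap, const struct sample_user *u)
{
    if (u->ngroups > cap && (buf = realloc(buf, (size_t)u->ngroups * sizeof(*buf))) == NULL)
        return ENOMEM;                               /* realloc freed the caller's block */
    memcpy(buf, u->gids, (size_t)u->ngroups * sizeof(*buf));
    return 0;                                        /* the grown block leaks here */
}

static int getgrouplist_buggy(const char *name, unsigned int *groups, int *ngroups)
{
    const struct sample_user *u = find_user(name);
    if (u == NULL) return ENOENT;
    unsigned int *tmp = malloc((size_t)*ngroups * sizeof(*tmp));       /* the 40-byte block */
    if (tmp == NULL) return ENOMEM;
    int ret = helper_fill_growing(tmp, *ngroups, u);
    if (ret == 0) memcpy(groups, tmp, (size_t)*ngroups * sizeof(*tmp)); /* "Invalid read" */
    free(tmp);                                                          /* "Invalid free()" */
    return ret;
}

/* FIXED contract: never reallocate the caller's buffer. If the result does not
 * fit, report the size needed and return ERANGE (34), as the fixed runs above print. */
static int getgrouplist_fixed(const char *name, unsigned int *groups, int *ngroups)
{
    const struct sample_user *u = find_user(name);
    if (u == NULL) return ENOENT;
    if (*ngroups < u->ngroups) {
        *ngroups = u->ngroups;          /* tell the caller how much room it needs */
        return ERANGE;
    }
    memcpy(groups, u->gids, (size_t)u->ngroups * sizeof(*groups));
    *ngroups = u->ngroups;
    return 0;
}

/* Caller side: own the buffer, grow it on ERANGE, keep only the new pointer.
 * On success *out is malloc'd and owned by the caller. */
static int fetch_groups(const char *name, unsigned int **out, int *count)
{
    int cap = 10, n, ret;
    unsigned int *buf = malloc((size_t)cap * sizeof(*buf));
    if (buf == NULL) return ENOMEM;
    while ((n = cap, ret = getgrouplist_fixed(name, buf, &n)) == ERANGE) {
        unsigned int *bigger = realloc(buf, (size_t)n * sizeof(*buf));
        if (bigger == NULL) { ret = ENOMEM; break; }  /* failed realloc leaves buf valid */
        buf = bigger;                                 /* the old pointer is now dead */
        cap = n;
    }
    if (ret != 0) { free(buf); return ret; }
    *out = buf;
    *count = n;
    return 0;
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "alice";
    unsigned int *groups = NULL, fixed10[10];
    int count = 0, n = 10, ret;
    if (argc > 2 && strcmp(argv[2], "buggy") == 0)      /* valgrind ./a.out alice buggy */
        ret = getgrouplist_buggy(name, fixed10, &n);
    else if ((ret = fetch_groups(name, &groups, &count)) == 0) {
        printf("%s: %d groups:", name, count);
        for (int i = 0; i < count; i++) printf(" %u", groups[i]);
        printf("\n");
        free(groups);
        return 0;
    }
    printf("%s: %d: %s\n", name, ret, strerror(ret));
    return ret != 0;
}
```

Build with `gcc -g -O0 example.c -o example`. `./example alice` takes the fixed path and lists all twelve groups; `valgrind ./example alice buggy` reproduces the three report types above (two invalid reads in memcpy, one invalid free, plus a leaked block), while `valgrind ./example alice` is clean. The point of the fixed contract is the same one the updated libsss_nss_idmap exhibits: a library that is handed a caller's buffer must either fill it or refuse with ERANGE, never replace it behind the caller's back.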
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:1986