Bug 1582598 - Reference counting bug in python-ldap causes segfault
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: python-ldap
Version: 28
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: John (J5) Palmieri
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1582600 1582786
Reported: 2018-05-25 17:16 UTC by Christian Heimes
Modified: 2018-05-27 19:32 UTC (History)

Fixed In Version: python-ldap-3.1.0-1.fc28
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1582600 1582786 (view as bug list)
Environment:
Last Closed: 2018-05-27 19:32:17 UTC
Type: Bug
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Fedora Pagure freeipa issue 7324 0 None None None 2018-05-25 17:16:37 UTC
Github /python-ldap python-ldap issues 218 0 None None None 2018-05-25 17:16:06 UTC

Description Christian Heimes 2018-05-25 17:16:06 UTC
Description of problem:
python-ldap has a reference counting bug that causes a reproducible segfault in FreeIPA.

It is only triggered when an LDAP server returns multiple attribute entries with the same name. An LDAP result contains a sequence of attributes, each item has an attribute name entry and a sequence of values. python-ldap code has extra code to handle a sequence with more than one attribute with the same name. However the code for this special case was both buggy and never triggered in any test case.

When python-ldap iterates over the attributes, it checks if an attribute name is already in the result dict. That was never the case before. In this special case, ipaAllowedToPerform;write_keys was already in the dict. The code retrieves the result list with PyDict_GetItem and later decreases the reference counter of the list. But that is wrong. PyDict_GetItem returns a borrowed reference, not a new reference. The ref count of the list dropped to zero and a broken object was returned to Python space. Later on, when the object was accessed and the memory location had been modified in the meantime, the interpreter crashed with a segfault.

Version-Release number of selected component (if applicable):
all versions before 3.1.0

How reproducible:
always with FreeIPA

Steps to Reproduce:
1. ipa host-allow-create-keytab $(hostname) --users=admin
2. repeat "ipa host-show $(hostname) --all" multiple times

Actual results:
segfault in HTTPD error log

Expected results:
No segfault

Comment 1 Christian Heimes 2018-05-25 17:17:42 UTC
Fixed in release 3.1.0 by commit https://github.com/python-ldap/python-ldap/commit/77e934e88766002e77462d541b6e9c9599c7d410

Comment 2 Christian Heimes 2018-05-25 17:24:57 UTC
Neither F27 nor RHEL are affected. The bug was introduced when python-ldap was ported to Python 3, see commit https://github.com/python-ldap/python-ldap/commit/fa35757fa2a425784676a91909b8f721cf13c095#diff-7edf3a425345c27675d056757a6a04c3R103

PyMapping_GetItemString() returns a new reference, PyDict_GetItem() a borrowed reference.
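
The borrowed-versus-new distinction described above, as an added example that is not part of the original bug thread and is not python-ldap's code. It is a small self-contained C model of reference counting that does not use the CPython API (`List`, `Dict`, `merge_attrs` and the helper names are hypothetical); "freed" objects are only flagged, so the dangling state can be inspected safely.

```c
#include <stdio.h>
#include <string.h>

/* Minimal refcount model, NOT the CPython API. Objects come from a static
   pool and are only flagged as freed, never actually released. */
typedef struct { int refcnt, freed; } List;
typedef struct { const char *name; List *values; } Slot;
typedef struct { Slot slots[8]; int used; } Dict;
static List pool[8];
static int pool_used;

static List *list_new(void) {            /* caller owns one reference */
    List *l = &pool[pool_used++];
    l->refcnt = 1; l->freed = 0;
    return l;
}
static void incref(List *l) { l->refcnt++; }
static void decref(List *l) { if (--l->refcnt == 0) l->freed = 1; }

/* Modelled on PyDict_GetItem: borrowed reference, count unchanged. */
static List *dict_get_borrowed(const Dict *d, const char *name) {
    for (int i = 0; i < d->used; i++)
        if (strcmp(d->slots[i].name, name) == 0) return d->slots[i].values;
    return NULL;
}
/* Modelled on PyMapping_GetItemString: new reference, caller must decref. */
static List *mapping_get_new(const Dict *d, const char *name) {
    List *l = dict_get_borrowed(d, name);
    if (l) incref(l);
    return l;
}

/* Merge attribute names into a dict of value lists. Returns 1 if the dict
   ends up holding a freed list, 0 if not, -1 if n exceeds the pool size. */
int merge_attrs(const char **names, int n, int borrowed_lookup) {
    Dict d = {0};
    if (n > 8) return -1;
    pool_used = 0;
    for (int i = 0; i < n; i++) {
        List *l = borrowed_lookup ? dict_get_borrowed(&d, names[i])
                                  : mapping_get_new(&d, names[i]);
        if (l == NULL) {                 /* first time this name is seen */
            l = list_new();
            incref(l);                   /* the dict takes its own reference */
            d.slots[d.used].name = names[i];
            d.slots[d.used++].values = l;
        }
        decref(l);  /* right for an owned reference, wrong for a borrowed one */
    }
    for (int i = 0; i < d.used; i++)
        if (d.slots[i].values->freed) return 1;
    return 0;
}
```

With unique attribute names the borrowed lookup never returns a list, so the stray decrement only fires once a name repeats, which is why the defect stayed hidden until a server returned duplicates.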

Comment 3 Fedora Update System 2018-05-25 18:04:44 UTC
python-ldap-3.1.0-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-196e3ee42f

Comment 4 Fedora Update System 2018-05-26 23:30:54 UTC
python-ldap-3.1.0-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-196e3ee42f

Comment 5 Fedora Update System 2018-05-27 19:32:17 UTC
python-ldap-3.1.0-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
