1843838 – heap-use-after-free in slapi_be_getsuffix

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1843838 - heap-use-after-free in slapi_be_getsuffix

Summary: heap-use-after-free in slapi_be_getsuffix

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	389-ds-base
Sub Component:
Version:	---
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	8.0
Assignee:	mreynolds
QA Contact:	RHDS QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2020-06-04 09:26 UTC by sgouvern
Modified:	2021-05-18 15:45 UTC (History)
CC List:	4 users (show)
Fixed In Version:	389-ds-1.4-8040020201216214810.866effaa
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-05-18 15:45:16 UTC
Type:	Bug
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description sgouvern 2020-06-04 09:26:39 UTC

Description of problem:
ASAN report :

=================================================================
==278094==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000230850 at pc 0x7f3b5b63f580 bp 0x7ffd71325a60 sp 0x7ffd71325a50
READ of size 4 at 0x611000230850 thread T0
    #0 0x7f3b5b63f57f in slapi_be_getsuffix (/usr/lib64/dirsrv/libslapd.so.0+0xd657f)
    #1 0x7f3b4b5f60cb in ldbm_instance_search_config_entry_callback ldap/servers/slapd/back-ldbm/ldbm_instance_config.c:759
    #2 0x7f3b5b6658c9  (/usr/lib64/dirsrv/libslapd.so.0+0xfc8c9)
    #3 0x7f3b5b665b04  (/usr/lib64/dirsrv/libslapd.so.0+0xfcb04)
    #4 0x7f3b5b7cf3f3  (/usr/lib64/dirsrv/libslapd.so.0+0x2663f3)
    #5 0x7f3b5b7cf3d3  (/usr/lib64/dirsrv/libslapd.so.0+0x2663d3)
    #6 0x7f3b5b7cf3d3  (/usr/lib64/dirsrv/libslapd.so.0+0x2663d3)
    #7 0x7f3b5b664e81  (/usr/lib64/dirsrv/libslapd.so.0+0xfbe81)
    #8 0x7f3b5b66c6ff in dse_modify (/usr/lib64/dirsrv/libslapd.so.0+0x1036ff)
    #9 0x7f3b5b6e9973  (/usr/lib64/dirsrv/libslapd.so.0+0x180973)
    #10 0x7f3b5b6ebf58  (/usr/lib64/dirsrv/libslapd.so.0+0x182f58)
    #11 0x7f3b5b6ee25b in slapi_modify_internal (/usr/lib64/dirsrv/libslapd.so.0+0x18525b)
    #12 0x7f3b5b7ba70c  (/usr/lib64/dirsrv/libslapd.so.0+0x25170c)
    #13 0x7f3b5b7ba99f in uuid_cleanup (/usr/lib64/dirsrv/libslapd.so.0+0x25199f)
    #14 0x55e3388b535e in slapd_daemon ldap/servers/slapd/daemon.c:1212
    #15 0x55e338891af2 in main (/usr/sbin/ns-slapd+0x30af2)
    #16 0x7f3b57f877b2 in __libc_start_main (/lib64/libc.so.6+0x237b2)
    #17 0x55e338893ced in _start (/usr/sbin/ns-slapd+0x32ced)

0x611000230850 is located 144 bytes inside of 208-byte region [0x6110002307c0,0x611000230890)
freed by thread T33 here:
    #0 0x7f3b5bbd07e0 in __interceptor_free (/lib64/libasan.so.5+0xef7e0)
    #1 0x7f3b5b64643c in slapi_ch_free (/usr/lib64/dirsrv/libslapd.so.0+0xdd43c)
    #2 0x7f3b5b641d2f in slapi_be_free (/usr/lib64/dirsrv/libslapd.so.0+0xd8d2f)
    #3 0x55e3388aee17 in disk_monitoring_thread ldap/servers/slapd/daemon.c:712
    #4 0x7f3b58f31567  (/lib64/libnspr4.so+0x2b567)

previously allocated by thread T0 here:
    #0 0x7f3b5bbd0db0 in calloc (/lib64/libasan.so.5+0xefdb0)
    #1 0x7f3b5b646035 in slapi_ch_calloc (/usr/lib64/dirsrv/libslapd.so.0+0xdd035)
    #2 0x7f3b5b641993 in slapi_be_new (/usr/lib64/dirsrv/libslapd.so.0+0xd8993)
    #3 0x7f3b4b5f9126 in ldbm_instance_generate ldap/servers/slapd/back-ldbm/ldbm_instance_config.c:889
    #4 0x7f3b4b5f9862 in ldbm_instance_add_instance_entry_callback ldap/servers/slapd/back-ldbm/ldbm_instance_config.c:1108
    #5 0x7f3b4b5d15d7 in ldbm_config_read_instance_entries ldap/servers/slapd/back-ldbm/ldbm_config.c:1005
    #6 0x7f3b4b5d4d9e in ldbm_config_load_dse_info ldap/servers/slapd/back-ldbm/ldbm_config.c:1096
    #7 0x7f3b4b58360b in dblayer_setup ldap/servers/slapd/back-ldbm/dblayer.c:275
    #8 0x7f3b4b627ba9 in ldbm_back_start ldap/servers/slapd/back-ldbm/start.c:46
    #9 0x7f3b5b726993  (/usr/lib64/dirsrv/libslapd.so.0+0x1bd993)
    #10 0x7f3b5b72d573 in plugin_startall (/usr/lib64/dirsrv/libslapd.so.0+0x1c4573)
    #11 0x55e3388919c0 in main (/usr/sbin/ns-slapd+0x309c0)
    #12 0x7f3b57f877b2 in __libc_start_main (/lib64/libc.so.6+0x237b2)

Thread T33 created by T0 here:
    #0 0x7f3b5bb33ea3 in __interceptor_pthread_create (/lib64/libasan.so.5+0x52ea3)
    #1 0x7f3b58f3123e  (/lib64/libnspr4.so+0x2b23e)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib64/dirsrv/libslapd.so.0+0xd657f) in slapi_be_getsuffix
Shadow bytes around the buggy address:
  0x0c228003e0b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228003e0c0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228003e0d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228003e0e0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c228003e0f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c228003e100: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c228003e110: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228003e120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228003e130: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c228003e140: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c228003e150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==278094==ABORTING


Version-Release number of selected component (if applicable):
389-ds-base-1.4.3.8-2.1asan.el8.x86_64 / 389-ds-base-1.4.3.8-2.module+el8.3.0+6591+ebfc9766.x86_64

How reproducible:
always

Steps to Reproduce:
run dirsrvtests/tests/suites/disk_monitoring/disk_monitoring_test.py with the ASAN build

Comment 1 Viktor Ashirov 2020-06-04 10:33:03 UTC

The ASAN output has missing symbols. Could you please install the relevant debuginfo packages and rerun test again?

Comment 2 sgouvern 2020-06-04 17:31:18 UTC

 dirsrvtests/tests/suites/disk_monitoring/disk_monitoring_test.py run with the asan build and all relevant debuginfo packages :

=================================================================
==283581==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000230850 at pc 0x7f7ebb729580 bp 0x7ffd60363f90 sp 0x7ffd60363f80
READ of size 4 at 0x611000230850 thread T0
    #0 0x7f7ebb72957f in slapi_be_getsuffix (/usr/lib64/dirsrv/libslapd.so.0+0xd657f)
    #1 0x7f7eab6f60cb in ldbm_instance_search_config_entry_callback ldap/servers/slapd/back-ldbm/ldbm_instance_config.c:759
    #2 0x7f7ebb74f8c9 in dse_call_callback ldap/servers/slapd/dse.c:2646
    #3 0x7f7ebb74fb04 in dse_write_entry ldap/servers/slapd/dse.c:1053
    #4 0x7f7ebb8b93f3 in avl_inapply ldap/libraries/libavl/avl.c:484
    #5 0x7f7ebb8b93d3 in avl_inapply ldap/libraries/libavl/avl.c:481
    #6 0x7f7ebb8b93d3 in avl_inapply ldap/libraries/libavl/avl.c:481
    #7 0x7f7ebb74ee81 in dse_write_file_nolock ldap/servers/slapd/dse.c:980
    #8 0x7f7ebb7566ff in dse_replace_entry ldap/servers/slapd/dse.c:1295
    #9 0x7f7ebb7566ff in dse_modify ldap/servers/slapd/dse.c:2019
    #10 0x7f7ebb7d3973 in op_shared_modify ldap/servers/slapd/modify.c:1021
    #11 0x7f7ebb7d5f58  (/usr/lib64/dirsrv/libslapd.so.0+0x182f58)
    #12 0x7f7ebb7d825b in slapi_modify_internal ldap/servers/slapd/modify.c:408
    #13 0x7f7ebb8a470c in modify_state_entry ldap/servers/slapd/uuid.c:679
    #14 0x7f7ebb8a499f in write_state_to_entry ldap/servers/slapd/uuid.c:603
    #15 0x7f7ebb8a499f in write_state ldap/servers/slapd/uuid.c:561
    #16 0x7f7ebb8a499f in uuid_cleanup ldap/servers/slapd/uuid.c:201
    #17 0x560d27f3835e in slapd_daemon ldap/servers/slapd/daemon.c:1212
    #18 0x560d27f14af2 in main (/usr/sbin/ns-slapd+0x30af2)
    #19 0x7f7eb80717b2 in __libc_start_main (/lib64/libc.so.6+0x237b2)
    #20 0x560d27f16ced in _start (/usr/sbin/ns-slapd+0x32ced)

0x611000230850 is located 144 bytes inside of 208-byte region [0x6110002307c0,0x611000230890)
freed by thread T33 here:
    #0 0x7f7ebbcba7e0 in __interceptor_free (/lib64/libasan.so.5+0xef7e0)
    #1 0x7f7ebb73043c in slapi_ch_free (/usr/lib64/dirsrv/libslapd.so.0+0xdd43c)
    #2 0x7f7ebb72bd2f in slapi_be_free (/usr/lib64/dirsrv/libslapd.so.0+0xd8d2f)
    #3 0x560d27f31e17 in disk_monitoring_thread ldap/servers/slapd/daemon.c:712
    #4 0x7f7eb901b567 in _pt_root ../../.././nspr/pr/src/pthreads/ptthread.c:201

previously allocated by thread T0 here:
    #0 0x7f7ebbcbadb0 in calloc (/lib64/libasan.so.5+0xefdb0)
    #1 0x7f7ebb730035 in slapi_ch_calloc (/usr/lib64/dirsrv/libslapd.so.0+0xdd035)
    #2 0x7f7ebb72b993 in slapi_be_new (/usr/lib64/dirsrv/libslapd.so.0+0xd8993)
    #3 0x7f7eab6f9126 in ldbm_instance_generate ldap/servers/slapd/back-ldbm/ldbm_instance_config.c:889
    #4 0x7f7eab6f9862 in ldbm_instance_add_instance_entry_callback ldap/servers/slapd/back-ldbm/ldbm_instance_config.c:1108
    #5 0x7f7eab6d15d7 in ldbm_config_read_instance_entries ldap/servers/slapd/back-ldbm/ldbm_config.c:1005
    #6 0x7f7eab6d4d9e in ldbm_config_load_dse_info ldap/servers/slapd/back-ldbm/ldbm_config.c:1096
    #7 0x7f7eab68360b in dblayer_setup ldap/servers/slapd/back-ldbm/dblayer.c:275
    #8 0x7f7eab727ba9 in ldbm_back_start ldap/servers/slapd/back-ldbm/start.c:46
    #9 0x7f7ebb810993 in plugin_call_func ldap/servers/slapd/plugin.c:2030
    #10 0x7f7ebb817573 in plugin_call_one ldap/servers/slapd/plugin.c:1979
    #11 0x7f7ebb817573 in plugin_dependency_startall ldap/servers/slapd/plugin.c:1733
    #12 0x560d27f149c0 in main (/usr/sbin/ns-slapd+0x309c0)
    #13 0x7f7eb80717b2 in __libc_start_main (/lib64/libc.so.6+0x237b2)

Thread T33 created by T0 here:
    #0 0x7f7ebbc1dea3 in __interceptor_pthread_create (/lib64/libasan.so.5+0x52ea3)
    #1 0x7f7eb901b23e in _PR_CreateThread ../../.././nspr/pr/src/pthreads/ptthread.c:433

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib64/dirsrv/libslapd.so.0+0xd657f) in slapi_be_getsuffix
Shadow bytes around the buggy address:
  0x0c228003e0b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228003e0c0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228003e0d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228003e0e0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c228003e0f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c228003e100: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c228003e110: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c228003e120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228003e130: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c228003e140: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c228003e150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==283581==ABORTING

Comment 4 mreynolds 2020-10-20 13:30:23 UTC

This might have been indrectly fixed via:  https://bugzilla.redhat.com/show_bug.cgi?id=1859225 (not in POST yet, but will be soon)

Comment 6 sgouvern 2020-12-07 15:13:24 UTC

openstack upgrade impacting the availability of a 1mt machine to test 
-> moving to ITM 6

Comment 7 sgouvern 2020-12-08 16:45:33 UTC

# rpm -qa | grep 389
389-ds-base-debuginfo-1.4.3.16-4asan.el8.x86_64
python3-lib389-1.4.3.16-4asan.el8.noarch
389-ds-base-legacy-tools-debuginfo-1.4.3.16-4asan.el8.x86_64
389-ds-base-legacy-tools-1.4.3.16-4asan.el8.x86_64
389-ds-base-libs-1.4.3.16-4asan.el8.x86_64
389-ds-base-snmp-1.4.3.16-4asan.el8.x86_64
389-ds-base-debugsource-1.4.3.16-4asan.el8.x86_64
389-ds-base-1.4.3.16-4asan.el8.x86_64
389-ds-base-snmp-debuginfo-1.4.3.16-4asan.el8.x86_64
389-ds-base-libs-debuginfo-1.4.3.16-4asan.el8.x86_64

running # PYTHONPATH=src/lib389/ DISK_MONITORING_ACK=1 py.test -s -v dirsrvtests/tests/suites/disk_monitoring/disk_monitoring_test.py

heap-use-after-free is still there in slapi_be_getsuffix

=================================================================
==276359==ERROR: AddressSanitizer: heap-use-after-free on address 0x6100002745c0 at pc 0x7fd14fbb97ac bp 0x7fff8bd1b810 sp 0x7fff8bd1b800
READ of size 4 at 0x6100002745c0 thread T0
    #0 0x7fd14fbb97ab in slapi_be_getsuffix (/usr/lib64/dirsrv/libslapd.so.0+0xd67ab)
    #1 0x7fd13f90d497 in ldbm_instance_search_config_entry_callback ldap/servers/slapd/back-ldbm/ldbm_instance_config.c:758
    #2 0x7fd14fbdfca9 in dse_call_callback ldap/servers/slapd/dse.c:2667
    #3 0x7fd14fbdfee4 in dse_write_entry ldap/servers/slapd/dse.c:1053
    #4 0x7fd14fd4ae83 in avl_inapply ldap/libraries/libavl/avl.c:484
    #5 0x7fd14fd4ae63 in avl_inapply ldap/libraries/libavl/avl.c:481
    #6 0x7fd14fd4ae63 in avl_inapply ldap/libraries/libavl/avl.c:481
    #7 0x7fd14fbdf261 in dse_write_file_nolock ldap/servers/slapd/dse.c:980
    #8 0x7fd14fbe6b80 in dse_replace_entry ldap/servers/slapd/dse.c:1298
    #9 0x7fd14fbe6b80 in dse_modify ldap/servers/slapd/dse.c:2024
    #10 0x7fd14fc64283 in op_shared_modify ldap/servers/slapd/modify.c:1025
    #11 0x7fd14fc669e8  (/usr/lib64/dirsrv/libslapd.so.0+0x1839e8)
    #12 0x7fd14fc68ceb in slapi_modify_internal ldap/servers/slapd/modify.c:408
    #13 0x7fd14fd3617c in modify_state_entry ldap/servers/slapd/uuid.c:679
    #14 0x7fd14fd3640f in write_state_to_entry ldap/servers/slapd/uuid.c:603
    #15 0x7fd14fd3640f in write_state ldap/servers/slapd/uuid.c:561
    #16 0x7fd14fd3640f in uuid_cleanup ldap/servers/slapd/uuid.c:201
    #17 0x5653acea157e in slapd_daemon ldap/servers/slapd/daemon.c:1219
    #18 0x5653ace7ddc6 in main (/usr/sbin/ns-slapd+0x30dc6)
    #19 0x7fd14c5028e2 in __libc_start_main (/lib64/libc.so.6+0x238e2)
    #20 0x5653ace7fffd in _start (/usr/sbin/ns-slapd+0x32ffd)

0x6100002745c0 is located 128 bytes inside of 192-byte region [0x610000274540,0x610000274600)
freed by thread T25 here:
    #0 0x7fd15014c7e0 in __interceptor_free (/lib64/libasan.so.5+0xef7e0)
    #1 0x7fd14fbc052c in slapi_ch_free (/usr/lib64/dirsrv/libslapd.so.0+0xdd52c)
    #2 0x7fd14fbbbf3f in slapi_be_free (/usr/lib64/dirsrv/libslapd.so.0+0xd8f3f)
    #3 0x5653ace9b1e7 in disk_monitoring_thread ldap/servers/slapd/daemon.c:712
    #4 0x7fd14d4ac5a7  (/lib64/libnspr4.so+0x2b5a7)

previously allocated by thread T0 here:
    #0 0x7fd15014cdb0 in calloc (/lib64/libasan.so.5+0xefdb0)
    #1 0x7fd14fbc0125 in slapi_ch_calloc (/usr/lib64/dirsrv/libslapd.so.0+0xdd125)
    #2 0x7fd14fbbbba3 in slapi_be_new (/usr/lib64/dirsrv/libslapd.so.0+0xd8ba3)
    #3 0x7fd13f910338 in ldbm_instance_generate ldap/servers/slapd/back-ldbm/ldbm_instance_config.c:887
    #4 0x7fd13f910ac2 in ldbm_instance_add_instance_entry_callback ldap/servers/slapd/back-ldbm/ldbm_instance_config.c:1090
    #5 0x7fd13f8e8837 in ldbm_config_read_instance_entries ldap/servers/slapd/back-ldbm/ldbm_config.c:1005
    #6 0x7fd13f8ebffc in ldbm_config_load_dse_info ldap/servers/slapd/back-ldbm/ldbm_config.c:1096
    #7 0x7fd13f89a3ab in dblayer_setup ldap/servers/slapd/back-ldbm/dblayer.c:275
    #8 0x7fd13f940629 in ldbm_back_start ldap/servers/slapd/back-ldbm/start.c:46
    #9 0x7fd14fca16a3 in plugin_call_func ldap/servers/slapd/plugin.c:2030
    #10 0x7fd14fca8283 in plugin_call_one ldap/servers/slapd/plugin.c:1979
    #11 0x7fd14fca8283 in plugin_dependency_startall ldap/servers/slapd/plugin.c:1733
    #12 0x5653ace7dc94 in main (/usr/sbin/ns-slapd+0x30c94)
    #13 0x7fd14c5028e2 in __libc_start_main (/lib64/libc.so.6+0x238e2)

Thread T25 created by T0 here:
    #0 0x7fd1500afea3 in __interceptor_pthread_create (/lib64/libasan.so.5+0x52ea3)
    #1 0x7fd14d4ac27e  (/lib64/libnspr4.so+0x2b27e)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib64/dirsrv/libslapd.so.0+0xd67ab) in slapi_be_getsuffix
Shadow bytes around the buggy address:
  0x0c2080046860: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2080046870: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c2080046880: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2080046890: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c20800468a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c20800468b0: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c20800468c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c20800468d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c20800468e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c20800468f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c2080046900: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==276359==ABORTING


marking FailedQA / ASSIGNED

Comment 8 mreynolds 2020-12-11 20:29:53 UTC

Upstream ticket:

https://github.com/389ds/389-ds-base/issues/4483

Comment 10 sgouvern 2021-01-14 17:51:30 UTC

With build 389-ds-base-1.4.3.16-8.1asan.el8.x86_64

running # PYTHONPATH=src/lib389/ DISK_MONITORING_ACK=1 ASAN=1 py.test -s -v dirsrvtests/tests/suites/disk_monitoring/disk_monitoring_test.py

no heap-use-after-free is detected 

=> marking as verified:tested

Comment 13 sgouvern 2021-01-18 14:11:39 UTC

wrong build attached to the errata -> moving to ITM12

Comment 14 sgouvern 2021-01-18 14:44:23 UTC

Correct build now attached to the errata : as per comment 10, marking as VERIFIED and moving back to ITM11

Comment 16 errata-xmlrpc 2021-05-18 15:45:16 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (389-ds:1.4 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1835

Note You need to log in before you can comment on or make changes to this bug.