
Bug 2164503

Summary: factory extensions can crash server when dynamic plugins is enabled
Product: Red Hat Directory Server
Component: 389-ds-base
Version: 12.3
Reporter: mreynolds
Assignee: mreynolds
QA Contact: LDAP QA Team <idm-ds-qe-bugs>
Docs Contact: Evgenia Martynyuk <emartyny>
CC: emartyny, idm-ds-dev-bugs, pasik, vashirov
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Keywords: Triaged
Whiteboard: sync-to-jira
Target Milestone: DS12.3
Target Release: dirsrv-12.3
Hardware: Unspecified
OS: Unspecified
Fixed In Version: redhat-ds-12-9030020230711000312-1674d57
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2023-11-21 15:13:16 UTC

Description mreynolds 2023-01-25 15:59:17 UTC
Description of problem:

A heap buffer overflow occurs when using sync repl and dynamic plugins.  The factory extension buffer is not properly read when new extensions are registered.

==370885==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400057d880 at pc 0x7ff9100c13b8 bp 0x7ff86e404d50 sp 0x7ff86e404d48
READ of size 8 at 0x60400057d880 thread T19
    #0 0x7ff9100c13b7 in slapi_get_object_extension (/usr/lib64/dirsrv/libslapd.so.0+0x2c13b7)
    #1 0x7ff90d19fad3 in sync_get_operation_extension ldap/servers/plugins/sync/sync_refresh.c:896
    #2 0x7ff90d19fad3 in sync_srch_refresh_pre_result ldap/servers/plugins/sync/sync_refresh.c:284
    #3 0x7ff91015806f in plugin_call_func ldap/servers/slapd/plugin.c:2001
    #4 0x7ff910158545 in plugin_call_list ldap/servers/slapd/plugin.c:1944
    #5 0x7ff910195b98 in flush_ber ldap/servers/slapd/result.c:1782
    #6 0x7ff91019a4df in send_ldap_result_ext ldap/servers/slapd/result.c:642
    #7 0x7ff91018fb72 in send_ldap_result (/usr/lib64/dirsrv/libslapd.so.0+0x38fb72)
    #8 0x7ff910157b3b in slapi_send_ldap_result (/usr/lib64/dirsrv/libslapd.so.0+0x357b3b)
    #9 0x7ff9100b2eb5 in dse_modify ldap/servers/slapd/dse.c:2126
    #10 0x7ff910121716 in op_shared_modify ldap/servers/slapd/modify.c:1022
    #11 0x7ff91012630b in do_modify (/usr/lib64/dirsrv/libslapd.so.0+0x32630b)
    #12 0x5586497f8320 in connection_dispatch_operation ldap/servers/slapd/connection.c:653
    #13 0x5586497f8320 in connection_threadmain ldap/servers/slapd/connection.c:1805
    #14 0x7ff910ee4412 in _pt_root (/lib64/libnspr4.so+0x2c412)
    #15 0x7ff90fa8cdec in start_thread (/lib64/libc.so.6+0x8cdec)
    #16 0x7ff90fb1236f in clone3 (/lib64/libc.so.6+0x11236f)

0x60400057d880 is located 0 bytes to the right of 48-byte region [0x60400057d850,0x60400057d880)
allocated by thread T19 here:
    #0 0x7ff9108ba097 in calloc (/lib64/libasan.so.8+0xba097)
    #1 0x7ff910075c55 in slapi_ch_calloc (/usr/lib64/dirsrv/libslapd.so.0+0x275c55)
    #2 0x7ff9100c435c in factory_create_extension (/usr/lib64/dirsrv/libslapd.so.0+0x2c435c)
    #3 0x5586497e2ffe in connection_add_operation ldap/servers/slapd/connection.c:2086
    #4 0x5586497e2ffe in connection_make_new_pb ldap/servers/slapd/connection.c:977
    #5 0x5586497f6072 in connection_threadmain ldap/servers/slapd/connection.c:1614
    #6 0x7ff910ee4412 in _pt_root (/lib64/libnspr4.so+0x2c412)
    #7 0x7ff90fa8cdec in start_thread (/lib64/libc.so.6+0x8cdec)
    #8 0x7ff90fb1236f in clone3 (/lib64/libc.so.6+0x11236f)


How reproducible:

Every time with ASAN build

Steps to Reproduce:
1.  Create ASAN build of 389-ds-base
2.  Run CI test: 

LSAN_OPTIONS=exitcode=0:log_threads=1:verbosity=1 PYINSTALL=1 py.test dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
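
Added illustration of the failure mode in the report above; this is not code from 389-ds-base (whose real extension machinery lives in factory_create_extension and slapi_get_object_extension) and every name in it is invented. It models the pattern the ASAN output points at: an object's extension array is sized from the number of extension types registered when the object was created, and a type registered later by a dynamically loaded plugin gets an index one past the end of that array. Reading the ASAN report as a 48-byte array of six 8-byte pointer slots and an attempted read of slot 6 is my inference from the trace, not a statement from the bug, and the bounds-checked lookup shown is one possible mitigation, not the fix that shipped.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_EXT_TYPES 16

/* Global registry of extension types. Every registered type owns one
 * pointer slot in each object's extension array. (Invented for this example.) */
typedef struct {
    const char *name[MAX_EXT_TYPES];
    int count;
} ext_registry;

/* An object (the "operation" in the report's stack) carries an extension
 * array sized from the registry count at the moment the object is created. */
typedef struct {
    void **ext;
    int ext_count;  /* slots actually allocated for this object */
} ext_object;

/* Register a type; the returned index is what a plugin later looks up with. */
int ext_register(ext_registry *r, const char *name) {
    if (r->count >= MAX_EXT_TYPES) return -1;
    r->name[r->count] = name;
    return r->count++;
}

ext_object *ext_object_create(const ext_registry *r) {
    ext_object *o = calloc(1, sizeof *o);
    if (o == NULL) return NULL;
    o->ext_count = r->count;
    o->ext = calloc((size_t)r->count, sizeof(void *)); /* 6 slots = 48 bytes on LP64 */
    return o;
}

void ext_object_free(ext_object *o) {
    if (o != NULL) { free(o->ext); free(o); }
}

/* Trusting the registry index alone, as the crashing lookup did, means any
 * type registered after the object was created points past the allocation.
 * This helper only reports whether such a read would stay in bounds; it
 * never performs the out-of-bounds access. */
bool ext_unchecked_read_in_bounds(const ext_object *o, int idx) {
    return idx >= 0 && idx < o->ext_count;
}

/* Hardened lookup: bound the index by the object's own slot count, so a
 * late-registered extension reads as "absent" instead of as heap garbage. */
void *ext_get(const ext_object *o, int idx) {
    if (o == NULL || idx < 0 || idx >= o->ext_count) return NULL;
    return o->ext[idx];
}

int ext_set(ext_object *o, int idx, void *value) {
    if (o == NULL || idx < 0 || idx >= o->ext_count) return -1;
    o->ext[idx] = value;
    return 0;
}

/* Byte offset an unchecked read of slot idx would touch. */
size_t ext_byte_offset(int idx) { return (size_t)idx * sizeof(void *); }

/* Replay the reported sequence: six types registered at startup, an operation
 * created, then a plugin loaded dynamically (sync, in the report) registers a
 * seventh type and looks it up on the already-existing operation. Returns the
 * late index (6) when the unchecked read would be out of bounds and the
 * checked lookup returns NULL, or -1 if the model misbehaves. */
int demo_late_registration(void) {
    ext_registry r = {0};
    for (int i = 0; i < 6; i++) {
        if (ext_register(&r, "startup-plugin") != i) return -1;
    }
    ext_object *op = ext_object_create(&r);
    if (op == NULL || op->ext_count != 6) { ext_object_free(op); return -1; }

    int marker = 0;   /* an extension set before the late registration still works */
    if (ext_set(op, 0, &marker) != 0 || ext_get(op, 0) != &marker) {
        ext_object_free(op);
        return -1;
    }

    int sync_idx = ext_register(&r, "sync");   /* registered after op exists */
    bool oob = !ext_unchecked_read_in_bounds(op, sync_idx);
    bool checked_null = (ext_get(op, sync_idx) == NULL);
    ext_object_free(op);
    return (oob && checked_null) ? sync_idx : -1;
}

int main(void) {
    int idx = demo_late_registration();
    if (idx < 0) { puts("model misbehaved"); return 1; }
    printf("late extension index %d: unchecked read at byte offset %zu of a %zu-byte array\n",
           idx, ext_byte_offset(idx), ext_byte_offset(6));
    return 0;
}
```

The per-object count is the check that matters: the registry's count is correct for objects created after the registration, but not for ones that already exist, which is exactly the window a dynamically loaded plugin opens. An alternative that keeps late extensions usable is to reallocate each live object's array to the new registry size at registration time, at the cost of tracking every live object.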

Comment 1 mreynolds 2023-01-25 16:00:12 UTC
Upstream ticket:

https://github.com/389ds/389-ds-base/issues/5600

Comment 5 errata-xmlrpc 2023-11-21 15:13:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (redhat-ds:12 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2023:7429