Bug 2164503 - factory extensions can crash server when dynamic plugins is enabled
Summary: factory extensions can crash server when dynamic plugins is enabled
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Directory Server
Classification: Red Hat
Component: 389-ds-base
Version: 12.3
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: DS12.3
: dirsrv-12.3
Assignee: mreynolds
QA Contact: LDAP QA Team
Zuzana Zoubkova
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2023-01-25 15:59 UTC by mreynolds
Modified: 2023-08-15 16:10 UTC

Fixed In Version: redhat-ds-12-9030020230711000312-1674d57
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Target Upstream Version:
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker IDMDS-2747 0 None None None 2023-01-25 16:17:27 UTC
Red Hat Issue Tracker IDMDS-3531 0 None None None 2023-08-09 09:51:57 UTC

Description mreynolds 2023-01-25 15:59:17 UTC
Description of problem:

A heap buffer overflow occurs when using sync repl and dynamic plugins. The factory extension buffer is not properly read when new extensions are registered.

==370885==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60400057d880 at pc 0x7ff9100c13b8 bp 0x7ff86e404d50 sp 0x7ff86e404d48
READ of size 8 at 0x60400057d880 thread T19
    #0 0x7ff9100c13b7 in slapi_get_object_extension (/usr/lib64/dirsrv/libslapd.so.0+0x2c13b7)
    #1 0x7ff90d19fad3 in sync_get_operation_extension ldap/servers/plugins/sync/sync_refresh.c:896
    #2 0x7ff90d19fad3 in sync_srch_refresh_pre_result ldap/servers/plugins/sync/sync_refresh.c:284
    #3 0x7ff91015806f in plugin_call_func ldap/servers/slapd/plugin.c:2001
    #4 0x7ff910158545 in plugin_call_list ldap/servers/slapd/plugin.c:1944
    #5 0x7ff910195b98 in flush_ber ldap/servers/slapd/result.c:1782
    #6 0x7ff91019a4df in send_ldap_result_ext ldap/servers/slapd/result.c:642
    #7 0x7ff91018fb72 in send_ldap_result (/usr/lib64/dirsrv/libslapd.so.0+0x38fb72)
    #8 0x7ff910157b3b in slapi_send_ldap_result (/usr/lib64/dirsrv/libslapd.so.0+0x357b3b)
    #9 0x7ff9100b2eb5 in dse_modify ldap/servers/slapd/dse.c:2126
    #10 0x7ff910121716 in op_shared_modify ldap/servers/slapd/modify.c:1022
    #11 0x7ff91012630b in do_modify (/usr/lib64/dirsrv/libslapd.so.0+0x32630b)
    #12 0x5586497f8320 in connection_dispatch_operation ldap/servers/slapd/connection.c:653
    #13 0x5586497f8320 in connection_threadmain ldap/servers/slapd/connection.c:1805
    #14 0x7ff910ee4412 in _pt_root (/lib64/libnspr4.so+0x2c412)
    #15 0x7ff90fa8cdec in start_thread (/lib64/libc.so.6+0x8cdec)
    #16 0x7ff90fb1236f in clone3 (/lib64/libc.so.6+0x11236f)

0x60400057d880 is located 0 bytes to the right of 48-byte region [0x60400057d850,0x60400057d880)
allocated by thread T19 here:
    #0 0x7ff9108ba097 in calloc (/lib64/libasan.so.8+0xba097)
    #1 0x7ff910075c55 in slapi_ch_calloc (/usr/lib64/dirsrv/libslapd.so.0+0x275c55)
    #2 0x7ff9100c435c in factory_create_extension (/usr/lib64/dirsrv/libslapd.so.0+0x2c435c)
    #3 0x5586497e2ffe in connection_add_operation ldap/servers/slapd/connection.c:2086
    #4 0x5586497e2ffe in connection_make_new_pb ldap/servers/slapd/connection.c:977
    #5 0x5586497f6072 in connection_threadmain ldap/servers/slapd/connection.c:1614
    #6 0x7ff910ee4412 in _pt_root (/lib64/libnspr4.so+0x2c412)
    #7 0x7ff90fa8cdec in start_thread (/lib64/libc.so.6+0x8cdec)
    #8 0x7ff90fb1236f in clone3 (/lib64/libc.so.6+0x11236f)


How reproducible:

Every time with ASAN build

Steps to Reproduce:
1.  Create ASAN build of 389-ds-base
2.  Run CI test: 

LSAN_OPTIONS=exitcode=0:log_threads=1:verbosity=1 PYINSTALL=1 py.test dirsrvtests/tests/suites/syncrepl_plugin/basic_test.py
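The report above shows an 8-byte read at exactly the end of a 48-byte extension region (six pointer slots) that was allocated when the operation was created, i.e. the block is indexed by a registry that grew after the allocation. The following C model is added here as an illustration, not 389-ds-base's own code (all names are hypothetical); it reproduces that shape and shows two defensive checks: bound each lookup by the block's recorded slot count instead of the global registry size, and grow a stale block before it is used.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model (hypothetical names, not 389-ds-base code): one pointer
 * slot per extension type registered when the block was created. */
typedef struct ext_block {
    int    nslots;   /* slot count recorded when the block was allocated */
    void **slots;
} ext_block_t;

static int registered_exts = 0;  /* grows whenever a dynamic plugin registers */

/* Register a new extension type; returns its slot index. */
int model_register_extension(void) {
    return registered_exts++;
}

/* Allocate a block for the types known now (6 types = the 48-byte region in the trace). */
ext_block_t *model_create_block(void) {
    ext_block_t *b = calloc(1, sizeof(*b));
    b->nslots = registered_exts;
    b->slots = calloc(registered_exts > 0 ? registered_exts : 1, sizeof(void *));
    return b;
}

/* 1 if a type was registered after allocation: indexing by the newest
 * type would read 8 bytes past the region, exactly what ASAN flagged. */
int model_block_is_stale(const ext_block_t *b) {
    return registered_exts > b->nslots;
}

/* Hardened lookup: bound idx by the block's own slot count, not the global
 * registry size. Returns 0 and sets *out, or -1 when out of range. */
int model_get_extension(const ext_block_t *b, int idx, void **out) {
    if (idx < 0 || idx >= b->nslots) return -1;
    *out = b->slots[idx];
    return 0;
}

/* Grow a stale block so late-registered types get their own zeroed slots. */
int model_refresh_block(ext_block_t *b) {
    if (!model_block_is_stale(b)) return 0;
    void **n = realloc(b->slots, registered_exts * sizeof(void *));
    if (n == NULL) return -1;
    memset(n + b->nslots, 0, (registered_exts - b->nslots) * sizeof(void *));
    b->slots = n;
    b->nslots = registered_exts;
    return 0;
}
```

Under ASAN the unchecked read the trace shows is a crash; in a release build it is a silent read of whatever follows the region, which is why the per-block count, not the registry count, has to bound the index.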

Comment 1 mreynolds 2023-01-25 16:00:12 UTC
Upstream ticket:

https://github.com/389ds/389-ds-base/issues/5600