Bug 593899 - adding specific ACI causes very large mem allocate request
Summary: adding specific ACI causes very large mem allocate request
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: 389
Classification: Retired
Component: Directory Server
Version: 1.2.6
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Noriko Hosoi
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks: 434914 389_1.2.6
 
Reported: 2010-05-20 02:05 UTC by Michael Gregg
Modified: 2015-12-07 16:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-07 16:53:36 UTC


Attachments
This is the ldif containing the aci that causes problems. (1.92 KB, application/octet-stream)
2010-05-20 02:05 UTC, Michael Gregg
dse.ldif of the failing server (77.20 KB, application/octet-stream)
2010-05-20 02:06 UTC, Michael Gregg
git diff aclparse.c (1.37 KB, patch)
2010-05-20 02:21 UTC, Noriko Hosoi
rmeggins: review+
git patch file (9.0) (5.81 KB, patch)
2010-05-20 21:07 UTC, Noriko Hosoi
nhosoi: review?
rmeggins: review+
git patch file (9.0) (1.24 KB, patch)
2010-05-22 01:32 UTC, Noriko Hosoi
svn diff bug593899_acceptance.sh (3.58 KB, patch)
2010-05-22 01:37 UTC, Noriko Hosoi

Description Michael Gregg 2010-05-20 02:05:29 UTC
Created attachment 415295 [details]
This is the ldif containing the aci that causes problems.

Description of problem:
Adding specific, attached ACI causes 389 to attempt allocating a huge amount of memory, causing a server crash on most systems. 

Version-Release number of selected component (if applicable):
redhat-ds-base-8.2.0-2010051204.el5dsrv

How reproducible:
always

Steps to Reproduce:
1. create a setup that prepares ds for this aci. 
2. add aci
3.
  
Actual results:
[19/May/2010:17:42:49 -0700] memory allocator - calloc of 1 elems of 4294967266 bytes failed; OS error 12 (Cannot allocate memory)
The server has probably allocated all available virtual memory. 
Can't recover. Calling exit.

Additional info:
I've attached the aci of my ds instance for reference.

Comment 1 Michael Gregg 2010-05-20 02:06:19 UTC
Look at the size of the calloc

From Noriko:
(gdb) bt
#0  slapi_ch_calloc (nelem=1, size=18446744073709551586)
    at ldap/servers/slapd/ch_malloc.c:247
#1  0x00002b1be360d437 in __aclp_chk_paramRules (aci_item=0x161e6fb0,
    start=0x161e74ef "n=ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com ",
    end=0x161e74d0 "deny absolute ( compare ) userdn=ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com ")
    at ldap/servers/plugins/acl/aclparse.c:1534
#2  0x00002b1be360bee9 in __aclp__normalize_acltxt (aci_item=0x161e6fb0,
    str=0x161e70e4 "version 3.0; acl Compare - OU_3750; deny ( compare ) userdn=ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com ;")
    at ldap/servers/plugins/acl/aclparse.c:826
#3  0x00002b1be360b49c in __aclp__sanity_check_acltxt (aci_item=0x161e6fb0,
    str=0x161e70e4 "version 3.0; acl Compare - OU_3750; deny ( compare ) userdn=ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com ;")
    at ldap/servers/plugins/acl/aclparse.c:500
#4  0x00002b1be360abed in __aclp__parse_aci (
    str=0x161e70e4 "version 3.0; acl Compare - OU_3750; deny ( compare ) userdn=ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com ;",
    aci_item=0x161e6fb0) at ldap/servers/plugins/acl/aclparse.c:229
#5  0x00002b1be360a986 in acl_parse (
    str=0x161e70e4 "version 3.0; acl Compare - OU_3750; deny ( compare ) userdn=ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com ;",
    aci_item=0x161e6fb0) at ldap/servers/plugins/acl/aclparse.c:121
#6  0x00002b1be360d3e2 in acl_verify_syntax (e_sdn=0x161de7d0, bval=0x161e5700)
    at ldap/servers/plugins/acl/aclparse.c:1516
#7  0x00002b1be360d33b in acl_verify_aci_syntax (e=0x161de7d0,
    errbuf=0x445e2db8) at ldap/servers/plugins/acl/aclparse.c:1478
#8  0x00002b1be09a8acb in plugin_call_acl_verify_syntax (pb=0x161de420,
    e=0x161de7d0, errbuf=0x445e2db8) at ldap/servers/slapd/plugin_acl.c:198
#9  0x00002b1be44f017e in ldbm_back_add (pb=0x161de420)
    at ldap/servers/slapd/back-ldbm/ldbm_add.c:587
#10 0x00002b1be0952d7c in op_shared_add (pb=0x161de420)
    at ldap/servers/slapd/add.c:658
#11 0x00002b1be0952114 in do_add (pb=0x161de420)
    at ldap/servers/slapd/add.c:259
#12 0x000000000041317c in connection_dispatch_operation (conn=0x2aaaaaaafb38,
    op=0x161e25e0, pb=0x161de420) at ldap/servers/slapd/connection.c:544
#13 0x00000000004147f5 in connection_threadmain ()
    at ldap/servers/slapd/connection.c:2274
#14 0x0000003157427fad in ?? () from /usr/lib64/libnspr4.so
#15 0x0000003146206617 in start_thread () from /lib64/libpthread.so.0
#16 0x00000031456d3c2d in clone () from /lib64/libc.so.6
(gdb) up
#1  0x00002b1be360d437 in __aclp_chk_paramRules (aci_item=0x161e6fb0,
    start=0x161e74ef "n=ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com ",
    end=0x161e74d0 "deny absolute ( compare ) userdn=ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com ")
    at ldap/servers/plugins/acl/aclparse.c:1534
1534        s = str = (char *) slapi_ch_calloc(1, len + 1);
(gdb) p len
$1 = 18446744073709551585
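
The values in the backtrace above are consistent with a length derived from `end - start`: `end` (0x161e74d0) sits 31 bytes below `start` (0x161e74ef), and -31 converted to an unsigned 64-bit size is 18446744073709551585. The C sketch below is an added illustration, not part of the original report and not the aclparse.c code or the attached patch; `SAMPLE`, `span_len_unchecked` and `copy_span_checked` are hypothetical names, and the range check is one generic way to guard such an allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the text gdb shows at `end` in frame #1 of the report. */
static const char SAMPLE[] =
    "deny absolute ( compare ) userdn=ldap:///cn=*, "
    "ou=organizationalUnit_3750, o=iPlanet_ACIs.com ";

/* Unchecked form: a span length taken straight from two pointers.
 * If end lies before start, the negative difference wraps when it is
 * converted to the unsigned size_t that an allocator expects. */
static size_t span_len_unchecked(const char *start, const char *end)
{
    return (size_t)(end - start);
}

/* Checked form: validate the range before it sizes an allocation.
 * Both pointers must refer to the same buffer. Returns a NUL-terminated
 * copy of [start, end), or NULL for an inverted or missing range. */
static char *copy_span_checked(const char *start, const char *end)
{
    size_t len;
    char *copy;

    if (start == NULL || end == NULL || end < start)
        return NULL;              /* caller reports a syntax error */
    len = (size_t)(end - start);
    copy = calloc(1, len + 1);
    if (copy != NULL)
        memcpy(copy, start, len);
    return copy;
}

int main(void)
{
    const char *end = SAMPLE;         /* 0x161e74d0 in the backtrace */
    const char *start = SAMPLE + 31;  /* 0x161e74ef, i.e. end + 31   */
    char *ok = copy_span_checked(SAMPLE, SAMPLE + 4);

    /* 64-bit: 18446744073709551585, the `p len` value in the report */
    printf("unchecked len  = %zu\n", span_len_unchecked(start, end));
    /* 64-bit: ...586 (frame #0); 32-bit: 4294967266 (the error log) */
    printf("calloc request = %zu\n", span_len_unchecked(start, end) + 1);
    printf("checked        = %s\n",
           copy_span_checked(start, end) ? "allocated" : "rejected");
    printf("valid span     = \"%s\"\n", ok ? ok : "(alloc failed)");
    free(ok);
    return 0;
}
```

The same wrap explains both numbers on the page: the 32-bit build logs 4294967266 (2^32 - 30) while the 64-bit gdb session shows 18446744073709551586 (2^64 - 30) as the calloc size.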

Comment 2 Michael Gregg 2010-05-20 02:06:48 UTC
Created attachment 415296 [details]
dse.ldif of the failing server

Comment 3 Noriko Hosoi 2010-05-20 02:14:22 UTC
One problem in the test acis:
aci: ( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = *)(version 3.0; acl Compare - OU_3750; deny ( compare ) userdn=ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com ;)

The userdn value is not double quoted.  See this definition in http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Access_Control-Bind_Rules.html#Bind_Rules-Defining_User_Access___userdn_Keyword
userdn = "ldap:///suffix??scope?(filter)"

If you put double quotes around the userdn value like this:
aci: ( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = *)(version 3.0; acl Compare - OU_3750; deny ( compare ) userdn="ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com" ;)
then the memory error does not occur.  But I agree even if an invalid acl is added, the server should not quit.  I'm fixing the problem now.

Another problem is being observed.  Once double quotes are put around the value, then the add fails with the invalid syntax.  I'm investigating it now:
ldap_add: Invalid syntax
ldap_add: additional info: ACL Syntax Error(-5):( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = \2a)(version 3.0; acl Compare - OU_3750; deny ( compare ) userdn=\"ldap:///cn=\2a, ou=organizationalUnit_3750, o=iPlanet_ACIs.com\" ;)

Comment 4 Noriko Hosoi 2010-05-20 02:21:10 UTC
Created attachment 415297 [details]
git diff aclparse.c

Still preliminary...
At least, this fixes the calloc failure problem.

adding new entry ou=organizationalUnit_3750, o=iPlanet_ACIs.com
ldap_add: Invalid syntax
ldap_add: additional info: ACL Syntax Error(-5):( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = \2a)(version 3.0; acl Compare - OU_3750; deny ( compare ) userdn=ldap:///cn=\2a, ou=organizationalUnit_3750, o=iPlanet_ACIs.com ;)

Comment 5 Noriko Hosoi 2010-05-20 17:31:58 UTC
I've installed DS8.1, added the same entry, and got this same ACL Syntax Error.  I wonder if the test has passed on 8.1?  (I don't mean it's okay as is.  We still need to investigate the cause. :)

adding new entry ou=organizationalUnit_3750, o=iPlanet_ACIs.com
ldap_add: Invalid syntax
ldap_add: additional info: ACL Syntax Error(-5):( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = \2a)(version 3.0; acl Compare - OU_3750; deny ( compare ) userdn=ldap:///cn=\2a, ou=organizationalUnit_3750, o=iPlanet_ACIs.com ;)

Comment 6 Noriko Hosoi 2010-05-20 18:40:19 UTC
It turned out it was another test acl error...
Original:
aci: ( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = *)(version 3.0; acl Compare - OU_3750; deny ( compare ) userdn=ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com ;)

Corrected:
aci: ( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = *)(version 3.0; acl "Compare - OU_3750"; deny ( compare ) userdn="ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com" ;)

1) acl name must be quoted.
2) userdn value in permissionbind_rule must be quoted
   userdn = "ldap:///suffix??scope?(filter)"

aci: (target)(version 3.0;acl "name";permissionbind_rule; permissionbind_rule; ... permissionbind_rule;)

By fixing them, this test ldif could be added to the server:
======================================================================
dn: ou=organizationalUnit_3750, o=iPlanet_ACIs.com
objectClass: top
objectClass: organizationalUnit
ou: organizationalUnit_3750
aci: ( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = *)(version 3.0; acl "Compare - OU_3750"; deny ( compare ) userdn="ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com" ;)
aci: ( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = *)(version 3.0; acl "Read - OU_3750"; deny ( read ) userdn="ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com" ;)
aci: ( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = *)(version 3.0; acl "Search - OU_3750"; deny ( search ) userdn="ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com" ;)
aci: ( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = *)(version 3.0; acl "Delete - OU_3750"; deny ( delete ) userdn="ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com" ;)
aci: ( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = *)(version 3.0; acl "Add - OU_3750"; deny ( add ) userdn="ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com" ;)
aci: ( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = *)(version 3.0; acl "Write - OU_3750"; deny ( write ) userdn="ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com" ;)
aci: ( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = *)(version 3.0; acl "Selfwrite - OU_3750"; deny ( selfwrite ) userdn="ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com" ;)
aci: ( target = ldap:///ou=organizationalUnit_3750, o=iPlanet_ACIs.com )(targetattr = *)(version 3.0; acl "Proxy - OU_3750"; deny ( proxy ) userdn="ldap:///cn=*, ou=organizationalUnit_3750, o=iPlanet_ACIs.com" ;)

dn: cn=User_3750, ou=organizationalUnit_3750, o=iPlanet_ACIs.com
objectClass: top
objectClass: person
cn: User_3750
sn: User_3750 sn
userPassword: secret_3750
======================================================================

Comment 7 Rich Megginson 2010-05-20 20:26:26 UTC
Comment on attachment 415297 [details]
git diff aclparse.c

Looks good.

I see that end is uninitialized in the declaration in __aclp__getNextLASRule - is it possible that end could not be assigned in the main while loop?

Comment 8 Michael Gregg 2010-05-20 20:51:54 UTC
I'll run the LD test this applies to again once the daily build is done. 

As for this bug, should I create a new acceptance test that adds this invalid
ACI looking for a crash?

Comment 9 Noriko Hosoi 2010-05-20 21:01:28 UTC
(In reply to comment #8)
> I'll run the LD test this applies to again once the daily build is done. 
> 
> As for this bug, should I create a new acceptance test that adds this invalid
> ACI looking for a crash?    

It'd be a good idea!  Thanks!!

Comment 10 Noriko Hosoi 2010-05-20 21:07:28 UTC
Created attachment 415515 [details]
git patch file (9.0)

(In reply to comment #7)
> 
> I see that end is uninitialized in the declaration in __aclp__getNextLASRule -
> is it possible that end could not be assigned in the main while loop?    

Yep, I've also noticed it after putting the previous patch... :)

I've run ACL,GER tests and Michael's test case against 8.2 with this patch and got 100% pass. And now running them against 9.0 with valgrind.  So far, nothing is suspicious.

Comment 11 Noriko Hosoi 2010-05-20 22:02:29 UTC
Reviewed by Rich (Thank you!!)

Pushed to master:

$ git merge work
Updating 55489b8..6f07051
Fast forward
 ldap/servers/plugins/acl/aclparse.c |   88 ++++++++++++++++++++++++----------
 1 files changed, 62 insertions(+), 26 deletions(-)

$ git push
Counting objects: 13, done.
Delta compression using 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.48 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   55489b8..6f07051  master -> master

And pushed to Directory_Server_8_2_Branch:

$ git cherry-pick 6f0705102374bcff44c24f0d90e7fb4c70e646df
Finished one cherry-pick.

$ git push origin ds82-local:Directory_Server_8_2_Branch
Counting objects: 13, done.
Delta compression using 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.49 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   4f83c26..652f9e5  ds82-local -> Directory_Server_8_2_Branch

Comment 12 Noriko Hosoi 2010-05-22 01:32:52 UTC
Created attachment 415812 [details]
git patch file (9.0)

Committing the change following the one line rule...

Pushed to master:
$ git merge work
Updating 80f3188..08a38d3
Fast forward
 ldap/servers/plugins/acl/aclparse.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)
$ git push
Counting objects: 13, done.
Delta compression using 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 845 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   80f3188..08a38d3  master -> master

Pushed to Directory_Server_8_2_Branch, as well.

$ git cherry-pick 08a38d39590e4117673ca5d5fe2f4d6b1924da1f
Finished one cherry-pick.
[ds82-local 14fc7fc] 593899 - adding specific ACI causes very large mem allocate request
 1 files changed, 1 insertions(+), 0 deletions(-)
$ git push origin ds82-local:Directory_Server_8_2_Branch
Counting objects: 13, done.
Delta compression using 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 849 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   3ae15e2..14fc7fc  ds82-local -> Directory_Server_8_2_Branch

Comment 13 Noriko Hosoi 2010-05-22 01:37:23 UTC
Created attachment 415813 [details]
svn diff bug593899_acceptance.sh

When generating a string including double quotes from shell scripts, they need to be escaped.  Otherwise, the double quotes are dropped.

$ svn commit
Sending        bug593899/bug593899_acceptance.sh
Transmitting file data .
Committed revision 4631.

Comment 14 Jenny Severance 2010-05-24 14:15:11 UTC
verified - automated regression test was created and is now passing - thanks Michael.

