Bug 681332 - modifying attr value crashes the server, which is supposed to be indexed as substring type, but has octetstring syntax
Summary: modifying attr value crashes the server, which is supposed to be indexed as s...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 679978
Blocks: 639035 389_1.2.8 680575
TreeView+ depends on / blocked
 
Reported: 2011-03-01 19:20 UTC by Noriko Hosoi
Modified: 2015-01-04 23:46 UTC (History)
4 users (show)

Fixed In Version: 389-ds-base-1.2.8-0.6.rc1.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 679978
Environment:
Last Closed: 2011-05-19 12:42:20 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2011:0533 0 normal SHIPPED_LIVE new package: 389-ds-base 2011-05-18 17:57:44 UTC

Description Noriko Hosoi 2011-03-01 19:20:57 UTC 
+++ This bug was initially created as a clone of Bug #679978 +++

Steps to reproduce the problem.
1. Create an index (note: extraId is not defined in the schema yet)
dn: cn=extraId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
nsIndexType: eq
nsIndexType: pres
nsIndexType: sub
nsSystemIndex: false
objectClass: top
objectClass: nsIndex
cn: extraId

2. add the attr type to schema:
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( extraId-oid NAME 'extraId' DESC 'CMS defined attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
-
add: objectClasses
objectClasses: ( 2.16.840.1.113730.3.2.1000 NAME 'extInetOrgPerson' SUP inetOrgPerson STRUCTURAL MAY ( extraId ) X-ORIGIN 'user defined' )

3. Add an extInetOrgPerson entry
dn: uid=tuser0, dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: extinetOrgPerson
...
extraId: cn=tuser0:00000000

4. Modifying extraId crashes the server.
dn: uid=tuser0, dc=example,dc=com
changetype: modify 
replace: extraId
extraId: tuser0:12345678

(gdb) bt
#0  0x00007fc59f1755b4 in valuearray_minus_valuearray (sattr=0x1082cc0, a=0x0, 
    b=0x0) at ldap/servers/slapd/back-ldbm/index.c:2155
#1  0x00007fc59f174f32 in index_addordel_values_ext_sv (be=0xf45c00, 
    type=0x7fc5600009d0 "extraId", vals=0x7fc560009170, evals=0x7fc560009b60, 
    id=1021, flags=34, txn=0x7fc598e1f980, idl_disposition=0x0, 
    buffer_handle=0x0) at ldap/servers/slapd/back-ldbm/index.c:1969
#2  0x00007fc59f1749e9 in index_addordel_values_sv (be=0xf45c00, 
    type=0x7fc5600009d0 "extraId", vals=0x7fc560009170, evals=0x7fc560009b60, 
    id=1021, flags=34, txn=0x7fc598e1f980)
    at ldap/servers/slapd/back-ldbm/index.c:1839
#3  0x00007fc59f171a1e in index_add_mods (be=0xf45c00, mods=0x7fc5600009f0, 
    olde=0x7fc56c005bb0, newe=0x7fc5600064b0, txn=0x7fc598e1f980)
    at ldap/servers/slapd/back-ldbm/index.c:596
#4  0x00007fc59f1922c3 in ldbm_back_modify (pb=0xe59e50)
    at ldap/servers/slapd/back-ldbm/ldbm_modify.c:443
#5  0x00007fc5a2061895 in op_shared_modify (pb=0xe59e50, pw_change=0, 
    old_pw=0x0) at ldap/servers/slapd/modify.c:885
#6  0x00007fc5a206075a in do_modify (pb=0xe59e50)
    at ldap/servers/slapd/modify.c:383
#7  0x0000000000413ab0 in connection_dispatch_operation (conn=0x7fc598e2c410, 
    op=0x12ffbf0, pb=0xe59e50) at ldap/servers/slapd/connection.c:583
#8  0x00000000004152c0 in connection_threadmain ()
    at ldap/servers/slapd/connection.c:2328
#9  0x00000034f6229593 in _pt_root (arg=0x127e610)
    at ../../../mozilla/nsprpub/pr/src/pthreads/ptthread.c:228
#10 0x00000034e7207761 in start_thread (arg=0x7fc598e26710)
    at pthread_create.c:301
#11 0x00000034e6ae14fd in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:115

Note: If the server is restarted after adding the schema, the crash does not occur since the server picks up the correct syntax for the attribute.

--- Additional comment from nhosoi on 2011-02-28 20:15:51 EST ---

Created attachment 481477 [details]
git patch file (master)

Description: When indexing, index_addordel_values_ext_sv calls a helper
function valuearray_minus_valuearray in index.c.  There is a corner case
that could pass NULL array arguments to valuearray_minus_valuearray.
In valuearray_minus_valuearray, the array's elements were accessed w/o
checking the array was NULL or not.  This patch is adding the check.

Note: This patch fixes the crash problem, but there is still the usage problem there.  Adding an index (e.g., presence, equality, and substring indexes) on the non-exisiting attribute type assumes the type octet string, where substring index is not allowed for the octet string.  Adding the corresponding schema after that does not tell the index module that the attribute type's syntax has been changed.  This makes the substring indexing ignored as shown using the example below:

Initial state of the index extraId: (dbscan output -- only presence and equality indexes are in the index file)
+                                       
	10 
=cn=tuser0:00000000                     
	10 

Replaced extraId value with cn=tuser0:12345678: (still only presence and equality indexes are in the file)
+                                       
	10 
=cn=tuser0:12345678                     
	10 

Substring indexes are not generated even if the attribute extraId is reindexed by db2index.pl command/reindexing task.  To pick up the correct syntax, the server needs to be restarted.  Then, reindexing extraId would create substring indexes.
# dbscan -f extraId.db4 -r
*0:1                                    
	10 
*123                                    
	10 
[...]
*use                                    
	10 
+                                       
	10 
=cn=tuser0:12345678                     
	10

--- Additional comment from nhosoi on 2011-03-01 14:15:22 EST ---

Reviewed by Rich and Nathan (Thank you!!!)

Pushed to master.

$ git merge 679978
Updating 11f265b..6d4566e
Fast-forward
 ldap/servers/slapd/back-ldbm/index.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
$ git push
Counting objects: 13, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 895 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   11f265b..6d4566e  master -> master

389-ds-base-1.2.8 branch:
Cherry-picking the commit: 6d4566ee11e3789c9f9ebacea8bde420f36cb6fd
$ git cherry-pick 6d4566ee11e3789c9f9ebacea8bde420f36cb6fd
[ds128-local 3b33ef4] Bug 679978 - modifying attr value crashes the server, which is supposed to  be indexed as substring type, but has octetstring syntax
 1 files changed, 2 insertions(+), 2 deletions(-)
Pushed to the branch.
$ git push origin ds128-local:389-ds-base-1.2.8
Counting objects: 13, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 902 bytes, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   9eb6f1b..3b33ef4  ds128-local -> 389-ds-base-1.2.8
Comment 3 Amita Sharma 2011-04-26 10:57:59 UTC 
1. [root@rheltest etc]# ldapmodify -a -D "cn=directory manager" -w Secret123 -p
389 -h localhost << EOF
> dn: cn=extraId,cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
> nsIndexType: eq
> nsIndexType: pres
> nsIndexType: sub
> nsSystemIndex: false
> objectClass: top
> objectClass: nsIndex
> cn: extraId
> EOF
adding new entry "cn=extraId,cn=index,cn=userRoot,cn=ldbm
database,cn=plugins,cn=config"

2. [root@rheltest amsharma]# ldapmodify -a -D "cn=directory manager" -w
Secret123 -p 389 -h localhost -v -f /home/amsharma/addattribute.ldif
ldap_initialize( ldap://localhost:389 )
add attributeTypes:
 ( extraId-oid NAME 'extraId' DESC 'CMS defined attribute' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'user defined' )
add objectClasses:
 ( 2.16.840.1.113730.3.2.1000 NAME 'extInetOrgPerson' SUP inetOrgPerson
STRUCTURAL MAY ( extraId ) X-ORIGIN 'user defined' )
modifying entry "cn=schema"
modify complete


3.[root@rheltest amsharma]# ldapmodify -a -D "cn=directory manager" -w
Secret123 -p 389 -h localhost -v -f /home/amsharma/adduser.ldif
ldap_initialize( ldap://localhost:389 )
add cn:
 ams
add sn:
 ams
add givenname:
 ams
add objectclass:
 top
 person
 organizationalPerson
 inetOrgPerson
 extinetOrgPerson
add extraId:
 cn=tuser1:00000000
add uid:
 ams
add mail:
 ams
add userpassword:
 amsamsams
adding new entry "uid=tuser1,dc=pnq,dc=redhat,dc=com"
modify complete


4. [root@rheltest amsharma]# ldapmodify -x -D "cn=directory manager" -w
Secret123 -p 389 -h localhost << EOF
> dn: uid=tuser1,dc=pnq,dc=redhat,dc=com
> changetype: modify
> replace: extraId
> extraId: tuser1:00000006
> EOF
modifying entry "uid=tuser1,dc=pnq,dc=redhat,dc=com"

5. [root@rheltest amsharma]# ldapmodify -x -D "cn=directory manager" -w
Secret123 -p 389 -h localhost << EOF
dn: uid=tuser1,dc=pnq,dc=redhat,dc=com
changetype: modify
replace: extraId
extraId: tuser1:abcd    
EOF

modifying entry "uid=tuser1,dc=pnq,dc=redhat,dc=com"

6. [root@rheltest amsharma]# ldapmodify -x -D "cn=directory manager" -w
Secret123 -p 389 -h localhost << EOF
dn: uid=tuser1,dc=pnq,dc=redhat,dc=com
changetype: modify
replace: extraId
extraId: tuser1:xyZ0gft
EOF

modifying entry "uid=tuser1,dc=pnq,dc=redhat,dc=com"

Tested Successfully hence marking the status as VERIFIED.
Comment 4 errata-xmlrpc 2011-05-19 12:42:20 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0533.html
Note You need to log in before you can comment on or make changes to this bug.