RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 690536 - Double free in dse_add()
Summary: Double free in dse_add()
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.1
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 690526
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-03-24 15:40 UTC by Nathan Kinder
Modified: 2015-01-04 23:47 UTC (History)
6 users (show)

Fixed In Version: 389-ds-base-1.2.8-0.8.rc2.el6
Doc Type: Bug Fix
Doc Text:
Clone Of: 690526
Environment:
Last Closed: 2011-05-19 12:42:55 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2011:0533 0 normal SHIPPED_LIVE new package: 389-ds-base 2011-05-18 17:57:44 UTC

Description Nathan Kinder 2011-03-24 15:40:27 UTC 
+++ This bug was initially created as a clone of Bug #690526 +++

It's possible to encounter a double free of a Slapi_Entry in an error condition in dse_add().  This function makes a copy of the entry being added for use by postop plug-ins, but it can be free'd twice in the following code:

  e_copy = slapi_entry_dup(e);
  if ( dse_add_entry_pb(pdse, e_copy, pb) != 0)
  {
      slapi_send_ldap_result( pb, LDAP_OPERATIONS_ERROR, NULL, NULL, 0, NULL );
      slapi_sdn_done(&sdn);
      return dse_add_return(error, e_copy);
  }

The dse_add_entry_pb() function frees the passed in entry in all conditions, but dse_add_return() also free's the passed in entry.  This double free could trigger a crash.

The way dse_add works is that entry in SLAPI_ADD_ENTRY in the pblock should be consumed upon success, but will be left for the caller to deal with upon failure.  We should be passing NULL for the second argument to dse_add_return() to avoid the double free.

--- Additional comment from nkinder on 2011-03-24 11:18:30 EDT ---

Created attachment 487370 [details]
Patch for cov#10734

--- Additional comment from rmeggins on 2011-03-24 11:24:27 EDT ---

Do we need to get this in asap?

--- Additional comment from nkinder on 2011-03-24 11:37:24 EDT ---

(In reply to comment #2)
> Do we need to get this in asap?

I don't know how easy it is to trigger this issue since it is in an error block when adding an entry to the dse backend, but it seems like we should try to get it in ASAP to me.

--- Additional comment from nkinder on 2011-03-24 11:39:15 EDT ---

Pushed to master.  Thanks to Rich for his review!

Counting objects: 11, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (6/6), done.
Writing objects: 100% (6/6), 1.02 KiB, done.
Total 6 (delta 4), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   b41338f..1b22679  master -> master
Comment 1 Jenny Severance 2011-03-24 15:43:09 UTC 
Can you please add steps to reproduce? Thanks jenny
Comment 2 Nathan Kinder 2011-03-24 15:46:59 UTC 
(In reply to comment #1)
> Can you please add steps to reproduce? Thanks jenny

Sorry, this was found via a Coverity scan.  The issue can only be triggered by some sort of internal error condition, so I don't know how easy it would be to reproduce.  I believe we should re-run Coverity for verification.
Comment 3 Rich Megginson 2011-03-28 22:59:19 UTC 
Checking in 0008-Bug-690526-cov-10734-Double-free-in-dse_add.patch;
/cvs/dist/rpms/389-ds-base/RHEL-6/0008-Bug-690526-cov-10734-Double-free-in-dse_add.patch,v  <--  0008-Bug-690526-cov-10734-Double-free-in-dse_add.patch
initial revision: 1.1
done
Checking in 389-ds-base.spec;
/cvs/dist/rpms/389-ds-base/RHEL-6/389-ds-base.spec,v  <--  389-ds-base.spec
new revision: 1.19; previous revision: 1.18
done
Comment 5 Chandrasekar Kannan 2011-04-20 23:36:32 UTC 
Coverity related. Can I ask dev to confirm that subsequent coverity runs aren't showing this issue ?.
Comment 6 Rich Megginson 2011-04-29 14:22:17 UTC 
verified - coverity shows no issue
Comment 7 Amita Sharma 2011-05-02 05:49:50 UTC 
Thanks for the confirmation Rich.
Comment 8 errata-xmlrpc 2011-05-19 12:42:55 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2011-0533.html
Note You need to log in before you can comment on or make changes to this bug.