Bug 698921 - ldapadd crashes on x86_64 with specific ldifs
Summary: ldapadd crashes on x86_64 with specific ldifs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.1
Hardware: x86_64
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Jan Vcelak
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 716858
TreeView+ depends on / blocked
 
Reported: 2011-04-22 09:49 UTC by Ondrej Moriš
Modified: 2013-03-04 01:29 UTC (History)
5 users (show)

Fixed In Version: openldap-2.4.23-16.el6
Doc Type: Bug Fix
Doc Text:
- pass LDIF input file to any openldap client tool (e.g. ldapadd) while the file is not terminated by newline character - the client crashes with segmentation fault - the unusual situation is now handled by to tools - requested operation succeeds and the tool does not crash
Clone Of:
: 716858 (view as bug list)
Environment:
Last Closed: 2011-12-06 12:12:27 UTC
Target Upstream Version:


Attachments (Terms of Use)
Base data without a new line at the end, no crash. (122 bytes, application/octet-stream)
2011-04-22 09:49 UTC, Ondrej Moriš
no flags Details
User and base data without a new line at the end, crash. (289 bytes, text/plain)
2011-04-22 09:50 UTC, Ondrej Moriš
no flags Details
Base data without a new line at the end, no crash. (122 bytes, text/plain)
2011-04-22 09:51 UTC, Ondrej Moriš
no flags Details
User data without a new line at the end, crash. (165 bytes, text/plain)
2011-04-22 09:51 UTC, Ondrej Moriš
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1514 normal SHIPPED_LIVE openldap bug fix and enhancement update 2011-12-06 00:51:20 UTC

Description Ondrej Moriš 2011-04-22 09:49:38 UTC
Created attachment 494151 [details]
Base data without a new line at the end, no crash.

Description of a problem:

Client tool ldapadd crashed (or hang) with specific ldifs (attached dataB.ldif, dataA.ldif). It is cause by no new line in the end of these ldifs, if you add a new line at the end, ldapadd will not crash. The curious thing is here is that ldapadd does not need a new line in ldif file in general (attached base.ldif), but if it is missing in a certain ldif, it will cause crash. 

It is no hard to see that there is not

Version-Release number of selected component (if applicable):

openldap-2.4.19-15.el6_0.2
openldap-2.4.23-15.el6

How reproducible:

Always on x86_64, never on the other archs (i386, s390x, ppc64).

Steps to Reproduce:

1.  Start slapd service using attached slapd.conf.

2A. ldapadd -H ldap:// -D cn=Manager,dc=my-domain,dc=com -x -w x -f base.ldif
    ldapadd -H ldap:// -D cn=Manager,dc=my-domain,dc=com -x -w x -f dataB.ldif

2B. ldapadd -H ldap:// -D cn=Manager,dc=my-domain,dc=com -x -w x -f dataA.ldif

  
Actual results:

2A.

adding new entry "dc=my-domain, dc=com"

adding new entry "cn=B,dc=my-domain,dc=com"

*** glibc detected *** ldapadd: munmap_chunk(): invalid pointer: 0x00000000023a3018 ***
======= Backtrace: =========
/lib64/libc.so.6[0x36e0875716]
ldapadd[0x404364]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x36e081ec9d]
ldapadd[0x403759]
======= Memory map: ========
00400000-00412000 r-xp 00000000 fd:00 2907213                            /usr/bin/ldapmodify
00612000-00613000 rw-p 00012000 fd:00 2907213                            /usr/bin/ldapmodify
02398000-023b9000 rw-p 00000000 00:00 0                                  [heap]
35ba400000-35ba407000 r-xp 00000000 fd:00 2228527                        /lib64/libcrypt-2.12.so
35ba407000-35ba607000 ---p 00007000 fd:00 2228527                        /lib64/libcrypt-2.12.so
35ba607000-35ba608000 r--p 00007000 fd:00 2228527                        /lib64/libcrypt-2.12.so
35ba608000-35ba609000 rw-p 00008000 fd:00 2228527                        /lib64/libcrypt-2.12.so
35ba609000-35ba637000 rw-p 00000000 00:00 0 
35bd000000-35bd019000 r-xp 00000000 fd:00 2901547                        /usr/lib64/libsasl2.so.2.0.23
35bd019000-35bd219000 ---p 00019000 fd:00 2901547                        /usr/lib64/libsasl2.so.2.0.23
35bd219000-35bd21a000 rw-p 00019000 fd:00 2901547                        /usr/lib64/libsasl2.so.2.0.23
36e0000000-36e0020000 r-xp 00000000 fd:00 2228226                        /lib64/ld-2.12.so
36e021f000-36e0220000 r--p 0001f000 fd:00 2228226                        /lib64/ld-2.12.so
36e0220000-36e0221000 rw-p 00020000 fd:00 2228226                        /lib64/ld-2.12.so
36e0221000-36e0222000 rw-p 00000000 00:00 0 
36e0400000-36e0402000 r-xp 00000000 fd:00 2228248                        /lib64/libdl-2.12.so
36e0402000-36e0602000 ---p 00002000 fd:00 2228248                        /lib64/libdl-2.12.so
36e0602000-36e0603000 r--p 00002000 fd:00 2228248                        /lib64/libdl-2.12.so
36e0603000-36e0604000 rw-p 00003000 fd:00 2228248                        /lib64/libdl-2.12.so
36e0800000-36e0987000 r-xp 00000000 fd:00 2228242                        /lib64/libc-2.12.so
36e0987000-36e0b87000 ---p 00187000 fd:00 2228242                        /lib64/libc-2.12.so
36e0b87000-36e0b8b000 r--p 00187000 fd:00 2228242                        /lib64/libc-2.12.so
36e0b8b000-36e0b8c000 rw-p 0018b000 fd:00 2228242                        /lib64/libc-2.12.so
36e0b8c000-36e0b91000 rw-p 00000000 00:00 0 
36e0c00000-36e0c17000 r-xp 00000000 fd:00 2228244                        /lib64/libpthread-2.12.so
36e0c17000-36e0e17000 ---p 00017000 fd:00 2228244                        /lib64/libpthread-2.12.so
36e0e17000-36e0e18000 r--p 00017000 fd:00 2228244                        /lib64/libpthread-2.12.so
36e0e18000-36e0e19000 rw-p 00018000 fd:00 2228244                        /lib64/libpthread-2.12.so
36e0e19000-36e0e1d000 rw-p 00000000 00:00 0 
36e1400000-36e1415000 r-xp 00000000 fd:00 2228246                        /lib64/libz.so.1.2.3
36e1415000-36e1614000 ---p 00015000 fd:00 2228246                        /lib64/libz.so.1.2.3
36e1614000-36e1615000 rw-p 00014000 fd:00 2228246                        /lib64/libz.so.1.2.3
36e2000000-36e2016000 r-xp 00000000 fd:00 2228276                        /lib64/libgcc_s-4.4.5-20110214.so.1
36e2016000-36e2215000 ---p 00016000 fd:00 2228276                        /lib64/libgcc_s-4.4.5-20110214.so.1
36e2215000-36e2216000 rw-p 00015000 fd:00 2228276                        /lib64/libgcc_s-4.4.5-20110214.so.1
36e2c00000-36e2c16000 r-xp 00000000 fd:00 2228284                        /lib64/libresolv-2.12.so
36e2c16000-36e2e16000 ---p 00016000 fd:00 2228284                        /lib64/libresolv-2.12.so
36e2e16000-36e2e17000 r--p 00016000 fd:00 2228284                        /lib64/libresolv-2.12.so
36e2e17000-36e2e18000 rw-p 00017000 fd:00 2228284                        /lib64/libresolv-2.12.so
36e2e18000-36e2e1a000 rw-p 00000000 00:00 0 
7fbbd68e4000-7fbbd68e9000 r-xp 00000000 fd:00 2228252                    /lib64/libnss_dns-2.12.so
7fbbd68e9000-7fbbd6ae8000 ---p 00005000 fd:00 2228252                    /lib64/libnss_dns-2.12.so
7fbbd6ae8000-7fbbd6ae9000 r--p 00004000 fd:00 2228252                    /lib64/libnss_dns-2.12.so
7fbbd6ae9000-7fbbd6aea000 rw-p 00005000 fd:00 2228252                    /lib64/libnss_dns-2.12.so
7fbbd6aea000-7fbbd6af6000 r-xp 00000000 fd:00 2228254                    /lib64/libnss_files-2.12.so
7fbbd6af6000-7fbbd6cf5000 ---p 0000c000 fd:00 2228254                    /lib64/libnss_files-2.12.so
7fbbd6cf5000-7fbbd6cf6000 r--p 0000b000 fd:00 2228254                    /lib64/libnss_files-2.12.so
7fbbd6cf6000-7fbbd6cf7000 rw-p 0000c000 fd:00 2228254                    /lib64/libnss_files-2.12.so
7fbbd6cf7000-7fbbd6cfc000 rw-p 00000000 00:00 0 
7fbbd6cfc000-7fbbd6d59000 r-xp 00000000 fd:00 2228554                    /lib64/libfreebl3.so
7fbbd6d59000-7fbbd6f58000 ---p 0005d000 fd:00 2228554                    /lib64/libfreebl3.so
7fbbd6f58000-7fbbd6f5a000 rw-p 0005c000 fd:00 2228554                    /lib64/libfreebl3.so
7fbbd6f5a000-7fbbd6f5f000 rw-p 00000000 00:00 0 
7fbbd6f5f000-7fbbd6f97000 r-xp 00000000 fd:00 2228306                    /lib64/libnspr4.so
7fbbd6f97000-7fbbd7197000 ---p 00038000 fd:00 2228306                    /lib64/libnspr4.so
7fbbd7197000-7fbbd7199000 rw-p 00038000 fd:00 2228306                    /lib64/libnspr4.so
7fbbd7199000-7fbbd719d000 rw-p 00000000 00:00 0 
7fbbd719d000-7fbbd71a1000 r-xp 00000000 fd:00 2228308                    /lib64/libplc4.so
7fbbd71a1000-7fbbd73a0000 ---p 00004000 fd:00 2228308                    /lib64/libplc4.so
7fbbd73a0000-7fbbd73a1000 rw-p 00003000 fd:00 2228308                    /lib64/libplc4.so
7fbbd73a1000-7fbbd73a4000 r-xp 00000000 fd:00 2228312                    /lib64/libplds4.so
7fbbd73a4000-7fbbd75a3000 ---p 00003000 fd:00 2228312                    /lib64/libplds4.so
7fbbd75a3000-7fbbd75a4000 rw-p 00002000 fd:00 2228312                    /lib64/libplds4.so
7fbbd75a4000-7fbbd75be000 r-xp 00000000 fd:00 2899283                    /usr/lib64/libnssutil3.so
7fbbd75be000-7fbbd77bd000 ---p 0001a000 fd:00 2899283                    /usr/lib64/libnssutil3.so
7fbbd77bd000-7fbbd77c3000 rw-p 00019000 fd:00 2899283                    /usr/lib64/libnssutil3.so
7fbbd77c3000-7fbbd77c4000 rw-p 00000000 00:00 0 
7fbbd77c4000-7fbbd78f7000 r-xp 00000000 fd:00 2899487                    /usr/lib64/libnss3.so
7fbbd78f7000-7fbbd7af7000 ---p 00133000 fd:00 2899487                    /usr/lib64/libnss3.so
7fbbd7af7000-7fbbd7afe000 rw-p 00133000 fd:00 2899487                    /usr/lib64/libnss3.so
7fbbd7afe000-7fbbd7aff000 rw-p 00000000 00:00 0 
7fbbd7aff000-7fbbd7b27000 r-xp 00000000 fd:00 2899469                    /usr/lib64/libsmime3.so
7fbbd7b27000-7fbbd7d27000 ---p 00028000 fd:00 2899469                    /usr/lib64/libsmime3.soreproducer.sh: line 10: 26554 Aborted                 (core dumped) ldapadd -H ldap:// -D cn=Manager,dc=my-domain,dc=com -x -w

2B.

adding new entry "dc=my-domain, dc=com"

*** glibc detected *** ldapadd: malloc(): memory corruption: 0x00000000023cde60 ***
(hang)

Expected results:

No crashes, no hangs, users are added correctly.

Comment 1 Ondrej Moriš 2011-04-22 09:50:26 UTC
Created attachment 494152 [details]
User and base data without a new line at the end, crash.

Comment 2 Ondrej Moriš 2011-04-22 09:51:19 UTC
Created attachment 494153 [details]
Base data without a new line at the end, no crash.

Comment 3 Ondrej Moriš 2011-04-22 09:51:58 UTC
Created attachment 494154 [details]
User data without a new line at the end, crash.

Comment 9 Jan Vcelak 2011-07-18 15:54:51 UTC
Fix included in openldap-2.4.23-16.el6

Comment 11 Jan Vcelak 2011-08-15 09:05:59 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
- pass LDIF input file to any openldap client tool (e.g. ldapadd) while the file is not terminated by newline character
- the client crashes with segmentation fault
- the unusual situation is now handled by to tools
- requested operation succeeds and the tool does not crash

Comment 13 errata-xmlrpc 2011-12-06 12:12:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1514.html


Note You need to log in before you can comment on or make changes to this bug.