Bug 698921 - ldapadd crashes on x86_64 with specific ldifs
Summary: ldapadd crashes on x86_64 with specific ldifs
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: openldap
Version: 6.1
Hardware: x86_64
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
: ---
Assignee: Jan Vcelak
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks: 716858
Reported: 2011-04-22 09:49 UTC by Ondrej Moriš
Modified: 2013-03-04 01:29 UTC (History)

Fixed In Version: openldap-2.4.23-16.el6
Doc Type: Bug Fix
Doc Text:
- pass LDIF input file to any openldap client tool (e.g. ldapadd) while the file is not terminated by newline character
- the client crashes with segmentation fault
- the unusual situation is now handled by the tools
- requested operation succeeds and the tool does not crash
Clone Of:
: 716858 (view as bug list)
Environment:
Last Closed: 2011-12-06 12:12:27 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Base data without a new line at the end, no crash. (122 bytes, application/octet-stream)
2011-04-22 09:49 UTC, Ondrej Moriš
User and base data without a new line at the end, crash. (289 bytes, text/plain)
2011-04-22 09:50 UTC, Ondrej Moriš
Base data without a new line at the end, no crash. (122 bytes, text/plain)
2011-04-22 09:51 UTC, Ondrej Moriš
User data without a new line at the end, crash. (165 bytes, text/plain)
2011-04-22 09:51 UTC, Ondrej Moriš


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:1514 0 normal SHIPPED_LIVE openldap bug fix and enhancement update 2011-12-06 00:51:20 UTC

Description Ondrej Moriš 2011-04-22 09:49:38 UTC
Created attachment 494151 [details]
Base data without a new line at the end, no crash.

Description of a problem:

Client tool ldapadd crashed (or hung) with specific ldifs (attached dataB.ldif, dataA.ldif). It is caused by a missing new line at the end of these ldifs; if you add a new line at the end, ldapadd will not crash. The curious thing here is that ldapadd does not need a new line in an ldif file in general (attached base.ldif), but if it is missing in a certain ldif, it will cause a crash.

It is not hard to see that there is not

Version-Release number of selected component (if applicable):

openldap-2.4.19-15.el6_0.2
openldap-2.4.23-15.el6

How reproducible:

Always on x86_64, never on the other archs (i386, s390x, ppc64).

Steps to Reproduce:

1.  Start slapd service using attached slapd.conf.

2A. ldapadd -H ldap:// -D cn=Manager,dc=my-domain,dc=com -x -w x -f base.ldif
    ldapadd -H ldap:// -D cn=Manager,dc=my-domain,dc=com -x -w x -f dataB.ldif

2B. ldapadd -H ldap:// -D cn=Manager,dc=my-domain,dc=com -x -w x -f dataA.ldif

  
Actual results:

2A.

adding new entry "dc=my-domain, dc=com"

adding new entry "cn=B,dc=my-domain,dc=com"

*** glibc detected *** ldapadd: munmap_chunk(): invalid pointer: 0x00000000023a3018 ***
======= Backtrace: =========
/lib64/libc.so.6[0x36e0875716]
ldapadd[0x404364]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x36e081ec9d]
ldapadd[0x403759]
reproducer.sh: line 10: 26554 Aborted                 (core dumped) ldapadd -H ldap:// -D cn=Manager,dc=my-domain,dc=com -x -w

2B.

adding new entry "dc=my-domain, dc=com"

*** glibc detected *** ldapadd: malloc(): memory corruption: 0x00000000023cde60 ***
(hang)

Expected results:

No crashes, no hangs, users are added correctly.
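
The report above notes that adding a new line at the end of the LDIF avoids the crash. As an added example (not part of the original report or of OpenLDAP), the shell functions below flag LDIF files whose last byte is not a newline and write a newline-terminated copy for builds older than openldap-2.4.23-16.el6. The function names and the sample entry's attributes are constructed for illustration.

```shell
#!/bin/sh
# Added example: find LDIF files that lack a terminating newline.
# Function names are hypothetical, not part of OpenLDAP.

# Succeeds when the file is non-empty and its last byte is not '\n'.
ldif_missing_final_newline() {
    [ -s "$1" ] || return 1                      # empty file: nothing to flag
    # Compare the last byte as hex so NUL or other odd bytes are not lost.
    last=$(tail -c 1 -- "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last" != "0a" ]
}

# Print each argument that lacks a final newline; status 1 if any did.
ldif_audit() {
    rc=0
    for f in "$@"; do
        if ldif_missing_final_newline "$f"; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return "$rc"
}

# Write a newline-terminated copy of $1 to $2, leaving $1 untouched.
ldif_normalized_copy() {
    cp -- "$1" "$2" || return 1
    if ldif_missing_final_newline "$2"; then
        printf '\n' >> "$2"
    fi
}

# Demo on a constructed entry (attribute values are made up).
demo_dir=$(mktemp -d)
printf 'dn: cn=B,dc=my-domain,dc=com\nobjectClass: person\ncn: B\nsn: B' \
    > "$demo_dir/dataB.ldif"
ldif_audit "$demo_dir/dataB.ldif" >/dev/null || echo "dataB.ldif: no final newline"
ldif_normalized_copy "$demo_dir/dataB.ldif" "$demo_dir/dataB.fixed.ldif"
ldif_audit "$demo_dir/dataB.fixed.ldif" && echo "dataB.fixed.ldif: ok to import"
rm -rf "$demo_dir"
```

The normalized copy, not the original, is the file to pass to `ldapadd -f` on an unpatched client.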

Comment 1 Ondrej Moriš 2011-04-22 09:50:26 UTC
Created attachment 494152 [details]
User and base data without a new line at the end, crash.

Comment 2 Ondrej Moriš 2011-04-22 09:51:19 UTC
Created attachment 494153 [details]
Base data without a new line at the end, no crash.

Comment 3 Ondrej Moriš 2011-04-22 09:51:58 UTC
Created attachment 494154 [details]
User data without a new line at the end, crash.

Comment 9 Jan Vcelak 2011-07-18 15:54:51 UTC
Fix included in openldap-2.4.23-16.el6

Comment 11 Jan Vcelak 2011-08-15 09:05:59 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
- pass LDIF input file to any openldap client tool (e.g. ldapadd) while the file is not terminated by newline character
- the client crashes with segmentation fault
- the unusual situation is now handled by the tools
- requested operation succeeds and the tool does not crash

Comment 13 errata-xmlrpc 2011-12-06 12:12:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1514.html

