Bug 700665 - Linked attributes callbacks access free'd pointers after close
Summary: Linked attributes callbacks access free'd pointers after close
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.1
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 700557
Blocks: 701559
TreeView+ depends on / blocked
 
Reported: 2011-04-28 22:20 UTC by Nathan Kinder
Modified: 2015-01-04 23:48 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 700557
Environment:
Last Closed: 2011-12-06 17:48:36 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2011:1711 0 normal SHIPPED_LIVE 389-ds-base bug fix and enhancement update 2011-12-06 01:02:20 UTC

Description Nathan Kinder 2011-04-28 22:20:58 UTC 
+++ This bug was initially created as a clone of Bug #700557 +++

The linked attributes plug-in callbacks can still try to access free'd resources after it's close callback has been called.  This can cause ns-slapd to crash.

This issue was found by kicking off a long-running memberOf fixup task with linked attributes configured, then immediately stopping ns-slapd.  This caused the linked attributes close function to be called, which releases it's resources, yet the server still calls the linked attributes callbacks for internal operations done by the memberOf fixup task.

The linked attributes close callback needs to unset the started flag that is used to determine if the plug-in resources are currently allocated and ready for service.

--- Additional comment from nkinder on 2011-04-28 13:39:49 EDT ---

This same issue actually applies to the following plug-ins:

- DNA
- Linked Attributes
- Managed Entries
- Auto Membership

We should address this issue in all of these plug-ins.  We need to unset the started flag in the close() callbacks, which needs to be done with the write lock on the config held.  To prevent problems with waiting readers, we need to make all readers check if the started flag is set after they obtain a reader lock.  This will deal with the case where the plug-in was stopped while a thread was waiting on a reader lock.  We also need to be sure to NOT free the lock in the close() function so that these waiting readers don't crash the server.

--- Additional comment from rmeggins on 2011-04-28 13:46:50 EDT ---

What is the scope of this work?

--- Additional comment from nkinder on 2011-04-28 13:53:31 EDT ---

Created attachment 495618 [details]
Patch

--- Additional comment from nkinder on 2011-04-28 18:17:57 EDT ---

Pushed patch to master.  Thanks to Rich for his review!

Counting objects: 25, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (13/13), done.
Writing objects: 100% (13/13), 3.44 KiB, done.
Total 13 (delta 8), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   c2c82cb..2210765  master -> master

--- Additional comment from nkinder on 2011-04-28 18:20:22 EDT ---

Pushed to 389-ds-base-1.2.8 branch.

Counting objects: 21, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (11/11), done.
Writing objects: 100% (11/11), 2.90 KiB, done.
Total 11 (delta 7), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   3bb70c1..ef51110  128-local -> 389-ds-base-1.2.8
Comment 5 Amita Sharma 2011-05-05 11:09:56 UTC 
Tested :

- Configure the linked attributes plug-in (attributes themselves don't matter).

ldapmodify -x -h localhost -D "cn=directory manager" -w xxxxx -p 389 << EOF
dn: cn=Linked Attributes,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on


- Enable the memberOf plug-in.

ldapmodify -x -h localhost -D "cn=directory manager" -w xxxxxx -p 389 << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on

ldapmodify -x -h localhost -D "cn=directory manager" -w xxxxxxxx -p 389 << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: memberofattr
memberofattr: memberOf

ldapmodify -x -h localhost -D "cn=directory manager" -w xxxxxx -p 389 << EOF
dn: cn=MemberOf Plugin,cn=plugins,cn=config
changetype: modify
replace: memberofgroupattr
memberofgroupattr: uniqueMember

service dirsrv restart

- Import a sizeable database with many group memberships. 100 group entries
with 5000 users should be sufficient if you have some of the groups have many
members and have some groups be members of other groups (nested grouping).

- Run the fixup-memberof.pl script to fire of a fixup task on the entire
database, then immediately run 'service dirsrv stop'.

/usr/lib64/dirsrv/slapd-rheltest/fixup-memberof.pl -v -D "cn=Directory Manager" -w xxxxx -b "ou=unix,dc=corp,dc=example,dc=com"

No Crash found.
Comment 6 errata-xmlrpc 2011-12-06 17:48:36 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2011-1711.html
Note You need to log in before you can comment on or make changes to this bug.