Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 731112 - NSS_Init* functions are not thread safe
Summary: NSS_Init* functions are not thread safe
Alias: None
Product: Fedora
Classification: Fedora
Component: openldap
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Jan Vcelak
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 731168
TreeView+ depends on / blocked
Reported: 2011-08-16 18:12 UTC by Rich Megginson
Modified: 2013-03-04 01:29 UTC (History)
4 users (show)

Fixed In Version: openldap-2.4.24-5.fc15
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 731168 (view as bug list)
Last Closed: 2011-11-17 23:41:35 UTC
Type: ---

Attachments (Terms of Use)
backported patch for F14 (6.73 KB, patch)
2011-08-17 11:03 UTC, Jan Vcelak
rmeggins: review+
Details | Diff

Description Rich Megginson 2011-08-16 18:12:08 UTC
Description of problem:
    The NSS_InitContext et. al, and their corresponding shutdown functions,
    are not thread safe.  There can only be one thread at a time calling
    these functions.  Protect the calls with a mutex.  Create the mutex
    using a PR_CallOnce to ensure that the mutex is only created once and
    not used before created.  Move the registration of the nss shutdown
    callback to also use a PR_CallOnce.  Removed the call to
    SSL_ClearSessionCache() because it is always called at shutdown, and we must
    not call it more than once.

Fixed upstream: http://www.openldap.org/its/index.cgi?findid=7022

Comment 1 Rich Megginson 2011-08-16 20:17:27 UTC
Steps to reproduce:
set up 2 openldap servers - one as a syncrepl provider, and the other as a syncrepl consumer, doing replication over TLS, for example:

olcSyncrepl: {0}rid=1 provider=ldap://localhost.localdomain:1389 searchbase=dc
 =example,dc=com bindmethod=simple binddn=cn=manager,dc=example,dc=com credent
 ials=secret type=refreshAndPersist retry="1 +" starttls=critical tls_cacert=/

where the provider is listening to ldap://localhost.localdomain:1389/ and has a database with a suffix dc=example,dc=com.  In my testing, I also had a
olcRootDN: cn=Manager,dc=example,dc=com
for this database which I also used for syncrepl.

Run a client that adds entries to the provider, and run an ldapsearch (using TLS) on the consumer to check that the entries are synced to the consumer.

You should notice the crash on the consumer soon after enabling syncrepl to use TLS on the consumer.

Comment 2 Jan Vcelak 2011-08-17 11:03:07 UTC
Created attachment 518654 [details]
backported patch for F14

LDAP_MUTEX_LOCK -> ldap_pvt_thread_mutex_lock
LDAP_MUTEX_UNLOCK -> ldap_pvt_thread_mutex_unlock

Comment 3 Fedora Update System 2011-08-24 19:33:03 UTC
openldap-2.4.26-2.fc16 has been submitted as an update for Fedora 16.

Comment 4 Fedora Update System 2011-08-24 19:38:32 UTC
openldap-2.4.24-4.fc15 has been submitted as an update for Fedora 15.

Comment 5 Fedora Update System 2011-08-26 19:03:31 UTC
Package openldap-2.4.24-4.fc15:
* should fix your issue,
* was pushed to the Fedora 15 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openldap-2.4.24-4.fc15'
as soon as you are able to.
Please go to the following url:
then log in and leave karma (feedback).

Comment 6 Fedora Update System 2011-09-12 18:54:57 UTC
openldap-2.4.26-3.fc16 has been submitted as an update for Fedora 16.

Comment 7 Fedora Update System 2011-09-12 19:01:32 UTC
openldap-2.4.24-5.fc15 has been submitted as an update for Fedora 15.

Comment 8 Fedora Update System 2011-11-05 01:24:56 UTC
openldap-2.4.26-5.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2011-11-17 23:41:35 UTC
openldap-2.4.24-5.fc15 has been pushed to the Fedora 15 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.