Bug 788728 - Invalid read reported by valgrind
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.3
Target Milestone: rc
Assigned To: Rich Megginson
QA Contact: IDM QE LIST
Reported: 2012-02-08 17:03 EST by Rich Megginson
Modified: 2012-06-20 03:13 EDT
Fixed In Version: 389-ds-base-1.2.10.0-1.el6
Doc Type: Bug Fix
Doc Text:
This is not a bug that could have been seen by a customer. This fix improves the server robustness.
Last Closed: 2012-06-20 03:13:57 EDT
External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2012:0813
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: 389-ds-base security, bug fix, and enhancement update
Last Updated: 2012-06-19 15:29:15 EDT

Description Rich Megginson 2012-02-08 17:03:05 EST
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/275

==30265== Invalid read of size 1
==30265==    at 0x4C4DAE4: comp_cmp (attr.c:98)
==30265==    by 0x4C4DBED: slapi_attr_type_cmp (attr.c:131)
==30265==    by 0x4CAF1C7: default_mr_filter_match (plugin_mr.c:391)
==30265==    by 0x4C7589B: test_extensible_filter (filterentry.c:588)
==30265==    by 0x4C763F1: slapi_vattr_filter_test_ext_internal (filterentry.c:953)
==30265==    by 0x4C75EB7: slapi_vattr_filter_test_ext (filterentry.c:842)
==30265==    by 0x4C75DEE: slapi_vattr_filter_test (filterentry.c:790)
==30265==    by 0x9A43860: ldbm_back_next_search_entry_ext (ldbm_search.c:1598)
==30265==    by 0x9A42CA6: ldbm_back_next_search_entry (ldbm_search.c:1309)
==30265==    by 0x4C9ECE8: iterate (opshared.c:1183)
==30265==    by 0x4C9F5E8: send_results_ext (opshared.c:1580)
==30265==    by 0x4C9E3F9: op_shared_search (opshared.c:764)
==30265==    by 0x42CACA: do_search (search.c:397)
==30265==    by 0x414089: connection_dispatch_operation (connection.c:619)
==30265==    by 0x4158F4: connection_threadmain (connection.c:2336)
==30265==    by 0x36C3628442: ??? (in /lib64/libnspr4.so)
==30265==    by 0x3936C07B40: start_thread (pthread_create.c:305)
==30265==    by 0x39360DF49C: clone (clone.S:115)
==30265==  Address 0x5123ae0 is 0 bytes inside a block of size 19 free'd
==30265==    at 0x4A055FE: free (vg_replace_malloc.c:366)
==30265==    by 0x4C5552D: slapi_ch_free (ch_malloc.c:363)
==30265==    by 0x4C72530: filter_normalize_ext (filter.c:1163)
==30265==    by 0x4C725CD: slapi_filter_normalize (filter.c:1189)
==30265==    by 0x9A42281: ldbm_back_search (ldbm_search.c:882)
==30265==    by 0x4C9E30D: op_shared_search (opshared.c:714)
==30265==    by 0x42CACA: do_search (search.c:397)
==30265==    by 0x414089: connection_dispatch_operation (connection.c:619)
==30265==    by 0x4158F4: connection_threadmain (connection.c:2336)
==30265==    by 0x36C3628442: ??? (in /lib64/libnspr4.so)
==30265==    by 0x3936C07B40: start_thread (pthread_create.c:305)
==30265==    by 0x39360DF49C: clone (clone.S:115)

==13399== Thread 41:
==13399== Invalid read of size 8
==13399==    at 0x4CA061D: slapi_pblock_get (pblock.c:153)
==13399==    by 0x53A09DF: ces_filter_ava (ces.c:305)
==13399==    by 0x4CAF218: default_mr_filter_match (plugin_mr.c:398)
==13399==    by 0x4C7589B: test_extensible_filter (filterentry.c:588)
==13399==    by 0x4C763F1: slapi_vattr_filter_test_ext_internal (filterentry.c:953)
==13399==    by 0x4C75EB7: slapi_vattr_filter_test_ext (filterentry.c:842)
==13399==    by 0x4C75DEE: slapi_vattr_filter_test (filterentry.c:790)
==13399==    by 0x9A43860: ldbm_back_next_search_entry_ext (ldbm_search.c:1598)
==13399==    by 0x9A42CA6: ldbm_back_next_search_entry (ldbm_search.c:1309)
==13399==    by 0x4C9ECE8: iterate (opshared.c:1183)
==13399==    by 0x4C9F5E8: send_results_ext (opshared.c:1580)
==13399==    by 0x4C9E3F9: op_shared_search (opshared.c:764)
==13399==    by 0x42CAEF: do_search (search.c:400)
==13399==    by 0x414089: connection_dispatch_operation (connection.c:619)
==13399==    by 0x4158F4: connection_threadmain (connection.c:2336)
==13399==    by 0x36C3628442: ??? (in /lib64/libnspr4.so)
==13399==    by 0x3936C07B40: start_thread (pthread_create.c:305)
==13399==    by 0x39360DF49C: clone (clone.S:115)
==13399==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
Comment 1 Noriko Hosoi 2012-02-13 19:57:21 EST
Steps to verify.
Run valgrind with the filter test case.
If the valgrind output files do not contain "Invalid read", the bug was verified.
Comment 5 Noriko Hosoi 2012-05-24 18:38:59 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.

    New Contents:
Cause: Passed memory which could be modified in an API.
Consequence: Possible invalid memory access.
Fix: Duplicated memory is passed to the API.
Result: The memory check tool shows no invalid read.
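
The cause/fix pattern in the technical note above, as an added example that is not part of the bug report and is not 389-ds-base code. The struct names, `normalize_type`, `matcher_init` and the sample attribute type are hypothetical stand-ins: an API frees and replaces a string it was handed while a second holder still points at the old buffer, and the fix gives that holder its own duplicate.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for illustration; not 389-ds-base code. */
struct filter  { char *type; };                 /* owns its attribute type */
struct matcher { const char *type; int owns; }; /* state read by a match callback */

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (!p) abort();
    memcpy(p, s, n);
    return p;
}

/* An API that may modify its argument: frees *s and installs a lowercased copy. */
static void normalize_type(char **s) {
    char *out = dup_str(*s);
    for (char *c = out; *c; c++) *c = (char)tolower((unsigned char)*c);
    free(*s);
    *s = out;
}

/* dup == 0: the matcher borrows the filter's buffer (the pattern under "Cause").
 * dup == 1: the matcher gets its own copy (the pattern under "Fix"). */
static void matcher_init(struct matcher *m, const struct filter *f, int dup) {
    m->type = dup ? dup_str(f->type) : f->type;
    m->owns = dup;
}

/* Returns 1 when the matcher still sees the type it was initialised with.
 * With dup == 0 the strcmp reads freed memory: undefined behaviour, and the
 * kind of access a memory checker reports as "Invalid read". */
int type_survives_normalize(int dup) {
    static const char original[] = "CN;Lang-EN";   /* constructed sample */
    struct filter f = { dup_str(original) };
    struct matcher m;
    matcher_init(&m, &f, dup);
    normalize_type(&f.type);                /* the original buffer is freed here */
    int same = strcmp(m.type, original) == 0;
    if (m.owns) free((char *)m.type);
    free(f.type);
    return same;
}

/* No argument: fixed path. Any argument: borrowed path, for a memory checker. */
int main(int argc, char **argv) {
    (void)argv;
    return type_survives_normalize(argc < 2) ? 0 : 1;
}
```

Built with `-g` and run under valgrind, the no-argument invocation should be clean; the borrowed path is there only so the stale read can be observed with a memory checker.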
Comment 6 Rich Megginson 2012-05-24 19:26:45 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
This is not a bug that could have been seen by a customer.  This fix improves the server robustness.
Comment 7 Amita Sharma 2012-05-30 04:08:37 EDT
Marking the bugs Verified, sanity only.
Comment 8 errata-xmlrpc 2012-06-20 03:13:57 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0813.html
