Bug 872784 - slapcat segfaults when called form /usr/libexec/openldap/check-config.sh if /etc/openldap/slapd.d/cn=config.ldif not present
slapcat segfaults when called form /usr/libexec/openldap/check-config.sh if /...
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: openldap (Show other bugs)
17
x86_64 Linux
unspecified Severity low
: ---
: ---
Assigned To: Jan Včelák
Fedora Extras Quality Assurance
: Patch
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-11-03 00:07 EDT by Bojan Smojver
Modified: 2013-08-01 13:17 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-08-01 13:17:08 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
proposed patch (870 bytes, patch)
2012-11-26 10:00 EST, Jan Vcelak
no flags Details | Diff

  None (edit)
Description Bojan Smojver 2012-11-03 00:07:45 EDT
Description of problem:
If one uses /etc/openldap/slapd.conf file instead of /etc/openldap/slapd.d/cn=config.ldif, on every restart of slapd, slapcat will segfault when called from  /usr/libexec/openldap/check-config.sh if /etc/openldap/slapd.d/cn=config.ldif file is not present. Log has:
------------------
Nov  3 15:00:34 beauty kernel: [87410.331508] slapcat[17655]: segfault at 0 ip 00007f5c526e75f9 sp 00007fff6db855f0 error 4 in slapd[7f5c52611000+187000]
------------------

Slapd works fine and all.

Version-Release number of selected component (if applicable):
openldap-2.4.33-2.fc17.x86_64

How reproducible:
Always.

Steps to Reproduce:
1. Use slapd.conf.
2. Restart slapd.
3. See slapcat segfault.
  
Actual results:
Segfault.

Expected results:
Should not segfault.

Additional info:
Comment 1 Jan Vcelak 2012-11-05 03:55:56 EST
You should not be using slapd.conf. :-)

Anyway, I'm unable to reproduce this problem. Please, can you attach your slapd.conf? Feel free to obfuscate any sensitive information.
Comment 2 Bojan Smojver 2012-11-05 15:59:55 EST
(In reply to comment #1)
> You should not be using slapd.conf. :-)

At one point Fedora init scripts converted this file to cn=config system (this was a few releases ago), which then made the whole thing an unreadable mess. It seems, however, that these days slapd has no trouble actually using this static file.

The main reason I went back to slapd.conf is bug #871670. It was simply easier to experiment with it, being a plain text file.

> Anyway, I'm unable to reproduce this problem. Please, can you attach your
> slapd.conf? Feel free to obfuscate any sensitive information.

Sent privately.
Comment 4 Jan Vcelak 2012-11-07 04:28:40 EST
(In reply to comment #2)
> At one point Fedora init scripts converted this file to cn=config system
> (this was a few releases ago), which then made the whole thing an unreadable
> mess. It seems, however, that these days slapd has no trouble actually using
> this static file.

Maybe unreadable, but you can change the configuration without stopping the server and the configuration will be persistent. It is quite possible that the support for slapd.conf will be dropped in future by upstream.

> Sent privately.

Thanks, but I still cannot reproduce. How did you set up OpenLDAP to use slapd.conf? Have you done some changes in /etc/sysconfig/slapd, or have you just deleted slapd.d? What permissions and selinux context do you have on slapd.conf and slapd.d?
Comment 5 Bojan Smojver 2012-11-07 17:56:33 EST
(In reply to comment #4)
 
> Thanks, but I still cannot reproduce. How did you set up OpenLDAP to use
> slapd.conf? Have you done some changes in /etc/sysconfig/slapd, or have you
> just deleted slapd.d? What permissions and selinux context do you have on
> slapd.conf and slapd.d?

This is what I have in /etc/sysconfig/slapd (this was carried over many, many Fedora upgrades):
--------------------
SLAPD_LDAP=no
SLAPD_URLS="ldap://127.0.0.1/ ldap://<NIC IP>/ ldaps://127.0.0.1 ldaps://<NIC IP>/"
--------------------

/etc/openldap/slapd.d is there, but it contains no files. If I touch cn=config.ldif, there will be no segfault, but obviously, slapd will not work properly.

All SELinux contexts and permissions are default. There are no denials in audit.log.
Comment 6 Bojan Smojver 2012-11-07 19:56:08 EST
Hope this helps:

# gdb /usr/sbin/slapcat 
GNU gdb (GDB) Fedora (7.4.50.20120120-52.fc17)
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/slapcat...Reading symbols from /usr/lib/debug/usr/sbin/slapd.debug...done.
done.
(gdb) set args -c -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))'
(gdb) r
Starting program: /usr/sbin/slapcat -c -H 'ldap:///cn=config???(|(objectClass=olcBdbConfig)(objectClass=olcHdbConfig))'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
# no data for entry id=00000000


Program received signal SIGSEGV, Segmentation fault.
0x000055555562a5f9 in ldif_tool_entry_next (be=<optimized out>) at ldif.c:1743
1743			Entry *e = tl->entries[ tl->ecurrent ];
Missing separate debuginfos, use: debuginfo-install keyutils-libs-1.5.5-2.fc17.x86_64 krb5-libs-1.10.2-6.fc17.x86_64 libcom_err-1.42.3-3.fc17.x86_64 libgcc-4.7.2-2.fc17.x86_64 libselinux-2.1.10-3.fc17.x86_64 nss-softokn-freebl-3.13.6-1.fc17.x86_64 zlib-1.2.5-7.fc17.x86_64
(gdb) bt
#0  0x000055555562a5f9 in ldif_tool_entry_next (be=<optimized out>)
    at ldif.c:1743
#1  0x00005555556076ac in slapcat (argc=<optimized out>, argv=<optimized out>)
    at slapcat.c:99
#2  0x00005555555789d1 in main (argc=<optimized out>, argv=0x7fffffffe3e8)
    at main.c:664
Comment 7 Jan Vcelak 2012-11-26 08:59:51 EST
I can reproduce now.
Comment 8 Jan Vcelak 2012-11-26 10:00:03 EST
Created attachment 651996 [details]
proposed patch

Patch to crash gracefully under described conditions.

Submitted upstream:
http://www.openldap.org/its/index.cgi?findid=7451
Comment 9 Jan Vcelak 2012-11-28 04:36:03 EST
A different patch was accepted:

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=e1ccebc

I do not think this fix is critical. I will update the package when there are more fixes.
Comment 10 Fedora Admin XMLRPC Client 2013-01-30 06:10:54 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 11 Fedora End Of Life 2013-07-04 01:57:56 EDT
This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 12 Fedora End Of Life 2013-08-01 13:17:14 EDT
Fedora 17 changed to end-of-life (EOL) status on 2013-07-30. Fedora 17 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.