Issue 8199 - Crash when modifying the first olcAttributeTypes element in olcSchemaConfig objectClass
Summary: Crash when modifying the first olcAttributeTypes element in olcSchemaConfig objectClass
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd (show other issues)
Version: 2.4.40
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-07-14 11:13 UTC by luca.bruno@rocket-internet.de
Modified: 2015-08-18 17:41 UTC (History)

See Also:


Description luca.bruno@rocket-internet.de 2015-07-14 11:13:56 UTC
Full_Name: Luca BRUNO
Version: 2.4.40
OS: Debian
URL: 
Submission from: (NULL) (217.110.53.72)


Hi,
slapd 2.4.40 reliably crashes when modifying the 0th olcAttributeTypes element
in an olcSchemaConfig object.
This is a stacktrace captured when trying to change the "DESC" field of the
"gecos" attribute in the "nis" schema (this is just an easier/dumb reproducer,
the crash was first seen in production with a custom schema).

Short stacktrace first:
"""
#0  0x00007f804d028d78 in at_next (at=at@entry=0x7f8040842318) at
../../../../servers/slapd/at.c:368
#1  0x00007f804cfd1a2a in config_generic (c=0x7f8040845650) at
../../../../servers/slapd/bconfig.c:1686
#2  0x00007f804cfd7a4b in config_set_vals (Conf=0x7f804d2d4ca0,
c=0x7f8040845650) at ../../../../servers/slapd/config.c:353
#3  0x00007f804cfd846d in config_parse_add (ct=ct@entry=0x7f804d2d4ca0,
c=c@entry=0x7f8040845650, valx=<optimized out>)
    at ../../../../servers/slapd/config.c:697
#4  0x00007f804cfcb977 in config_modify_add (ct=ct@entry=0x7f804d2d4ca0,
ca=ca@entry=0x7f8040845650, i=i@entry=0, 
    ad=<error reading variable: Unhandled dwarf expression opcode 0xfa>) at
../../../../servers/slapd/bconfig.c:5504
#5  0x00007f804cfcc86d in config_modify_internal (ca=0x7f8040845650,
rs=0x7f8040847a50, op=0x7f804d2d9fc0, ce=<optimized out>)
    at ../../../../servers/slapd/bconfig.c:5761
#6  config_back_modify (op=0x7f804d2d9fc0, rs=0x7f8040847a50) at
../../../../servers/slapd/bconfig.c:5906
#7  0x00007f804cffa7f9 in fe_op_modify (op=0x7f80380008b0, rs=0x7f8040847a50) at
../../../../servers/slapd/modify.c:303
#8  0x00007f804cffc6bd in do_modify (op=0x7f80380008b0, rs=0x7f8040847a50) at
../../../../servers/slapd/modify.c:177
#9  0x00007f804cfe2d81 in connection_operation (ctx=ctx@entry=0x7f8040847ba0,
arg_v=arg_v@entry=0x7f80380008b0)
    at ../../../../servers/slapd/connection.c:1155
#10 0x00007f804cfe30a4 in connection_read_thread (ctx=0x7f8040847ba0,
argv=<optimized out>) at ../../../../servers/slapd/connection.c:1291
#11 0x00007f804cb43f83 in ldap_int_thread_pool_wrapper (opool=0x7f804dfedfd0) at
../../../../libraries/libldap_r/tpool.c:688
#12 0x00007f804af53b50 in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0
#13 0x00007f804ac9d95d in clone () from /lib/x86_64-linux-gnu/libc.so.6
#14 0x0000000000000000 in ?? ()
"""

Detailed trace:
"""
#0  0x00007f804d028d78 in at_next (at=at@entry=0x7f8040842318) at
../../../../servers/slapd/at.c:368
        __PRETTY_FUNCTION__ = "at_next"
#1  0x00007f804cfd1a2a in config_generic (c=0x7f8040845650) at
../../../../servers/slapd/bconfig.c:1686
        %3= <optimized out>
        at = 0x0
        prev = 0x0
        i = <optimized out>
        __PRETTY_FUNCTION__ = "config_generic"
#2  0x00007f804cfd7a4b in config_set_vals (Conf=0x7f804d2d4ca0,
c=0x7f8040845650) at ../../../../servers/slapd/config.c:353
        rc = <optimized out>
        arg_type = <optimized out>
        ptr = 0x0
#3  0x00007f804cfd846d in config_parse_add (ct=ct@entry=0x7f804d2d4ca0,
c=c@entry=0x7f8040845650, valx=<optimized out>)
    at ../../../../servers/slapd/config.c:697
        rc = 0
#4  0x00007f804cfcb977 in config_modify_add (ct=ct@entry=0x7f804d2d4ca0,
ca=ca@entry=0x7f8040845650, i=i@entry=0, 
    ad=<error reading variable: Unhandled dwarf expression opcode 0xfa>) at
../../../../servers/slapd/bconfig.c:5504
        rc = <optimized out>
#5  0x00007f804cfcc86d in config_modify_internal (ca=0x7f8040845650,
rs=0x7f8040847a50, op=0x7f804d2d9fc0, ce=<optimized out>)
    at ../../../../servers/slapd/bconfig.c:5761
        e = 0x7f804e00ae18
        save_attrs = 0x7f804e01fa30
        a = 0x7f804e40b858
        colst = 0x7f804e07f120
        i = <optimized out>
        dels = 0x0
        rc = <optimized out>
        oc_at = <optimized out>
        ct = 0x7f804d2d4ca0
        nocs = 2
        ptr = <optimized out>
        s = <optimized out>
        deltail = 0x7f8040846818
        ml = <optimized out>
#6  config_back_modify (op=0x7f804d2d9fc0, rs=0x7f8040847a50) at
../../../../servers/slapd/bconfig.c:5906
        cfb = 0x7f8040847a50
        ce = <optimized out>
        last = <optimized out>
        ml = <optimized out>
        ca = {argc = 18, argv = 0x7f804e99cfa0, argv_size = 513, 
          line = 0x7f804e058993 "( 1.3.6.1.1.1.1.4 NAME 'loginShell' DESC 'The d
to the login shell' EQUALITY caseExactIA5Match SYNTAX
1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )", tline = 0x7f804e99a340 "(", fname
= 0x7f804d071961 "slapd", lineno = 0, 
          log = "olcAttributeTypes: value #0", '\000' <repeats 4096 times>,
reply = {err = 0, msg = '\000' <repeats 255 times>}, depth = 0, valx = 1, 
          values = {v_int = 0, v_uint = 0, v_long = 0, v_ulong = 0, v_ber_t = 0,
v_string = 0x0, v_bv = {bv_len = 0, bv_val = 0x0}, v_dn = {vdn_dn = {
                bv_len = 0, bv_val = 0x0}, vdn_ndn = {bv_len = 0, bv_val =
0x0}}, v_ad = 0x0}, rvalue_vals = 0x0, rvalue_nvals = 0x0, op = 0, type = 25, 
          ca_op = 0x7f80380008b0, be = 0x7f804d2dbbe0, bi = 0x0, ca_entry =
0x7f804e00ae18, ca_private = 0x7f804e04f8e0, cleanup = 0, table = Cft_Schema}
        rdn = {bv_len = 2, bv_val = 0x7f804e081ef0
"cn={2}nis,cn=schema,cn=config"}
        ptr = <optimized out>
        rad = 0x7f804dfeada0
        do_pause = <optimized out>
#7  0x00007f804cffa7f9 in fe_op_modify (op=0x7f80380008b0, rs=0x7f8040847a50) at
../../../../servers/slapd/modify.c:303
        update = <optimized out>
        repl_user = <optimized out>
        op_be = <optimized out>
        bd = 0x7f804d2dbbe0
        textbuf = "\002\000\000\000\000\000\000\000\214\311\303J\200\177\000\000\260\370\231N\200\177\000\000\345\375\377L\200\177\000\000\320\001\000\000\000\000\000\000\240\255\201N\200\177\000\000
\342\375M\200\177\000\000b\366\231N\200\177\000\000\277\000\000\000\000\000\000\000\200&#537;N\200\177\000\000\003\000\000\000\000\000\000\000`\366\231N\200\177\000\000\001\000\000\000\000\000\000\000a\366\231N\200\177\000\000\360h\204@\200\177\000\000\031\000\000\000\000\000\000\000\000\266\005N\200\177\000\000p%\377M\200\177",
'\000' <repeats 18 times>"\220,
\001\000P000\000\000\000\000&#2037;\377L\200\177\000\000\020\017\000\070\200\177\000\000\020\025\000\070\200\177\000\000\340i\204@\200\177\000\000pz\204@\200\177\000\000\000\001\000\000\000\000\000\000\260\b\000\070\200\177\000\000\025\000\000\000\000\000\000\000m\210\377L\200\177\000\000\000\000\000\000\000\000\000\000\020\025\000\070\200\177\000"
#8  0x00007f804cffc6bd in do_modify (op=0x7f80380008b0, rs=0x7f8040847a50) at
../../../../servers/slapd/modify.c:177
        dn = {bv_len = 29, bv_val = 0x7f804e99b569
"cn={2}nis,cn=schema,cn=config"}
        textbuf = "olcAttributeTypes\000jectClass\000amp\000�%F\217\067\260\264l\221c`=\bX\302J5\347\343\001\255\064\336\002!\036\322\326L\350\304'\245\234\026\016dJ'\315:\225\034\310f\245&#1228;uV.\234&F\233c\324\023'\022\236\236\370\"!C\307\065\246\067\363\302\373\021\205\207k\030\037\211d&#1865;\213\213\226\243G\324\345R\323&#1272;\277Lo\270v\031ccEc\215\227\031\244?\222\245\037.\302\303tO\210\211\250\255\ayg\316w(\317U4\210\274\372LJ\246`]\250\230\000!N\372\305\376\365\220\222\264)\004J\353\305^m\325\366\372\361\060&#1245;\203Sy\341\302\026M\333\027\252\002\370\234e\370M&#1157;;k\275\266L\200\177\000\000\000\000\000\000\000\000\000\000\b\000\000\000\022\020\204M0S\201N\200\177\000\000\341&#1554;L\200\177\000"
        tmp = 0x0
#9  0x00007f804cfe2d81 in connection_operation (ctx=ctx@entry=0x7f8040847ba0,
arg_v=arg_v@entry=0x7f80380008b0)
    at ../../../../servers/slapd/connection.c:1155
        rc = 80
        cancel = <optimized out>
        op = 0x7f80380008b0
        rs = {sr_type = REP_RESULT, sr_tag = 0, sr_msgid = 0, sr_err = 0,
sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0, sr_ctrls = 0x0, sr_un = {
            sru_search = {r_entry = 0x0, r_attr_flags = 0, r_operational_attrs =
0x0, r_attrs = 0x0, r_nentries = 0, r_v2ref = 0x0}, sru_sasl = {
              r_sasldata = 0x0}, sru_extended = {r_rspoid = 0x0, r_rspdata =
0x0}}, sr_flags = 0}
        tag = 102
        opidx = SLAP_OP_MODIFY
        conn = 0x7f804e11a250
        memctx = 0x7f8038000f10
        memctx_null = 0x0
        memsiz = 1048576
        __PRETTY_FUNCTION__ = "connection_operation"
#10 0x00007f804cfe30a4 in connection_read_thread (ctx=0x7f8040847ba0,
argv=<optimized out>) at ../../../../servers/slapd/connection.c:1291
        rc = <optimized out>
        cri = {op = 0x7f80380008b0, func = 0, arg = 0x0, ctx = <optimized out>,
nullop = <optimized out>}
        s = <optimized out>
#11 0x00007f804cb43f83 in ldap_int_thread_pool_wrapper (opool=0x7f804dfedfd0) at
../../../../libraries/libldap_r/tpool.c:688
        pool = 0x7f804dfedfd0
        task = 0x7f804e3ea890
        work_list = <optimized out>
        ctx = {ltu_id = 140188814968576, ltu_key = {{ltk_key = 0x7f804cfe0ec0,
ltk_data = 0x7f8038000e00, 
              ltk_free = 0x7f804cfe0f90 <conn_counter_destroy>}, {ltk_key =
0x7f804d03a760, ltk_data = 0x7f8038000f10, 
              ltk_free = 0x7f804d03a780 <slap_sl_mem_destroy>}, {ltk_key =
0x7f804cff6cb0, ltk_data = 0x0, 
              ltk_free = 0x7f804cff6c10 <slap_op_q_destroy>}, {ltk_key =
0x7f804e3e65d0, ltk_data = 0x7f804e81aab0, 
              ltk_free = 0x7f8047be4540 <bdb_reader_free>}, {ltk_key = 0x0,
ltk_data = 0x0, ltk_free = 0} <repeats 28 times>}}
        kctx = <optimized out>
        keyslot = <optimized out>
        hash = <optimized out>
        __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper"
#12 0x00007f804af53b50 in start_thread () from
/lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#13 0x00007f804ac9d95d in clone () from /lib/x86_64-linux-gnu/libc.so.6
No symbol table info available.
#14 0x0000000000000000 in ?? ()
No symbol table info available.
"""
Comment 1 Ryan Tandy 2015-07-17 23:19:16 UTC
On Tue, Jul 14, 2015 at 11:13:56AM +0000, luca.bruno@rocket-internet.de wrote:
>slapd 2.4.40 reliably crashes when modifying the 0th olcAttributeTypes element
>in an olcSchemaConfig object.

This doesn't match my experience exactly, but if you were editing the 
config with some tool, it might reflect how that tool implements 
modifications.

I reproduced the crash with the following changeset:

dn: cn={2}nis,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: {1}( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'The absolute path to the home directory' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )

Deleting all values clears c_at_head and c_at_tail (bconfig.c:1541). 
Adding a specific non-zero index assumes the head is already valid.

This was already fixed for olcObjectClasses in ITS#5388. I've pushed a 
patch doing the same for at_next, can you please verify it?

http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=patch;h=b48d0169d04824f83c0e0855eea4d6429740cf08
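
The diagnosis above (a replace is executed as delete-all, which clears the list head and tail, followed by an add at a non-zero index that walks from the cleared head) generalizes to any head/tail list that is emptied and then indexed. The following C program is an added example written for this page, not OpenLDAP code: it models a per-schema value list with hypothetical names (at_node, schema_cfg, find_prev_unchecked, find_prev_checked, add_value, modify_replace), shows the unchecked walk that dereferences NULL as soon as the list is empty, and a checked walk that validates the node before every step. The value names are constructed from the nis schema, and treating an index beyond the current length as an append is this example's policy, not a claim about what the project's patch does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a per-schema-entry value list with head and tail
 * pointers, in the spirit of the c_at_head / c_at_tail pair named in the
 * comment above. This is example code, not the slapd data structure. */
struct at_node {
    char name[64];
    struct at_node *next;
};

struct schema_cfg {
    struct at_node *head;
    struct at_node *tail;
};

/* Step to the following node. The dereference of *at is where a cleared
 * head becomes a segfault: at_next() is never safe to call on NULL. */
static int at_next(struct at_node **at)
{
    *at = (*at)->next;
    return *at != NULL;
}

/* Deleting all values clears both list pointers, as the comment describes
 * for the real server. */
static void delete_all_values(struct schema_cfg *c)
{
    struct at_node *n = c->head;
    while (n) { struct at_node *next = n->next; free(n); n = next; }
    c->head = c->tail = NULL;
}

/* Buggy walk: assumes the head is valid whenever valx > 0. On a list that
 * was just emptied the first at_next() dereferences NULL. Only safe to call
 * when the list holds at least valx nodes. */
static struct at_node *find_prev_unchecked(struct schema_cfg *c, int valx)
{
    struct at_node *at = c->head, *prev = NULL;
    for (int i = 0; i < valx; i++) { prev = at; at_next(&at); }
    return prev;
}

/* Hardened walk: tests the node before every step. Returns 0 when valx is a
 * valid insertion index (0..length) and -1 when it lies past the end; in the
 * latter case *prev is left at the tail so the caller can append instead. */
static int find_prev_checked(struct schema_cfg *c, int valx, struct at_node **prev)
{
    struct at_node *at = c->head;
    *prev = NULL;
    for (int i = 0; i < valx; i++) {
        if (at == NULL) { *prev = c->tail; return -1; }
        *prev = at;
        at_next(&at);
    }
    return 0;
}

/* Insert a value at ordered index valx (the {valx} prefix in LDIF). Indices
 * beyond the current length are clamped to an append (this example's policy).
 * Returns the index the value actually landed on, or -1 on allocation failure. */
static int add_value(struct schema_cfg *c, int valx, const char *name)
{
    struct at_node *prev, *n = calloc(1, sizeof *n);
    if (!n) return -1;
    snprintf(n->name, sizeof n->name, "%s", name);
    (void)find_prev_checked(c, valx, &prev);   /* -1 only means "append" here */
    if (prev == NULL) { n->next = c->head; c->head = n; }
    else { n->next = prev->next; prev->next = n; }
    if (n->next == NULL) c->tail = n;
    int idx = 0;
    for (struct at_node *p = c->head; p != n; p = p->next) idx++;
    return idx;
}

/* "replace: olcAttributeTypes" with one {valx}-indexed value, executed the
 * way the comment describes: delete everything, then add at that index. */
static int modify_replace(struct schema_cfg *c, int valx, const char *name)
{
    delete_all_values(c);
    return add_value(c, valx, name);
}

static int list_length(const struct schema_cfg *c)
{
    int n = 0;
    for (const struct at_node *p = c->head; p; p = p->next) n++;
    return n;
}

/* Constructed sample: three attribute names taken from the nis schema. */
static void seed_nis(struct schema_cfg *c)
{
    add_value(c, 0, "uidNumber");
    add_value(c, 1, "gidNumber");
    add_value(c, 2, "gecos");
}

int main(void)
{
    struct schema_cfg nis = { NULL, NULL };
    seed_nis(&nis);
    printf("before: %d values, unchecked prev of {1} is '%s'\n",
           list_length(&nis), find_prev_unchecked(&nis, 1)->name);
    int idx = modify_replace(&nis, 1, "homeDirectory");
    printf("after replace {1}: %d value(s), '%s' at index %d\n",
           list_length(&nis), nis.head->name, idx);
    /* find_prev_unchecked(&nis, 1) would have segfaulted between the
     * delete-all and the add; the checked walk is what made this safe. */
    delete_all_values(&nis);
    return 0;
}
```

The unchecked and checked walks differ only in the NULL test before each step; that is the whole shape of the fix class the comment refers to, and the same test is what makes the replace-with-index changeset above land on an empty list without crashing.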

Comment 2 Ryan Tandy 2015-07-17 23:19:46 UTC
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
Comment 3 luca.bruno@rocket-internet.de 2015-07-19 16:22:23 UTC
On Friday 17 July 2015 16:19:16 Ryan Tandy wrote:
> On Tue, Jul 14, 2015 at 11:13:56AM +0000, luca.bruno@rocket-internet.de 
wrote:
> >slapd 2.4.40 reliably crashes when modifying the 0th olcAttributeTypes
> >element in an olcSchemaConfig object.
> 
> This doesn't match my experience exactly, but if you were editing the
> config with some tool, it might reflect how that tool implements
> modifications.

For a more specific background, this was Apache Directory Studio (pre-)2 doing 
schema changes on the debian backports 2.4.40 on wheezy (amd64).
IIRC it does in fact synthesize a batch-modify of schema entries.

> This was already fixed for olcObjectClasses in ITS#5388. I've pushed a
> patch doing the same for at_next, can you please verify it?
> 
> http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=patch;h=b48d0169d0
> 4824f83c0e0855eea4d6429740cf08

I'll try to apply that patch on top of my current setup and see if it stops 
crashing without any other regression. 

Thanks, Luca

-- 
Luca Bruno (kaeso)
 Security Engineer
 Rocket Internet SE
 -> GPG: 0xBB1A3A854F3BBEBF



Comment 4 Quanah Gibson-Mount 2015-07-28 16:03:45 UTC
changed notes
changed state Test to Release
Comment 5 OpenLDAP project 2015-08-18 17:41:52 UTC
fixed in master
fixed in RE25
fixed in RE24 (2.4.42)
Comment 6 Quanah Gibson-Mount 2015-08-18 17:41:52 UTC
changed notes
changed state Release to Closed