Full_Name: Karsten Heymann
Version: 2.4.40, 2.4.44, git master
OS: Debian 8
URL:
Submission from: (NULL) (2a02:2450:dd1f::2450)

Hi,

I found the following problem with slapd 2.4.40, but it also applies to 2.4.44 and to the current git master (431c4af526b18abb4a18c2c4c8655690b753cbe5).

When running ldap-csvexport.pl 1.9 [1] with an LDAP page size of 0 (option "-l 0"), the slapd process instantly segfaults. ldap-csvexport is a Perl script that uses Net::LDAP and Net::LDAP::Control::Paged.

Complete command line:

./ldap-csvexport-1.9/ldap-csvexport.pl -a uid -b o=metacloud.org -l 0

This is the output of slapd -d1:

591c0422 slap_listener_activate(9):
591c0422 >>> slap_listener(ldap:///)
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
591c0422 op tag 0x60, time 1495008290
ber_get_next
591c0422 conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
591c0422 >>> dnPrettyNormal: <>
591c0422 <<< dnPrettyNormal: <>, <>
591c0422 do_bind: version=3 dn="" method=128
591c0422 send_ldap_result: conn=1000 op=0 p=3
591c0422 send_ldap_response: msgid=1 tag=97 err=0
ber_flush2: 14 bytes to sd 13
591c0422 do_bind: v3 anonymous bind
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 56 contents:
591c0422 op tag 0x63, time 1495008290
ber_get_next
591c0422 conn=1000 op=1 do_search
ber_scanf fmt ({miiiib) ber:
591c0422 >>> dnPrettyNormal: <>
591c0422 <<< dnPrettyNormal: <>, <>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
591c0422 => send_search_entry: conn 1000 dn=""
ber_flush2: 48 bytes to sd 13
591c0422 <= send_search_entry: conn 1000 exit.
591c0422 send_ldap_result: conn=1000 op=1 p=3
591c0422 send_ldap_response: msgid=2 tag=101 err=0
ber_flush2: 14 bytes to sd 13
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 211 contents:
591c0422 op tag 0x63, time 1495008290
ber_get_next
591c0422 conn=1000 op=2 do_search
ber_scanf fmt ({miiiib) ber:
591c0422 >>> dnPrettyNormal: <cn=Subschema>
591c0422 <<< dnPrettyNormal: <cn=Subschema>, <cn=subschema>
ber_scanf fmt ({mm}) ber:
ber_scanf fmt ({M}}) ber:
591c0422 => send_search_entry: conn 1000 dn="cn=Subschema"
ber_flush2: 78881 bytes to sd 13
591c0422 <= send_search_entry: conn 1000 exit.
591c0422 send_ldap_result: conn=1000 op=2 p=3
591c0422 send_ldap_response: msgid=3 tag=101 err=0
ber_flush2: 14 bytes to sd 13
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 94 contents:
591c0422 op tag 0x63, time 1495008290
ber_get_next
591c0422 conn=1000 op=3 do_search
ber_scanf fmt ({miiiib) ber:
591c0422 >>> dnPrettyNormal: <o=metacloud.org>
591c0422 <<< dnPrettyNormal: <o=metacloud.org>, <o=metacloud.org>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
591c0422 => get_ctrls
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
591c0422 => get_ctrls: oid="1.2.840.113556.1.4.319" (noncritical)
ber_scanf fmt ({im}) ber:
591c0422 <= get_ctrls: n=1 rc=0 err=""
591c0422 ==> limits_get: conn=1000 op=3 self="[anonymous]" this="o=metacloud.org"
591c0422 => mdb_search
591c0422 mdb_dn2entry("o=metacloud.org")
591c0422 => mdb_dn2id("o=metacloud.org")
591c0422 <= mdb_dn2id: got id=0x1
591c0422 => mdb_entry_decode:
591c0422 <= mdb_entry_decode
591c0422 search_candidates: base="o=metacloud.org" (0x00000001) scope=2
591c0422 => mdb_presence_candidates (objectClass)
591c0422 mdb_search_candidates: id=-1 first=1 last=1
591c0422 => send_search_entry: conn 1000 dn="o=metacloud.org"
ber_flush2: 26 bytes to sd 13
591c0422 <= send_search_entry: conn 1000 exit.
591c0422 send_ldap_result: conn=1000 op=3 p=3
591c0422 send_ldap_response: msgid=4 tag=101 err=0
ber_flush2: 51 bytes to sd 13
591c0422 connection_get(13): got connid=1000
591c0422 connection_read(13): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 94 contents:
591c0422 op tag 0x63, time 1495008290
ber_get_next
591c0422 conn=1000 op=4 do_search
ber_scanf fmt ({miiiib) ber:
591c0422 >>> dnPrettyNormal: <o=metacloud.org>
591c0422 <<< dnPrettyNormal: <o=metacloud.org>, <o=metacloud.org>
ber_scanf fmt (m) ber:
ber_scanf fmt ({M}}) ber:
591c0422 => get_ctrls
ber_scanf fmt ({m) ber:
ber_scanf fmt (m) ber:
591c0422 => get_ctrls: oid="1.2.840.113556.1.4.319" (noncritical)
ber_scanf fmt ({im}) ber:
591c0422 <= get_ctrls: n=1 rc=0 err=""
591c0422 ==> limits_get: conn=1000 op=4 self="[anonymous]" this="o=metacloud.org"
591c0422 => mdb_search
591c0422 mdb_dn2entry("o=metacloud.org")
591c0422 => mdb_dn2id("o=metacloud.org")
591c0422 <= mdb_dn2id: got id=0x1
591c0422 => mdb_entry_decode:
591c0422 <= mdb_entry_decode
591c0422 search_candidates: base="o=metacloud.org" (0x00000001) scope=2
591c0422 => mdb_presence_candidates (objectClass)
591c0422 mdb_search_candidates: id=-1 first=1 last=1
591c0422 send_ldap_result: conn=1000 op=4 p=3
591c0422 send_ldap_response: msgid=5 tag=101 err=0
ber_flush2: 59 bytes to sd 13
Segmentation fault

This is the stacktrace from 'bt full':

#0  __GI___libc_free (mem=0xfe8) at malloc.c:2929
        ar_ptr = <optimized out>
        p = <optimized out>
        hook = 0x0
#1  0x00000000004c250c in mdb_entry_return (op=0x7fffe00028f0, e=0x7fffe0002f18) at id2entry.c:516
No locals.
#2  0x00000000004a9e18 in mdb_search (op=0x7fffe00028f0, rs=0x7fffef8f8a60) at search.c:1216
        mdb = 0x7ffff7f26010
        cursor = 1
        nsubs = 1
        lastid = 18446744073709551615
        candidates = {18446744073709551615, 1, 1, 0 <repeats 130217 times>, 140737212540096, 140737212540080, 5713008, 5713012, 0, 140737338453865, 0, 140737338460570, 140737212538944, 0, 0, 0, 0, 0, 140737338460570, 0, 0, 0, 0, 140737338634910, 140737212540256, 140737212540240, 5361072, 5361115, 0, 140737338453865, 48, 0, 140737212539104, 0, 140737212540016, 0, 8, 0, 140737338460570, 0, 18446744073709551615, 140737338460570, 5713008, 140737338460570, 0, 5713008, 47244640256, 18446744073709551615, 140737212540448, 140737212540432, 5713008, 5713012, 0, 140737338453865, 140737212540183, 140737338460570, 140737212539296, 0, 0, 8589934592, 18446744073709551615, 140737338460570, 140737338460570, 140737212540544, 5713008, 5713012, 0, 140737338634910, 140737212540608, 140737212540592, 5446504, 5446541, 0, 140737338453865, 48, 140733193388032, 140737212539456, 140733193388032, 140737212540368, 0, 8, 0, 140737212539408, 0, 18446744073709551615, 140737338460570, 0, 140737338460570, 48, 5713008, 47244640256, 18446744069414584320, 0, 0, 32, 0, 140733193388032, 0, 140733193388032, 4294967295, 140737338460570, 0, 0, 8589934592, 18446744073709551615, 140733193388047, 0, 140737338460570, 32, 5446520, 47244640256, 73, 5446543, 210453397503, 140737338460570, 0, 0, 4294967296, 18446744073709551615, 15, 0, 206158430232, 140737212545312, 140737212545088, 47244640256, 57, 5364455, 14, 8, 140737338460570, 140737212539792, 5352752, 47261417471, 140733193388057, 5352765, 206158430232, 140737212545424, 140737212545200, 0, 0, 0, 0, 32, 206158430232, 140737212545488, 140737212545264, 0, 4294967295, 140737338460570, 0, 0, 0, 18446744073709551615, 8, 0, 140737338460570, 0, 5345026, 0, 28, 5345030, 0, 0, 0, 0, 0, 0, 0, 0, 206158430232, 140737212545696, 140737212545472, 0 <repeats 16 times>, 3630521632041285941, 140737212540096, 140737212540640, 140737212540640, 5713008, 140737212540392, 0, 9, 140737212540640...}
        iscopes = {0 <repeats 65536 times>}
        e = 0x0
        base = 0x7fffe0002f18
        matched = 0x0
        mask = 4159
        isc = {mt = 0x7fffe0112e10, mc = 0x7fffe0108d10, id = 0, scopes = 0x7fffed2f5010, sctmp = 0x7fffec2f4010, numrdns = 0, nscope = 0, oscope = 2, rdns = {{bv_len = 0, bv_val = 0x0} <repeats 2048 times>}, nrdns = {{bv_len = 0, bv_val = 0x0} <repeats 2048 times>}}
        mci = 0x7fffe0106640
        mcd = 0x7fffe0108d10
        wwctx = {txn = 0x7fffe0112e10, mcd = 0x0, key = 0, data = {mv_size = 0, mv_data = 0x0}, flag = 0, nentries = 0}
        cb = {sc_next = 0x0, sc_response = 0x0, sc_cleanup = 0x0, sc_private = 0x0, sc_writewait = 0x4a9590 <mdb_writewait>}
        opinfo = {moi_oe = {oe_next = {sle_next = 0x0}, oe_key = 0x7ffff7f26010}, moi_txn = 0x7fffe0112e10, moi_ref = 1, moi_flag = 1 '\001'}
        moi = 0x7fffef767870
        ltid = 0x7fffe0112e10
#3  0x0000000000425049 in fe_op_search (op=0x7fffe00028f0, rs=0x7fffef8f8a60) at search.c:402
        bd = 0x7a4a00 <slap_frontendDB>
#4  0x0000000000424a56 in do_search (op=0x7fffe00028f0, rs=0x7fffef8f8a60) at search.c:247
        base = {bv_len = 15, bv_val = 0x7fffe0108b37 "o=metacloud.org"}
        siz = 1
#5  0x0000000000422ab0 in connection_operation (ctx=0x7fffef8f8c10, arg_v=0x7fffe00028f0) at connection.c:1144
        rc = 80
        cancel = <optimized out>
        op = 0x7fffe00028f0
        rs = {sr_type = REP_RESULT, sr_tag = 101, sr_msgid = 5, sr_err = 0, sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0, sr_ctrls = 0x0, sr_un = {sru_search = {r_entry = 0x0, r_attr_flags = 0, r_operational_attrs = 0x0, r_attrs = 0x0, r_nentries = 0, r_v2ref = 0x0}, sru_sasl = {r_sasldata = 0x0}, sru_extended = {r_rspoid = 0x0, r_rspdata = 0x0}}, sr_flags = 0}
        tag = 99
        opidx = SLAP_OP_SEARCH
        conn = 0x7ffff0cfe5d8
        memctx = 0x7fffe0000a80
        memctx_null = 0x0
        memsiz = <optimized out>
        __PRETTY_FUNCTION__ = "connection_operation"
#6  0x0000000000422da3 in connection_read_thread (ctx=0x7fffef8f8c10, argv=0xd) at connection.c:1290
No locals.
#7  0x00000000004e2b54 in ldap_int_thread_pool_wrapper (xpool=0x859540) at tpool.c:963
        pq = 0x859540
        pool = 0x859430
        task = 0x7fffe8000a10
        work_list = <optimized out>
        ctx = {ltu_pq = 0x859540, ltu_id = 140737212552960, ltu_key = {{ltk_key = 0x420e00 <conn_counter_init>, ltk_data = 0x7fffe0002700, ltk_free = 0x420ec0 <conn_counter_destroy>}, {ltk_key = 0x473ad0 <slap_sl_mem_init>, ltk_data = 0x7fffe0000a80, ltk_free = 0x4739a0 <slap_sl_mem_destroy>}, {ltk_key = 0x435530 <slap_op_free>, ltk_data = 0x0, ltk_free = 0x435490 <slap_op_q_destroy>}, {ltk_key = 0x8c6510, ltk_data = 0x7fffe0112e10, ltk_free = 0x4c17d0 <mdb_reader_free>}, {ltk_key = 0x4a9620 <search_stack>, ltk_data = 0x7fffec2f4010, ltk_free = 0x4a9700 <search_stack_free>}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0} <repeats 23 times>, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x80}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0}}}
        kctx = <optimized out>
        keyslot = 339
        hash = <optimized out>
        pool_lock = 0
        freeme = 0
        __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper"
#8  0x00007ffff7474064 in start_thread (arg=0x7fffef8f9700) at pthread_create.c:309
        __res = <optimized out>
        pd = 0x7fffef8f9700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140737212552960, 7043768931833361287, 1, 140737354125408, 8754224, 140737212552960, -7043733612690394233, -7043752925372992633}, mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#9  0x00007ffff71a962d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
No locals.
quit

Please let me know if you need any further information to reproduce this bug.
I'm filing this as a major/critical security issue because, if it is really that easy to kill a slapd that you have any access to, I don't feel comfortable disclosing this information publicly.

Best regards
Karsten

[1]: https://netix.dl.sourceforge.net/project/ldap-csvexport/ldap-csvexport-1.9.tar.gz
Shorter reproducer: ftp://ftp.openldap.org/incoming/20170517_rtandy_crasher.pl

Patch: ftp://ftp.openldap.org/incoming/20170517_rtandy_Fix-double-free-of-search-base-with-page-size-0.patch
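To make the bug class named in the patch title concrete, here is an added C model of it. It is a constructed illustration, not OpenLDAP's back-mdb code: the early-return structure of the page-size-0 path is an assumption, as are the names entry_get, entry_return, send_entries, release_count and the DN o=example. What the backtrace does show is mdb_search calling mdb_entry_return, which ends in free(), on a base entry that has already been handed back; the model reproduces that shape with a release counter in place of free(), so the double release is observable without crashing, and puts the buggy routine beside one that drops the pointer after handing ownership back.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the double-release pattern behind this report.
 * NOT OpenLDAP's back-mdb code; names and control flow are assumptions.
 * A search routine borrows a cached "base" entry and must hand it back
 * exactly once. entry_return() counts releases instead of freeing, so a
 * second release shows up as released == 2 rather than as a crash. */

typedef struct Entry {
    char dn[64];
    int released;   /* number of times entry_return() ran on this entry */
} Entry;

/* Assumption: a cache hands out heap entries; here they are just calloc'd. */
static Entry *entry_get(const char *dn) {
    Entry *e = calloc(1, sizeof *e);
    if (e == NULL) abort();
    snprintf(e->dn, sizeof e->dn, "%s", dn);
    return e;
}

/* Stand-in for mdb_entry_return(): in the real server the second call
 * reaches free() on memory that is already gone (frames #0/#1 above). */
static void entry_return(Entry *e) {
    if (e != NULL) e->released++;
}

/* Models sending the base entry to the client; returns entries sent.
 * With page size 0 nothing is sent, which is what triggers the early exit. */
static int send_entries(const Entry *base, int page_size) {
    (void)base;
    return page_size > 0 ? 1 : 0;
}

/* Buggy variant (assumed structure): page_size == 0 releases base and
 * jumps to the common cleanup, which releases the same pointer again. */
static int search_buggy(Entry *base, int page_size) {
    int sent = 0;
    if (page_size == 0) {
        entry_return(base);   /* first release */
        goto done;
    }
    sent = send_entries(base, page_size);
done:
    entry_return(base);       /* second release when page_size == 0 */
    return sent;
}

/* Fixed variant: once ownership is handed back, forget the pointer so the
 * shared cleanup cannot touch it. entry_return(NULL) is a no-op. */
static int search_fixed(Entry *base, int page_size) {
    int sent = 0;
    if (page_size == 0) {
        entry_return(base);
        base = NULL;          /* ownership is gone */
        goto done;
    }
    sent = send_entries(base, page_size);
done:
    entry_return(base);
    return sent;
}

/* Runs one search over a fresh entry and reports how many times the base
 * entry was released: 1 is correct, 2 is the double free. */
static int release_count(int (*search)(Entry *, int), int page_size) {
    Entry *base = entry_get("o=example");   /* constructed DN */
    search(base, page_size);
    int n = base->released;
    free(base);   /* the mock entry itself is freed exactly once, here */
    return n;
}

int main(void) {
    printf("buggy, page size 0:  base released %d time(s)\n", release_count(search_buggy, 0));
    printf("buggy, page size 10: base released %d time(s)\n", release_count(search_buggy, 10));
    printf("fixed, page size 0:  base released %d time(s)\n", release_count(search_fixed, 0));
    printf("fixed, page size 10: base released %d time(s)\n", release_count(search_fixed, 10));
    return 0;
}
```

The same instrumented-release idea is what a hardened build gives you for real: running the server under AddressSanitizer or with MALLOC_CHECK_ turns the second free() into an immediate, attributable report instead of a heap corruption that may or may not segfault, which is how a regression test for this class of bug is normally kept honest after the fix.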
Pushed to master.
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
changed notes
changed state Test to Release
changed notes
published 8655
marked public
For the record, CVE-2017-9287 was assigned to this issue.
fixed in master
fixed in RE25
fixed in RE24 (2.4.45)
changed notes
changed state Release to Closed