Issue 7439 - crash in rwm when tree is syncrepl synced and database ldap with rwm inside same tree
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: overlays
Version: 2.4.33
Hardware: All All
Importance: --- normal
Target Milestone: 2.5.1
Assignee: Ondřej Kuzník
Duplicates: 9192
 
Reported: 2012-11-15 21:24 UTC by Elan Ruusamäe
Modified: 2021-03-02 19:40 UTC

Description Elan Ruusamäe 2012-11-15 21:24:06 UTC
Full_Name: Elan Ruusamäe
Version: 2.4.33
OS: PLD Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (82.131.56.149)


I'm setting up my tree so that People has one subtree via database ldap as
ou=something,ou=People,dc=example (subordinate), and I also have the whole
dc=example set up as a replica via syncrepl. If I have both (syncrepl and the
database ldap) enabled, slapd crashes.

Also, the database ldap is rwm-rewritten to match the tree it's linked into.

--- slapd.conf ---:
include         /usr/share/openldap/schema/core.schema
include         /usr/share/openldap/schema/cosine.schema
include         /usr/share/openldap/schema/inetorgperson.schema
include         /usr/share/openldap/schema/nis.schema
include         /usr/share/openldap/schema/misc.schema
include         /usr/share/openldap/schema/rfc2739.schema
include         /usr/share/openldap/schema/courier.schema
include         /usr/share/openldap/schema/horde.schema
include         /usr/share/openldap/schema/openssh-lpk.schema
include         /usr/share/openldap/schema/samba.schema
include         /usr/share/openldap/schema/sudo.schema
include         /etc/openldap/schema/local.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
allow           bind_v2
loglevel        -1
modulepath      /usr/lib64/openldap
moduleload      back_bdb.la
moduleload      back_ldap.la
moduleload      back_monitor.la
moduleload      back_relay.la
moduleload      rwm.la
moduleload      syncprov.la
moduleload      translucent.la
include /etc/openldap/slapd-ad.conf
include /etc/openldap/slapd-db.conf


--- slapd-ad.conf ---:
database ldap
suffix "ou=Basement,ou=People,dc=example,dc=net"
uri "ldap://a.b.c.d/"
idassert-bind bindmethod=simple
    binddn=CN=glen,OU=Serviceaccounts,OU=Technical,DC=example,DC=org
    credentials=OBFUSCATED
idle-timeout 1800
subordinate
chase-referrals no
rebind-as-user yes
overlay rwm
rwm-suffixmassage "ou=Basement,ou=People,dc=example,dc=net"
    "ou=Technical,dc=example,dc=org"
rwm-map objectclass account user
rwm-map attribute uidNumber employeeID
rwm-map attribute gidNumber primaryGroupID
rwm-map attribute uid  sAMAccountName
rwm-map attribute physicalDeliveryOfficeName
rwm-map attribute cn name
rwm-map attribute sn sn
rwm-map attribute mail mail
rwm-map attribute company company
rwm-map attribute entry entry
rwm-map attribute title title
rwm-map attribute givenName givenName
rwm-map attribute homeDirectory homeDirectory
rwm-map attribute displayName displayName
rwm-map attribute dn distinguishedName
rwm-map attribute userPassword unicodePassword
rwm-map attribute departmentNumber department
rwm-map attribute member member
rwm-map attribute manager managedby
rwm-map attribute sambaProfilePath profilePath
rwm-map attribute *

--- slapd-db.conf ---:
database        bdb
suffix          "dc=example,dc=net"
rootdn          "cn=Manager,dc=example,dc=net"
rootpw          OBFUSCATED
directory       /var/lib/openldap-data
index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub
index entryCSN,entryUUID eq
dbconfig set_cachesize 0 268435456 1
dbconfig set_lg_bsize 2097152
include /etc/openldap/slapd-syncrepl.conf


--- slapd-syncrepl.conf ---:
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
sizelimit 10000
syncrepl rid=7 provider=ldap://ldap searchbase="dc=example,dc=net"
    type=refreshOnly
    interval=00:00:01:00
    retry="120 +"
    scope=sub
    attrs="*"
    bindmethod=simple
    binddn="cn=replica,ou=Service Users,dc=example,dc=net"
    credentials=OBFUSCATED

trace obtained as (although glibc MALLOC_CHECK_ kicks in and gdb has no chance):
# gdb --args slapd -u slapd -g slapd -h "ldap:/// ldapi:///"  -d -1
(gdb) r
...
50a55ca9 => access_allowed: search access to
"uid=user1,ou=People,dc=example,dc=net" "entryUUID" requested
50a55ca9 <= root access granted
50a55ca9 => access_allowed: search access granted by manage(=mwrscxd)
50a55ca9 <= test_filter 6
50a55ca9 => bdb_dn2id_children("uid=user1,ou=people,dc=example,dc=net")
50a55ca9 <= bdb_dn2id_children("uid=user1,ou=people,dc=example,dc=net"): no 
(-30989)
50a55ca9 send_ldap_result: conn=-1 op=0 p=3
50a55ca9 send_ldap_result: err=0 matched="" text=""
50a55ca9 ==> rewrite_context_apply [depth=1]
string='ou=Basement,ou=People,dc=example,dc=net'
50a55ca9 ==> rewrite_rule_apply rule='((.+),)?ou=Basement,[ ]?ou=People,[
]?dc=delfi,[ ]?dc=net$' string='ou=Basement,ou=People,dc=example,dc=net' [1
pass(es)]
50a55ca9 ==> rewrite_context_apply [depth=1]
res={0,'ou=Serviceaccounts,ou=Technical,dc=example,dc=org'}
50a55ca9 [rw] searchDN: "ou=Basement,ou=People,dc=example,dc=net" ->
"ou=Serviceaccounts,ou=Technical,dc=example,dc=org"
50a55ca9 >>> dnPrettyNormal:
<ou=Serviceaccounts,ou=Technical,dc=example,dc=org>
=> ldap_bv2dn(ou=Serviceaccounts,ou=Technical,dc=example,dc=org,0)
<= ldap_bv2dn(ou=Serviceaccounts,ou=Technical,dc=example,dc=org)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=Serviceaccounts,ou=Technical,dc=example,dc=org)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(ou=serviceaccounts,ou=technical,dc=example,dc=org)=0
50a55ca9 <<< dnPrettyNormal:
<ou=Serviceaccounts,ou=Technical,dc=example,dc=org>,
<ou=serviceaccounts,ou=technical,dc=example,dc=org>
*** glibc detected *** /usr/sbin/slapd: free(): invalid pointer:
0x00007fffd011c037 ***
50a55ca9 daemon: epoll: listen=11 active_threads=0 tvp=zero
50a55ca9 daemon: epoll: listen=12 active_threads=0 tvp=zero
50a55ca9 daemon: epoll: listen=13 active_threads=0 tvp=zero
======= Backtrace: =========
/lib64/libc.so.6(+0x79df6)[0x7ffff61d8df6]
/usr/sbin/slapd(ava_free+0x2e)[0x5555555ac43e]
/usr/sbin/slapd(filter_free_x+0x13a)[0x55555559317a]
/usr/lib64/openldap/rwm-2.4.so.2(+0x9c6d)[0x7ffff1d82c6d]
/usr/lib64/openldap/rwm-2.4.so.2(rwm_filter_map_rewrite+0x26)[0x7ffff1d839c6]
/usr/lib64/openldap/rwm-2.4.so.2(+0x5461)[0x7ffff1d7e461]
/usr/sbin/slapd(overlay_op_walk+0x4a)[0x5555555fc23a]
/usr/sbin/slapd(+0xa83cb)[0x5555555fc3cb]
/usr/sbin/slapd(+0xa6812)[0x5555555fa812]
/usr/sbin/slapd(overlay_op_walk+0x4a)[0x5555555fc23a]
/usr/sbin/slapd(+0xa83cb)[0x5555555fc3cb]
/usr/sbin/slapd(+0x9d253)[0x5555555f1253]
/usr/sbin/slapd(+0xa11b8)[0x5555555f51b8]
/usr/lib64/libldap_r-2.4.so.2(+0x119b3)[0x7ffff7b9a9b3]
/lib64/libpthread.so.0(+0x8034)[0x7ffff6512034]
/lib64/libc.so.6(clone+0x6d)[0x7ffff62477ad]
======= Memory map: ========
Program received signal SIGABRT, Aborted.
[Switching to Thread 0x7fffd7fff700 (LWP 15473)]
0x00007ffff6194395 in raise () from /lib64/libc.so.6
(gdb)
Comment 1 Quanah Gibson-Mount 2017-03-29 23:11:32 UTC
moved from Incoming to Software Bugs
Comment 2 Quanah Gibson-Mount 2021-01-14 18:21:17 UTC
Ondrej to investigate
Comment 3 Ondřej Kuzník 2021-01-19 12:23:19 UTC
Managed to repro with -DSLAP_NO_SL_MALLOC:

==317060== Thread 3:
==317060== Invalid free() / delete / delete[] / realloc()
==317060==    at 0x48399AB: free (vg_replace_malloc.c:538)
==317060==    by 0x48CAC24: ber_memfree_x (memory.c:152)
==317060==    by 0x4E0CFC: slap_sl_free (sl_malloc.c:499)
==317060==    by 0x4830D6: ava_free (ava.c:50)
==317060==    by 0x459DB4: filter_free_x (filter.c:554)
==317060==    by 0x52F9F92: rwm_int_filter_map_rewrite (rwmmap.c:772)
==317060==    by 0x52F8AAF: rwm_filter_map_rewrite (rwmmap.c:824)
==317060==    by 0x52EF17D: rwm_op_search (rwm.c:976)
==317060==    by 0x508D20: overlay_op_walk (backover.c:691)
==317060==    by 0x50BE40: over_op_func (backover.c:766)
==317060==    by 0x50B031: over_op_search (backover.c:796)
==317060==    by 0x5085B3: glue_sub_search (backglue.c:377)
==317060==    by 0x505407: glue_op_search (backglue.c:534)
==317060==    by 0x508D20: overlay_op_walk (backover.c:691)
==317060==    by 0x50BE40: over_op_func (backover.c:766)
==317060==    by 0x50B031: over_op_search (backover.c:796)
==317060==    by 0x4FD3D9: syncrepl_entry (syncrepl.c:4007)
==317060==    by 0x4F79C6: do_syncrep2 (syncrepl.c:1475)
==317060==    by 0x4EF8D4: do_syncrepl (syncrepl.c:2067)
==317060==    by 0x48A51FD: ldap_int_thread_pool_wrapper (tpool.c:1051)
==317060==  Address 0x5bef807 is 7 bytes inside a block of size 24 alloc'd
==317060==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==317060==    by 0x48CAD9C: ber_memalloc_x (memory.c:228)
==317060==    by 0x48C4205: ber_get_stringbv (decode.c:519)
==317060==    by 0x48C53FB: ber_scanf (decode.c:827)
==317060==    by 0x4861B97: ldap_pvt_get_controls (controls.c:238)
==317060==    by 0x4877E4F: ldap_get_entry_controls (getentry.c:106)
==317060==    by 0x4F6A4A: do_syncrep2 (syncrepl.c:1284)
==317060==    by 0x4EF8D4: do_syncrepl (syncrepl.c:2067)
==317060==    by 0x48A51FD: ldap_int_thread_pool_wrapper (tpool.c:1051)
==317060==    by 0x4CCEEA6: start_thread (pthread_create.c:477)
==317060==    by 0x4DE5DEE: clone (clone.S:95)

Don't know if rwm should stop freeing parts of provided filters or syncrepl should allocate the avas. Probably the former...
Comment 4 Howard Chu 2021-01-19 13:57:31 UTC
(In reply to Ondřej Kuzník from comment #3)
> Managed to repro with -DSLAP_NO_SL_MALLOC:

> Don't know if rwm should stop freeing parts of provided filters or syncrepl
> should allocate the avas. Probably the former...

Right, rwm should probably stash the incoming filter and restore it on return.
Comment 5 Ondřej Kuzník 2021-01-19 16:48:27 UTC
(In reply to Howard Chu from comment #4)
> Right, rwm should probably stash the incoming filter and restore it on
> return.

The overlay seems quite confused in what it wants to do: parts of it want to maintain the original filter as is (rwm_callback_get, rwm_op_rollback) while parts are very intrusive (rwm_int_filter_map_rewrite).

I'll see if I can change how rwm_int_filter_map_rewrite mangles the op/its filter.
Comment 6 Quanah Gibson-Mount 2021-01-20 23:53:25 UTC
trunk/RE25:

  • 58dfef01 by Ondřej Kuzník at 2021-01-20T11:39:17+00:00
    ITS#7439 Do not free parts of original filter
Comment 7 Quanah Gibson-Mount 2021-03-02 19:40:28 UTC
*** Issue 9192 has been marked as a duplicate of this issue. ***
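
The ownership problem discussed in comments 3 to 5, as an added example that is not part of the issue thread or OpenLDAP's code: a simplified C model in which a rewrite layer stashes the incoming filter, works on a private copy and restores the original on return, so a caller-owned value that points into the middle of another allocation never reaches free(). The struct and function names are hypothetical, and the sample buffer is constructed.

```c
/* Added illustration: simplified model, not OpenLDAP source; all names are hypothetical. */
#include <stdlib.h>
#include <string.h>
struct filter { char *attr; char *value; size_t len; };   /* one equality assertion */
struct op { struct filter *filter; };

static void *dup_bytes(const void *p, size_t n)
{
    void *q = malloc(n ? n : 1);
    return q ? memcpy(q, p, n) : NULL;
}

/* Stash the caller's filter, pass a private rewritten copy down, restore on return. */
int search_with_rewrite(struct op *op, const char *mapped,
                        int (*next)(struct op *, void *), void *ctx)
{
    struct filter *orig = op->filter;
    struct filter copy = { dup_bytes(mapped, strlen(mapped) + 1),
                           dup_bytes(orig->value, orig->len), orig->len };
    int rc = -1;
    if (copy.attr && copy.value) {
        op->filter = &copy;
        rc = next(op, ctx);
        op->filter = orig;            /* restore before the copy goes away */
    }
    free(copy.attr); free(copy.value); /* only memory this layer allocated */
    return rc;
}

/* Stand-in for the next layer: 1 if it saw the mapped name with an equal value. */
static int backend_check(struct op *op, void *ctx)
{
    const struct filter *f = op->filter, *want = ctx;
    return !strcmp(f->attr, want->attr) && f->len == want->len &&
           !memcmp(f->value, want->value, f->len);
}

/* Constructed input: the value sits 7 bytes inside a 24-byte block the caller owns. */
int demo(void)
{
    char name[] = "uid", mapped[] = "sAMAccountName", *block = malloc(24);
    if (!block) return 0;
    memcpy(block, "HEADER.0123456789abcdef", 24);
    struct filter f = { name, block + 7, 16 }, want = { mapped, block + 7, 16 };
    struct op op = { &f };
    int ok = search_with_rewrite(&op, mapped, backend_check, &want) == 1 &&
             op.filter == &f && f.attr == name && f.value == block + 7;
    free(block);                      /* freed once, by its owner, at its real start */
    return ok;
}
```

Calling free() on `block + 7` instead, as a rewrite that releases parts of the incoming filter would, is the "7 bytes inside a block of size 24" condition valgrind reports in comment 3.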