8087 – Segmentation fault in MDB at idl.c:91 using searches

Issue 8087 - Segmentation fault in MDB at idl.c:91 using searches

Summary: Segmentation fault in MDB at idl.c:91 using searches

Status:	VERIFIED FEEDBACK

Alias:	None

Product:	OpenLDAP
Classification:	Unclassified
Component:	slapd (show other issues)
Version:	unspecified
Hardware:	All All

Importance:	--- normal
Target Milestone:	---
Assignee:	OpenLDAP project

URL:
Keywords:

Depends on:
Blocks:

Reported:	2015-03-24 17:30 UTC by francisco@garnelo.eu
Modified:	2021-08-03 18:13 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this issue.

Description francisco@garnelo.eu 2015-03-24 17:30:09 UTC

Full_Name: Francisco Garnelo
Version: slapd 2.4.40
OS: FreeBSD 10.1-STABLE
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (194.237.142.21)



Hi, when I try to access with a LDAP browser (Apache DS) and the browser begin
to enumerate the items in differents branches, the server crashes; this not
takes more than 30 seconds from last restart.

I experimented a similar issue with SLES 12(if not it is the same) and openldap
2.4.40 (from suse repositories) version, but in this system I could not take
evidences.

The database has more than 3GB of size and MDB is configured to support 100GB as
the maximum size.

The same databa w works fine ining BDB using an old openldap version.

#############
# Versions: #
#############

root@XXXX:/usr/local/etc/openldap # /usr/local/libexec/slapd -VVV
@(#) $OpenLDAP: slapd 2.4.40 (Mar 24 2015 17:18:46) $
        root@XXXX:/usr/rtrts/net/openldap24-server/work/openldap-2.4.40/servers/slapd

Included static overlays:
    dynlist
    seqmod
    syncprov
Included static backends:
    config
    ldif
    relay

root@xxxx:/usr/local/etc/openldap # uname -a
FreeBSD xxxx 10.1-STABLE FreeBSD 10.1-STABLE #0 r278906: Tue Feb 17 19:09:13 UTC
2015     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64



######################
# cn=config export:  #
######################

version: 1

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcAttributeOptions: lang-
olcAuthzPolicy: none
olcConfigDir: slapd.d
olcConfigFile: slapd.conf
olcIdleTimeout: 0
olcIndexIntLen: 8
olcIndexSubstrAnyLen: 4
olcIndexSubstrAnyStep: 2
olcIndexSubstrIfMaxLen: 4
olcIndexSubstrIfMinLen: 2
olcListenerThreads: 1
olcLocalSSF: 71
olcLogLevel: 0
olcPidFile: /var/run/openldap/slapd.pid
olcReadOnly: FALSE
olcReverseLookup: FALSE
olcSizeLimit: unlimited
olcThreads: 20
olcTLSCACertificateFile: /usr/local/etc/openldap/certs/public/ca.crt
olcTLSCertificateFile: /usr/local/etc/openldap/certs/public/server.crt
olcTLSCertificateKeyFile: /usr/local/etc/openldap/certs/private/server.key
olcTLSCRLCheck: none
olcTLSProtocolMin: 0.0
olcTLSVerifyClient: never
olcToolThreads: 2
olcWriteTimeout: 0

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}back_mdb database  config
olcModulePath: /usr/local/libexec/openldap

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

### -- omitted content -- ###

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /r%r/local/etc/openldap/schema/rfc2307bis.schema

### -- omitted content -- ###


dn: olcDatabase={-1}frontend,cn=config
objectClass: olcFrontendConfig
objectClass: olcDatabaseConfig
olcDatabase: {-1}frontend
olcAccess: {0}to dn.base=""  by * read
olcAccess: {1}to dn.base%%2"cn=subsemema"  by * read
olcAccess: {2}to attrs=shadowLastChange  by self write  by * read
olcAccess: {3}to *  by * read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 0
olcMonitoring: FALSE
olcReadOnly: FALSE
olcSchemaDN: cn=Subschema
olcSizeLimit: unlimited
olcSyncUseSubentry: FALSE

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to *  by * none
olcAddContentAcl: TRUE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcMonitoring: FALSE
olcReadOnly: FALSE
olcRootDN: cn=config
olcRootPW: XXXXX
olcSyncUseSubentry: FALSE

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
olcDatabase: {1}mdb
olcDbDirectory:2F2Fvar/db/openldap-data.mdb
olcDbIndex: objectClass eq
olcRootDN: cn=lalala,dc=yyyyyyy,dc=com
olcRootPW: XXXXXXX
olcSuffix: dc=yyyyyyy,dc=com


########
# GDB: #
########

551194b6 => mdb_dn2id("lelreleID=6666999999@lol.com,ou=molon,dc=yyyyyyy,%3=com")
551194b6 <= mdb_entry_decode
551194b6 <= mdb_dn2id: got id=0x92b0
551194b6 => mdb_entry_decode:
551194b6 => mdb_entry_decode:
551194b6 <= mdb_entry_decode
551194b6 => mdb_entry_decode:
551194b6 => mdb_entry_decode:
551194b6 <= mdb_entry_decode
551194b6 <= mdb_entry_decode
551194b6 => mdb_entry_decode:
551194b6 => mdb_entry_decode:
551194b6 <= mdb_entry_decode
551194b6 <= mdb_entry_decode
551194b6 mdb_dn2entry("lelreleID=6666999999@lol.com,ou=molon,dc=yyyyyyy,dc=com")
551194b6 => mdb_entry_decode:
551194b6 => mdb_dn2id("lelreleID=6666999999@lol.com,ou=molon,dc=yyyyyyy,dc=com")
551194b6 <= mdb_entry_decode
551194b6 <= mdb_entry_decode
551194b6 => mdb_entry_decode:
551194b6 => mdb_entry_decode:
551194b6 <= mdb_entry_decode
551194b6 <= mdb_dn2id: got id=0x92b0
551194b6 => mdb_entry_decode:
551194b6 <= mdb_entry_decode
551194b6 => mdb_entry_decode:
551194b6 => mdb_entry_decode:
551194b6 <= mdb_entry_decode
551194b6 <= mdb_entry_decode
551194b6 => mdb_entry_decode:
551194b6 <=dbdb_entry_decode
551194b6 => mdb_entry_decode:
551194b6 => mdb_entry_decode:
551194b6 <= mdb_entry_decode
551194b6 <= mdb_entry_decode
551194b6 => mdb_entry_decode:
551194b6 <= mdb_entry_decode
551194b6 => mdb_entry_decode:
551194b6 => mdb_entry_decode:
551194b6 <= mdb_entry_decode
551194b6 <= mdb_entry_decode
551194b6 mdb_dn2entry("lelreleID=luser123@odin.lala,ou=molon,dc=yyyyyyy,dc=com")
551194b8 => mdb_dn2id("lelreleID=luser123@odin.lala,ou=molon,dc=yyyyyyy,dc=com")
551194b8 <= mdb_dn2id: got id=0x931e
551194b8 => mdb_entry_decode:
551194b8 <= mdb_entry_decode
551194b6 => mdb_entry_decode:
551194b8 => mdb_entry_decode:
551194b8 <= mdb_entry_decode
551194b8 <= mdb_entry_decode
551194b7 daemon: activity on 1 descriptor
551194b8 daemon: activity on:519194b8  11r551194b8
551194b8 daemon: read activity on 11
551194b8 mdb_dn2entry("lelreleID=6666999990@lol.com,ou=molon,dc=yyyyyyy,dc=com")
551194b8 => mdb_dn2id("lelreleID=6666999990@lol.com,ou=molon,dc=yyyyyyy,dc=com")
551194b7 => mdb_entry_decode:
551194b7 => mdb_entry_decode:
551194b8 <= mdb_entry_decode
551194b8 <= mdb_dn2id: got id=0x9321
551194b8 mdb_dn2entry("loloId=50,ou=fry,dc=yyyyyyy,dc=com")
551194b8 => mdb_entry_decode:
551194b8 => mdb_dn2id("loloId=50,ou=fry,dc=yyyyyyy,dc=com")
551194b8 <= mdb_entry_decode
551194b8 => mdb_entry_decode:
551194b8 daemon: select: listen=6 active_threads=0 tvp=NULL
551194b8 daemon: select: listen=7 active_threads=0 tvp=NULL
551194b8 <= mdb_dn2id: got id=0xf
551194b6 <= mdb_entry_decode
551194b8 => mdb_entry_dece:3A
551194b8 <= mdb_entry_decode
551194b8 => mdb_entry_decode:
551194b8 <= mdb_entry_decode
551194b8 <= mdb_entry_decode
551194b8 <= mdb_entry_decode
551194b8 => mdb_entry_decode:
551194b8 mdb_dn2entry("lelreleID=6666999990@lol.com,ou=molon,dc=yyyyyyy,dc=com")
551194b8 => mdb_dn2id("lelreleID=6666999990@lol.com,ou=molon,dc=yyyyyyy,dc=com")
551194b8 <= mdb_entry_decode
551194b8 mdb_dn2entry("lelreleID=262280000000000@lol.com,ou=molon,dc=yyyyyyy,dc=com")
551194b8 => mdb_entry_decode:
551194b8 <= mdb_entry_decode
551194b8 => mdb_entry_decode:
551194b8 => mdb_entry_decode:
551194b8 <= mdb_entry_decode
551194b8 => mdb_entry_decode:
551194b8 <= mdb_dn2id: got id=0x9321
551194b8 <= mdb_entry_decode
551194b8 => mdb_entry_decode:
551194b8 <= mdb_entry_decode
551194b8 => mdb_dn2id("lelreleID=262280000000000@lol.com,ou=molon,dc=yyyyyyy,dc=com")
551194b8 => mdb_entry_decode:
551194b8 <= mdb_entry_decode
551194b8 <= mdb_dn2id: got id=0x25
551194b8 => mdb_entry_decode:
551194b8 <= mdb_entry_decode
551194b8 => mdb_entry_decode:
551194b8 mdb_dn2entry("loloId=50,ou=fry,dc=yyyyyyy,dc=com")
551194b8 <= mdb_entry_decode
[New Thread 2103c12400 (LWP 100750/slapd)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 2103c12400 (LWP 100750/slapd)]
0x00000008024a579f in mdb_idl_search (ids=0x210a980000, id=37) at idl.c:91
91                      val = IDL_CMP( id, ids[cursor] );
Current language:  auto; currently minimal

--------------

Thanks, Francisco Garnelo

Comment 1 Howard Chu 2015-04-04 18:04:18 UTC

francisco@garnelo.eu wrote:
> Full_Name: Francisco Garnelo
> Version: slapd 2.4.40
> OS: FreeBSD 10.1-STABLE
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (194.237.142.21)

Thanks for the report. Pretty sure this has already been fixed in RE24 for 2.4.41. Can you please test with the 2.4 release engineering branch and confirm whether the problem is still present?
>
>
>
> Hi, when I try to access with a LDAP browser (Apache DS) and the browser begin
> to enumerate the items in differents branches, the server crashes; this not
> takes more than 30 seconds from last restart.
>
> I experimented a similar issue with SLES 12(if not it is the same) and openldap
> 2.4.40 (from suse repositories) version, but in this system I could not take
> evidences.
>
> The database has more than 3GB of size and MDB is configured to support 100GB as
> the maximum size.
>
> The same databa w works fine ining BDB using an old openldap version.
>
> #############
> # Versions: #
> #############
>
> root@XXXX:/usr/local/etc/openldap # /usr/local/libexec/slapd -VVV
> @(#) $OpenLDAP: slapd 2.4.40 (Mar 24 2015 17:18:46) $
>          root@XXXX:/usr/rtrts/net/openldap24-server/work/openldap-2.4.40/servers/slapd
>
> Included static overlays:
>      dynlist
>      seqmod
>      syncprov
> Included static backends:
>      config
>      ldif
>      relay
>
> root@xxxx:/usr/local/etc/openldap # uname -a
> FreeBSD xxxx 10.1-STABLE FreeBSD 10.1-STABLE #0 r278906: Tue Feb 17 19:09:13 UTC
> 2015     root@releng1.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64
>
>
>
> ######################
> # cn=config export:  #
> ######################
>
> version: 1
>
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /var/run/openldap/slapd.args
> olcAttributeOptions: lang-
> olcAuthzPolicy: none
> olcConfigDir: slapd.d
> olcConfigFile: slapd.conf
> olcIdleTimeout: 0
> olcIndexIntLen: 8
> olcIndexSubstrAnyLen: 4
> olcIndexSubstrAnyStep: 2
> olcIndexSubstrIfMaxLen: 4
> olcIndexSubstrIfMinLen: 2
> olcListenerThreads: 1
> olcLocalSSF: 71
> olcLogLevel: 0
> olcPidFile: /var/run/openldap/slapd.pid
> olcReadOnly: FALSE
> olcReverseLookup: FALSE
> olcSizeLimit: unlimited
> olcThreads: 20
> olcTLSCACertificateFile: /usr/local/etc/openldap/certs/public/ca.crt
> olcTLSCertificateFile: /usr/local/etc/openldap/certs/public/server.crt
> olcTLSCertificateKeyFile: /usr/local/etc/openldap/certs/private/server.key
> olcTLSCRLCheck: none
> olcTLSProtocolMin: 0.0
> olcTLSVerifyClient: never
> olcToolThreads: 2
> olcWriteTimeout: 0
>
> dn: cn=module{0},cn=config
> objectClass: olcModuleList
> cn: module{0}
> olcModuleLoad: {0}back_mdb database  config
> olcModulePath: /usr/local/libexec/openldap
>
> dn: cn=schema,cn=config
> objectClass: olcSchemaConfig
> cn: schema
>
> ### -- omitted content -- ###
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /r%r/local/etc/openldap/schema/rfc2307bis.schema
>
> ### -- omitted content -- ###
>
>
> dn: olcDatabase={-1}frontend,cn=config
> objectClass: olcFrontendConfig
> objectClass: olcDatabaseConfig
> olcDatabase: {-1}frontend
> olcAccess: {0}to dn.base=""  by * read
> olcAccess: {1}to dn.base%%2"cn=subsemema"  by * read
> olcAccess: {2}to attrs=shadowLastChange  by self write  by * read
> olcAccess: {3}to *  by * read
> olcAddContentAcl: FALSE
> olcLastMod: TRUE
> olcMaxDerefDepth: 0
> olcMonitoring: FALSE
> olcReadOnly: FALSE
> olcSchemaDN: cn=Subschema
> olcSizeLimit: unlimited
> olcSyncUseSubentry: FALSE
>
> dn: olcDatabase={0}config,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: {0}config
> olcAccess: {0}to *  by * none
> olcAddContentAcl: TRUE
> olcLastMod: TRUE
> olcMaxDerefDepth: 15
> olcMonitoring: FALSE
> olcReadOnly: FALSE
> olcRootDN: cn=config
> olcRootPW: XXXXX
> olcSyncUseSubentry: FALSE
>
> dn: olcDatabase={1}mdb,cn=config
> objectClass: olcMdbConfig
> objectClass: olcDatabaseConfig
> olcDatabase: {1}mdb
> olcDbDirectory:2F2Fvar/db/openldap-data.mdb
> olcDbIndex: objectClass eq
> olcRootDN: cn=lalala,dc=yyyyyyy,dc=com
> olcRootPW: XXXXXXX
> olcSuffix: dc=yyyyyyy,dc=com
>
>
> ########
> # GDB: #
> ########
>
> 551194b6 => mdb_dn2id("lelreleID=6666999999@lol.com,ou=molon,dc=yyyyyyy,%3=com")
> 551194b6 <= mdb_entry_decode
> 551194b6 <= mdb_dn2id: got id=0x92b0
> 551194b6 => mdb_entry_decode:
> 551194b6 => mdb_entry_decode:
> 551194b6 <= mdb_entry_decode
> 551194b6 => mdb_entry_decode:
> 551194b6 => mdb_entry_decode:
> 551194b6 <= mdb_entry_decode
> 551194b6 <= mdb_entry_decode
> 551194b6 => mdb_entry_decode:
> 551194b6 => mdb_entry_decode:
> 551194b6 <= mdb_entry_decode
> 551194b6 <= mdb_entry_decode
> 551194b6 mdb_dn2entry("lelreleID=6666999999@lol.com,ou=molon,dc=yyyyyyy,dc=com")
> 551194b6 => mdb_entry_decode:
> 551194b6 => mdb_dn2id("lelreleID=6666999999@lol.com,ou=molon,dc=yyyyyyy,dc=com")
> 551194b6 <= mdb_entry_decode
> 551194b6 <= mdb_entry_decode
> 551194b6 => mdb_entry_decode:
> 551194b6 => mdb_entry_decode:
> 551194b6 <= mdb_entry_decode
> 551194b6 <= mdb_dn2id: got id=0x92b0
> 551194b6 => mdb_entry_decode:
> 551194b6 <= mdb_entry_decode
> 551194b6 => mdb_entry_decode:
> 551194b6 => mdb_entry_decode:
> 551194b6 <= mdb_entry_decode
> 551194b6 <= mdb_entry_decode
> 551194b6 => mdb_entry_decode:
> 551194b6 <=dbdb_entry_decode
> 551194b6 => mdb_entry_decode:
> 551194b6 => mdb_entry_decode:
> 551194b6 <= mdb_entry_decode
> 551194b6 <= mdb_entry_decode
> 551194b6 => mdb_entry_decode:
> 551194b6 <= mdb_entry_decode
> 551194b6 => mdb_entry_decode:
> 551194b6 => mdb_entry_decode:
> 551194b6 <= mdb_entry_decode
> 551194b6 <= mdb_entry_decode
> 551194b6 mdb_dn2entry("lelreleID=luser123@odin.lala,ou=molon,dc=yyyyyyy,dc=com")
> 551194b8 => mdb_dn2id("lelreleID=luser123@odin.lala,ou=molon,dc=yyyyyyy,dc=com")
> 551194b8 <= mdb_dn2id: got id=0x931e
> 551194b8 => mdb_entry_decode:
> 551194b8 <= mdb_entry_decode
> 551194b6 => mdb_entry_decode:
> 551194b8 => mdb_entry_decode:
> 551194b8 <= mdb_entry_decode
> 551194b8 <= mdb_entry_decode
> 551194b7 daemon: activity on 1 descriptor
> 551194b8 daemon: activity on:519194b8  11r551194b8
> 551194b8 daemon: read activity on 11
> 551194b8 mdb_dn2entry("lelreleID=6666999990@lol.com,ou=molon,dc=yyyyyyy,dc=com")
> 551194b8 => mdb_dn2id("lelreleID=6666999990@lol.com,ou=molon,dc=yyyyyyy,dc=com")
> 551194b7 => mdb_entry_decode:
> 551194b7 => mdb_entry_decode:
> 551194b8 <= mdb_entry_decode
> 551194b8 <= mdb_dn2id: got id=0x9321
> 551194b8 mdb_dn2entry("loloId=50,ou=fry,dc=yyyyyyy,dc=com")
> 551194b8 => mdb_entry_decode:
> 551194b8 => mdb_dn2id("loloId=50,ou=fry,dc=yyyyyyy,dc=com")
> 551194b8 <= mdb_entry_decode
> 551194b8 => mdb_entry_decode:
> 551194b8 daemon: select: listen=6 active_threads=0 tvp=NULL
> 551194b8 daemon: select: listen=7 active_threads=0 tvp=NULL
> 551194b8 <= mdb_dn2id: got id=0xf
> 551194b6 <= mdb_entry_decode
> 551194b8 => mdb_entry_dece:3A
> 551194b8 <= mdb_entry_decode
> 551194b8 => mdb_entry_decode:
> 551194b8 <= mdb_entry_decode
> 551194b8 <= mdb_entry_decode
> 551194b8 <= mdb_entry_decode
> 551194b8 => mdb_entry_decode:
> 551194b8 mdb_dn2entry("lelreleID=6666999990@lol.com,ou=molon,dc=yyyyyyy,dc=com")
> 551194b8 => mdb_dn2id("lelreleID=6666999990@lol.com,ou=molon,dc=yyyyyyy,dc=com")
> 551194b8 <= mdb_entry_decode
> 551194b8 mdb_dn2entry("lelreleID=262280000000000@lol.com,ou=molon,dc=yyyyyyy,dc=com")
> 551194b8 => mdb_entry_decode:
> 551194b8 <= mdb_entry_decode
> 551194b8 => mdb_entry_decode:
> 551194b8 => mdb_entry_decode:
> 551194b8 <= mdb_entry_decode
> 551194b8 => mdb_entry_decode:
> 551194b8 <= mdb_dn2id: got id=0x9321
> 551194b8 <= mdb_entry_decode
> 551194b8 => mdb_entry_decode:
> 551194b8 <= mdb_entry_decode
> 551194b8 => mdb_dn2id("lelreleID=262280000000000@lol.com,ou=molon,dc=yyyyyyy,dc=com")
> 551194b8 => mdb_entry_decode:
> 551194b8 <= mdb_entry_decode
> 551194b8 <= mdb_dn2id: got id=0x25
> 551194b8 => mdb_entry_decode:
> 551194b8 <= mdb_entry_decode
> 551194b8 => mdb_entry_decode:
> 551194b8 mdb_dn2entry("loloId=50,ou=fry,dc=yyyyyyy,dc=com")
> 551194b8 <= mdb_entry_decode
> [New Thread 2103c12400 (LWP 100750/slapd)]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 2103c12400 (LWP 100750/slapd)]
> 0x00000008024a579f in mdb_idl_search (ids=0x210a980000, id=37) at idl.c:91
> 91                      val = IDL_CMP( id, ids[cursor] );
> Current language:  auto; currently minimal
>
> --------------
>
> Thanks, Francisco Garnelo
>
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Comment 2 Howard Chu 2015-04-16 02:00:17 UTC

changed state Open to Feedback