Issue 8689 - invalid rwm configuration causes slapd to SEGV
Summary: invalid rwm configuration causes slapd to SEGV
Status: VERIFIED DUPLICATE of issue 8964
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: overlays (show other issues)
Version: 2.4.45
Hardware: All All
: --- normal
Target Milestone: ---
Assignee: Howard Chu
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-07-10 16:18 UTC by Quanah Gibson-Mount
Modified: 2021-01-13 21:10 UTC (History)
0 users

See Also:


Attachments

Description Quanah Gibson-Mount 2017-07-10 16:18:24 UTC
Full_Name: Quanah Gibson-Mount
Version: 2.4.45
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.148.239)


If you incorrectly configure slapo-rwm so that it has an invalid mapping, slapd
will crash after a search is performed against the mapped base.  For example:

rwm-rewriteRule "(.+,)?dc=example2,[ ]?dc=com$" "$1dc-example, dc=com"
rwm-rewriteRule "(.+,)?dc=example2,dc=com$" "$1dc-example,dc=com"

(Note that the substitution string has dc-example,dc=com instead of
dc=example,dc=com, so the rewritten search base is not a well-formed DN.)

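It might be helpful to check the rewrite rules for validity when the
configuration is parsed, but that may be difficult to do.

In the trace below, the fault is in slap_sl_free, called from do_search
(search.c:257). The result structure in frame #2 carries sr_err = -1 and
sr_text = "searchDN massage error", so the crash is on the error path taken
after the rewrite of the search base has failed. The locals in frame #0
(nextp, size) are not plausible allocator values, which suggests the pointer
being freed does not refer to a live slab allocation.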

Thread 4 "slapd" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fcd66999700 (LWP 844)]
slap_sl_free (ptr=0x7fcd5c001178, ctx=0x7fcd5c000a80) at
/home/build/sold-2.4.45.1/openldap/servers/slapd/sl_malloc.c:515
515     /home/build/sold-2.4.45.1/openldap/servers/slapd/sl_malloc.c: No such
file or directory.
(gdb) bt
#0  slap_sl_free (ptr=0x7fcd5c001178, ctx=0x7fcd5c000a80) at
/home/build/sold-2.4.45.1/openldap/servers/slapd/sl_malloc.c:515
#1  0x0000000000431c03 in do_search (op=0x7fcd580028d0, rs=0x7fcd66998b10) at
/home/build/sold-2.4.45.1/openldap/servers/slapd/search.c:257
#2  0x000000000042ff77 in connection_operation (ctx=0x7fcd66998c00,
arg_v=0x7fcd580028d0) at
/home/build/sold-2.4.45.1/openldap/servers/slapd/connection.c:1158
#3  0x00007fcdac4fc3bb in ldap_int_thread_pool_wrapper (xpool=0x26e6fc0) at
/home/build/sold-2.4.45.1/openldap/libraries/libldap_r/tpool.c:963
#4  0x00007fcdac0c56ba in start_thread (arg=0x7fcd66999700) at
pthread_create.c:333
#5  0x00007fcdab1283dd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Thread 4 (Thread 0x7fcd66999700 (LWP 844)):
#0  slap_sl_free (ptr=0x7fcd5c001178, ctx=0x7fcd5c000a80) at
/home/build/sold-2.4.45.1/openldap/servers/slapd/sl_malloc.c:515
        nextp = 0x6520e534bd7384d0
        size = 7286935691776455520
        p = 0x7fcd5c001170
        tmpp = <optimized out>
        ctx = 0x7fcd5c000a80
        ptr = 0x7fcd5c001178
        sh = 0x7fcd5c000a80
        p = 0x7fcd5c001178
#1  0x0000000000431c03 in do_search (op=0x7fcd580028d0, rs=0x7fcd66998b10) at
/home/build/sold-2.4.45.1/openldap/servers/slapd/search.c:257
        base = {bv_len = 18, bv_val = 0x7fcd58000a87 "dc=example2,dc=com"}
        siz = 0
        off = <optimized out>
        i = <optimized out>
#2  0x000000000042ff77 in connection_operation (ctx=0x7fcd66998c00,
arg_v=0x7fcd580028d0) at
/home/build/sold-2.4.45.1/openldap/servers/slapd/connection.c:1158
        rc = 80
        cancel = <optimized out>
        op = 0x7fcd580028d0
        rs = {sr_type = REP_RESULT, sr_tag = 101, sr_msgid = 2, sr_err = -1,
sr_matched = 0x0, sr_text = 0x7fcda7ba945d "searchDN massage error", sr_ref =
0x0, sr_ctrls = 0x0, sr_un = {
            sru_search = {r_entry = 0x0, r_attr_flags = 0, r_operational_attrs =
0x0, r_attrs = 0x0, r_nentries = 0, r_v2ref = 0x0}, sru_sasl = {r_sasldata =
0x0}, sru_extended = {
              r_rspoid = 0x0, r_rspdata = 0x0}}, sr_flags = 0}
        tag = 99
        opidx = SLAP_OP_SEARCH
        conn = 0x7fcdac7e5b90
        memctx = 0x7fcd5c000a80
        memctx_null = 0x0
        memsiz = 1048576
        __PRETTY_FUNCTION__ = "connection_operation"
#3  0x00007fcdac4fc3bb in ldap_int_thread_pool_wrapper (xpool=0x26e6fc0) at
/home/build/sold-2.4.45.1/openldap/libraries/libldap_r/tpool.c:963
        pq = 0x26e6fc0
        pool = 0x26e6ee0
        task = 0x7fcd600008c0
        work_list = <optimized out>
        ctx = {ltu_pq = 0x26e6fc0, ltu_id = 140520166364928, ltu_key = {{ltk_key
= 0x42e3a0 <conn_counter_init>, ltk_data = 0x7fcd5c000970, ltk_free = 0x42e480
<conn_counter_destroy>}, {
              ltk_key = 0x484c30 <slap_sl_mem_init>, ltk_data = 0x7fcd5c000a80,
ltk_free = 0x484b00 <slap_sl_mem_destroy>}, {ltk_key = 0x4436d0 <slap_op_free>,
ltk_data = 0x7fcd5c000b70,
              ltk_free = 0x4436a0 <slap_op_q_destroy>}, {ltk_key = 0x0, ltk_data
= 0x0, ltk_free = 0x0} <repeats 29 times>}}
        kctx = <optimized out>
        keyslot = <optimized out>
        hash = <optimized out>
        pool_lock = 0
        freeme = 0
        __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper"
#4  0x00007fcdac0c56ba in start_thread (arg=0x7fcd66999700) at
pthread_create.c:333
        __res = <optimized out>
        pd = 0x7fcd66999700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140520166364928,
1493515270220219122, 0, 140520183139599, 140520166365632, 4391152,
-1503985625800834318, -1503832697886014734},
              mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data =
{prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#5  0x00007fcdab1283dd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:109
No locals.

Thread 3 (Thread 0x7fcd6719a700 (LWP 843)):
#0  pthread_cond_wait@@GLIBC_2.3.2 () at
../sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
No locals.
#1  0x00007fcdac4fcc65 in ldap_pvt_thread_cond_wait (cond=<optimized out>,
mutex=<optimized out>) at
/home/build/sold-2.4.45.1/openldap/libraries/libldap_r/thr_posix.c:277
No locals.
#2  0x00007fcdac4fc45f in ldap_int_thread_pool_wrapper (xpool=0x26e6fc0) at
/home/build/sold-2.4.45.1/openldap/libraries/libldap_r/tpool.c:945
        pq = 0x26e6fc0
        pool = 0x26e6ee0
        task = 0x0
        work_list = <optimized out>
        ctx = {ltu_pq = 0x26e6fc0, ltu_id = 140520174757632, ltu_key = {{ltk_key
= 0x42e3a0 <conn_counter_init>, ltk_data = 0x7fcd580026a0, ltk_free = 0x42e480
<conn_counter_destroy>}, {
              ltk_key = 0x484c30 <slap_sl_mem_init>, ltk_data = 0x7fcd580027b0,
ltk_free = 0x484b00 <slap_sl_mem_destroy>}, {ltk_key = 0x4436d0 <slap_op_free>,
ltk_data = 0x7fcd58002d10,
              ltk_free = 0x4436a0 <slap_op_q_destroy>}, {ltk_key = 0x0, ltk_data
= 0x0, ltk_free = 0x0} <repeats 29 times>}}
        kctx = <optimized out>
        keyslot = <optimized out>
        hash = <optimized out>
        pool_lock = 0
        freeme = 0
        __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper"
#3  0x00007fcdac0c56ba in start_thread (arg=0x7fcd6719a700) at
pthread_create.c:333
        __res = <optimized out>
        pd = 0x7fcd6719a700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140520174757632,
1493515270220219122, 0, 140520183139647, 140520174758336, 4370320,
-1503984526826077454, -1503832697886014734},
              mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data =
{prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#4  0x00007fcdab1283dd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:109
No locals.

Thread 2 (Thread 0x7fcd6799b700 (LWP 804)):
#0  0x00007fcdab1289d3 in epoll_wait () at
../sysdeps/unix/syscall-template.S:84
No locals.
#1  0x000000000042b7c0 in slapd_daemon_task (ptr=<optimized out>) at
/home/build/sold-2.4.45.1/openldap/servers/slapd/daemon.c:2539
        ns = <optimized out>
        at = <optimized out>
        nfds = <optimized out>
        revents = 0x26c0ff0
        tvp = 0x0
        cat = {tv_sec = 0, tv_usec = 0}
        i = <optimized out>
        nwriters = <optimized out>
        now = <optimized out>
        tv = {tv_sec = 0, tv_usec = 0}
        tdelta = 1
        rtask = <optimized out>
        l = <optimized out>
        last_idle_check = 1499703215
        ebadf = 0
        tid = 0
#2  0x00007fcdac0c56ba in start_thread (arg=0x7fcd6799b700) at
pthread_create.c:333
        __res = <optimized out>
        pd = 0x7fcd6799b700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140520183150336,
1493515270220219122, 0, 140735119107759, 140520183151040, 0,
-1503983425703836942, -1503832697886014734},
              mask_was_saved = 0}}, priv = {pad = {0x0, 0x0, 0x0, 0x0}, data =
{prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
        __PRETTY_FUNCTION__ = "start_thread"
#3  0x00007fcdab1283dd in clone () at
../sysdeps/unix/sysv/linux/x86_64/clone.S:109
No locals.

Thread 1 (Thread 0x7fcdac957700 (LWP 803)):
#0  0x00007fcdac0c698d in pthread_join (threadid=140520183150336,
thread_return=thread_return@entry=0x0) at pthread_join.c:90
        __tid = 804
        _buffer = {__routine = 0x7fcdac0c68b0 <cleanup>, __arg = 0x7fcd6799bd28,
__canceltype = 0, __prev = 0x0}
        oldtype = 0
        pd = 0x7fcd6799b700
        self = 0x7fcdac957700
        result = 0
#1  0x00007fcdac4fcbf5 in ldap_pvt_thread_join (thread=<optimized out>,
thread_return=thread_return@entry=0x0) at
/home/build/sold-2.4.45.1/openldap/libraries/libldap_r/thr_posix.c:197
No locals.
#2  0x000000000042d529 in slapd_daemon () at
/home/build/sold-2.4.45.1/openldap/servers/slapd/daemon.c:2932
        i = 0
        rc = 0
#3  0x0000000000415261 in main (argc=7, argv=<optimized out>) at
/home/build/sold-2.4.45.1/openldap/servers/slapd/main.c:1016
        i = <optimized out>
        no_detach = 0
        urls = 0x26ae0d0 "ldap:///"
        username = 0x26ae090 "EXTERNAL"
        groupname = 0x26ae0b0 "\006\362\032\253\315\177"
        sandbox = 0x0
        syslogUser = 160
        pid = <optimized out>
        waitfds = {9, 10}
        g_argc = 7
        g_argv = <optimized out>
        configfile = 0x0
        configdir = 0x0
        serverName = 0x7fff72c838fe "slapd"
        scp = <optimized out>
        scp_entry = <optimized out>
        debug_unknowns = 0x0
        syslog_unknowns = 0x0
        serverNamePrefix = <synthetic pointer>
        l = <optimized out>
        slapd_pid_file_unlink = 1
        slapd_args_file_unlink = 1
        firstopt = <optimized out>
        __PRETTY_FUNCTION__ = "main"
Comment 1 Howard Chu 2021-01-13 17:13:17 UTC
Reproduced in 2.4.45 - 2.4.47, but not present in 2.4.48 or later.
Fixed by ITS#8964

*** This issue has been marked as a duplicate of issue 8964 ***