Viewing Software Bugs/6892 Full headers
Notes: fixed in master, fixed in RE24
Date: Wed, 06 Apr 2011 23:41:27 +0000
From: ghola@rebelbase.com
To: openldap-its@OpenLDAP.org
Subject: Segfault in Syncprov overlay

Full_Name: Duncan Idaho
Version: 2.4.25
OS: RHEL 5.5
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (204.10.36.147)

In my configuration slapd segfaults within a few hours repeatably when a NULL value is somehow passed as a filter to test_filter in the syncprov overlay.

I'm running "threads 64" as I have 62 consumers connecting and this was required to prevent unrelated searches from timing out when all the consumers connect at once.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x59832940 (LWP 2042)]
test_filter (op=0x59830770, e=0x2aab11861068, f=0x0) at filterentry.c:69
69 if ( f->f_choice & SLAPD_FILTER_UNDEFINED ) {
(gdb) bt
#0 test_filter (op=0x59830770, e=0x2aab11861068, f=0x0) at filterentry.c:69
#1 0x00000000004db315 in syncprov_matchops (op=0x59831130, opc=0xbc91750, saveit=1) at syncprov.c:1314
#2 0x00000000004db6b5 in syncprov_op_mod (op=0x59831130, rs=<value optimized out>) at syncprov.c:2124
#3 0x000000000047e62a in overlay_op_walk (op=0x59831130, rs=0x59830f40, which=op_modify, oi=0x8d7b50, on=0x8dc540) at backover.c:659
#4 0x000000000047ec07 in over_op_func (op=0x59831130, rs=0x59830f40, which=op_modify) at backover.c:721
#5 0x000000000047404d in syncrepl_updateCookie (si=0x8d74e0, op=0x59831130, syncCookie=0x59831aa0) at syncrepl.c:3292
#6 0x0000000000479d0d in do_syncrep2 (ctx=<value optimized out>, arg=<value optimized out>) at syncrepl.c:959
#7 do_syncrepl (ctx=<value optimized out>, arg=<value optimized out>) at syncrepl.c:1455
#8 0x000000000041f7aa in connection_read_thread (ctx=0x59831d70, argv=<value optimized out>) at connection.c:1251
#9 0x00000000004ec5ec in ldap_int_thread_pool_wrapper (xpool=0x84de50) at tpool.c:685
#10 0x000000301b20673d in start_thread (arg=<value optimized out>) at pthread_create.c:301
#11 0x000000301aad44bd in clone () from /lib64/libc.so.6

Let me know if I can provide more info.

Date: Thu, 7 Apr 2011 18:21:44 -0700
Subject: Re: (ITS#6892) Segfault in Syncprov overlay
From: Duncan Idaho <ghola@rebelbase.com>
To: openldap-its@openldap.org

More information; This server is both a producer and a consumer.

Here are the logs preceding the crash:

Apr 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000
Apr 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000
Apr 8 00:50:40 test-ldap01 slapd[8732]: conn=1007 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net"
Apr 8 00:50:40 test-ldap01 slapd[8732]: conn=1005 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net"
Apr 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000
Apr 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000
Apr 8 00:50:40 test-ldap01 slapd[8732]: conn=1004 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net"
Apr 8 00:50:40 test-ldap01 slapd[8732]: conn=1003 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net"
Apr 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000
Apr 8 00:50:40 test-ldap01 slapd[8732]: conn=1002 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net"
Apr 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000
Apr 8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000
Apr 8 00:50:40 test-ldap01 slapd[8732]: conn=1001 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net"
Apr 8 00:50:40 test-ldap01 slapd[8732]: slap_graduate_commit_csn: removing 0x20494b70 20110408005040.759389Z#000000#000#000000
Apr 8 00:50:40 test-ldap01 slapd[8732]: conn=1000 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net"
Apr 8 00:50:40 test-ldap01 slapd[8732]: syncrepl_entry: rid=001 be_modify widget=ldap02,ou=widgets,dc=domain,dc=net (0)
Apr 8 00:50:40 test-ldap01 slapd[8732]: slap_queue_csn: queing 0x2055d810 20110408005040.759389Z#000000#000#000000

Date: Fri, 10 Jun 2011 01:59:17 -0700
From: Howard Chu <hyc@symas.com>
To: ghola@rebelbase.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#6892) Segfault in Syncprov overlay

ghola@rebelbase.com wrote:
> Full_Name: Duncan Idaho
> Version: 2.4.25
> OS: RHEL 5.5
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (204.10.36.147)
>
>
> In my configuration slapd segfaults within a few hours repeatably when a NULL
> value is somehow passed as a filter to test_filter in the syncprov overlay.
>
> I'm running "threads 64" as I have 62 consumers connecting and this was required
> to prevent unrelated searches from timing out when all the consumers connect at
> once.
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x59832940 (LWP 2042)]
> test_filter (op=0x59830770, e=0x2aab11861068, f=0x0) at filterentry.c:69
> 69 if ( f->f_choice& SLAPD_FILTER_UNDEFINED ) {
> (gdb) bt
> #0 test_filter (op=0x59830770, e=0x2aab11861068, f=0x0) at filterentry.c:69
> #1 0x00000000004db315 in syncprov_matchops (op=0x59831130, opc=0xbc91750,
> saveit=1) at syncprov.c:1314
> #2 0x00000000004db6b5 in syncprov_op_mod (op=0x59831130, rs=<value optimized
> out>) at syncprov.c:2124
> #3 0x000000000047e62a in overlay_op_walk (op=0x59831130, rs=0x59830f40,
> which=op_modify, oi=0x8d7b50, on=0x8dc540) at backover.c:659
> #4 0x000000000047ec07 in over_op_func (op=0x59831130, rs=0x59830f40,
> which=op_modify) at backover.c:721
> #5 0x000000000047404d in syncrepl_updateCookie (si=0x8d74e0, op=0x59831130,
> syncCookie=0x59831aa0) at syncrepl.c:3292
> #6 0x0000000000479d0d in do_syncrep2 (ctx=<value optimized out>, arg=<value
> optimized out>) at syncrepl.c:959
> #7 do_syncrepl (ctx=<value optimized out>, arg=<value optimized out>) at
> syncrepl.c:1455
> #8 0x000000000041f7aa in connection_read_thread (ctx=0x59831d70, argv=<value
> optimized out>) at connection.c:1251
> #9 0x00000000004ec5ec in ldap_int_thread_pool_wrapper (xpool=0x84de50) at
> tpool.c:685
> #10 0x000000301b20673d in start_thread (arg=<value optimized out>) at
> pthread_create.c:301
> #11 0x000000301aad44bd in clone () from /lib64/libc.so.6
>
> Let me know if I can provide more info.

A patch to avoid this particular crash is now in git master. However, it's still not clear to me why it occurred. Can you get this info from gdb:

    frame 1
    print *ss

--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/

Date: Fri, 10 Jun 2011 14:27:25 -0700
Subject: Re: (ITS#6892) Segfault in Syncprov overlay
From: Duncan Idaho <ghola@rebelbase.com>
To: Howard Chu <hyc@symas.com>
Cc: openldap-its@openldap.org

> A patch to avoid this particular crash is now in git master. However, it's still not clear to me why it occurred. Can you get this info from gdb:
>     frame 1
>     print *ss

Thanks Howard, here is the info you requested:

(gdb) bt
#0 test_filter (op=0x40fff7f0, e=0x2aab116ab068, f=0x0) at filterentry.c:69
#1 0x00000000004db315 in syncprov_matchops (op=0x410001b0, opc=0xb096e0, saveit=1) at syncprov.c:1314
#2 0x00000000004db6b5 in syncprov_op_mod (op=0x410001b0, rs=<value optimized out>) at syncprov.c:2124
#3 0x000000000047e62a in overlay_op_walk (op=0x410001b0, rs=0x40ffffc0, which=op_modify, oi=0x8d7ab0, on=0x8dc4f0) at backover.c:659
#4 0x000000000047ec07 in over_op_func (op=0x410001b0, rs=0x40ffffc0, which=op_modify) at backover.c:721
#5 0x000000000047404d in syncrepl_updateCookie (si=0x8d74d0, op=0x410001b0, syncCookie=0x41000b20) at syncrepl.c:3292
#6 0x0000000000478462 in do_syncrep2 (ctx=<value optimized out>, arg=<value optimized out>) at syncrepl.c:1097
#7 do_syncrepl (ctx=<value optimized out>, arg=<value optimized out>) at syncrepl.c:1455
#8 0x00000000004ec5ec in ldap_int_thread_pool_wrapper (xpool=0x84daf0) at tpool.c:685
#9 0x000000301b20673d in start_thread (arg=<value optimized out>) at pthread_create.c:301
#10 0x000000301aad44bd in clone () from /lib64/libc.so.6
(gdb) frame 1
#1 0x00000000004db315 in syncprov_matchops (op=0x410001b0, opc=0xb096e0, saveit=1) at syncprov.c:1314
1314 rc = test_filter( &op2, e, op2.ors_filter );
(gdb) print *ss
$1 = {s_next = 0x2aab502177f0, s_base = {bv_len = 16, bv_val = 0x2aab730920e0 "dc=test12,dc=net"}, s_eid = 1, s_op = 0x230ea90, s_rid = 1, s_sid = -1, s_filterstr = {bv_len = 15, bv_val = 0x230f7d0 "(objectClass=*)"}, s_flags = 1, s_inuse = 1, s_res = 0x2aababca90f0, s_restail = 0x2aabc320d920, s_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0, __kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 0x0}}, __size = '\000' <repeats 39 times>, __align = 0}}

Date: Wed, 15 Jun 2011 10:35:03 -0700
Subject: Re: (ITS#6892) Segfault in Syncprov overlay
From: Duncan Idaho <ghola@rebelbase.com>
To: openldap-its@openldap.org

I'm unable to reproduce this problem with the latest syncrepl.c from git.
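
Added example (not part of the original thread and not OpenLDAP code): a small triage helper that parses a gdb backtrace like the ones posted above and reports every frame that received a NULL pointer argument, together with its caller. The names parse_backtrace, null_pointer_args, triage and SAMPLE_BT are hypothetical; the sample is constructed from the first three frames of the first report.

```python
import re

# Constructed sample: the first three frames of the backtrace in this report,
# with each frame on one line as gdb prints it.
SAMPLE_BT = """\
#0 test_filter (op=0x59830770, e=0x2aab11861068, f=0x0) at filterentry.c:69
#1 0x00000000004db315 in syncprov_matchops (op=0x59831130, opc=0xbc91750, saveit=1) at syncprov.c:1314
#2 0x00000000004db6b5 in syncprov_op_mod (op=0x59831130, rs=<value optimized out>) at syncprov.c:2124
"""

# Frame layout: "#N [0xADDR in ]func (args) [at file:line | from lib]"
FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>[\w.]+) "
    r"\((?P<args>.*)\)(?: at (?P<file>[^\s:]+):(?P<line>\d+)| from \S+)?$"
)

def parse_backtrace(text):
    """Return one dict per frame line; non-frame lines are skipped."""
    frames = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw.strip())
        if not m:
            continue  # prompt, signal banner, source line, blank
        args = {}
        for pair in m["args"].split(", "):
            name, sep, value = pair.partition("=")
            if sep:
                args[name.strip()] = value.strip()
        frames.append({"num": int(m["num"]), "func": m["func"], "args": args,
                       "file": m["file"],
                       "line": int(m["line"]) if m["line"] else None})
    return frames

def null_pointer_args(frames):
    """(frame number, function, argument) for every argument equal to 0x0."""
    return [(f["num"], f["func"], name) for f in frames
            for name, value in f["args"].items() if value == "0x0"]

def triage(text):
    """One line per NULL argument, naming the frame and its caller."""
    frames = {f["num"]: f for f in parse_backtrace(text)}
    notes = []
    for num, func, name in null_pointer_args(frames.values()):
        here, caller = frames[num], frames.get(num + 1)
        note = f"NULL {name} in {func} ({here['file']}:{here['line']})"
        if caller:
            note += f", called from {caller['func']} ({caller['file']}:{caller['line']})"
        notes.append(note)
    return notes
```

Frames must be on one line each, so backtraces that a mail client has re-wrapped need to be rejoined before parsing.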
______________ © Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org