OpenLDAP
Viewing Software Bugs/6892
From: ghola@rebelbase.com
Subject: Segfault in Syncprov overlay

Date: Wed, 06 Apr 2011 23:41:27 +0000
From: ghola@rebelbase.com
To: openldap-its@OpenLDAP.org
Subject: Segfault in Syncprov overlay
Full_Name: Duncan Idaho
Version: 2.4.25
OS: RHEL 5.5
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (204.10.36.147)


In my configuration slapd segfaults within a few hours repeatably when a NULL
value is somehow passed as a filter to test_filter in the syncprov overlay.

I'm running "threads 64" as I have 62 consumers connecting and this was required
to prevent unrelated searches from timing out when all the consumers connect at
once.

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x59832940 (LWP 2042)]
test_filter (op=0x59830770, e=0x2aab11861068, f=0x0) at filterentry.c:69
69              if ( f->f_choice & SLAPD_FILTER_UNDEFINED ) {
(gdb) bt
#0  test_filter (op=0x59830770, e=0x2aab11861068, f=0x0) at filterentry.c:69
#1  0x00000000004db315 in syncprov_matchops (op=0x59831130, opc=0xbc91750, saveit=1) at syncprov.c:1314
#2  0x00000000004db6b5 in syncprov_op_mod (op=0x59831130, rs=<value optimized out>) at syncprov.c:2124
#3  0x000000000047e62a in overlay_op_walk (op=0x59831130, rs=0x59830f40, which=op_modify, oi=0x8d7b50, on=0x8dc540) at backover.c:659
#4  0x000000000047ec07 in over_op_func (op=0x59831130, rs=0x59830f40, which=op_modify) at backover.c:721
#5  0x000000000047404d in syncrepl_updateCookie (si=0x8d74e0, op=0x59831130, syncCookie=0x59831aa0) at syncrepl.c:3292
#6  0x0000000000479d0d in do_syncrep2 (ctx=<value optimized out>, arg=<value optimized out>) at syncrepl.c:959
#7  do_syncrepl (ctx=<value optimized out>, arg=<value optimized out>) at syncrepl.c:1455
#8  0x000000000041f7aa in connection_read_thread (ctx=0x59831d70, argv=<value optimized out>) at connection.c:1251
#9  0x00000000004ec5ec in ldap_int_thread_pool_wrapper (xpool=0x84de50) at tpool.c:685
#10 0x000000301b20673d in start_thread (arg=<value optimized out>) at pthread_create.c:301
#11 0x000000301aad44bd in clone () from /lib64/libc.so.6

Let me know if I can provide more info.
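
A triage aid for backtraces like the one in this report, added here as an example (it is not part of the original report or of OpenLDAP): it rejoins frames that a mail client has hard-wrapped and lists every frame argument that is an all-zero pointer. The names `parse_backtrace` and `null_pointer_args` belong to this example only.

```python
import re

# Excerpt of the backtrace from the report, hard line wraps left in place.
SAMPLE_BT = """\
#0  test_filter (op=0x59830770, e=0x2aab11861068, f=0x0) at filterentry.c:69
#1  0x00000000004db315 in syncprov_matchops (op=0x59831130, opc=0xbc91750,
saveit=1) at syncprov.c:1314
#2  0x00000000004db6b5 in syncprov_op_mod (op=0x59831130, rs=<value optimized
out>) at syncprov.c:2124
#11 0x000000301aad44bd in clone () from /lib64/libc.so.6
"""

FRAME_RE = re.compile(
    r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>[\w.]+) \((?P<args>.*?)\)"
    r"(?: at (?P<file>[^\s:]+):(?P<line>\d+))?"
)


def parse_backtrace(text):
    """Rejoin wrapped frames, then split each into function, args and location."""
    frames = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()  # tolerate "> " quoted replies
        if re.match(r"#\d+\s", line):
            frames.append(line)                   # start of a new frame
        elif line and frames:
            frames[-1] += " " + line              # continuation of a wrapped frame
    parsed = []
    for frame in frames:
        m = FRAME_RE.match(frame)
        if m is None:
            continue
        args = dict(a.split("=", 1) for a in m["args"].split(", ") if "=" in a)
        parsed.append({"num": int(m["num"]), "func": m["func"], "args": args,
                       "file": m["file"],
                       "line": int(m["line"]) if m["line"] else None})
    return parsed


def null_pointer_args(frames):
    """Return (frame, function, argument, file, line) for every all-zero pointer."""
    return [(f["num"], f["func"], name, f["file"], f["line"])
            for f in frames for name, value in f["args"].items()
            if re.fullmatch(r"0x0+", value)]


if __name__ == "__main__":
    for hit in null_pointer_args(parse_backtrace(SAMPLE_BT)):
        print("NULL argument: frame #%d %s(%s) at %s:%s" % hit)
```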

Followup 1

Date: Thu, 7 Apr 2011 18:21:44 -0700
Subject: Re: (ITS#6892) Segfault in Syncprov overlay
From: Duncan Idaho <ghola@rebelbase.com>
To: openldap-its@openldap.org

More information: this server is both a producer and a consumer.

Here are the logs preceding the crash:

Apr  8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000
Apr  8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000
Apr  8 00:50:40 test-ldap01 slapd[8732]: conn=1007 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net"
Apr  8 00:50:40 test-ldap01 slapd[8732]: conn=1005 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net"
Apr  8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000
Apr  8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000
Apr  8 00:50:40 test-ldap01 slapd[8732]: conn=1004 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net"
Apr  8 00:50:40 test-ldap01 slapd[8732]: conn=1003 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net"
Apr  8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000
Apr  8 00:50:40 test-ldap01 slapd[8732]: conn=1002 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net"
Apr  8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000
Apr  8 00:50:40 test-ldap01 slapd[8732]: syncprov_sendresp: cookie=rid=001,csn=20110408005040.759389Z#000000#000#000000
Apr  8 00:50:40 test-ldap01 slapd[8732]: conn=1001 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net"
Apr  8 00:50:40 test-ldap01 slapd[8732]: slap_graduate_commit_csn: removing 0x20494b70 20110408005040.759389Z#000000#000#000000
Apr  8 00:50:40 test-ldap01 slapd[8732]: conn=1000 op=1 ENTRY dn="widget=ldap02,ou=widgets,dc=domain,dc=net"
Apr  8 00:50:40 test-ldap01 slapd[8732]: syncrepl_entry: rid=001 be_modify widget=ldap02,ou=widgets,dc=domain,dc=net (0)
Apr  8 00:50:40 test-ldap01 slapd[8732]: slap_queue_csn: queing 0x2055d810 20110408005040.759389Z#000000#000#000000




Followup 2

Date: Fri, 10 Jun 2011 01:59:17 -0700
From: Howard Chu <hyc@symas.com>
To: ghola@rebelbase.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#6892) Segfault in Syncprov overlay
ghola@rebelbase.com wrote:
> Full_Name: Duncan Idaho
> Version: 2.4.25
> OS: RHEL 5.5
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (204.10.36.147)
>
>
> In my configuration slapd segfaults within a few hours repeatably when a NULL
> value is somehow passed as a filter to test_filter in the syncprov overlay.
>
> I'm running "threads 64" as I have 62 consumers connecting and this was required
> to prevent unrelated searches from timing out when all the consumers connect at
> once.
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x59832940 (LWP 2042)]
> test_filter (op=0x59830770, e=0x2aab11861068, f=0x0) at filterentry.c:69
> 69              if ( f->f_choice & SLAPD_FILTER_UNDEFINED ) {
> (gdb) bt
> #0  test_filter (op=0x59830770, e=0x2aab11861068, f=0x0) at filterentry.c:69
> #1  0x00000000004db315 in syncprov_matchops (op=0x59831130, opc=0xbc91750, saveit=1) at syncprov.c:1314
> #2  0x00000000004db6b5 in syncprov_op_mod (op=0x59831130, rs=<value optimized out>) at syncprov.c:2124
> #3  0x000000000047e62a in overlay_op_walk (op=0x59831130, rs=0x59830f40, which=op_modify, oi=0x8d7b50, on=0x8dc540) at backover.c:659
> #4  0x000000000047ec07 in over_op_func (op=0x59831130, rs=0x59830f40, which=op_modify) at backover.c:721
> #5  0x000000000047404d in syncrepl_updateCookie (si=0x8d74e0, op=0x59831130, syncCookie=0x59831aa0) at syncrepl.c:3292
> #6  0x0000000000479d0d in do_syncrep2 (ctx=<value optimized out>, arg=<value optimized out>) at syncrepl.c:959
> #7  do_syncrepl (ctx=<value optimized out>, arg=<value optimized out>) at syncrepl.c:1455
> #8  0x000000000041f7aa in connection_read_thread (ctx=0x59831d70, argv=<value optimized out>) at connection.c:1251
> #9  0x00000000004ec5ec in ldap_int_thread_pool_wrapper (xpool=0x84de50) at tpool.c:685
> #10 0x000000301b20673d in start_thread (arg=<value optimized out>) at pthread_create.c:301
> #11 0x000000301aad44bd in clone () from /lib64/libc.so.6
>
> Let me know if I can provide more info.

A patch to avoid this particular crash is now in git master. However, it's 
still not clear to me why it occurred. Can you get this info from gdb:
	frame 1
	print *ss


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 3

Date: Fri, 10 Jun 2011 14:27:25 -0700
Subject: Re: (ITS#6892) Segfault in Syncprov overlay
From: Duncan Idaho <ghola@rebelbase.com>
To: Howard Chu <hyc@symas.com>
Cc: openldap-its@openldap.org
> A patch to avoid this particular crash is now in git master. However, it's
> still not clear to me why it occurred. Can you get this info from gdb:
> 	frame 1
> 	print *ss

Thanks Howard, here is the info you requested:

(gdb) bt
#0  test_filter (op=0x40fff7f0, e=0x2aab116ab068, f=0x0) at filterentry.c:69
#1  0x00000000004db315 in syncprov_matchops (op=0x410001b0, opc=0xb096e0, saveit=1) at syncprov.c:1314
#2  0x00000000004db6b5 in syncprov_op_mod (op=0x410001b0, rs=<value optimized out>) at syncprov.c:2124
#3  0x000000000047e62a in overlay_op_walk (op=0x410001b0, rs=0x40ffffc0, which=op_modify, oi=0x8d7ab0, on=0x8dc4f0) at backover.c:659
#4  0x000000000047ec07 in over_op_func (op=0x410001b0, rs=0x40ffffc0, which=op_modify) at backover.c:721
#5  0x000000000047404d in syncrepl_updateCookie (si=0x8d74d0, op=0x410001b0, syncCookie=0x41000b20) at syncrepl.c:3292
#6  0x0000000000478462 in do_syncrep2 (ctx=<value optimized out>, arg=<value optimized out>) at syncrepl.c:1097
#7  do_syncrepl (ctx=<value optimized out>, arg=<value optimized out>) at syncrepl.c:1455
#8  0x00000000004ec5ec in ldap_int_thread_pool_wrapper (xpool=0x84daf0) at tpool.c:685
#9  0x000000301b20673d in start_thread (arg=<value optimized out>) at pthread_create.c:301
#10 0x000000301aad44bd in clone () from /lib64/libc.so.6
(gdb) frame 1
#1  0x00000000004db315 in syncprov_matchops (op=0x410001b0, opc=0xb096e0, saveit=1) at syncprov.c:1314
1314				rc = test_filter( &op2, e, op2.ors_filter );
(gdb) print *ss
$1 = {s_next = 0x2aab502177f0, s_base = {bv_len = 16, bv_val = 0x2aab730920e0 "dc=test12,dc=net"},
  s_eid = 1, s_op = 0x230ea90, s_rid = 1, s_sid = -1, s_filterstr = {bv_len = 15,
    bv_val = 0x230f7d0 "(objectClass=*)"}, s_flags = 1, s_inuse = 1, s_res = 0x2aababca90f0,
  s_restail = 0x2aabc320d920, s_mutex = {__data = {__lock = 0, __count = 0, __owner = 0, __nusers = 0,
      __kind = 0, __spins = 0, __list = {__prev = 0x0, __next = 0x0}},
    __size = '\000' <repeats 39 times>, __align = 0}}



Followup 4

Date: Wed, 15 Jun 2011 10:35:03 -0700
Subject: Re: (ITS#6892) Segfault in Syncprov overlay
From: Duncan Idaho <ghola@rebelbase.com>
To: openldap-its@openldap.org
I'm unable to reproduce this problem with the latest syncrepl.c from git.

