Viewing Software Bugs/7414
Notes: fixed in master, fixed in RE24

Date: Thu, 11 Oct 2012 14:24:26 +0000
From: jvcelak@redhat.com
To: openldap-its@OpenLDAP.org
Subject: rwm: ldapmodify, slapd segmentation fault

Full_Name: Jan Vcelak
Version: 2.4.33
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (209.132.186.34)


Hello,

it is possible to crash slapd in certain configuration with rwm overlay enabled,
using specific ldapmodify. This problem seems to be present for a very long
time.

Configuration used (slapd.ldif):

dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/lib64/openldap
olcModuleload: rwm.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/openldap/schema/core.ldif
include: file:///etc/openldap/schema/cosine.ldif
include: file:///etc/openldap/schema/inetorgperson.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
olcDatabase: frontend

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=com
olcRootPW: secret
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub

dn: olcOverlay=rwm,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0}rwm-rewriteEngine "on"
olcRwmRewrite: {1}rwm-rewriteContext "bindDN"
olcRwmRewrite: {2}rwm-rewriteRule "cn=([a-z]+),ou=People,dc=my-domain,dc=com" "uid=$1,ou=People,dc=my-domain,dc=com"


Set up and start the server.
Add the initial data:

dn: dc=my-domain,dc=com
objectClass: dcObject
objectClass: organizationalUnit
description: Root LDAP entry
dc: my-domain
ou: rootobject

dn: cn=Manager,dc=my-domain,dc=com
objectClass: organizationalRole
cn: Manager

dn: ou=People,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalunit
ou: People

dn: cn=test1,ou=People,dc=my-domain,dc=com
objectClass: inetOrgPerson
cn: test1
sn: test


Perform following modify operation:

dn: cn=test1,ou=People,dc=my-domain,dc=com
changetype: modrdn
newrdn: cn=test2
deleteoldrdn: 1
newsuperior: ou=People,dc=my-domain,dc=com


The slapd daemon will crash, here is the full backtrace:

#0  rwm_op_rollback (op=op@entry=0x7fffe8000930, ros=0x7fffe8001738, rs=<optimized out>) at rwm.c:110
No locals.
#1  0x00007ffff210f1c2 in rwm_op_cleanup (op=0x7fffe8000930, rs=<optimized out>) at rwm.c:165
        cb = 0x7fffe8001718
        ros = <optimized out>
#2  0x00005555555a606b in slap_cleanup_play (op=op@entry=0x7fffe8000930, rs=rs@entry=0x7ffff1106930) at result.c:541
        sc_next = 0x7ffff11065c0
        sc_nextp = 0x7fffe8001718
        sc = 0x7fffe8001718
        scp = 0x7ffff1106018
#3  0x00005555555a6573 in send_ldap_response (op=op@entry=0x7fffe8000930, rs=rs@entry=0x7ffff1106930) at result.c:733
        berbuf = { buffer = "\000\000\001\000\001\000\000\000\377\377\377\377\377\377\377\377", '\000' <repeats 24 times>, "F\030\000\350\377\177\000\000\024(\000\350\377\177\000\000\000\000\000\000\000\000\000\000F\030\000\350\377\177\000\000\320\016\000\350\377\177\000\000P\373\275UUU\000\000\200v\357\367\377\177\000\000\001\000\000\000hw\001", '\000' <repeats 17 times>"\266, \252r\367\377\177", '\000' <repeats 11 times>, "a\370<\316m]\037\200*\227\367\377\177\000\000\001\000\000\000UU\000\000\321\323vP\000\000\000\000\350\n\000\350\377\177\000\000\003", '\000' <repeats 23 times>"\225, \362\227\367\311\362\245\303\000\000\000\000\000\000\000\000+\246fUUU\000\000\030..UUU\000\000\223\204+\366\377\177\000\000\060\065\020\350\377\177\000\000\000a\370<\316m]\037", ialign = 65536, lalign = 4295032832, falign = 9.18354962e-41, dalign = 2.1220281700514382e-314, palign = 0x100010000 <Address 0x100010000 out of bounds>}
        ber = <optimized out>
        rc = 32768
        bytes = <optimized out>
        __PRETTY_FUNCTION__ = "send_ldap_response"
#4  0x00005555555a7126 in slap_send_ldap_result (op=0x7fffe8000930, rs=0x7ffff1106930) at result.c:860
        tmp = 0x0
        otext = 0x0
        oref = 0x0
        __PRETTY_FUNCTION__ = "slap_send_ldap_result"
#5  0x0000555555621a50 in hdb_modrdn (op=0x7fffe8000930, rs=0x7ffff1106930) at modrdn.c:789
        bdb = 0x5555559fa4f0
        children = 0x55555599d260
        entry = 0x55555599cfc0
        p_dn = {bv_len = 29, bv_val = 0x7fffe8102399 "ou=People,dc=my-domain,dc=com"}
        p_ndn = {bv_len = 29, bv_val = 0x7fffe81023c9 ""}
        new_dn = {bv_len = 38, bv_val = 0x0}
        new_ndn = {bv_len = 38, bv_val = 0x0}
        e = <optimized out>
        p = <optimized out>
        ei = 0x7fffe8103f00
        eip = 0x7fffe410a0a0
        nei = 0x7fffe410a0a0
        neip = 0x0
        textbuf = "0\t\000\350\377\177\000\000\000e\020\361\377\177\000\000 i\23

Date: Thu, 11 Oct 2012 08:04:41 -0700
From: Howard Chu <hyc@symas.com>
To: jvcelak@redhat.com
CC: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7414) rwm: ldapmodify, slapd segmentation fault

jvcelak@redhat.com wrote:
> Full_Name: Jan Vcelak
> Version: 2.4.33
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (209.132.186.34)
>
>
> Hello,
>
> it is possible to crash slapd in certain configuration with rwm overlay enabled,
> using specific ldapmodify. This problem seems to be present for a very long
> time.
>
> Configuration used (slapd.ldif):
>
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcArgsFile: /var/run/openldap/slapd.args
> olcPidFile: /var/run/openldap/slapd.pid
>
> dn: cn=module,cn=config
> objectClass: olcModuleList
> cn: module
> olcModulepath: /usr/lib64/openldap
> olcModuleload: rwm.la
>
> dn: cn=schema,cn=config
> objectClass: olcSchemaConfig
> cn: schema
>
> include: file:///etc/openldap/schema/core.ldif
> include: file:///etc/openldap/schema/cosine.ldif
> include: file:///etc/openldap/schema/inetorgperson.ldif
>
> dn: olcDatabase=frontend,cn=config
> objectClass: olcDatabaseConfig
> olcDatabase: frontend
>
> dn: olcDatabase=hdb,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcHdbConfig
> olcDatabase: hdb
> olcSuffix: dc=my-domain,dc=com
> olcRootDN: cn=Manager,dc=my-domain,dc=com
> olcRootPW: secret
> olcDbDirectory: /var/lib/ldap
> olcDbIndex: objectClass eq,pres
> olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
>
> dn: olcOverlay=rwm,olcDatabase={1}hdb,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcRwmConfig
> olcOverlay: rwm
> olcRwmRewrite: {0}rwm-rewriteEngine "on"
> olcRwmRewrite: {1}rwm-rewriteContext "bindDN"
> olcRwmRewrite: {2}rwm-rewriteRule "cn=([a-z]+),ou=People,dc=my-domain,dc=com"
> "uid=$1,ou=People,dc=my-domain,dc=com"
>
>
> Set up and start the server. Add the initial data:
>
> dn: dc=my-domain,dc=com
> objectClass: dcObject
> objectClass: organizationalUnit
> description: Root LDAP entry
> dc: my-domain
> ou: rootobject
>
> dn: cn=Manager,dc=my-domain,dc=com
> objectClass: organizationalRole
> cn: Manager
>
> dn: ou=People,dc=my-domain,dc=com
> objectClass: top
> objectClass: organizationalunit
> ou: People
>
> dn: cn=test1,ou=People,dc=my-domain,dc=com
> objectClass: inetOrgPerson
> cn: test1
> sn: test
>
>
> Perform following modify operation:
>
> dn: cn=test1,ou=People,dc=my-domain,dc=com
> changetype: modrdn
> newrdn: cn=test2
> deleteoldrdn: 1
> newsuperior: ou=People,dc=my-domain,dc=com
>
>
> The slapd daemon will crash, here is the full backtrace:

Thanks for the detailed report. Fixed now in master.

--
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

Date: Fri, 12 Oct 2012 02:32:43 -0400 (EDT)
From: Jan Vcelak <jvcelak@redhat.com>
To: hyc@symas.com
Cc: openldap-its@openldap.org
Subject: Re: (ITS#7414) rwm: ldapmodify, slapd segmentation fault

> > The slapd daemon will crash, here is the full backtrace:
>
> Thanks for the detailed report. Fixed now in master.
>

Thank you for the very fast resolution.

Jan
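
Added example (not part of the ITS thread and not OpenLDAP code): the crash reported above needs the rwm overlay configured on a database, so a first triage step is to inventory which databases carry it. The script parses a cn=config LDIF export (for instance from `slapcat -n 0`), including folded lines, and lists each rwm overlay with its database suffixes and rewrite rules; `SAMPLE`, `parse_ldif`, `vals` and `find_rwm` are names invented here, and the sample is constructed from the report's slapd.ldif.

```python
import re

# Constructed sample modelled on the report's slapd.ldif, in exported cn=config form.
SAMPLE = """\
dn: olcDatabase={1}hdb,cn=config
olcSuffix: dc=my-domain,dc=com

dn: olcOverlay={0}rwm,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcRwmRewrite: {0}rwm-rewriteEngine "on"
olcRwmRewrite: {1}rwm-rewriteContext "bindDN"
olcRwmRewrite: {2}rwm-rewriteRule "cn=([a-z]+),ou=People,dc=my-domain,dc=com"
  "uid=$1,ou=People,dc=my-domain,dc=com"

dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=example,dc=org
"""

def parse_ldif(text):
    """Split LDIF into entries, each a list of (lowercased attr, value) pairs."""
    text = re.sub(r"\r?\n ", "", text)  # undo RFC 2849 line folding
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [l for l in block.splitlines() if ":" in l and not l.startswith("#")]
        entries.append([(a.strip().lower(), v.strip())
                        for a, _, v in (l.partition(":") for l in lines)])
    return entries

def vals(entry, attr):
    return [v for a, v in entry if a == attr.lower()]

def find_rwm(text):
    """List every rwm overlay with the suffixes of the database it sits on."""
    entries = [e for e in parse_ldif(text) if vals(e, "dn")]
    suffixes = {vals(e, "dn")[0].lower(): vals(e, "olcSuffix") for e in entries}
    hits = []
    for e in entries:
        if "olcrwmconfig" not in [v.lower() for v in vals(e, "objectClass")]:
            continue
        dn = vals(e, "dn")[0]
        parent = dn.partition(",")[2].lower()  # assumes no escaped comma in the overlay RDN
        rules = [re.sub(r"^\{\d+\}", "", v) for v in vals(e, "olcRwmRewrite")]
        hits.append({"overlay": dn, "suffixes": suffixes.get(parent, []), "rewrite": rules})
    return hits

if __name__ == "__main__":
    for hit in find_rwm(SAMPLE):
        print(hit["overlay"], hit["suffixes"], hit["rewrite"])
```

Base64-encoded values (`attr:: ...`) are not decoded by this sketch; the attributes it reads are plain text in a normal cn=config export.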
______________ © Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org