OpenLDAP ITS: Software Bugs/7469
Notes: fixed in master, fixed in RE24
Date: Tue, 11 Dec 2012 01:07:44 +0000
From: quanah@openldap.org
To: openldap-its@OpenLDAP.org
Subject: MDB double free when slapcatting a subtree
Full_Name: Quanah Gibson-Mount
Version: RE24 12/10/2012
OS: Linux 2.6
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (74.196.25.250)

zimbra@zre-ldap001:~$ /opt/zimbra/openldap/sbin/slapcat -F /opt/zimbra/data/ldap/config -b "" -s "cn=zimbra" -l /tmp/z.ldif
*** glibc detected *** /opt/zimbra/openldap/sbin/slapcat: double free or corruption (fasttop): 0x00000000025a8310 ***
======= Backtrace: =========
/lib/libc.so.6(+0x77806)[0x7fbe15574806]
/lib/libc.so.6(cfree+0x73)[0x7fbe1557b0d3]
/opt/zimbra/openldap-2.4.33.3z/lib/liblber-2.4.so.2(ber_memfree_x+0x39)[0x7fbe16b63e91]
/opt/zimbra/openldap/sbin/slapcat(ch_free+0x49)[0x463bef]
/opt/zimbra/openldap-2.4.33.3z/sbin/openldap/back_mdb-2.4.so.2(mdb_entry_return+0xb9)[0x7fbe129f387a]
/opt/zimbra/openldap-2.4.33.3z/sbin/openldap/back_mdb-2.4.so.2(mdb_entry_release+0x41)[0x7fbe129f38ec]
/opt/zimbra/openldap/sbin/slapcat(overlay_entry_release_ov+0x201)[0x4d421e]
/opt/zimbra/openldap/sbin/slapcat[0x4d430d]
/opt/zimbra/openldap/sbin/slapcat(be_entry_release_rw+0x50)[0x4507ca]
/opt/zimbra/openldap/sbin/slapcat(slapcat+0x536)[0x4d9815]
/opt/zimbra/openldap/sbin/slapcat(main+0x161)[0x4158f0]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7fbe1551bc4d]
/opt/zimbra/openldap/sbin/slapcat[0x415139]
======= Memory map: ========
[...]
Date: Mon, 10 Dec 2012 17:09:09 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7469) MDB double free when slapcatting a subtree
--On Tuesday, December 11, 2012 1:07 AM +0000 openldap-its@OpenLDAP.org wrote:

#0  0x00007ffff633fa75 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <value optimized out>
        selftid = <value optimized out>
#1  0x00007ffff63435c0 in *__GI_abort () at abort.c:92
        act = {__sigaction_handler = {sa_handler = 0x7fffffffd850, sa_sigaction = 0x7fffffffd850}, sa_mask = {__val = {140737488345360, 140737488350338, 43, 140737325127087, 3, 140737488345370, 6, 140737325127091, 2, 140737488345358, 2, 140737325118168, 1, 140737325127087, 3, 140737488345364}}, sa_flags = 12, sa_restorer = 0x7ffff64555b3}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007ffff637974b in __libc_message (do_abort=<value optimized out>, fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 0x7fffffffe290, reg_save_area = 0x7fffffffe1a0}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 0x7fffffffe290, reg_save_area = 0x7fffffffe1a0}}
        fd = 8
        on_2 = <value optimized out>
        list = <value optimized out>
        nlist = 1024
        cp = <value optimized out>
        written = false
#3  0x00007ffff6383806 in malloc_printerr (action=3, str=0x7ffff64572f0 "double free or corruption (fasttop)", ptr=<value optimized out>) at malloc.c:6266
        buf = "0000000000d1d310"
        cp = 0x7ffff644d300 "0123456789abcdefghijklmnopqrstuvwxyz"
#4  0x00007ffff638a0d3 in *__GI___libc_free (mem=<value optimized out>) at malloc.c:3738
        ar_ptr = 0x7ffff668ae40
        p = 0x7ffff644d300
#5  0x00007ffff7972e91 in ber_memfree_x (p=0xd1d310, ctx=0x0) at memory.c:152
        __PRETTY_FUNCTION__ = "ber_memfree_x"
#6  0x0000000000463bef in ch_free (ptr=0xd1d310) at ch_malloc.c:139
        ctx = 0x0
#7  0x00007ffff380287a in mdb_entry_return (op=0x7fffffffe6b0, e=0xd1d330) at id2entry.c:243
No locals.
#8  0x00007ffff38028ec in mdb_entry_release (op=0x7fffffffe6b0, e=0xd1d330, rw=0) at id2entry.c:265
        mdb = 0x8c0600
        moi = 0x0
        rc = 0
#9  0x00000000004d421e in overlay_entry_release_ov (op=0x7fffffffe6b0, e=0xd1d330, rw=0, on=0x0) at backover.c:434
        oi = 0x8b9850
        be = 0x8b3490
        db = {bd_info = 0x0, bd_self = 0x0, be_ctrls = '\000' <repeats 32 times>, be_flags = 140737347270259, be_restrictops = 0, be_requires = 0, be_ssf_set = {sss_ssf = 4294960368, sss_transport = 32767, sss_tls = 0, sss_sasl = 0, sss_update_ssf = 0, sss_update_transport = 0, sss_update_tls = 8121104, sss_update_sasl = 0, sss_simple_bind = 0}, be_suffix = 0x7fffffffe4f0, be_nsuffix = 0x7fffffffe4d0, be_schemadn = {bv_len = 140737347270493, bv_val = 0x7fffffffe4f0 "\017"}, be_schemandn = {bv_len = 0, bv_val = 0x0}, be_rootdn = {bv_len = 8121104, bv_val = 0x0}, be_rootndn = {bv_len = 76, bv_val = 0x7fffffffe520 "\300\345\377\377\377\177"}, be_rootpw = {bv_len = 140737349714310, bv_val = 0x7972616e69623b <Address 0x7972616e69623b out of bounds>}, be_max_deref_depth = 8121104, be_def_limit = {lms_t_soft = 0, lms_t_hard = 15, lms_s_soft = 0, lms_s_hard = 8121104, lms_s_unchecked = 0, lms_s_pr = -6720, lms_s_pr_hide = 32767, lms_s_pr_total = 4280592}, be_limits = 0x7fffffffea30, be_acl = 0x4c, be_dfltaccess = -6720, be_extra_anlist = 0x7ffff7bc86ec, be_update_ndn = {bv_len = 76, bv_val = 0xf <Address 0xf out of bounds>}, be_update_refs = 0x7febf29d2fec, be_pending_csn_list = 0x7beb10, be_pcl_mutex = {__data = {__lock = 0, __count = 1, __owner = 7733832, __nusers = 0, __kind = 0, __spins = 0, __list = {__prev = 0x4, __next = 0x20}}, __size = "\000\000\000\000\001\000\000\000H\002v", '\000' <repeats 13 times>, "\004\000\000\000\000\000\000\000 \000\000\000\000\000\000", __align = 4294967296}, be_syncinfo = 0x10, be_pb = 0xd3c897, be_cf_ocs = 0x0, be_private = 0x7febf29d2ffb, be_next = {stqe_next = 0x7febf29d2ffb}}
        bi = 0x8b9850
        rc = 32768
#10 0x00000000004d430d in over_entry_release_rw (op=0x7fffffffe6b0, e=0xd1d330, rw=0) at backover.c:463
        oi = 0x8b9850
        on = 0x8bee10
        __PRETTY_FUNCTION__ = "over_entry_release_rw"
#11 0x00000000004507ca in be_entry_release_rw (op=0x7fffffffe6b0, e=0xd1d330, rw=0) at backend.c:886
No locals.
#12 0x00000000004d9815 in slapcat (argc=9, argv=0x7fffffffea38) at slapcat.c:152
        data = 0xd3c730 "dn:: AAAAAAAA\nobjectClass: organization\nobjectClass: dcObject\no: com domain\ndc: com\nstructuralObjectClass: organization\nentryUUID: acf761e8-d5d2-1031-88ffda6f3a93b\ncreatorsName: uid=zimbra,cn=admi"...
        len = 376
        e = 0xd1d330
        id = 33
        rc = 0
        op = {o_hdr = 0x0, o_tag = 0, o_time = 0, o_tincr = 0, o_bd = 0x
Date: Mon, 10 Dec 2012 17:19:12 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#7469) MDB double free when slapcatting a subtree
--On Tuesday, December 11, 2012 1:07 AM +0000 openldap-its@OpenLDAP.org wrote:

zimbra@zre-ldap001:~$ valgrind /opt/zimbra/openldap/sbin/slapcat -F /opt/zimbra/data/ldap/config -b "" -s dc=com -l /tmp/blah.ldif
==3554== Memcheck, a memory error detector
==3554== Copyright (C) 2002-2010, and GNU GPL'd, by Julian Seward et al.
==3554== Using Valgrind-3.6.0.SVN and LibVEX; rerun with -h for copyright info
==3554== Command: /opt/zimbra/openldap/sbin/slapcat -F /opt/zimbra/data/ldap/config -b -s dc=com -l /tmp/blah.ldif
==3554==
==3554== Invalid read of size 8
==3554==    at 0x66A63C4: __strspn_sse42 (smmintrin.h:510)
==3554==    by 0x4E681F8: ldap_pvt_strtok (string.c:92)
==3554==    by 0x499C4E: str2anlist (ad.c:936)
==3554==    by 0x47388B: parse_acl (aclparse.c:473)
==3554==    by 0x41A454: config_generic (bconfig.c:1825)
==3554==    by 0x42E1DB: config_set_vals (config.c:345)
==3554==    by 0x42E73A: config_add_vals (config.c:418)
==3554==    by 0x42F45B: config_parse_add (config.c:689)
==3554==    by 0x425A1B: config_add_internal (bconfig.c:5182)
==3554==    by 0x421E40: config_ldif_resp (bconfig.c:3990)
==3554==    by 0x453E2B: slap_response_play (result.c:507)
==3554==    by 0x455A44: slap_send_search_entry (result.c:1011)
==3554==  Address 0x6afc0f8 is 8 bytes inside a block of size 13 alloc'd
==3554==    at 0x4C275D8: malloc (vg_replace_malloc.c:236)
==3554==    by 0x509AFD5: ber_memalloc_x (memory.c:228)
==3554==    by 0x509B910: ber_strdup_x (memory.c:638)
==3554==    by 0x463B0E: ch_strdup (ch_malloc.c:121)
==3554==    by 0x499BA2: str2anlist (ad.c:924)
==3554==    by 0x47388B: parse_acl (aclparse.c:473)
==3554==    by 0x41A454: config_generic (bconfig.c:1825)
==3554==    by 0x42E1DB: config_set_vals (config.c:345)
==3554==    by 0x42E73A: config_add_vals (config.c:418)
==3554==    by 0x42F45B: config_parse_add (config.c:689)
==3554==    by 0x425A1B: config_add_internal (bconfig.c:5182)
==3554==    by 0x421E40: config_ldif_resp (bconfig.c:3990)
==3554==
==3554== Invalid read of size 8
==3554==    at 0x66A63AD: __strspn_sse42 (emmintrin.h:679)
==3554==    by 0x4E681F8: ldap_pvt_strtok (string.c:92)
==3554==    by 0x499E1F: str2anlist (ad.c:938)
==3554==    by 0x47388B: parse_acl (aclparse.c:473)
==3554==    by 0x41A454: config_generic (bconfig.c:1825)
==3554==    by 0x42E1DB: config_set_vals (config.c:345)
==3554==    by 0x42E73A: config_add_vals (config.c:418)
==3554==    by 0x42F45B: config_parse_add (config.c:689)
==3554==    by 0x425A1B: config_add_internal (bconfig.c:5182)
==3554==    by 0x421E40: config_ldif_resp (bconfig.c:3990)
==3554==    by 0x453E2B: slap_response_play (result.c:507)
==3554==    by 0x455A44: slap_send_search_entry (result.c:1011)
==3554==  Address 0xa57bbc8 is 40 bytes inside a block of size 46 alloc'd
==3554==    at 0x4C275D8: malloc (vg_replace_malloc.c:236)
==3554==    by 0x509AFD5: ber_memalloc_x (memory.c:228)
==3554==    by 0x509B910: ber_strdup_x (memory.c:638)
==3554==    by 0x463B0E: ch_strdup (ch_malloc.c:121)
==3554==    by 0x499BA2: str2anlist (ad.c:924)
==3554==    by 0x47388B: parse_acl (aclparse.c:473)
==3554==    by 0x41A454: config_generic (bconfig.c:1825)
==3554==    by 0x42E1DB: config_set_vals (config.c:345)
==3554==    by 0x42E73A: config_add_vals (config.c:418)
==3554==    by 0x42F45B: config_parse_add (config.c:689)
==3554==    by 0x425A1B: config_add_internal (bconfig.c:5182)
==3554==    by 0x421E40: config_ldif_resp (bconfig.c:3990)
==3554==
50c689a0 mdb_db_open: database "" cannot be opened, err 22. Restore from backup!
50c689a0 backend_startup_one (type=mdb, suffix=""): bi_db_open failed! (22)
slap_startup failed
==3554==
==3554== HEAP SUMMARY:
==3554==     in use at exit: 3,904,527 bytes in 46,449 blocks
==3554==   total heap usage: 89,842 allocs, 43,393 frees, 31,218,836 bytes allocated
==3554==
==3554== LEAK SUMMARY:
==3554==    definitely lost: 0 bytes in 0 blocks
==3554==    indirectly lost: 0 bytes in 0 blocks
==3554==      possibly lost: 0 bytes in 0 blocks
==3554==    still reachable: 3,904,527 bytes in 46,449 blocks
==3554==         suppressed: 0 bytes in 0 blocks
==3554== Rerun with --leak-check=full to see details of leaked memory
==3554==
==3554== For counts of detected and suppressed errors, rerun with: -v
==3554== ERROR SUMMARY: 8 errors from 2 contexts (suppressed: 59 from 5)

--Quanah

--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org