
Re: (ITS#6478) slapd crashes with segfault



We have seen several of these crashes on LDAP slaves (replicas) in the past:

In /var/log/messages
2010-12-05T11:22:57.643777+01:00 ts2mstsv001 kernel: 6>slapd[189000000000000025 rip 0000003be707p 000000
(The kernel log line was garbled/truncated in the original mail; what survives is a fault address ending in ...0025 and an instruction pointer in libc, which matches rsi = 0x25 and rip = 0x3be7075b50 in the register dump below.)

Stack trace at the time of the crash (a search operation; the entry 0xe932208 returned by back-bdb, i.e. rs->sr_entry, contains a corrupted address):
#0  0x0000003be7075b50 in strcpy () from /lib64/libc.so.6
#1  0x00002b5ffe3debeb in template_response (op=0xfa01aa0, rs=0x4813bc60) at /usr/include/bits/string3.h:118
#2  0x00000000004a34eb in over_back_response (op=0xfa01aa0, rs=0x4813bc60) at ../servers/slapd/backover.c:237
#3  0x0000000000449865 in slap_response_play (op=0xfa01aa0, rs=0x4813bc60) at ../servers/slapd/result.c:402
#4  0x000000000044bfcc in slap_send_search_entry (op=0xfa01aa0, rs=0x4813bc60) at ../servers/slapd/result.c:887
#5  0x00000000004b695f in bdb_search (op=0xfa01aa0, rs=0x4813bc60) at servers/slapd/back-bdb/search.c:961
#6  0x00000000004a37c2 in overlay_op_walk (op=0xfa01aa0, rs=0x4813bc60, which=op_search, oi=0xe5df160, on=0x0) at ../servers/slapd/backover.c:669
#7  0x00000000004a3d58 in over_op_func (op=0xfa01aa0, rs=0x4813bc60, which=op_search) at ../servers/slapd/backover.c:721
#8  0x000000000043c4e6 in fe_op_search (op=0xfa01aa0, rs=0x4813bc60) at ../servers/slapd/search.c:376
#9  0x00000000004a37c2 in overlay_op_walk (op=0xfa01aa0, rs=0x4813bc60, which=op_search, oi=0xe577ec0, on=0x0) at ../servers/slapd/backover.c:669
#10 0x00000000004a3d58 in over_op_func (op=0xfa01aa0, rs=0x4813bc60, which=op_search) at ../servers/slapd/backover.c:721
#11 0x000000000043cc95 in do_search (op=0xfa01aa0, rs=0x4813bc60) at ../servers/slapd/search.c:227
#12 0x0000000000439ff4 in connection_operation (ctx=0x4813bdb0, arg_v=<value optimized out>) at ../servers/slapd/connection.c:1109
#13 0x000000000043a651 in connection_read_thread (ctx=0x4813bdb0, argv=<value optimized out>) at ../servers/slapd/connection.c:1245
#14 0x00000000005330a8 in ldap_int_thread_pool_wrapper (xpool=0xe546600) at ../libraries/libldap_r/tpool.c:685
#15 0x0000003be7c062e7 in start_thread () from /lib64/libpthread.so.0
#16 0x0000003be70ce3bd in clone () from /lib64/libc.so.6

(gdb) fr 11
#11 0x000000000043cc95 in do_search (op=0xfa01aa0, rs=0x4813bc60) at ../servers/slapd/search.c:227
227     ../servers/slapd/search.c: No such file or directory.
        in ../servers/slapd/search.c
(gdb) p * op
$55 = {o_hdr = 0xfa01c10, o_tag = 99, o_time = 1291544577, o_tincr = 140, o_bd = 0x47fb9ea0, o_req_dn = {bv_len = 41, bv_val = 0x10251e00 "ou=cms,ou=profiles,ou=mmo,c=de,o=vodafone"},
  o_req_ndn = {bv_len = 41, bv_val = 0x10251ee0 "ou=cms,ou=profiles,ou=mmo,c=de,o=vodafone"}, o_request = {oq_add = {rs_modlist = 0x2, rs_e = 0x500000064}, oq_bind = {rb_method = 2,
      rb_cred = {bv_len = 21474836580, bv_val = 0x0}, rb_edn = {bv_len = 0, bv_val = 0x10251fc0 "\020"}, rb_ssf = 270868336, rb_mech = {bv_len = 18,
        bv_val = 0x10251f98 "(uid=491710471677)"}}, oq_compare = {rs_ava = 0x2}, oq_modify = {rs_mods = {rs_modlist = 0x2, rs_no_opattrs = 100 'd'}, rs_increment = 0}, oq_modrdn = {
      rs_mods = {rs_modlist = 0x2, rs_no_opattrs = 100 'd'}, rs_deleteoldrdn = 0, rs_newrdn = {bv_len = 0, bv_val = 0x10251fc0 "\020"}, rs_nnewrdn = {bv_len = 270868336,
        bv_val = 0x12 <Address 0x12 out of bounds>}, rs_newSup = 0x10251f98, rs_nnewSup = 0x0}, oq_search = {rs_scope = 2, rs_deref = 0, rs_slimit = 100, rs_tlimit = 5,
      rs_limit = 0x0, rs_attrsonly = 0, rs_attrs = 0x10251fc0, rs_filter = 0x10251f70, rs_filterstr = {bv_len = 18, bv_val = 0x10251f98 "(uid=491710471677)"}}, oq_abandon = {
      rs_msgid = 2}, oq_cancel = {rs_msgid = 2}, oq_extended = {rs_reqoid = {bv_len = 2, bv_val = 0x500000064 <Address 0x500000064 out of bounds>}, rs_flags = 0, rs_reqdata = 0x0},
    oq_pwdexop = {rs_extended = {rs_reqoid = {bv_len = 2, bv_val = 0x500000064 <Address 0x500000064 out of bounds>}, rs_flags = 0, rs_reqdata = 0x0}, rs_old = {bv_len = 270868416,
        bv_val = 0x10251f70 "£"}, rs_new = {bv_len = 18, bv_val = 0x10251f98 "(uid=491710471677)"}, rs_mods = 0x0, rs_modtail = 0x0}}, o_abandon = 0, o_cancel = 0, o_groups = 0x0,
  o_do_not_cache = 0 '\0', o_is_auth_check = 0 '\0', o_dont_replicate = 0 '\0', o_acl_priv = ACL_NONE, o_nocaching = 0 '\0', o_delete_glue_parent = 0 '\0', o_no_schema_check = 0 '\0',
  o_no_subordinate_glue = 0 '\0', o_ctrlflag = '\0' <repeats 31 times>, o_controls = 0xfa01d58, o_authz = {sai_method = 128, sai_mech = {bv_len = 0, bv_val = 0x0}, sai_dn = {
      bv_len = 51, bv_val = 0x2aaab89f0a50 "uid=admin,ou=cms,ou=profiles,ou=mmo,c=de,o=vodafone"}, sai_ndn = {bv_len = 51,
      bv_val = 0x2aaab8a04e20 "uid=admin,ou=cms,ou=profiles,ou=mmo,c=de,o=vodafone"}, sai_ssf = 0, sai_transport_ssf = 0, sai_tls_ssf = 0, sai_sasl_ssf = 0}, o_ber = 0x2aaac8098630,
  o_res_ber = 0x0, o_callback = 0x4813a740, o_ctrls = 0x0, o_csn = {bv_len = 0, bv_val = 0x0}, o_private = 0x0, o_extra = {slh_first = 0x4813a480}, o_next = {stqe_next = 0x0}}
(gdb) p * rs
$56 = {sr_type = REP_SEARCH, sr_tag = 0, sr_msgid = 0, sr_err = 0, sr_matched = 0x0, sr_text = 0x0, sr_ref = 0x0, sr_ctrls = 0x0, sr_un = {sru_search = {r_entry = 0xe932208,
      r_attr_flags = 17, r_operational_attrs = 0x0, r_attrs = 0x10251fc0, r_nentries = 0, r_v2ref = 0x0}, sru_sasl = {r_sasldata = 0xe932208}, sru_extended = {
      r_rspoid = 0xe932208 "\2002\a", r_rspdata = 0x11}}, sr_flags = 4}

Frame analysis (innermost frame first: the faulting callee, then its caller)
 (gdb) fr 0
#0  0x0000003be7075b50 in strcpy () from /lib64/libc.so.6
(gdb) info registers
rax            0x1      1
rbx            0x1      1
rcx            0x3      3
rdx            0x47f37648       1207137864
rsi            0x25     37
rdi            0x47f37648       1207137864
rbp            0x47f265e4       0x47f265e4
rsp            0x47a25518       0x47a25518
r8             0xfefefefefefefeff       -72340172838076673
r9             0x4813bdd0       1209253328
r10            0x2aaab8000020   46912719814688
r11            0x206    518
r12            0xe5e2ae0        241052384
r13            0x0      0
r14            0xfa01aa0        262150816
r15            0x6      6
rip            0x3be7075b50     0x3be7075b50 <strcpy+16>
eflags         0x10217  [ CF PF AF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x63     99
gs             0x0      0
(gdb) disas
Dump of assembler code for function strcpy:
0x0000003be7075b40 <strcpy+0>:  mov    %rsi,%rcx
0x0000003be7075b43 <strcpy+3>:  and    $0x7,%ecx
0x0000003be7075b46 <strcpy+6>:  mov    %rdi,%rdx
0x0000003be7075b49 <strcpy+9>:  je     0x3be7075b66 <strcpy+38>
0x0000003be7075b4b <strcpy+11>: neg    %ecx
0x0000003be7075b4d <strcpy+13>: add    $0x8,%ecx
0x0000003be7075b50 <strcpy+16>: mov    (%rsi),%al

rsi is the second argument of strcpy, i.e. the source pointer in the System V AMD64 calling convention (rdi = destination, rsi = source).
rsi should hold an address, but it holds 0x25, which is not a mapped address; the load `mov (%rsi),%al` at strcpy+16 therefore faults. This is the same crash the kernel logged: 2010-12-05T11:22:57.643777+01:00 ts2mstsv001 kernel: 6>slapd[189000000000000025 rip 0000003be707p 000000 (fault address ...0025, rip in libc's strcpy).
As the disassembly above shows, strcpy does not modify rsi before the faulting load, so the bad pointer was passed in by the caller. The next step is to check how rsi is computed in template_response.

(gdb) fr 1
#1  0x00002b5ffe3debeb in template_response (op=0xfa01aa0, rs=0x4813bc60) at /usr/include/bits/string3.h:118
118       return __builtin___strcpy_chk (__dest, __src, __bos (__dest));
(gdb) info registers
rax            0x1      1
rbx            0x1      1
rcx            0x3      3
rdx            0x47f37648       1207137864
rsi            0x25     37
rdi            0x47f37648       1207137864
rbp            0x47f265e4       0x47f265e4
rsp            0x47a25520       0x47a25520
r8             0xfefefefefefefeff       -72340172838076673
r9             0x4813bdd0       1209253328
r10            0x2aaab8000020   46912719814688
r11            0x206    518
r12            0xe5e2ae0        241052384
r13            0x0      0
r14            0xfa01aa0        262150816
r15            0x6      6
rip            0x2b5ffe3debeb   0x2b5ffe3debeb <template_response+3787>
eflags         0x10217  [ CF PF AF IF RF ]
cs             0x33     51
ss             0x2b     43
ds             0x0      0
es             0x0      0
fs             0x63     99
gs             0x0      0

(gdb) disass 0x00002b5ffe3debeb
Dump of assembler code for function template_response:
...
0x00002b5ffe3deb86 <template_response+3686>:    lea    0x5010c4(%rsp),%rbp
0x00002b5ffe3deb8e <template_response+3694>:    xor    %r15d,%r15d
0x00002b5ffe3deb91 <template_response+3697>:    xor    %r13d,%r13d
0x00002b5ffe3deb94 <template_response+3700>:    mov    %rdx,0x30(%rsp)
0x00002b5ffe3deb99 <template_response+3705>:    mov    %rcx,0x28(%rsp)
0x00002b5ffe3deb9e <template_response+3710>:    jmp    0x2b5ffe3dec07 <template_response+3815>
0x00002b5ffe3deba0 <template_response+3712>:    mov    0x511900(%rsp),%rax
0x00002b5ffe3deba8 <template_response+3720>:    test   %rax,%rax
0x00002b5ffe3debab <template_response+3723>:    je     0x2b5ffe3debeb <template_response+3787>
0x00002b5ffe3debad <template_response+3725>:    mov    0x8(%rax),%rsi
0x00002b5ffe3debb1 <template_response+3729>:    test   %rsi,%rsi
0x00002b5ffe3debb4 <template_response+3732>:    je     0x2b5ffe3debeb <template_response+3787>
0x00002b5ffe3debb6 <template_response+3734>:    cmpq   $0x7ff,(%rax)
0x00002b5ffe3debbd <template_response+3741>:    ja     0x2b5ffe3df966 <template_response+7238>
0x00002b5ffe3debc3 <template_response+3747>:    movslq 0x512124(%rsp),%rdi
0x00002b5ffe3debcb <template_response+3755>:    mov    0x28(%rsp),%rdx
0x00002b5ffe3debd0 <template_response+3760>:    lea    0x1(%rdi),%eax
0x00002b5ffe3debd3 <template_response+3763>:    shl    $0xb,%rdi
0x00002b5ffe3debd7 <template_response+3767>:    lea    0x808(%rdi,%rdx,1),%rdi
0x00002b5ffe3debdf <template_response+3775>:    mov    %eax,0x512124(%rsp)
0x00002b5ffe3debe6 <template_response+3782>:    callq  0x2b5ffe3dc688 <strcpy@plt>
0x00002b5ffe3debeb <template_response+3787>:    lea    0x1(%r13),%eax
(gdb) p *(long **)($rsp+0x511900)
$17 = (long *) 0x2aaab4859d00
(gdb) x/20x 0x2aaab4859d00
0x2aaab4859d00: 0x00000000      0x00000000      0x00000025      0x00000000

rsi is broken: it is not a valid address. It is loaded at template_response+3725 from offset 8 of the object that 0x511900(%rsp) points to; the layout (a length checked against 0x7ff at offset 0, a pointer at offset 8) looks like a struct berval {bv_len, bv_val}, and the memory dump shows bv_len = 0 and bv_val = 0x25. So the value handed to this overlay is already corrupt before strcpy runs. The guards in front of the call only reject a NULL pointer and a length above 0x7ff; they cannot detect a non-NULL garbage pointer, and the fortified strcpy wrapper (frame #1, __bos(__dest)) only bounds the destination, not the source, so neither catches this. Because the request arrived over a client connection (frames #11-#13) from a bound user (o_authz.sai_dn above), the crash is reachable by ordinary search traffic and is at least a remote denial of service against the replica; it should be treated as memory corruption (stale or freed attribute data in the entry at r_entry = 0xe932208 is the obvious suspect, but that is not proven by this dump). The next step is to reproduce under valgrind or a similar memory checker to find where the berval is overwritten or freed.


Wolfgang Hummel