
Re: (ITS#7469) MDB double free when slapcatting a subtree



--On Tuesday, December 11, 2012 1:07 AM +0000 openldap-its@OpenLDAP.org 
wrote:

#0  0x00007ffff633fa75 in *__GI_raise (sig=<value optimized out>) at 
../nptl/sysdeps/unix/sysv/linux/raise.c:64
        pid = <value optimized out>
        selftid = <value optimized out>
#1  0x00007ffff63435c0 in *__GI_abort () at abort.c:92
        act = {__sigaction_handler = {sa_handler = 0x7fffffffd850, 
sa_sigaction = 0x7fffffffd850}, sa_mask = {__val = {140737488345360, 
140737488350338, 43, 140737325127087, 3,
              140737488345370, 6, 140737325127091, 2, 140737488345358, 2, 
140737325118168, 1, 140737325127087, 3, 140737488345364}}, sa_flags = 12, 
sa_restorer = 0x7ffff64555b3}
        sigs = {__val = {32, 0 <repeats 15 times>}}
#2  0x00007ffff637974b in __libc_message (do_abort=<value optimized out>, 
fmt=<value optimized out>) at ../sysdeps/unix/sysv/linux/libc_fatal.c:189
        ap = {{gp_offset = 40, fp_offset = 48, overflow_arg_area = 
0x7fffffffe290, reg_save_area = 0x7fffffffe1a0}}
        ap_copy = {{gp_offset = 16, fp_offset = 48, overflow_arg_area = 
0x7fffffffe290, reg_save_area = 0x7fffffffe1a0}}
        fd = 8
        on_2 = <value optimized out>
        list = <value optimized out>
        nlist = 1024
        cp = <value optimized out>
        written = false
#3  0x00007ffff6383806 in malloc_printerr (action=3, str=0x7ffff64572f0 
"double free or corruption (fasttop)", ptr=<value optimized out>) at 
malloc.c:6266
        buf = "0000000000d1d310"
        cp = 0x7ffff644d300 "0123456789abcdefghijklmnopqrstuvwxyz"
#4  0x00007ffff638a0d3 in *__GI___libc_free (mem=<value optimized out>) at 
malloc.c:3738
        ar_ptr = 0x7ffff668ae40
        p = 0x7ffff644d300
#5  0x00007ffff7972e91 in ber_memfree_x (p=0xd1d310, ctx=0x0) at 
memory.c:152
        __PRETTY_FUNCTION__ = "ber_memfree_x"
#6  0x0000000000463bef in ch_free (ptr=0xd1d310) at ch_malloc.c:139
        ctx = 0x0
#7  0x00007ffff380287a in mdb_entry_return (op=0x7fffffffe6b0, e=0xd1d330) 
at id2entry.c:243
No locals.
#8  0x00007ffff38028ec in mdb_entry_release (op=0x7fffffffe6b0, e=0xd1d330, 
rw=0) at id2entry.c:265
        mdb = 0x8c0600
        moi = 0x0
        rc = 0
#9  0x00000000004d421e in overlay_entry_release_ov (op=0x7fffffffe6b0, 
e=0xd1d330, rw=0, on=0x0) at backover.c:434
        oi = 0x8b9850
        be = 0x8b3490
        db = {bd_info = 0x0, bd_self = 0x0, be_ctrls = '\000' <repeats 32 
times>, be_flags = 140737347270259, be_restrictops = 0, be_requires = 0, 
be_ssf_set = {sss_ssf = 4294960368,
            sss_transport = 32767, sss_tls = 0, sss_sasl = 0, 
sss_update_ssf = 0, sss_update_transport = 0, sss_update_tls = 8121104, 
sss_update_sasl = 0, sss_simple_bind = 0},
          be_suffix = 0x7fffffffe4f0, be_nsuffix = 0x7fffffffe4d0, 
be_schemadn = {bv_len = 140737347270493, bv_val = 0x7fffffffe4f0 "\017"}, 
be_schemandn = {bv_len = 0, bv_val = 0x0},
          be_rootdn = {bv_len = 8121104, bv_val = 0x0}, be_rootndn = 
{bv_len = 76, bv_val = 0x7fffffffe520 "\300\345\377\377\377\177"}, 
be_rootpw = {bv_len = 140737349714310,
            bv_val = 0x7972616e69623b <Address 0x7972616e69623b out of 
bounds>}, be_max_deref_depth = 8121104, be_def_limit = {lms_t_soft = 0, 
lms_t_hard = 15, lms_s_soft = 0,
            lms_s_hard = 8121104, lms_s_unchecked = 0, lms_s_pr = -6720, 
lms_s_pr_hide = 32767, lms_s_pr_total = 4280592}, be_limits = 
0x7fffffffea30, be_acl = 0x4c,
          be_dfltaccess = -6720, be_extra_anlist = 0x7ffff7bc86ec, 
be_update_ndn = {bv_len = 76, bv_val = 0xf <Address 0xf out of bounds>}, 
be_update_refs = 0x7febf29d2fec,
          be_pending_csn_list = 0x7beb10, be_pcl_mutex = {__data = {__lock 
= 0, __count = 1, __owner = 7733832, __nusers = 0, __kind = 0, __spins = 0, 
__list = {__prev = 0x4,
                __next = 0x20}}, __size = 
"\000\000\000\000\001\000\000\000H\002v", '\000' <repeats 13 times>, 
"\004\000\000\000\000\000\000\000 \000\000\000\000\000\000",
            __align = 4294967296}, be_syncinfo = 0x10, be_pb = 0xd3c897, 
be_cf_ocs = 0x0, be_private = 0x7febf29d2ffb, be_next = {stqe_next = 
0x7febf29d2ffb}}
        bi = 0x8b9850
        rc = 32768
#10 0x00000000004d430d in over_entry_release_rw (op=0x7fffffffe6b0, 
e=0xd1d330, rw=0) at backover.c:463
        oi = 0x8b9850
        on = 0x8bee10
        __PRETTY_FUNCTION__ = "over_entry_release_rw"
#11 0x00000000004507ca in be_entry_release_rw (op=0x7fffffffe6b0, 
e=0xd1d330, rw=0) at backend.c:886
No locals.
#12 0x00000000004d9815 in slapcat (argc=9, argv=0x7fffffffea38) at 
slapcat.c:152
        data = 0xd3c730 "dn:: AAAAAAAA\nobjectClass: 
organization\nobjectClass: dcObject\no: com domain\ndc: 
com\nstructuralObjectClass: organization\nentryUUID: 
acf761e8-d5d2-1031-88ffda6f3a93b\ncreatorsName: uid=zimbra,cn=admi"...
        len = 376
        e = 0xd1d330
        id = 33
        rc = 0
        op = {o_hdr = 0x0, o_tag = 0, o_time = 0, o_tincr = 0, o_bd = 
0x8b3490, o_req_dn = {bv_len = 0, bv_val = 0x0}, o_req_ndn = {bv_len = 0, 
bv_val = 0x0}, o_request = {oq_add = {
              rs_modlist = 0x0, rs_e = 0x0}, oq_bind = {rb_method = 0, 
rb_cred = {bv_len = 0, bv_val = 0x0}, rb_edn = {bv_len = 0, bv_val = 0x0}, 
rb_ssf = 0, rb_mech = {bv_len = 0,
                bv_val = 0x0}}, oq_compare = {rs_ava = 0x0}, oq_modify = 
{rs_mods = {rs_modlist = 0x0, rs_no_opattrs = 0 '\000'}, rs_increment = 0}, 
oq_modrdn = {rs_mods = {
                rs_modlist = 0x0, rs_no_opattrs = 0 '\000'}, 
rs_deleteoldrdn = 0, rs_newrdn = {bv_len = 0, bv_val = 0x0}, rs_nnewrdn = 
{bv_len = 0, bv_val = 0x0}, rs_newSup = 0x0,
              rs_nnewSup = 0x0}, oq_search = {rs_scope = 0, rs_deref = 0, 
rs_slimit = 0, rs_tlimit = 0, rs_limit = 0x0, rs_attrsonly = 0, rs_attrs = 
0x0, rs_filter = 0x0, rs_filterstr = {
                bv_len = 0, bv_val = 0x0}}, oq_abandon = {rs_msgid = 0}, 
oq_cancel = {rs_msgid = 0}, oq_extended = {rs_reqoid = {bv_len = 0, bv_val 
= 0x0}, rs_flags = 0,
              rs_reqdata = 0x0}, oq_pwdexop = {rs_extended = {rs_reqoid = 
{bv_len = 0, bv_val = 0x0}, rs_flags = 0, rs_reqdata = 0x0}, rs_old = 
{bv_len = 0, bv_val = 0x0}, rs_new = {
                bv_len = 0, bv_val = 0x0}, rs_mods = 0x0, rs_modtail = 
0x0}}, o_abandon = 0, o_cancel = 0, o_groups = 0x0, o_do_not_cache = 0 
'\000', o_is_auth_check = 0 '\000',
          o_dont_replicate = 0 '\000', o_acl_priv = ACL_NONE, o_nocaching = 
0 '\000', o_delete_glue_parent = 0 '\000', o_no_schema_check = 0 '\000', 
o_no_subordinate_glue = 0 '\000',
          o_ctrlflag = '\000' <repeats 31 times>, o_controls = 0x0, o_authz 
= {sai_method = 0, sai_mech = {bv_len = 0, bv_val = 0x0}, sai_dn = {bv_len 
= 0, bv_val = 0x0}, sai_ndn = {
              bv_len = 0, bv_val = 0x0}, sai_ssf = 0, sai_transport_ssf = 
0, sai_tls_ssf = 0, sai_sasl_ssf = 0}, o_ber = 0x0, o_res_ber = 0x0, 
o_callback = 0x0, o_ctrls = 0x0, o_csn = {
            bv_len = 0, bv_val = 0x0}, o_private = 0x0, o_extra = 
{slh_first = 0x0}, o_next = {stqe_next = 0x0}}
        progname = 0x51a858 "slapcat"
        requestBSF = 1
        doBSF = 0
        __PRETTY_FUNCTION__ = "slapcat"
#13 0x00000000004158f0 in main (argc=9, argv=0x7fffffffea38) at main.c:410
        i = 1
        no_detach = 0
        rc = 1
        urls = 0x0
        username = 0x0
        groupname = 0x0
        sandbox = 0x0
        syslogUser = 160
        pid = 0
        waitfds = {-154148864, 32767}
        g_argc = 9
        g_argv = 0x7fffffffea38
        configfile = 0x0
        configdir = 0x0
        serverName = 0x7fffffffeca6 "slapcat"
        serverMode = 1
        scp = 0x0
        scp_entry = 0x0
        debug_unknowns = 0x0
        syslog_unknowns = 0x0
        serverNamePrefix = 0x4f9aa8 ""
        l = 140737323823448
        slapd_pid_file_unlink = 0
        slapd_args_file_unlink = 0
        firstopt = 1
        __PRETTY_FUNCTION__ = "main"



--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra ::  the leader in open source messaging and collaboration