[Bug 1593378] Re: crash in slap_bv2ad using repeated tags

Eric Desrochers eric.desrochers at canonical.com
Tue Jun 21 13:58:36 UTC 2016


The user that originally reported the issue on the Ubuntu package has tested a "Test package".
The "Test package" I built can be found here: ppa:slashd/fix1593378.

User's feedback:

"We tested the hotfix and looks like it works, the slapd on the CIC with
the fix didn't crash."

Eric


** Description changed:

  [SRU JUSTIFICATION]
  
  [Impact]
  
  The effect of the bug on users is that slapd terminates with signal
  SIGSEGV (segmentation fault) when an ldapsearch query uses multiple
  language tags.
  
  GDB output:
  ...
  Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  ...
  
  (gdb) bt
  #0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
  #1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv at entry=0x7f6741e0e830, ad=ad at entry=0x7f6741e0e848, text=text at entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
  ...
  
  In frame #1 the 'tags' struct is corrupt.
  
  Line #272 checks for a duplicate tag and jumps to the done label (line
  #294) when one is found. The code has already increased 'ntags' without
  filling in the corresponding tags entry, so later iterations can copy
  and use uninitialised memory.
  
  [Test Case]
  
  One way to reproduce the issue:
  
  $ ldapsearch -D
  "cn=<BINDDN_COMMON_NAME>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>"
  -x -W -b
  "dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>"
  "cn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
  encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
  encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn
  ;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn
  ;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn
  ;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de
  ;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de
  ;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de
  ;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
  encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
  encn;lang-de;lang-encn;lang-de;lang-encn;lang-de"
  
  Explanation of the options used (reference:
  http://manpages.ubuntu.com/cgi-bin/search.py?q=ldapsearch):
  
  -D binddn
  Use the Distinguished Name binddn to bind to the LDAP directory.
  For SASL binds, the server is expected to ignore this value.
  
  -x
  Use simple authentication instead of SASL.
  
  -W
  Prompt  for  simple  authentication.   This  is  used instead of
  specifying the password on the command line.
  
  -b searchbase
  Use searchbase as the starting point for the search  instead  of the default.
  
  [Regression Potential]
  
  The patch is already in place in Debian, in Wily and in later Ubuntu
  releases.
  
+ A hotfix has been tested by the user that originally reported the issue.
+ The hotfix solves the issue.
+ 
  [Other Info]
  
  Upstream OpenLDAP Bug         :
  http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7941;page=9
  
  Upstream OpenLDAP Commit      :
  af8f1e0 ITS#7941 fix for repeated tags
  
  Upstream OpenLDAP Commit Web  :
  http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=af8f1e0
  
  (The commit was first introduced upstream at OPENLDAP_REL_ENG_2_4_40~6.)
  
  [Original Description]
  
  Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
  210	../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
  (gdb) bt
  #0  __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
  #1  0x00007f674ae8cab2 in slap_bv2ad (bv=bv at entry=0x7f6741e0e830, ad=ad at entry=0x7f6741e0e848, text=text at entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
  #2  0x00007f674ae4d235 in get_filter (op=op at entry=0x7f672c000a80, ber=<optimized out>, filt=filt at entry=0x7f672c000af0, text=text at entry=0x7f6741e0f980)
      at ../../../../servers/slapd/filter.c:190
  #3  0x00007f674ae4b985 in do_search (op=0x7f672c000a80, rs=0x7f6741e0f960) at ../../../../servers/slapd/search.c:127
  #4  0x00007f674ae496dc in connection_operation (ctx=ctx at entry=0x7f6741e0fb90, arg_v=arg_v at entry=0x7f672c000a80) at ../../../../servers/slapd/connection.c:1150
  #5  0x00007f674ae49a40 in connection_read_thread (ctx=0x7f6741e0fb90, argv=0x19) at ../../../../servers/slapd/connection.c:1286
  #6  0x00007f674a9a7aba in ?? () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
  #7  0x00007f67498dc182 in start_thread (arg=0x7f6741e10700) at pthread_create.c:312
  #8  0x00007f674960947d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
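The ordering problem described under [Impact] (ntags bumped, then a repeated tag jumping past the fill) as an added, simplified model; this is not OpenLDAP's code. collect_lang_tags, struct tag and struct result are hypothetical names, an unwritten slot is modelled as a NULL pointer so the run reports the bad read instead of crashing, and the corrected ordering (fill the slot, then count) runs from the same function with buggy set to 0.

```c
#define _DEFAULT_SOURCE
#include <string.h>
#include <strings.h>

#define MAX_TAGS 128

/* Simplified model of the per-option tag table slap_bv2ad builds: a (pointer,
 * length) pair per tag, like struct berval. val == NULL stands in for a slot
 * that was never written (in real slapd: stack garbage). */
struct tag { const char *val; size_t len; };

/* Distinct lang- tags kept, and whether the duplicate scan ever touched an
 * unwritten slot (the read that crashes inside strncasecmp in the report). */
struct result { int ntags; int read_uninit; };

/* Parse "attr;opt;opt;..." and collect distinct lang- options. buggy != 0
 * reproduces the ordering the report describes: ntags is bumped before the
 * slot is filled and a repeated tag jumps to 'done' past the fill, so a
 * later option's duplicate scan walks into the hole it left. */
struct result collect_lang_tags(const char *desc, int buggy)
{
    struct tag tags[MAX_TAGS] = {{0}};
    struct result r = {0, 0};
    const char *opt = strchr(desc, ';');

    while (opt && r.ntags < MAX_TAGS) {
        const char *end = strchr(++opt, ';');
        size_t optlen = end ? (size_t)(end - opt) : strlen(opt);
        int j, slot, dup = 0;

        /* Not a language tag (this also skips the empty ";;" option). */
        if (optlen < 5 || strncasecmp(opt, "lang-", 5) != 0) goto done;
        if (buggy) r.ntags++;               /* BUG: counted before the slot is written */
        slot = buggy ? r.ntags - 1 : r.ntags;
        for (j = 0; j < slot; j++) {        /* duplicate check against earlier tags */
            if (tags[j].val == NULL) { r.read_uninit = 1; continue; } /* hole: the bad read */
            if (tags[j].len == optlen && strncasecmp(tags[j].val, opt, optlen) == 0) {
                dup = 1; break;
            }
        }
        if (dup) goto done;                 /* repeated tag: buggy path leaves tags[slot] unwritten */

        tags[slot].val = opt;
        tags[slot].len = optlen;
        if (!buggy) r.ntags++;              /* fix: count only once the slot is filled */
done:
        opt = end;
    }
    return r;
}
```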

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1593378

Title:
  crash in slap_bv2ad using repeated tags

Status in openldap package in Ubuntu:
  Fix Released
Status in openldap source package in Trusty:
  In Progress

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions



More information about the Ubuntu-sponsors mailing list