[Bug 1593378] Re: crash in slap_bv2ad using repeated tags
Eric Desrochers
eric.desrochers at canonical.com
Tue Jun 21 13:58:36 UTC 2016
The user that originally reported the issue on Ubuntu package have tested a "Test package".
The "Test package" I have builded can be found here : ppa:slashd/fix1593378.
Users feedback :
"We tested the hotfix and looks like it works, the sldap on the CIC with
the fix didn`t crash."
Eric
** Description changed:
[SRU JUSTIFICATION]
[Impact]
The effect of the bug on users is that the program (slapd) terminated
with signal SIGSEGV, Segmentation fault when ldapsearch tries to query
using multiple language tags.
GDB output:
...
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
...
(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv at entry=0x7f6741e0e830, ad=ad at entry=0x7f6741e0e848, text=text at entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
...
In frame #1 the 'tags' struct is corrupt.
Line #272 checks for duplication and jumps to the done label (line #294)
when a duplicate is found. The code increases 'ntags' without filling in
the tags struct with values. In later iterations this could lead to
copying and using uninitialised memory.
[Test Case]
One way to reproduce the issue :
$ ldapsearch -D
"cn=<BINDDN_COMMON_NAME>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>"
-x -W -b
"dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>"
"cn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn
;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn
;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn
;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de
;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de
;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de
;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
encn;lang-de;lang-encn;lang-de;lang-encn;lang-de"
Explanation :
Reference:
http://manpages.ubuntu.com/cgi-bin/search.py?q=ldapsearch
-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
For SASL binds, the server is expected to ignore this value.
-x
Use simple authentication instead of SASL.
-W
Prompt for simple authentication. This is used instead of
specifying the password on the command line.
-b searchbase
Use searchbase as the starting point for the search instead of the default.
[Regression Potential]
The patch is already in place in Debian & Wily and late Ubuntu release
version.
+ A hotfix has been tested by the user that originally reported the issue.
+ The hotfix solves the issue.
+
[Other Info]
Upstream OpenLDAP Bug :
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7941;page=9
Upstream OpenLDAP Commit :
af8f1e0 ITS#7941 fix for repeated tags
Upstream OpenLDAP Commit Web :
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=af8f1e0
(The commit has been introduced first in upstream branch :
OPENLDAP_REL_ENG_2_4_40~6)
[Original Description]
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
210 ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv at entry=0x7f6741e0e830, ad=ad at entry=0x7f6741e0e848, text=text at entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
#2 0x00007f674ae4d235 in get_filter (op=op at entry=0x7f672c000a80, ber=<optimized out>, filt=filt at entry=0x7f672c000af0, text=text at entry=0x7f6741e0f980)
at ../../../../servers/slapd/filter.c:190
#3 0x00007f674ae4b985 in do_search (op=0x7f672c000a80, rs=0x7f6741e0f960) at ../../../../servers/slapd/search.c:127
#4 0x00007f674ae496dc in connection_operation (ctx=ctx at entry=0x7f6741e0fb90, arg_v=arg_v at entry=0x7f672c000a80) at ../../../../servers/slapd/connection.c:1150
#5 0x00007f674ae49a40 in connection_read_thread (ctx=0x7f6741e0fb90, argv=0x19) at ../../../../servers/slapd/connection.c:1286
#6 0x00007f674a9a7aba in ?? () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#7 0x00007f67498dc182 in start_thread (arg=0x7f6741e10700) at pthread_create.c:312
#8 0x00007f674960947d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1593378
Title:
crash in slap_bv2ad using repeated tags
Status in openldap package in Ubuntu:
Fix Released
Status in openldap source package in Trusty:
In Progress
Bug description:
[SRU JUSTIFICATION]
[Impact]
The effect of the bug on users is that the program (slapd) terminated
with signal SIGSEGV, Segmentation fault when ldapsearch tries to query
using multiple language tags.
GDB output:
...
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
...
(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv at entry=0x7f6741e0e830, ad=ad at entry=0x7f6741e0e848, text=text at entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
...
In frame #1 the 'tags' struct is corrupt.
Line #272 checks for duplication and jumps to the done label (line
#294) when a duplicate is found. The code increases 'ntags' without
filling in the tags struct with values. In later iterations this could
lead to copying and using uninitialised memory.
[Test Case]
One way to reproduce the issue :
$ ldapsearch -D
"cn=<BINDDN_COMMON_NAME>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>"
-x -W -b
"dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>"
"cn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de
;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-
de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de
;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-
de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn
;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-
de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn
;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn
;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-
encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de
;lang-encn;lang-de"
Explanation :
Reference:
http://manpages.ubuntu.com/cgi-bin/search.py?q=ldapsearch
-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
For SASL binds, the server is expected to ignore this value.
-x
Use simple authentication instead of SASL.
-W
Prompt for simple authentication. This is used instead of
specifying the password on the command line.
-b searchbase
Use searchbase as the starting point for the search instead of the default.
[Regression Potential]
The patch is already in place in Debian & Wily and late Ubuntu release
version.
A hotfix has been tested by the user that originally reported the issue.
The hotfix solves the issue.
[Other Info]
Upstream OpenLDAP Bug :
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7941;page=9
Upstream OpenLDAP Commit :
af8f1e0 ITS#7941 fix for repeated tags
Upstream OpenLDAP Commit Web :
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=af8f1e0
(The commit has been introduced first in upstream branch :
OPENLDAP_REL_ENG_2_4_40~6)
[Original Description]
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
210 ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv at entry=0x7f6741e0e830, ad=ad at entry=0x7f6741e0e848, text=text at entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
#2 0x00007f674ae4d235 in get_filter (op=op at entry=0x7f672c000a80, ber=<optimized out>, filt=filt at entry=0x7f672c000af0, text=text at entry=0x7f6741e0f980)
at ../../../../servers/slapd/filter.c:190
#3 0x00007f674ae4b985 in do_search (op=0x7f672c000a80, rs=0x7f6741e0f960) at ../../../../servers/slapd/search.c:127
#4 0x00007f674ae496dc in connection_operation (ctx=ctx at entry=0x7f6741e0fb90, arg_v=arg_v at entry=0x7f672c000a80) at ../../../../servers/slapd/connection.c:1150
#5 0x00007f674ae49a40 in connection_read_thread (ctx=0x7f6741e0fb90, argv=0x19) at ../../../../servers/slapd/connection.c:1286
#6 0x00007f674a9a7aba in ?? () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#7 0x00007f67498dc182 in start_thread (arg=0x7f6741e10700) at pthread_create.c:312
#8 0x00007f674960947d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1593378/+subscriptions
More information about the Ubuntu-sponsors
mailing list