slapd crashed with SIGSEGV in lutil_str2bin() when using mdb

Bug #1216650 reported by Roel Standaert on 2013-08-25
28
This bug affects 3 people
Affects Status Importance Assigned to Milestone
openldap (Ubuntu)
Medium
Unassigned
Precise
Medium
Roel Standaert

Bug Description

[Impact]
When OpenLDAP is used with mdb as its backend, this bug is very likely to occur: when a numeric field that is indexed (could be uidNumber, for example) is removed. This impedes the normal operation of slapd, as it becomes impossible to delete these entries and
any attempt to do so crashes slapd with a segmentation fault.

[Test Case]
1. Install OpenLDAP (apt-get install slapd ldap-utils)
2. Run testbug.sh as root (WARNING: this will wipe /etc/ldap/slapd.d and /var/lib/ldap, do this on a clean install)
3. Run "ldapdelete -x -D cn=admin,dc=example,dc=com -w test -H ldap:/// 'uid=johndoe,dc=example,dc=com'"
4. - Expected result: The delete action succeeds, "ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com 'uid=johndoe'" should return nothing.
   - Actual result: slapd crashes with SIGSEGV (see /var/log/syslog). The entry is not deleted.

[Regression Potential]
The fix introduces new variables local in function scope. It also removes the side effects
caused by temporarily changing an input variable. Because changing the input variable is not the intended behavior, and this fix only introduces temporary variables in function scope, it can be considered as a safe change. Also, this is the only fix in a long time to utils.c, and didn't cause any problems upstream.

[Other Info]
When I try to remove certain entries from OpenLDAP, slapd crashes with a segmentation fault, when using the mdb backend. When I looked at the backtrace, it appeared to be this issue:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7174
which is fixed in later versions of Ubuntu (it was fixed in OpenLDAP 2.4.30), but not in precise.

It was fixed upstream in this commit:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=92ed65d298e47822b9e3ed7d4f9d8b938bf8b780

The bug occurred on a production server (where the bug first occurred) and in a VM using a dump of that server's directory.

I've downloaded the source package, applied Ubuntu-specific patches and the above patch, and the bug does seem to be absent from the compiled result.

ProblemType: Crash
DistroRelease: Ubuntu 12.04
Package: slapd 2.4.28-1.1ubuntu4.3
ProcVersionSignature: Ubuntu 3.5.0-23.35~precise1-generic 3.5.7.2
Uname: Linux 3.5.0-23-generic x86_64
ApportVersion: 2.0.1-0ubuntu17.4
Architecture: amd64
Date: Sun Aug 25 18:59:12 2013
ExecutablePath: /usr/sbin/slapd
InstallationMedia: Ubuntu-Server 12.04.2 LTS "Precise Pangolin" - Release amd64 (20130214)
MarkForUpload: True
ProcCmdline: /usr/sbin/slapd -h ldap:///\ ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
ProcEnviron:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_US.utf8
SegvAnalysis:
 Segfault happened at: 0x7f208d8ea3b2 <lutil_str2bin+290>: movb $0x0,0x0(%rbp)
 PC (0x7f208d8ea3b2) ok
 source "$0x0" ok
 destination "0x0(%rbp)" (0x7f0c879633d3) in non-writable VMA region: 0x7f0c871b5000-0x7f20871b5000 r--s /var/lib/ldap/data.mdb
 Stack memory exhausted (SP below stack segment)
SegvReason: writing VMA /var/lib/ldap/data.mdb
Signal: 11
SourcePackage: openldap
StacktraceTop:
 lutil_str2bin (in=<optimized out>, out=0x7f0c76ffd430, ctx=0x7f0c70000ea0) at ../../../../libraries/liblutil/utils.c:812
 integerVal2Key (in=<optimized out>, tmp=<optimized out>, ctx=<optimized out>, key=<optimized out>) at ../../../../servers/slapd/schema_init.c:2545
 integerIndexer (use=<optimized out>, flags=<optimized out>, syntax=<optimized out>, mr=<optimized out>, prefix=<optimized out>, values=0x7f0c70001bb8, keysp=0x7f0c76ffd570, ctx=0x7f0c70000ea0) at ../../../../servers/slapd/schema_init.c:2634
 indexer (op=0x7f0c70000900, txn=<optimized out>, ai=<optimized out>, atname=0x7f208f9657b8, vals=0x7f0c70001bb8, id=4103, opid=2, mask=4, ad=<optimized out>) at ../../../../../servers/slapd/back-mdb/index.c:211
 index_at_values (op=0x7f0c70000900, txn=0x7f0c70100f80, type=0x7f208f965750, tags=0x7f208f965900, vals=0x7f0c70001bb8, id=4103, opid=2, ad=<optimized out>) at ../../../../../servers/slapd/back-mdb/index.c:337
Title: slapd crashed with SIGSEGV in lutil_str2bin()
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

Related branches

Roel Standaert (s-roel) wrote :

StacktraceTop:
 lutil_str2bin (in=<optimized out>, out=0x7f0c76ffd430, ctx=0x7f0c70000ea0) at ../../../../libraries/liblutil/utils.c:812
 integerVal2Key (in=<optimized out>, tmp=<optimized out>, ctx=<optimized out>, key=<optimized out>) at ../../../../servers/slapd/schema_init.c:2545
 integerIndexer (use=<optimized out>, flags=<optimized out>, syntax=<optimized out>, mr=<optimized out>, prefix=<optimized out>, values=0x7f0c70001bb8, keysp=0x7f0c76ffd570, ctx=0x7f0c70000ea0) at ../../../../servers/slapd/schema_init.c:2634
 indexer (op=0x7f0c70000900, txn=<optimized out>, ai=<optimized out>, atname=0x7f208f9657b8, vals=0x7f0c70001bb8, id=4103, opid=2, mask=4, ad=<optimized out>) at ../../../../../servers/slapd/back-mdb/index.c:211
 index_at_values (op=0x7f0c70000900, txn=0x7f0c70100f80, type=0x7f208f965750, tags=0x7f208f965900, vals=0x7f0c70001bb8, id=4103, opid=2, ad=<optimized out>) at ../../../../../servers/slapd/back-mdb/index.c:337

Changed in openldap (Ubuntu):
importance: Undecided → Medium

StacktraceTop:
 lutil_str2bin (in=<optimized out>, out=0x7f0c76ffd430, ctx=0x7f0c70000ea0) at ../../../../libraries/liblutil/utils.c:812
 integerVal2Key (in=<optimized out>, tmp=<optimized out>, ctx=<optimized out>, key=<optimized out>) at ../../../../servers/slapd/schema_init.c:2545
 integerIndexer (use=<optimized out>, flags=<optimized out>, syntax=<optimized out>, mr=<optimized out>, prefix=<optimized out>, values=0x7f0c70001bb8, keysp=0x7f0c76ffd570, ctx=0x7f0c70000ea0) at ../../../../servers/slapd/schema_init.c:2634
 indexer (op=0x7f0c70000900, txn=<optimized out>, ai=<optimized out>, atname=0x7f208f9657b8, vals=0x7f0c70001bb8, id=4103, opid=2, mask=4, ad=<optimized out>) at ../../../../../servers/slapd/back-mdb/index.c:211
 index_at_values (op=0x7f0c70000900, txn=0x7f0c70100f80, type=0x7f208f965750, tags=0x7f208f965900, vals=0x7f0c70001bb8, id=4103, opid=2, ad=<optimized out>) at ../../../../../servers/slapd/back-mdb/index.c:337

tags: removed: need-amd64-retrace
Roel Standaert (s-roel) on 2013-08-29
information type: Private → Public
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openldap (Ubuntu):
status: New → Confirmed
Roel Standaert (s-roel) wrote :

Here's the linked patch as a file.

Dave Gilbert (ubuntu-treblig) wrote :

Triaged: Has the upstream patch to fix it.

Changed in openldap (Ubuntu):
status: Confirmed → Triaged

The attachment "its-7174-lutil_str2bin-cant-modify-input-strings.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
Roel Standaert (s-roel) wrote :

Here's a test scenario that will fail on 12.04 (but not when the patch is applied), and will not fail on 12.10 and up:

[Test Case]
1. Install OpenLDAP (apt-get install slapd ldap-utils)
2. Run testbug.sh as root (WARNING: this will wipe /etc/ldap/slapd.d and /var/lib/ldap, do this on a clean install)
3. Run "ldapdelete -x -D cn=admin,dc=example,dc=com -w test -H ldap:/// 'uid=johndoe,dc=example,dc=com'
4. - Expected result: The delete action succeeds, "ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com 'uid=johndoe'" should return nothing.
   - Actual result: slapd crashes with SIGSEGV (see /var/log/syslog). The entry is not deleted.

Roel Standaert (s-roel) on 2013-08-30
description: updated
description: updated
Roel Standaert (s-roel) on 2013-08-30
description: updated
description: updated
Roel Standaert (s-roel) on 2013-08-30
description: updated
Dave Gilbert (ubuntu-treblig) wrote :

Marking Fix released because original description said that it's already fixed:
'which is fixed in later versions of Ubuntu (it was fixed in OpenLDAP 2.4.30), but not in precise.'

Changed in openldap (Ubuntu):
status: Triaged → Fix Released
Changed in openldap (Ubuntu Precise):
status: New → Triaged
importance: Undecided → Medium
Roel Standaert (s-roel) on 2013-09-01
Changed in openldap (Ubuntu Precise):
assignee: nobody → Roel Standaert (s-roel)
Roel Standaert (s-roel) on 2013-09-07
Changed in openldap (Ubuntu Precise):
status: Triaged → In Progress
Robie Basak (racb) wrote :

I've reviewed and tested this. I failed to reproduce in Saucy as expected. I reproduced in Precise, verified that this patch fixes the bug, and reviewed the patch itself. Uploaded, with some help from cjwatson and infinity for ~ubuntu-server-dev packageset permissions.

Robie Basak (racb) wrote :

I made one modification: I added dep3 headers to the quilt patch. Please see http://dep.debian.net/deps/dep3/ for details.

Hello Roel, or anyone else affected,

Accepted openldap into precise-proposed. The package will build now and be available at http://launchpad.net/ubuntu/+source/openldap/2.4.28-1.1ubuntu4.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openldap (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Roel Standaert (s-roel) wrote :

I tested version 2.4.28-1.1ubuntu4.4 and slapd doesn't crash anymore. Delete operations are performed correctly.

Robie Basak (racb) wrote :

Thank you for your testing.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.28-1.1ubuntu4.4

---------------
openldap (2.4.28-1.1ubuntu4.4) precise-proposed; urgency=low

  * Backport fix for back-mdb, fixes crash when deleting an entry
    that contains an indexed numeric attribute (LP: #1216650):
    - d/patches/its-7174-lutil_str2bin-cant-modify-input-strings.patch:
      Upstream patch to make sure that lutil_str2bin does not
      attempt to modify its input.
 -- Roel Standaert <email address hidden> Sat, 31 Aug 2013 08:29:45 +0200

Changed in openldap (Ubuntu Precise):
status: Fix Committed → Fix Released

The verification of this Stable Release Update has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers