crash in slap_bv2ad using repeated tags

Bug #1593378 reported by Eric Desrochers on 2016-06-16
Affects             Status         Importance   Assigned to        Milestone
openldap (Ubuntu)   Fix Released   Medium       Eric Desrochers
Trusty              Fix Released   Medium       Eric Desrochers

Bug Description

[SRU JUSTIFICATION]

[Impact]

The effect of the bug on users is that the program (slapd) terminates with signal SIGSEGV (segmentation fault) when ldapsearch queries an attribute description carrying multiple, repeated language tags.

GDB output:
...
Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
...

(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
...

In frame #1 the 'tags' array (of struct berval) is corrupt.

Line #272 checks for a duplicate tag and jumps to the done label (line #294) when one is found. 'ntags' is still incremented on that path, although no value was stored in the corresponding slot of the tags array. Later iterations then compare against, and copy, that uninitialised entry.

[Test Case]

One way to reproduce the issue:

$ ldapsearch -D "cn=<BINDDN_COMMON_NAME>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>,dc=<BINDDN_DOMAIN_COMPONENT>" -x -W -b "dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>,dc=<SEARCHPATH_DOMAIN_COMPONENT>" "cn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de"

Explanation:

Reference:
http://manpages.ubuntu.com/cgi-bin/search.py?q=ldapsearch

-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
For SASL binds, the server is expected to ignore this value.

-x
Use simple authentication instead of SASL.

-W
Prompt for simple authentication. This is used instead of
specifying the password on the command line.

-b searchbase
Use searchbase as the starting point for the search instead of the default.

[Regression Potential]

The patch is already in place in Debian, in Wily and in later Ubuntu releases.

A hotfix has been tested by the user that originally reported the issue.
The hotfix solves the issue.

[Other Info]

Upstream OpenLDAP Bug:
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=7941;page=9

Upstream OpenLDAP Commit:
af8f1e0 ITS#7941 fix for repeated tags

Upstream OpenLDAP Commit Web:
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commitdiff;h=af8f1e0

(The commit was first introduced in the upstream branch at: OPENLDAP_REL_ENG_2_4_40~6)

[Original Description]

Core was generated by `/usr/sbin/slapd -h ldap://<IP>:389 ldap://<IP>:389/ ldapi:/// -g o'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
210 ../sysdeps/x86_64/multiarch/../strcmp.S: No such file or directory.
(gdb) bt
#0 __strncasecmp_l_ssse3 () at ../sysdeps/x86_64/multiarch/../strcmp.S:210
#1 0x00007f674ae8cab2 in slap_bv2ad (bv=bv@entry=0x7f6741e0e830, ad=ad@entry=0x7f6741e0e848, text=text@entry=0x7f6741e0f980) at ../../../../servers/slapd/ad.c:268
#2 0x00007f674ae4d235 in get_filter (op=op@entry=0x7f672c000a80, ber=<optimized out>, filt=filt@entry=0x7f672c000af0, text=text@entry=0x7f6741e0f980)
    at ../../../../servers/slapd/filter.c:190
#3 0x00007f674ae4b985 in do_search (op=0x7f672c000a80, rs=0x7f6741e0f960) at ../../../../servers/slapd/search.c:127
#4 0x00007f674ae496dc in connection_operation (ctx=ctx@entry=0x7f6741e0fb90, arg_v=arg_v@entry=0x7f672c000a80) at ../../../../servers/slapd/connection.c:1150
#5 0x00007f674ae49a40 in connection_read_thread (ctx=0x7f6741e0fb90, argv=0x19) at ../../../../servers/slapd/connection.c:1286
#6 0x00007f674a9a7aba in ?? () from /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
#7 0x00007f67498dc182 in start_thread (arg=0x7f6741e10700) at pthread_create.c:312
#8 0x00007f674960947d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111

Eric Desrochers (slashd) wrote :

I think this upstream commit could be a possible candidate to fix that issue:

commit 0659ef45d486b5daaafc020cb67b561a8029036d
Author: Howard Chu <email address hidden>
Date: Thu Sep 18 00:33:33 2014 +0100

    ITS#7941 fix for repeated tags

    Make sure ntags isn't incremented if we're skipping the tag

diff --git a/servers/slapd/ad.c b/servers/slapd/ad.c
index 78a8b15..246b900 100644
--- a/servers/slapd/ad.c
+++ b/servers/slapd/ad.c
@@ -271,6 +271,7 @@ int slap_bv2ad(

                                if( rc == 0 && (unsigned)optlen == tags[i].bv_len ) {
                                        /* duplicate (ignore) */
+ ntags--;
                                        goto done;

                                } else if ( rc > 0 ||
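Review bot: the added `ntags--;` in the duplicate branch only makes sense if `ntags` has already been counted up for this option before the comparison loop and the `done:` label does not undo it; the hunk shows neither the increment nor the label, so the review should confirm that `done:` is the single place `ntags` rises and that the other early exit starting at the visible `} else if ( rc > 0 ||` fills `tags[i+1]` before its own `goto done`, otherwise the same counted-but-unfilled slot recurs on that path. A one-line comment next to the decrement (for example `/* undo the increment at done: nothing was stored */`) would stop a later reader from removing what looks like a stray decrement; the `/* duplicate (ignore) */` comment alone does not explain it.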

Eric Desrochers (slashd) on 2016-06-16
Changed in openldap (Ubuntu):
importance: Undecided → Medium
Eric Desrochers (slashd) wrote :

Line #272 checks for duplication and jumps to the done label (line #294) when a duplicate is found.

The code increases 'ntags' without filling in the tags struct with values.
In later iterations this could lead to copying and using uninitialised memory.
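The bookkeeping described in the [Impact] section of the description and restated in the comment above, as an added C model. This is a constructed example, not OpenLDAP's ad.c and not the reporter's code: the names `parse_lang_tags`, `count_unfilled`, `NTAGS_WOULD_CRASH` and `NTAGS_TOO_MANY` are assumptions, and only the `ntags` / `done` control flow follows the bug report and the ITS#7941 hunk quoted in the first comment. The array is zeroed so that a counted-but-unfilled slot is visible as `bv_val == NULL`; the real server leaves its stack array uninitialised, which is why it faults inside strncasecmp instead of failing cleanly.

```c
/* Constructed model of the tag-option bookkeeping in slapd's slap_bv2ad()
 * (servers/slapd/ad.c). Not OpenLDAP's source: names are assumptions and
 * only the 'ntags' / 'done' control flow follows the bug report. */
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define MAX_TAGGING 64

/* Same shape as OpenLDAP's struct berval: length plus pointer into the
 * attribute description string. */
struct berval {
    size_t bv_len;
    char  *bv_val;
};

/* Negative results of parse_lang_tags(); a non-negative result is ntags. */
#define NTAGS_WOULD_CRASH (-1)   /* compared against a never-filled slot */
#define NTAGS_TOO_MANY    (-2)

static struct berval demo_tags[MAX_TAGGING];

/* Parse the ';'-separated options of an attribute description such as
 * "cn;lang-de;lang-en;lang-de" into a sorted, de-duplicated 'tags' array
 * and return ntags. fixed == 0 keeps the pre-ITS#7941 bookkeeping,
 * fixed == 1 applies the upstream one-line change (ntags-- before goto). */
static int parse_lang_tags(const char *desc, struct berval *tags, int fixed)
{
    int ntags = 0;
    const char *opt = strchr(desc, ';');

    /* Zeroed so an unfilled slot shows up as bv_val == NULL (the real
     * server's stack array holds whatever was there before). */
    memset(tags, 0, MAX_TAGGING * sizeof(*tags));

    while (opt != NULL) {
        const char *next;
        size_t optlen;
        int i;

        opt++;                                   /* step over the ';' */
        next = strchr(opt, ';');
        optlen = next ? (size_t)(next - opt) : strlen(opt);

        if (optlen >= 5 && strncasecmp(opt, "lang-", 5) == 0) {
            if (ntags >= MAX_TAGGING)
                return NTAGS_TOO_MANY;

            /* Tags are kept sorted, so scan the array from the top down. */
            for (i = ntags - 1; i >= 0; i--) {
                int rc;
                size_t cmplen;

                if (tags[i].bv_val == NULL)      /* hole left by a skipped duplicate */
                    return NTAGS_WOULD_CRASH;

                cmplen = optlen < tags[i].bv_len ? optlen : tags[i].bv_len;
                rc = strncasecmp(opt, tags[i].bv_val, cmplen);

                if (rc == 0 && optlen == tags[i].bv_len) {
                    /* duplicate (ignore) */
                    if (fixed)
                        ntags--;                 /* cancel the increment at done */
                    goto done;
                } else if (rc > 0 || (rc == 0 && optlen > tags[i].bv_len)) {
                    /* insert after slot i, shifting the larger tags up */
                    memmove(&tags[i + 2], &tags[i + 1],
                            (size_t)(ntags - i - 1) * sizeof(*tags));
                    tags[i + 1].bv_val = (char *)opt;
                    tags[i + 1].bv_len = optlen;
                    goto done;
                }
            }
            /* smaller than everything seen so far: becomes the first tag */
            memmove(&tags[1], &tags[0], (size_t)ntags * sizeof(*tags));
            tags[0].bv_val = (char *)opt;
            tags[0].bv_len = optlen;
done:
            ntags++;   /* reached by every path, including the duplicate skip */
        }
        opt = next;
    }
    return ntags;
}

/* Count slots below ntags that were counted but never filled. */
static int count_unfilled(const struct berval *tags, int ntags)
{
    int i, holes = 0;
    for (i = 0; i < ntags; i++)
        if (tags[i].bv_val == NULL)
            holes++;
    return holes;
}

int main(void)
{
    /* constructed input: the third option repeats the first */
    const char *desc = "cn;lang-de;lang-en;lang-de";
    int n;

    n = parse_lang_tags(desc, demo_tags, 0);
    printf("original: ntags=%d, unfilled slots=%d\n", n, count_unfilled(demo_tags, n));
    n = parse_lang_tags(desc, demo_tags, 1);
    printf("fixed:    ntags=%d, unfilled slots=%d\n", n, count_unfilled(demo_tags, n));
    return 0;
}
```

With the original bookkeeping the duplicate `lang-de` leaves ntags at 3 with `tags[2]` never written, which is the `{bv_len = 0, bv_val = 0x0}` pattern in the gdb dump of `tags`; one more language tag after the duplicate makes the comparison loop read that slot, which the model reports as `NTAGS_WOULD_CRASH` where slapd dereferences it. With the fix the same input yields ntags 2 and no holes.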

Eric Desrochers (slashd) on 2016-06-17
Changed in openldap (Ubuntu):
assignee: nobody → Eric Desrochers (slashd)
Eric Desrochers (slashd) wrote :

In frame #1

(gdb) p tags
$2 = {{bv_len = 7,
    bv_val = 0x7f672c104866 "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9,
    bv_val = 0x7f672c10486e "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 0, bv_val = 0x0}, {bv_len = 7,
    bv_val = 0x7f672c10488a "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9,
    bv_val = 0x7f672c104880 "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 0, bv_val = 0x0}, {bv_len = 7,
    bv_val = 0x7f672c10489c "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9,
    bv_val = 0x7f672c1048a4 "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 0, bv_val = 0x0}, {bv_len = 7,
    bv_val = 0x7f672c1048c0 "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9,
    bv_val = 0x7f672c1048b6 "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 2, bv_val = 0x7f6741e0df70 "240.0.0.2"}, {bv_len = 7,
    bv_val = 0x7f672c1048d2 "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9,
    bv_val = 0x7f672c1048da "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_len = 0, bv_val = 0x0}, {bv_len = 7,
    bv_val = 0x7f672c1048f6 "lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;la"...}, {bv_len = 9,
    bv_val = 0x7f672c1048ec "lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;lang-encn;lang-de;la"...}, {bv_l...

Eric Desrochers (slashd) on 2016-06-17
Changed in openldap (Ubuntu Trusty):
assignee: nobody → Eric Desrochers (slashd)
tags: added: sts
Changed in openldap (Ubuntu Trusty):
importance: Undecided → Medium
Eric Desrochers (slashd) on 2016-06-17
Changed in openldap (Ubuntu):
status: New → Fix Released
Eric Desrochers (slashd) on 2016-06-20
description: updated
description: updated
Eric Desrochers (slashd) wrote :

Here's the debdiff for Trusty, which is a cherry-picked patch from the upstream VCS.

Changed in openldap (Ubuntu Trusty):
status: New → In Progress
Eric Desrochers (slashd) on 2016-06-20
tags: added: ubuntu-sponsors
tags: added: patch sts-sponsor sts-sru
Eric Desrochers (slashd) wrote :

The user who originally reported the issue against the Ubuntu package has tested a "Test package".
The "Test package" I built can be found here: ppa:slashd/fix1593378.

User's feedback:

"We tested the hotfix and it looks like it works; the slapd on the CIC with the fix didn't crash."

Eric

description: updated

Hello Eric, or anyone else affected,

Accepted openldap into trusty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.31-1+nmu2ubuntu8.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us in getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in openldap (Ubuntu Trusty):
status: In Progress → Fix Committed
tags: added: verification-needed
Eric Desrochers (slashd) on 2016-06-24
tags: removed: sts-sponsor
Robie Basak (racb) wrote :

Unsubscribing ~ubuntu-sponsors as it looks like this has already been uploaded.

Eric Desrochers (slashd) on 2016-06-30
tags: added: verification-done
removed: verification-needed
Eric Desrochers (slashd) wrote :

The following has been brought to my attention by a user:

"I got verification from the system test, the fix solves the ldap issue.
Thank you for the fix"

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.31-1+nmu2ubuntu8.3

---------------
openldap (2.4.31-1+nmu2ubuntu8.3) trusty; urgency=medium

  * Fix segfault issue in slap_bv2ad (LP: #1593378)
    - d/p/its-7941-fix-for-repeated-tags.patch: Cherry picked
    patch from upstream VCS.

 -- Eric Desrochers <email address hidden> Fri, 24 Jun 2016 11:05:23 +0200

Changed in openldap (Ubuntu Trusty):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for openldap has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Louis Bouchard (louis) on 2016-11-09
tags: removed: sts-sru