slapd segfault on filter parse error

Bug #1838370 reported by Kseniya Blashchuk on 2019-07-30
This bug affects 8 people
Affects             Status         Importance   Assigned to        Milestone
openldap            Fix Released   Undecided    Unassigned
openldap (Debian)   Fix Released   Unknown
openldap (Ubuntu)                  Undecided    Unassigned
  Xenial                           Undecided    Lucas Kanashiro
  Bionic                           Undecided    Lucas Kanashiro
  Disco                            Undecided    Lucas Kanashiro

Bug Description

[Impact]

Users of the slapd rwm overlay will face a slapd segmentation fault when certain rewrite rules are applied. Backporting this fix will allow users of stable releases to take advantage of this feature without crashing slapd. This issue was fixed upstream by no longer freeing the rwm overlay filter memory without a prior check.

[Test Case]

In this test case, the rwm overlay will be used and a rule will be created to deny any search request for uid=root; then 'ldapsearch' will be invoked to trigger the failure. It is important to mention that the 'ldapsearch' command should fail regardless of the presence of the bug in the package; the target here is the slapd crash. To reproduce this bug one can follow the procedure below on Ubuntu xenial, bionic or disco:

$ sudo apt-get update

Use debconf to pre-seed the slapd questions before installing it (the debconf database is root-owned, so this needs sudo as well):

$ sudo debconf-set-selections << EOF
slapd slapd/no_configuration boolean false
slapd slapd/domain string example.com
slapd shared/organization string example.com
slapd slapd/password1 password test
slapd slapd/password2 password test
slapd slapd/backend select MDB
slapd slapd/move_old_database boolean false
EOF
$ sudo apt-get install slapd ldap-utils -y

Create a file called 'add-rwm.ldif' with the following content:

$ cat add-rwm.ldif
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm

dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"

With this file in place, run:

$ sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif

Now, to trigger the crash:

$ ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error

The slapd process will die, and /var/crash will have a crash file for slapd. You can run the following command to confirm the error:

$ cat /var/log/syslog | grep filter_free
Aug 9 19:51:05 popular-gorilla slapd[1479]: filter_free: unknown filter type=28530

-> Expected behavior

In this test case, as mentioned before, the 'ldapsearch' command should fail but the 'slapd' process should not die. As a result, we don't expect a slapd crash report in the /var/crash directory.

[Regression Potential]

Since the fix is a patch provided by upstream (reviewed by the maintainers and by us), simple mistakes like typos are not expected. The patch impacts only the rwm module, which is not loaded by default, so any regression would affect only the users that make use of this overlay. If a user is not using the rwm overlay and is facing an issue, it should be related to other problems with the LDAP directory service.

[Original message]

Hello!
We have faced a slapd crash; it seems an attacker was trying to brute force one
of our services, and uid parsing failures caused the slapd crash:

Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH base="ou=test,dc=test,dc=com" scope=2 deref=0 filter="(&(uid=aistar123<>!n)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SRCH attr=objectClass uid userPassword uidNumber gidNumber gecos homeDirectory loginShell krbPrincipalName cn memberOf modifyTimestamp modifyTimestamp shadowLastChange shadowMin shadowMax shadowWarning shadowInactive shadowExpire shadowFlag krbLastPwdChange krbPasswordExpiration pwdAttribute authorizedService accountExpires userAccountControl nsAccountLock host loginDisabled loginExpirationTime loginAllowedTimeMap sshPublicKey
Jul 26 18:59:47 slapd[1252]: conn=1466 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=massaged filter parse error
Jul 26 18:59:47 kernel: [ 9441.554161] slapd[2367]: segfault at 18 ip 00007fc8d18ec512 sp 00007fc8889e2810 error 4 in libc-2.23.so[7fc8d1868000+1c0000]

Other faulty filter examples:
filter="(&(uid=sql<>?)(objectClass=posixAccount)(&(uidNumber=*)(!(uidNumber=0))))"
filter="(&(uid=fugeone<>?123)(objectClass=posixAccount)(uid=*)(&(uidNumber=*)(!(uidNumber=0))))"

$ lsb_release -rd
Description: Ubuntu 16.04.5 LTS
Release: 16.04

$ slapd -VVV
@(#) $OpenLDAP: slapd (Ubuntu) (May 22 2018 13:54:12) $
	buildd@lcy01-amd64-019:/build/openldap-t_Ta0O/openldap-2.4.42+dfsg/debian/build/servers/slapd

Included static backends:
    config
    ldif

$ apt-cache policy slapd
slapd:
  Installed: 2.4.42+dfsg-2ubuntu3.3
  Candidate: 2.4.42+dfsg-2ubuntu3.5
  Version table:
     2.4.42+dfsg-2ubuntu3.5 500
        500 http://nl.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
 *** 2.4.42+dfsg-2ubuntu3.3 100
        100 /var/lib/dpkg/status
     2.4.42+dfsg-2ubuntu3.2 500
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     2.4.42+dfsg-2ubuntu3 500
        500 http://nl.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
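As an added example (not code from the bug report or from the openldap package), the following POSIX shell script automates the check the [Test Case] section asks for: record the slapd PID, run the triggering ldapsearch, and confirm the PID is unchanged and no crash file appeared, plus a scan of a syslog file for the filter_free and kernel segfault signatures quoted on this page. It assumes the base DN dc=example,dc=com from the test case, that pidof(1) is available, and that apport names crash files so that /var/crash/*slapd* matches.

```shell
#!/bin/sh
# Added example, not code from the bug report: automates the check the
# [Test Case] asks for (ldapsearch may fail, but slapd must survive) and
# scans a syslog file for the two crash signatures quoted on this page.
# Assumptions: rwm is configured as in add-rwm.ldif, the search base is
# dc=example,dc=com, pidof(1) is available and apport writes crash files
# matching /var/crash/*slapd*.
set -eu

# Count log lines carrying either signature seen in this bug:
#   "filter_free: unknown filter type=NNNN"  (slapd, from the test case)
#   "slapd[PID]: segfault at ..."            (kernel, from the original report)
# $1: path to a syslog-style file. Prints the count (0 when none).
count_crash_signatures() {
    grep -cE 'filter_free: unknown filter type=[0-9]+|slapd\[[0-9]+\]: segfault at' "$1" || true
}

# Count the rwm-side symptom that preceded the segfault in the reporter's
# logs: a SEARCH RESULT whose text is "massaged filter parse error".
count_massage_errors() {
    grep -c 'text=massaged filter parse error' "$1" || true
}

# Run the trigger from the test case and report whether slapd survived.
# $1: search base (defaults to the test case's dc=example,dc=com).
# Prints "survived" (exit 0) or "crashed" (exit 1); exit 2 if slapd is down.
check_slapd_survives() {
    base="${1:-dc=example,dc=com}"
    before=$(pidof slapd) || { echo "slapd not running"; return 2; }
    # The search itself is expected to fail with "unwilling to perform (53)";
    # only the daemon's fate matters, so its output and exit status are dropped.
    ldapsearch -x -h localhost -b "$base" -LLL uid=root >/dev/null 2>&1 || true
    sleep 1
    after=$(pidof slapd) || after=""
    if [ -n "$after" ] && [ "$after" = "$before" ] \
        && ! ls /var/crash/*slapd* >/dev/null 2>&1; then
        echo survived
        return 0
    fi
    echo crashed
    return 1
}

# Live run only when asked for explicitly, so the functions above can be
# sourced or tested on a machine without slapd.
if [ "${1:-}" = "--live" ]; then
    check_slapd_survives
    count_crash_signatures /var/log/syslog
fi
```

Run it as `sh check-slapd.sh --live` on a host set up per the test case; an unpatched slapd prints "crashed" and a non-zero signature count, a fixed one prints "survived" and 0.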


Hello, thank you for the report.

I was able to reproduce the crash locally by intentionally
mis-configuring the rwm overlay.

Could you please provide a copy of your rwm overlay configuration? I
would like to see what the actual parse failure was in your instance.

Changed in openldap (Ubuntu):
status: New → Confirmed
Ryan Tandy (rtandy) wrote :

Looks like this is fixed upstream already: https://openldap.org/its/?findid=8964 fixed in 2.4.48.

Cherry-picking upstream commit d40b357f5da9a94d2f4f541c21bde02610d9cd3b fixes the crash for me.

Changed in openldap:
status: New → Fix Released
Bryce Harrington (bryce) wrote :
Bryce Harrington (bryce) on 2019-07-31
tags: added: server-next
tags: added: patch
tags: added: bitesize
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openldap (Ubuntu Bionic):
status: New → Confirmed
Changed in openldap (Ubuntu Disco):
status: New → Confirmed
Changed in openldap (Ubuntu Xenial):
status: New → Confirmed
Kseniya Blashchuk (ksyblast) wrote :

Is there any information on when it's going to be fixed in Ubuntu?

Ryan Tandy (rtandy) wrote :

This has already been fixed as of 2.4.48+dfsg-1ubuntu1. I'm not sure why the upload didn't automatically close the bug.

Changed in openldap (Ubuntu):
status: Confirmed → Fix Released
Andreas Hasenack (ahasenack) wrote :

Hm, I forgot to re-add the bug reference after a few iterations over another change, sorry. But this is a good SRU candidate.

Andreas Hasenack (ahasenack) wrote :

Here is a quick reproducer.

sudo apt update
sudo apt install slapd ldap-utils -y

Reconfigure the slapd package. When asked about a domain, use "example.com". Choose a password, and accept defaults for everything else:

sudo dpkg-reconfigure slapd

Create a file called add-rwm.ldif with these contents:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: rwm

dn: olcOverlay=rwm,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: {0} rwm-rewriteEngine "on"
olcRwmRewrite: {1} rwm-rewriteContext "searchFilter"
olcRwmRewrite: {2} rwm-rewriteRule "(.*)(uid=root)(.*)" "$1$2$3" "#"

Then run:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f add-rwm.ldif

And then, to trigger the crash:
ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root

slapd will die, and /var/crash will have a crash file for slapd.

description: updated
Bryce Harrington (bryce) on 2019-08-10
description: updated
description: updated
description: updated
Changed in openldap (Ubuntu Xenial):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in openldap (Ubuntu Bionic):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)
Changed in openldap (Ubuntu Disco):
assignee: nobody → Lucas Kanashiro (lucaskanashiro)

Hello Kseniya, or anyone else affected,

Accepted openldap into disco-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.47+dfsg-3ubuntu2.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-disco to verification-done-disco. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-disco. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openldap (Ubuntu Disco):
status: Confirmed → Fix Committed
tags: added: verification-needed verification-needed-disco
Changed in openldap (Ubuntu Bionic):
status: Confirmed → Fix Committed
tags: added: verification-needed-bionic
Brian Murray (brian-murray) wrote :

Hello Kseniya, or anyone else affected,

Accepted openldap into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.45+dfsg-1ubuntu1.4 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in openldap (Ubuntu Xenial):
status: Confirmed → Fix Committed
tags: added: verification-needed-xenial
Brian Murray (brian-murray) wrote :

Hello Kseniya, or anyone else affected,

Accepted openldap into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/openldap/2.4.42+dfsg-2ubuntu3.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

I installed the package available in disco-proposed as you can see below:

root@openldap-disco-sru:~# apt policy slapd
slapd:
  Installed: 2.4.47+dfsg-3ubuntu2.2
  Candidate: 2.4.47+dfsg-3ubuntu2.2
  Version table:
 *** 2.4.47+dfsg-3ubuntu2.2 500
        500 http://archive.ubuntu.com/ubuntu disco-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.47+dfsg-3ubuntu2.1 500
        500 http://archive.ubuntu.com/ubuntu disco-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu disco-security/main amd64 Packages
     2.4.47+dfsg-3ubuntu2 500
        500 http://archive.ubuntu.com/ubuntu disco/main amd64 Packages

And after executing the steps presented in the Test case section, the slapd process did not die:

root@openldap-disco-sru:~# ps aux | grep slapd
openldap 1994 0.0 4.5 2003840 728176 ? Ssl 19:05 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
root 2453 0.0 0.0 7980 1544 ? S+ 19:06 0:00 grep --color=auto slapd
root@openldap-disco-sru:~# ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
root@openldap-disco-sru:~# ps aux | grep slapd
openldap 1994 0.0 4.5 2003840 728176 ? Ssl 19:05 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
root 2457 0.0 0.0 7980 684 ? S+ 19:06 0:00 grep --color=auto slapd

The PID of the slapd process is the same. Moreover, there is no sign of crash in the syslog output nor a crash file in /var/crash:

root@openldap-disco-sru:~# cat /var/log/syslog | grep filter_free
root@openldap-disco-sru:~# ls /var/crash/ | grep slapd

tags: removed: verification-needed-disco

I installed the package available in bionic-proposed as you can see below:

root@openldap-bionic-sru:~# apt policy slapd
slapd:
  Installed: 2.4.45+dfsg-1ubuntu1.4
  Candidate: 2.4.45+dfsg-1ubuntu1.4
  Version table:
 *** 2.4.45+dfsg-1ubuntu1.4 500
        500 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.45+dfsg-1ubuntu1.3 500
        500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
     2.4.45+dfsg-1ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu bionic/main amd64 Packages

And after executing the steps presented in the Test case section, the slapd process did not die:

root@openldap-bionic-sru:~# ps aux | grep slapd
openldap 1029 0.0 4.5 2106104 730124 ? Ssl 18:51 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
root 1488 0.0 0.0 14852 840 ? S+ 18:52 0:00 grep --color=auto slapd
root@openldap-bionic-sru:~# ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
root@openldap-bionic-sru:~# ps aux | grep slapd
openldap 1029 0.0 4.5 2106104 730124 ? Ssl 18:51 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
root 1492 0.0 0.0 14852 804 ? S+ 18:52 0:00 grep --color=auto slapd

The PID of the slapd process is the same. Moreover, there is no sign of crash in the syslog output nor a crash file in /var/crash:

root@openldap-bionic-sru:~# cat /var/log/syslog | grep filter_free
root@openldap-bionic-sru:~# ls /var/crash/ | grep slapd

tags: removed: verification-needed-bionic

I installed the package available in xenial-proposed as you can see below:

root@openldap-xenial-sru:~# apt policy slapd
slapd:
  Installed: 2.4.42+dfsg-2ubuntu3.7
  Candidate: 2.4.42+dfsg-2ubuntu3.7
  Version table:
 *** 2.4.42+dfsg-2ubuntu3.7 500
        500 http://archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     2.4.42+dfsg-2ubuntu3.6 500
        500 http://archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu xenial-security/main amd64 Packages
     2.4.42+dfsg-2ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu xenial/main amd64 Packages

And after executing the steps presented in the Test case section, the slapd process did not die:

root@openldap-xenial-sru:~# ps aux | grep slapd
openldap 2078 0.0 4.5 2094540 730664 ? Ssl 19:02 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
root 2147 0.0 0.0 14616 904 ? S+ 19:03 0:00 grep --color=auto slapd
root@openldap-xenial-sru:~# ldapsearch -x -h localhost -b dc=example,dc=com -LLL uid=root
Server is unwilling to perform (53)
Additional information: searchFilter/searchFilterAttrDN massage error
root@openldap-xenial-sru:~# ps aux | grep slapd
openldap 2078 0.0 4.5 2094540 730576 ? Ssl 19:02 0:00 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
root 2151 0.0 0.0 14616 860 ? S+ 19:03 0:00 grep --color=auto slapd

The PID of the slapd process is the same. Moreover, there is no sign of crash in the syslog output nor a crash file in /var/crash:

root@openldap-xenial-sru:~# cat /var/log/syslog | grep filter_free
root@openldap-xenial-sru:~# ls /var/crash/ | grep slapd

tags: added: verification-done-bionic verification-done-disco verification-done-xenial
removed: verification-needed verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.45+dfsg-1ubuntu1.4

---------------
openldap (2.4.45+dfsg-1ubuntu1.4) bionic; urgency=medium

  * d/p/rwm-do-not-free-original-filter.patch: Fix slapd segfault (LP: #1838370)

 -- Lucas Kanashiro <email address hidden> Thu, 08 Aug 2019 15:08:36 -0300

Changed in openldap (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for openldap has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.47+dfsg-3ubuntu2.2

---------------
openldap (2.4.47+dfsg-3ubuntu2.2) disco; urgency=medium

  * d/p/rwm-do-not-free-original-filter.patch: Fix slapd segfault (LP: #1838370)

 -- Lucas Kanashiro <email address hidden> Thu, 08 Aug 2019 15:04:04 -0300

Changed in openldap (Ubuntu Disco):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openldap - 2.4.42+dfsg-2ubuntu3.7

---------------
openldap (2.4.42+dfsg-2ubuntu3.7) xenial; urgency=medium

  * d/p/rwm-do-not-free-original-filter.patch: Fix slapd segfault (LP: #1838370)

 -- Lucas Kanashiro <email address hidden> Thu, 08 Aug 2019 16:33:06 -0300

Changed in openldap (Ubuntu Xenial):
status: Fix Committed → Fix Released
Changed in openldap (Debian):
status: Unknown → Fix Released