heap-use-after-free in slapi_sdn_common_ancestor

[389-ds-bot]

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/49473

• Created at 2017-11-28 16:37:52 by firstyear (@Firstyear)
• Assigned to mreynolds (@mreynolds389)
• Associated bugzillas
  • https://bugzilla.redhat.com/show_bug.cgi?id=1517968

---

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1517968

Description of problem:
=================================================================
==12884== ERROR: AddressSanitizer: heap-use-after-free on address
0x600e0014cb70 at pc 0x7f36c786e615 bp 0x7f3680ed4c70 sp 0x7f3680ed4c60
READ of size 8 at 0x600e0014cb70 thread T35
    0 0x7f36c786e614 in slapi_sdn_common_ancestor
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2523
    1 0x7f36c7874937 in dse_delete
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2431
    2 0x7f36c785f486 in op_shared_delete
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/delete.c:324
    3 0x7f36c785fa1a in do_delete
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/delete.c:97
    4 0x55d6ad486e38 in ??
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:614
    5 0x7f36c59f7c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/.
./../../nspr/pr/src/pthreads/ptthread.c:216
    6 0x7f36c7eec867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
    7 0x7f36c5397dd4 in start_thread
/usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308
    8 0x7f36c4a459bc in __clone /usr/src/debug////////glibc-2.17-c758a686/misc
/../sysdeps/unix/sysv/linux/x86_64/clone.S:113
0x600e0014cb70 is located 64 bytes inside of 72-byte region
[0x600e0014cb30,0x600e0014cb78)
freed by thread T35 here:
    0 0x7f36c7ee8dd9 in __interceptor_free _asan_rtl_
    1 0x7f36c78576c8 in slapi_ch_free
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/ch_malloc.c:270
    2 0x7f36c78751e7 in dse_remove_callback
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:321
    3 0x7f36c7875639 in slapi_config_remove_callback
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2618
    4 0x7f36bc4b890c in cb_delete_monitor_callback /usr/src/debug/389-ds-base-
1.3.7.5/ldap/servers/plugins/chainingdb/cb_monitor.c:236
    5 0x7f36bc4b32ec in cb_instance_delete_config_callback /usr/src/debug/389-
ds-base-1.3.7.5/ldap/servers/plugins/chainingdb/cb_instance.c:1759
    6 0x7f36c786e520 in slapi_sdn_common_ancestor
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2543
    7 0x7f36c7874937 in dse_delete
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2431
    8 0x7f36c785f486 in op_shared_delete
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/delete.c:324
    9 0x7f36c785fa1a in do_delete
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/delete.c:97
    10 0x55d6ad486e38 in ??
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:614
    11 0x7f36c59f7c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/
../../../nspr/pr/src/pthreads/ptthread.c:216
previously allocated by thread T33 here:
    0 0x7f36c7ee8ff5 in calloc _asan_rtl_
    1 0x7f36c7857288 in slapi_ch_calloc
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/ch_malloc.c:180
    2 0x7f36c7874bd2 in dse_register_callback
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:214
    3 0x7f36c787546a in slapi_config_register_callback_plugin
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2597
    4 0x7f36c787551d in slapi_config_register_callback
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/dse.c:2567
    5 0x7f36bc4afb97 in cb_instance_add_monitor_later /usr/src/debug/389-ds-ba
se-1.3.7.5/ldap/servers/plugins/chainingdb/cb_instance.c:1788
    6 0x7f36c7888544 in slapd_versatile_strerror
/usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/eventq.c:278
    7 0x7f36c59f7c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/.
./../../nspr/pr/src/pthreads/ptthread.c:216
Thread T35 created by T0 here:
    0 0x7f36c7edda0a in __interceptor_pthread_create _asan_rtl_
    1 0x7f36c59f795b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/.
./../../nspr/pr/src/pthreads/ptthread.c:457
    2 0x0
Thread T33 created by T0 here:
    0 0x7f36c7edda0a in __interceptor_pthread_create _asan_rtl_
    1 0x7f36c59f795b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/.
./../../nspr/pr/src/pthreads/ptthread.c:457
Shadow bytes around the buggy address:
  0x0c0240021910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0240021920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0240021930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0240021940: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c0240021950: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c0240021960: fd fa fa fa fa fa fd fd fd fd fd fd fd fd[fd]fa
  0x0c0240021970: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c0240021980: fa fa fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0240021990: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
  0x0c02400219a0: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c02400219b0: fd fd fd fd fd fa fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==12884== ABORTING

Version-Release number of selected component (if applicable):
389-ds-base-1.3.7.5-10.el7.x86_64

Problem has occurred in chainingdb test suite in TET.

[389-ds-bot]

Comment from firstyear (@Firstyear) at 2017-11-28 16:37:53

Metadata Update from @Firstyear:

• Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1517968

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2018-02-13 18:46:36

Metadata Update from @mreynolds389:

• Custom field component adjusted to None
• Custom field origin adjusted to None
• Custom field reviewstatus adjusted to None
• Custom field type adjusted to None
• Custom field version adjusted to None
• Issue set to the milestone: 1.3.7.0 (was: 0.0 NEEDS_TRIAGE)

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-08-23 20:03:11

Metadata Update from @mreynolds389:

• Issue set to the milestone: 1.4.2 (was: 1.3.7.0)

[389-ds-bot]

Comment from vashirov (@vashirov) at 2020-03-11 15:36:37

Metadata Update from @vashirov:

• Issue set to the milestone: 1.4.3 (was: 1.4.2)

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2020-03-12 15:39:25

Metadata Update from @mreynolds389:

• Issue assigned to mreynolds389