389ds / 389-ds-base

The enterprise-class Open Source LDAP server for Linux
https://www.port389.org/

Password change fails when using cracklib dictionary check on a subtree/user password policy #6270

Open jjw24 opened 1 month ago

jjw24 commented 1 month ago

Issue Description

When I have a subtree or user password policy applied with pwdchecksyntax and pwddictcheck both on and pwddictpath pointing to cracklib dictionary, changing the password of users with the policy applied will fail with a 'No such file or directory' error (see screenshot). The dictionary file definitely exists at the right location.

Same error also if the subtree policy inherits from global policy that has all three options set.

This however, is not an issue if only used with a global policy and not applied at subtree/user level.

Package Version and Platform:

Steps to Reproduce

Steps to reproduce the behavior:

  1. dsconf -D "cn=Directory Manager" -W ldap://localhost:389 localpwp addsubtree "ou=users,dc=test,dc=com,dc=au"
  2. dsconf -D "cn=Directory Manager" -W ldap://localhost:389 localpwp set --pwdchecksyntax=on --pwddictcheck=on --pwddictpath=/usr/share/cracklib/pw_dict "ou=users,dc=test,dc=com,dc=au"
  3. Change password for any user in the 'users' OU
  4. See the error with symbols and 'No such file or directory' text (refer to below error image)

Expected results

Password change successful after running it through cracklib dictionary check

Screenshots

CLI: image

389ds log: cracklib issue

Additional context

I have not been able to test this on a different platform.

vashirov commented 1 month ago

Hi, thank you for the detailed steps, I can reproduce the issue. Could you please try creating the pwpolicy without pwddictpath? By default it uses pw_dict already.

vashirov commented 1 month ago

AddressSanitizer detects heap use after free:

=================================================================
==2234230==ERROR: AddressSanitizer: heap-use-after-free on address 0x503000b24e90 at pc 0xffffa8e988d0 bp 0xfffae560a590 sp 0xfffae560a650
READ of size 4 at 0x503000b24e90 thread T16
    #0 0xffffa8e988cc in printf_common(void*, char const*, std::__va_list) (/lib64/libasan.so.8+0x988cc) (BuildId: 9ba6a9fd500e68505d958a188186c1052f951e50)
    #1 0xffffa8eb9adc in vsnprintf (/lib64/libasan.so.8+0xb9adc) (BuildId: 9ba6a9fd500e68505d958a188186c1052f951e50)
    #2 0xffffa8ebb790 in __snprintf_chk (/lib64/libasan.so.8+0xbb790) (BuildId: 9ba6a9fd500e68505d958a188186c1052f951e50)
    #3 0xffffa75e0630 in PWOpen (/lib64/libcrack.so.2+0x10630) (BuildId: de7c98f0095ec4c44157373e7586fa81d69a3c2a)
    #4 0xffffa75e2df0 in FascistCheckUser (/lib64/libcrack.so.2+0x12df0) (BuildId: de7c98f0095ec4c44157373e7586fa81d69a3c2a)
    #5 0xffffa8a526a4 in check_pw_syntax_ext ldap/servers/slapd/pw.c:1173
    #6 0xffffa8a00c38 in op_shared_allow_pw_change ldap/servers/slapd/modify.c:1307
    #7 0xffffa8a02c4c in do_modify (/usr/lib64/dirsrv/libslapd.so.0+0x202c4c) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #8 0xaaaae5db1d78 in connection_dispatch_operation ldap/servers/slapd/connection.c:654
    #9 0xaaaae5db1d78 in connection_threadmain ldap/servers/slapd/connection.c:1921
    #10 0xffffa8390f3c in _pt_root (/lib64/libnspr4.so+0x30f3c) (BuildId: 03df7b5493521980be22facb72da0c6b4334e7db)
    #11 0xffffa8e64788 in asan_thread_start(void*) (/lib64/libasan.so.8+0x64788) (BuildId: 9ba6a9fd500e68505d958a188186c1052f951e50)
    #12 0xffffa86b67d4 in start_thread (/lib64/libc.so.6+0x967d4) (BuildId: 49fb62765aad3b48dc063c732d67f72709cf294b)
    #13 0xffffa8721b88 in thread_start (/lib64/libc.so.6+0x101b88) (BuildId: 49fb62765aad3b48dc063c732d67f72709cf294b)

0x503000b24e90 is located 0 bytes inside of 28-byte region [0x503000b24e90,0x503000b24eac)
freed by thread T16 here:
    #0 0xffffa8edff38 in free.part.0 (/lib64/libasan.so.8+0xdff38) (BuildId: 9ba6a9fd500e68505d958a188186c1052f951e50)
    #1 0xffffa8956d54 in slapi_ch_free (/usr/lib64/dirsrv/libslapd.so.0+0x156d54) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #2 0xffffa8ab2880 in value_done (/usr/lib64/dirsrv/libslapd.so.0+0x2b2880) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #3 0xffffa8ab28f8 in slapi_value_free (/usr/lib64/dirsrv/libslapd.so.0+0x2b28f8) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #4 0xffffa8ab29a0 in valuearray_free_ext (/usr/lib64/dirsrv/libslapd.so.0+0x2b29a0) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #5 0xffffa8ab2ad0 in slapi_valueset_done (/usr/lib64/dirsrv/libslapd.so.0+0x2b2ad0) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #6 0xffffa895f5cc in attr_done (/usr/lib64/dirsrv/libslapd.so.0+0x15f5cc) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #7 0xffffa895f798 in slapi_attr_free (/usr/lib64/dirsrv/libslapd.so.0+0x15f798) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #8 0xffffa895f8f8 in attrlist_free ldap/servers/slapd/attrlist.c:23
    #9 0xffffa898dd2c in slapi_entry_free (/usr/lib64/dirsrv/libslapd.so.0+0x18dd2c) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #10 0xffffa8a4f320 in new_passwdPolicy (/usr/lib64/dirsrv/libslapd.so.0+0x24f320) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #11 0xffffa8a00b90 in op_shared_allow_pw_change ldap/servers/slapd/modify.c:1182
    #12 0xffffa8a02c4c in do_modify (/usr/lib64/dirsrv/libslapd.so.0+0x202c4c) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #13 0xaaaae5db1d78 in connection_dispatch_operation ldap/servers/slapd/connection.c:654
    #14 0xaaaae5db1d78 in connection_threadmain ldap/servers/slapd/connection.c:1921
    #15 0xffffa8390f3c in _pt_root (/lib64/libnspr4.so+0x30f3c) (BuildId: 03df7b5493521980be22facb72da0c6b4334e7db)
    #16 0xffffa8e64788 in asan_thread_start(void*) (/lib64/libasan.so.8+0x64788) (BuildId: 9ba6a9fd500e68505d958a188186c1052f951e50)
    #17 0xffffa86b67d4 in start_thread (/lib64/libc.so.6+0x967d4) (BuildId: 49fb62765aad3b48dc063c732d67f72709cf294b)
    #18 0xffffa8721b88 in thread_start (/lib64/libc.so.6+0x101b88) (BuildId: 49fb62765aad3b48dc063c732d67f72709cf294b)

previously allocated by thread T16 here:
    #0 0xffffa8ee1098 in malloc (/lib64/libasan.so.8+0xe1098) (BuildId: 9ba6a9fd500e68505d958a188186c1052f951e50)
    #1 0xffffa89676e8 in slapi_ch_malloc (/usr/lib64/dirsrv/libslapd.so.0+0x1676e8) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #2 0xffffa8aa9b74 in ber_bvcpy.part.0 (/usr/lib64/dirsrv/libslapd.so.0+0x2a9b74) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #3 0xffffa8aa9fa4 in slapi_value_set_berval (/usr/lib64/dirsrv/libslapd.so.0+0x2a9fa4) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #4 0xffffa8ab2fcc in value_init (/usr/lib64/dirsrv/libslapd.so.0+0x2b2fcc) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #5 0xffffa8ab3100 in value_new (/usr/lib64/dirsrv/libslapd.so.0+0x2b3100) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #6 0xffffa8ab3d50 in slapi_value_dup (/usr/lib64/dirsrv/libslapd.so.0+0x2b3d50) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #7 0xffffa8ab4988 in valueset_set_valueset (/usr/lib64/dirsrv/libslapd.so.0+0x2b4988) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #8 0xffffa896bc70 in slapi_attr_dup (/usr/lib64/dirsrv/libslapd.so.0+0x16bc70) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #9 0xffffa898f724 in slapi_entry_dup (/usr/lib64/dirsrv/libslapd.so.0+0x18f724) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #10 0xffffa8a3cab4 in slapi_search_internal_get_entry (/usr/lib64/dirsrv/libslapd.so.0+0x23cab4) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #11 0xffffa8a4dfdc in get_entry (/usr/lib64/dirsrv/libslapd.so.0+0x24dfdc) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #12 0xffffa8a4eaa4 in new_passwdPolicy (/usr/lib64/dirsrv/libslapd.so.0+0x24eaa4) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #13 0xffffa8a00b90 in op_shared_allow_pw_change ldap/servers/slapd/modify.c:1182
    #14 0xffffa8a02c4c in do_modify (/usr/lib64/dirsrv/libslapd.so.0+0x202c4c) (BuildId: 3e55dd8b3e122cd7525ab61b97468e93745d11ce)
    #15 0xaaaae5db1d78 in connection_dispatch_operation ldap/servers/slapd/connection.c:654
    #16 0xaaaae5db1d78 in connection_threadmain ldap/servers/slapd/connection.c:1921
    #17 0xffffa8390f3c in _pt_root (/lib64/libnspr4.so+0x30f3c) (BuildId: 03df7b5493521980be22facb72da0c6b4334e7db)
    #18 0xffffa8e64788 in asan_thread_start(void*) (/lib64/libasan.so.8+0x64788) (BuildId: 9ba6a9fd500e68505d958a188186c1052f951e50)
    #19 0xffffa86b67d4 in start_thread (/lib64/libc.so.6+0x967d4) (BuildId: 49fb62765aad3b48dc063c732d67f72709cf294b)
    #20 0xffffa8721b88 in thread_start (/lib64/libc.so.6+0x101b88) (BuildId: 49fb62765aad3b48dc063c732d67f72709cf294b)

Thread T16 created by T0 here:
    #0 0xffffa8eda444 in pthread_create (/lib64/libasan.so.8+0xda444) (BuildId: 9ba6a9fd500e68505d958a188186c1052f951e50)
    #1 0xffffa8390c20 in _PR_CreateThread (/lib64/libnspr4.so+0x30c20) (BuildId: 03df7b5493521980be22facb72da0c6b4334e7db)
    #2 0xaaaae5d9f8d8 in init_op_threads ldap/servers/slapd/connection.c:476
    #3 0xaaaae5db4044 in slapd_daemon ldap/servers/slapd/daemon.c:1030
    #4 0xaaaae5d962a4 in main (/usr/sbin/ns-slapd+0x362a4) (BuildId: c7d73ee8b3f501c77c66ba3583b0dff2923cd21d)
    #5 0xffffa8650a18 in __libc_start_call_main (/lib64/libc.so.6+0x30a18) (BuildId: 49fb62765aad3b48dc063c732d67f72709cf294b)
    #6 0xffffa8650af8 in __libc_start_main@GLIBC_2.17 (/lib64/libc.so.6+0x30af8) (BuildId: 49fb62765aad3b48dc063c732d67f72709cf294b)
    #7 0xaaaae5d99eec in _start (/usr/sbin/ns-slapd+0x39eec) (BuildId: c7d73ee8b3f501c77c66ba3583b0dff2923cd21d)

SUMMARY: AddressSanitizer: heap-use-after-free (/lib64/libasan.so.8+0x988cc) (BuildId: 9ba6a9fd500e68505d958a188186c1052f951e50) in printf_common(void*, char const*, std::__va_list)
==2234230==ABORTING

For some reason I can't get better symbols, addr2line fails too, even though all debuginfo data is installed.

progier389 commented 1 month ago

Indeed there is a problem with how new_passwdPolicy handles pwdpolicy->pw_dict_path (it stores the reference to the entry attribute value directly in the policy instead of duplicating the string).
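The lifetime bug described in the comment above, as an added example that is not part of the thread and is not 389-ds-base code: a policy that keeps the entry's own string pointer, beside one that keeps a private copy. All type and function names are hypothetical, and the entry's storage is scrubbed rather than freed so the stale read can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins; these are not the 389-ds-base structures. */
typedef struct { char value[64]; } entry_t;            /* owns the attribute value */
typedef struct { char *pw_dict_path; int owned; } policy_t;
/* Scrubbed on release but never unmapped, so the stale read has no UB. */
static entry_t slot;

static entry_t *entry_fetch(const char *path) {
    snprintf(slot.value, sizeof slot.value, "%s", path);
    return &slot;
}
static void entry_release(entry_t *e) {       /* models freeing the entry */
    memset(e->value, '#', strlen(e->value));
}
static char *dup_str(const char *s) {
    char *d = malloc(strlen(s) + 1);
    return d ? strcpy(d, s) : NULL;
}
/* Flawed pattern: the policy stores the entry's own pointer. */
static policy_t policy_new_borrowing(const char *path) {
    entry_t *e = entry_fetch(path);
    policy_t p = { e->value, 0 };
    entry_release(e);                         /* p.pw_dict_path is now stale */
    return p;
}

/* Corrected pattern: the policy stores a private copy it must free later. */
static policy_t policy_new_copying(const char *path) {
    entry_t *e = entry_fetch(path);
    policy_t p = { dup_str(e->value), 1 };
    entry_release(e);
    return p;
}

/* Returns 1 if the policy still holds the configured path once the entry is gone. */
static int path_survives(policy_t (*make)(const char *), const char *path) {
    policy_t p = make(path);
    int ok = p.pw_dict_path != NULL && strcmp(p.pw_dict_path, path) == 0;
    if (p.owned) free(p.pw_dict_path);
    return ok;
}
int main(void) {
    const char *path = "/usr/share/cracklib/pw_dict";
    printf("borrowed pointer survives: %d\n", path_survives(policy_new_borrowing, path));
    printf("private copy survives:     %d\n", path_survives(policy_new_copying, path));
    return 0;
}
```

With the borrowed pointer the dictionary path handed to the checker is whatever now occupies the released storage, which matches the garbled path and 'No such file or directory' error in the report.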

jjw24 commented 1 month ago

> Hi, thank you for the detailed steps, I can reproduce the issue. Could you please try creating the pwpolicy without pwddictpath? By default it uses pw_dict already.

Hi there, thank you for spending the time looking into this. Can confirm creating the subtree pwdpolicy without pwddictpath works.