invalid sizelimits in aci group evaluation

[389-ds-bot]

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/47704

• Created at 2014-02-18 22:46:40 by lkrispen (@elkris)
• Closed as Fixed
• Assigned to nobody
• Associated bugzillas
  • https://bugzilla.redhat.com/show_bug.cgi?id=1065971
  • https://bugzilla.redhat.com/show_bug.cgi?id=1072098

---

aci group evaluation fails in some cases because a negative search size limit is applied

[389-ds-bot]

Comment from lkrispen (@elkris) at 2014-02-18 22:47:21

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1065971 (''Red Hat Enterprise Linux 7'')

[389-ds-bot]

Comment from lkrispen (@elkris) at 2014-02-18 22:49:01

Info from bugzilla, not the full content was copied

--- Additional comment from Ludwig on 2014-02-17 03:35:22 EST ---

I think the core of the failure is
[13/Feb/2014:07:24:23 -0500] NSACLPlugin - GroupEval:Looked at too many entries:(0, 1)

Evaluating groupd is limited to a specific number of members (for some reasons decided long,long ago) and it does a comparison:

if (info.c_idx > max_memberlimit &&
max_memberlimit != -1 ) {
slapi_log_error( SLAPI_LOG_ACL, plugin_name,
"GroupEval:Looked at too many entries:(%d, %d)\n",
info.c_idx, info.lu_idx);
this means info.c_idx is 0 and greater max_memberlimit, which means max_meberlimit is < -1, which does not make sense.
But max_memberlimit is derived from search_sizelimit, which is only correctly defined and set for search operations and we are in an add. So there could be problems of memory initialization, if it is 0 or gt 0 everything is fine, otherwise we get the failure.

In my opinion there are two problems in DS:
1] the use of searchsizelinit to control the group evaluation
2] the use of a limit at all. If groups are used in acis then they should be evaluated independent of their size, it is the responsibility of the administrator

--- Additional comment from Martin Kosek on 2014-02-17 04:50:23 EST ---

Right, I also wondered about this line in Comment 45. It really seems that max_memberlimit is lower than -1.

Ludwig, can you attach with gdb to this process and see what really happens? I can lend you my VMs to be able to quickly debug and see what happens.

--- Additional comment from Ludwig on 2014-02-17 07:12:42 EST ---

Running with gdb shows that the values for max_memberlimit vary:
(gdb) p aclpb->aclpb_max_member_sizelimit
$4 = 5000
(gdb) p aclpb->aclpb_max_member_sizelimit
$5 = 100
(gdb) p aclpb->aclpb_max_member_sizelimit
$6 = 100
(gdb) p aclpb->aclpb_max_member_sizelimit
$7 = -1442862096

when it is negative it is related to an extended operation:
0 acllas__user_ismember_of_group (aclpb=, groupDN=groupDN@entry=0x7f7acf0d8a08 "cn=Manage host keytab,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com", clientDN=,
cache_status=cache_status@entry=3, clientCert=) at ldap/servers/plugins/acl/acllas.c:2152
1 0x00007f7ac45cc2c2 in acllas_eval_one_group (groupbuf=groupbuf@entry=0x7f7acf0d8a08 "cn=Manage host keytab,cn=permissions,cn=pbac,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com", lasinfo=0x7f7aa9ff57d0,
lasinfo=0x7f7aa9ff57d0) at ldap/servers/plugins/acl/acllas.c:4438
2 0x00007f7ac45d014c in DS_LASGroupDnEval (errp=, attr_name=, comparator=CMP_OP_EQ, attr_pattern=, cachable=, LAS_cookie=,
subject=0x7f7acedc82d0, resource=0x0, auth_info=0x0, global_auth=0x0) at ldap/servers/plugins/acl/acllas.c:920
3 0x00007f7ac438f495 in ACLEvalAce (errp=errp@entry=0x0, acleval=acleval@entry=0x7f7acef03000, ace=0x7f7acf0141d0, cachable=cachable@entry=0x7f7aa9ff7978, autharray=0x0, global_auth=global_auth@entry=0x0)
at lib/libaccess/oneeval.cpp:254
4 0x00007f7ac438ff59 in ACL_INTEvalTestRights (errp=errp@entry=0x0, acleval=acleval@entry=0x7f7acef03000, rights=0x7f7aa9ffa5b8, rights@entry=0x7f7aa9ffa5b0,
map_generic=map_generic@entry=0x7f7ac47e0ad0 <ds_map_generic>, deny_type=deny_type@entry=0x7f7aa9ffa598, deny_response=deny_response@entry=0x7f7aa9ffa5a0, acl_tag=acl_tag@entry=0x7f7aa9ffa5a8,
expr_num=expr_num@entry=0x7f7aa9ffa594, cachable=cachable@entry=0x7f7aa9ffa500) at lib/libaccess/oneeval.cpp:782
5 0x00007f7ac4390496 in ACL_EvalTestRights (errp=errp@entry=0x0, acleval=acleval@entry=0x7f7acef03000, rights=rights@entry=0x7f7aa9ffa5b0, map_generic=map_generic@entry=0x7f7ac47e0ad0 <ds_map_generic>,
deny_type=deny_type@entry=0x7f7aa9ffa598, deny_response=deny_response@entry=0x7f7aa9ffa5a0, acl_tag=acl_tag@entry=0x7f7aa9ffa5a8, expr_num=expr_num@entry=0x7f7aa9ffa594) at lib/libaccess/oneeval.cpp:992
6 0x00007f7ac45c1049 in acl__TestRights (aclpb=aclpb@entry=0x7f7acef10d30, access=access@entry=8, right=right@entry=0x7f7aa9ffa688, result_reason=result_reason@entry=0x7f7aa9ffa690,
map_generic=0x7f7ac47e0ad0 <ds_map_generic>) at ldap/servers/plugins/acl/acl.c:3102
7 0x00007f7ac45c3c91 in acl_access_allowed (pb=, e=e@entry=0x7f7acf2e8210, attr=attr@entry=0x7f7ac1ee64c3 "krbPrincipalKey", val=, access=access@entry=8)
at ldap/servers/plugins/acl/acl.c:593
8 0x00007f7ac45d5f27 in acl_access_allowed_main (pb=, e=0x7f7acf2e8210, attrs=, val=, access=8, flags=, errbuf=0x0)
at ldap/servers/plugins/acl/aclplugin.c:383
9 0x00007f7acd1a0bec in plugin_call_acl_plugin (pb=pb@entry=0x7f7acf2e82f0, e=e@entry=0x7f7acf2e8210, attrs=attrs@entry=0x7f7aa9ffa7c0, val=val@entry=0x0, access=access@entry=8, flags=flags@entry=0,
errbuf=errbuf@entry=0x0) at ldap/servers/slapd/plugin_acl.c:90
10 0x00007f7acd1a10d7 in slapi_access_allowed (pb=pb@entry=0x7f7acf2e82f0, e=e@entry=0x7f7acf2e8210, attr=attr@entry=0x7f7ac1ee64c3 "krbPrincipalKey", val=val@entry=0x0, access=access@entry=8)
at ldap/servers/slapd/plugin_acl.c:237
11 0x00007f7ac1ee144f in ipapwd_setkeytab (pb=pb@entry=0x7f7acf2e82f0, krbcfg=0x7f7acf2f4bc0) at ipa_pwd_extop.c:803
12 0x00007f7ac1ee20d4 in ipapwd_extop (pb=0x7f7acf2e82f0) at ipa_pwd_extop.c:1188
13 0x00007f7acd19cda2 in plugin_call_exop_plugins (pb=pb@entry=0x7f7acf2e82f0, oid=0x7f7acf1c81a0 "2.16.840.1.113730.3.8.10.1") at ldap/servers/slapd/plugin.c:467
14 0x00007f7acd6649b9 in do_extended (pb=0x7f7acf2e82f0) at ldap/servers/slapd/extendop.c:364
15 0x00007f7acd65f2f3 in connection_dispatch_operation (pb=, op=0x7f7acf2e85a0, conn=0x7f7ab8a917a8) at ldap/servers/slapd/connection.c:650
16 connection_threadmain () at ldap/servers/slapd/connection.c:2372
17 0x00007f7acb781740 in _pt_root (arg=0x7f7acf031f60) at ../../../nspr/pr/src/pthreads/ptthread.c:204
18 0x00007f7acb122df3 in start_thread (arg=0x7f7aa9ffb700) at pthread_create.c:308
19 0x00007f7acae5039d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

The value used for the memberlimit comes from the search_sizelimot in the operation, but the structur is in a union and overlayed by the actual extende op.

(gdb) p *(((Slapi_PBlock *)0x7f7acf2e82f0)->pb_op)
$8 = {o_ber = 0x7f7acf2e81b0, o_msgid = 4, o_tag = 119, o_time = 1392634681, o_interval = 0, o_isroot = 0, o_sdn = {flag = 10 '\n',
udn = 0x7f7acf0a9530 "uid=builduser,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com", dn = 0x7f7acf2f3a80 "uid=builduser,cn=users,cn=accounts,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com", ndn = 0x0,
ndn_len = 72}, o_authtype = 0x7f7aceeacb70 "SASL GSSAPI", o_ssf = 56, o_opid = 3, o_connid = 16, o_handler_data = 0x0, o_result_handler = 0x0, o_search_entry_handler = 0x0, o_search_referral_handler = 0x0,
o_csngen_handler = 0x0, o_replica_attr_handler = 0x0, o_next = 0x0, o_status = 0, o_searchattrs = 0x0, o_flags = 960, o_extension = 0x7f7acf1e4910, o_target_spec = 0x0, o_abandoned_op = 0, o_params = {
operation_type = 512, target_address = {udn = 0x0, uniqueid = 0x0, sdn = 0x0}, csn = 0x0, request_controls = 0x0, p = {p_add = {target_entry = 0x7f7acf1c81a0, parentuniqueid = 0x7f7aa9ffabf0 "$\001"},
p_bind = {bind_method = -820215392, bind_creds = 0x7f7aa9ffabf0, bind_saslmechanism = 0x0, bind_ret_saslcreds = 0x0}, p_compare = {compare_ava = {ava_type = 0x7f7acf1c81a0 "2.16.840.1.113730.3.8.10.1",
ava_value = {bv_len = 140164814842864, bv_val = 0x0}, ava_private = 0x0}}, p_modify = {modify_mods = 0x7f7acf1c81a0}, p_modrdn = {modrdn_newrdn = 0x7f7acf1c81a0 "2.16.840.1.113730.3.8.10.1",
modrdn_deloldrdn = -1442862096, modrdn_newsuperior_address = {udn = 0x0, uniqueid = 0x0, sdn = 0x0}, modrdn_mods = 0x0},

p_search = {search_scope = -820215392, search_deref = 32634,
search_sizelimit = -1442862096, search_timelimit = 32634, search_filter = 0x0, search_strfilter = 0x0, search_attrs = 0x0, search_attrsonly = 0, search_is_and = 0, search_gerattrs = 0x0},

p_abandon = {
abandon_targetmsgid = -820215392},

p_extended = {exop_oid = 0x7f7acf1c81a0 "2.16.840.1.113730.3.8.10.1", exop_value = 0x7f7aa9ffabf0, o_results = {operation_type = 0, opreturn = 0, result_controls = 0x0, result_code = 0, result_text = 0x0, result_matched = 0x0, r = {r_bind = {bind_ret_saslcreds = 0x0}, r_search = {search_result_set = 0x0, search_result_entry = 0x0, opaque_backend_ptr = 0x0, nentries = 0, search_referrals = 0x0, estimate = 0}, r_extended = {exop_ret_oid = 0x0, exop_ret_value = 0x0, o_pagedresults_sizelimit = -1}

so part of a pointer is interpreted as int.

If the group search should be limited this limit has to be defined independently from the search limit

[389-ds-bot]

Comment from lkrispen (@elkris) at 2014-02-18 22:52:50

attachment
0001-Ticket-47704-invalid-sizelimits-in-aci-group-evaluat.patch

[389-ds-bot]

Comment from lkrispen (@elkris) at 2014-02-18 23:32:14

git push origin 389-ds-base-1.3.1
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.13 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
b45fb44..377266e 389-ds-base-1.3.1 -> 389-ds-base-1.3.1

git push origin 389-ds-base-1.3.1
Enter passphrase for key '/home/elkris/.ssh/id_rsa_fedora':
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.13 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
b45fb44..377266e 389-ds-base-1.3.1 -> 389-ds-base-1.3.1

git push origin 389-ds-base-1.3.1
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.13 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
b45fb44..377266e 389-ds-base-1.3.1 -> 389-ds-base-1.3.1

[389-ds-bot]

Comment from nhosoi (@nhosoi) at 2014-03-09 20:08:50

Pushed to 389-ds-base-1.2.11:
2786adb..e0092e3 389-ds-base-1.2.11 -> 389-ds-base-1.2.11
commit e0092e3

[389-ds-bot]

Comment from lkrispen (@elkris) at 2014-06-10 23:48:49

fix was not committed to 1.3.2

[389-ds-bot]

Comment from lkrispen (@elkris) at 2014-06-11 14:41:28

$git cherry-pick e5b83f5
[389-ds-base-1.3.2 3e5c14a] Ticket 47704 - invalid sizelimits in aci group evaluation
1 file changed, 6 insertions(+)

$ git push origin 389-ds-base-1.3.2
Counting objects: 13, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (7/7), 1.14 KiB, done.
Total 7 (delta 5), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
4cdd7fd..3e5c14a 389-ds-base-1.3.2 -> 389-ds-base-1.3.2

[389-ds-bot]

Comment from lkrispen (@elkris) at 2017-02-11 23:12:04

Metadata Update from @elkris:

• Issue set to the milestone: 1.3.2.18