AddressSanitizer: heap-use-after-free in import_free_job

[389-ds-bot]

Cloned from Pagure issue: https://pagure.io/389-ds-base/issue/50646

• Created at 2019-10-14 16:06:46 by mreynolds (@mreynolds389)
• Closed at 2019-10-16 20:57:49 as fixed
• Assigned to mreynolds (@mreynolds389)
• Associated bugzillas
  • https://bugzilla.redhat.com/show_bug.cgi?id=1758109

---

Ticket was cloned from Red Hat Bugzilla: Bug 1758109

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
The ASAN error was reported during the execution of
dirsrvtests/tests/suites/basic/basic_test.py::test_basic_import_export

=================================================================
==1150== ERROR: AddressSanitizer: heap-use-after-free on address 0x602a0006a828
at pc 0x7f414d09aef9 bp 0x7f40b0ee1780 sp 0x7f40b0ee1770
READ of size 8 at 0x602a0006a828 thread T73
    0 0x7f414d09aef8 in import_free_job
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:155
    1 0x7f414d09c35f in import_main_offline
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:1611
    2 0x7f4159857bfa in PR_Select /usr/src/debug/nspr-4.21/pr/src/pthreads/../
../../nspr/pr/src/pthreads/ptthread.c:201
    3 0x7f415bd61867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
    4 0x7f41591f7ea4 in start_thread
/usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:307
    5 0x7f41588a38dc in __clone /usr/src/debug////////glibc-2.17-c758a686/misc
/../sysdeps/unix/sysv/linux/x86_64/clone.S:111
0x602a0006a828 is located 232 bytes inside of 328-byte region
[0x602a0006a740,0x602a0006a888)
freed by thread T0 here:
    0 0x7f415bd5ddd9 in __interceptor_free _asan_rtl_
    1 0x7f415b6c7588 in slapi_ch_free
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/ch_malloc.c:265
    2 0x7f414d099af9 in idl_iterator_dereference_decrement
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:255
    3 0x7f415b7e179f in destroy_task
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/task.c:649
    4 0x7f415b7edf56 in task_shutdown
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/task.c:3020
    5 0x55f28b15dac7 in ??
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/daemon.c:1275
    6 0x55f28b13cde3 in ??
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/main.c:1204
    7 0x7f41587c7554 in __libc_start_main
/usr/src/debug/glibc-2.17-c758a686/csu/../csu/libc-start.c:266
previously allocated by thread T16 here:
    0 0x7f415bd5dff5 in calloc _asan_rtl_
    1 0x7f415b6c7148 in slapi_ch_calloc
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/ch_malloc.c:175
    2 0x7f414d09fa5b in ldbm_back_ldif2ldbm_deluxe
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/back-ldbm/import.c:1648
    3 0x7f414d10e425 in ldbm_back_ldif2ldbm /usr/src/debug/389-ds-base-1.3.10.
1/ldap/servers/slapd/back-ldbm/ldif2ldbm.c:809
    4 0x7f415b7e668d in task_import_add
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/task.c:1041
    5 0x7f415b6de430 in dse_call_callback
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/dse.c:2553
    6 0x7f415b6e3b49 in dse_add
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/dse.c:2250
    7 0x7f415b6b160b in op_shared_add
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/add.c:679
    8 0x7f415b6b328f in do_add
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/add.c:236
    9 0x55f28b151797 in ??
/usr/src/debug/389-ds-base-1.3.10.1/ldap/servers/slapd/connection.c:610
    10 0x7f4159857bfa in PR_Select /usr/src/debug/nspr-4.21/pr/src/pthreads/..
/../../nspr/pr/src/pthreads/ptthread.c:201
Thread T73 created by T16 here:
    0 0x7f415bd52a0a in __interceptor_pthread_create _asan_rtl_
    1 0x7f41598578cb in PR_Select /usr/src/debug/nspr-4.21/pr/src/pthreads/../
../../nspr/pr/src/pthreads/ptthread.c:433
    2 0x0
Thread T16 created by T0 here:
    0 0x7f415bd52a0a in __interceptor_pthread_create _asan_rtl_
    1 0x7f41598578cb in PR_Select /usr/src/debug/nspr-4.21/pr/src/pthreads/../
../../nspr/pr/src/pthreads/ptthread.c:433
    2 0x0
Shadow bytes around the buggy address:
  0x0c05c00054b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c00054c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c00054d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c00054e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c05c00054f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c05c0005500: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c05c0005510: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c0005520: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c0005530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c0005540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c05c0005550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==1150== ABORTING

Version-Release number of selected component (if applicable):
389-ds-base-1.3.10.1-2


How reproducible:
1 out of 10 runs

Steps to Reproduce:

Run dirsrvtests/tests/suites/basic/basic_test.py::test_basic_import_export

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-10-14 16:06:47

Metadata Update from @mreynolds389:

• Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1758109

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-10-15 17:10:22

Filed PR:

#3705

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-10-15 17:10:22

Metadata Update from @mreynolds389:

• Custom field origin adjusted to None
• Custom field reviewstatus adjusted to None

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-10-16 20:29:25

4673148 - 1.4.1

6304942..4898470 389-ds-base-1.4.0 -> 389-ds-base-1.4.0

e185f7c..9e88768 389-ds-base-1.3.10 -> 389-ds-base-1.3.10

Going to work on front-port to 1.4.2 (master branch) next...

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-10-16 20:29:33

Metadata Update from @mreynolds389:

• Issue assigned to mreynolds389

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-10-16 20:57:39

Commit 7a0a090c relates to this ticket

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-10-16 20:57:49

c95f6cf..7a0a090 master -> master

[389-ds-bot]

Comment from mreynolds (@mreynolds389) at 2019-10-16 20:57:50

Metadata Update from @mreynolds389:

• Issue close_status updated to: fixed
• Issue status updated to: Closed (was: Open)

[389-ds-bot]

Comment from vashirov (@vashirov) at 2020-02-12 17:32:48

Metadata Update from @vashirov:

• Issue set to the milestone: None (was: 0.0 NEEDS_TRIAGE)