openldap-bugs January 2015

openldap-bugs@openldap.org

22 participants
114 discussions

Re: (ITS#8028) NULL pointer dereference in ldap_new_connection()
by hyc＠symas.com 20 Jan '15

20 Jan '15

rohanskurane(a)gmail.com wrote: > Full_Name: Rohan Kurane > Version: 2.4.40 > OS: BSD 7.2 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (64.80.217.3) > > > In ldap_new_connection() in request.c, while setting up a connection to the LDAP > server, there is a possibility of dereferencing a NULL pointer in > lc->locnn_server Fixed in git master. Please don't send HTML emails, they're particularly unreadable with embedded code like this. > > if ( connect ) { > LDAPURLDesc **srvp, *srv = NULL; > > async % LDADAP_BOOL_GET( &ld->ld_options, LDAP_BOOL_CONNECT_ASYNC ); > > for ( srvp = srvlist; *srvp != NULL; srvp = &(*srvp)->lud_next ) { > int rc; > > rc = ldap_int_open_connection( ld, lc, *srvp, async ); > if ( rc != -1 ) { > srv = *srvp; > > 9%9 if ( ld->ld_urllist_proc && ( !async || rc != -2 ) ) { > ld->ld_urllist_proc( ld, srvlist, srvp, ld->ld_urllist_params ); > } > > break; > } > } > > if ( srv == NULL ) { > if ( !use_ldsb ) { > ber_sockbuf_free( lc->lconn_sb ); > %%D > LDAP_FREE( (char *)lc ); > ld->ld_errno = LDAP_SERVER_DOWN; > return( NULL ); > } > > lc->lconn_server = ldap_url_dup( srv ); > } > > ldap_url_dup() does a bunch of malloc's to set up lc->lconn_server. If any of > those malloc's fail, it returns NULL. The code does not check for a NULL > lconn_server pointer and tries to reference lud_exts. That can cause a > segmentation fault. > > if ( connect ) { > #ifdef HAVE_TLS > if ( lc->lconn_server->lud_exts ) { > int rc, ext = find_tls_ext( lc->lconn_server ); > if ( ext ) { > LDAPConn *savedefconn; > > Even thou this should not happen, is this a known issue and are there any plans > to fix the openldap library ? > > Thank you > > -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#8028) NULL pointer dereference in ldap_new_connection()
by rohanskurane＠gmail.com 20 Jan '15

20 Jan '15

Full_Name: Rohan Kurane Version: 2.4.40 OS: BSD 7.2 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (64.80.217.3) In ldap_new_connection() in request.c, while setting up a connection to the LDAP server, there is a possibility of dereferencing a NULL pointer in lc->locnn_server if ( connect ) { LDAPURLDesc **srvp, *srv = NULL; async % LDADAP_BOOL_GET( &ld->ld_options, LDAP_BOOL_CONNECT_ASYNC ); for ( srvp = srvlist; *srvp != NULL; srvp = &(*srvp)->lud_next ) { int rc; rc = ldap_int_open_connection( ld, lc, *srvp, async ); if ( rc != -1 ) { srv = *srvp; 9%9 if ( ld->ld_urllist_proc && ( !async || rc != -2 ) ) { ld->ld_urllist_proc( ld, srvlist, srvp, ld->ld_urllist_params ); } break; } } if ( srv == NULL ) { if ( !use_ldsb ) { ber_sockbuf_free( lc->lconn_sb ); %%D LDAP_FREE( (char *)lc ); ld->ld_errno = LDAP_SERVER_DOWN; return( NULL ); } lc->lconn_server = ldap_url_dup( srv ); } ldap_url_dup() does a bunch of malloc's to set up lc->lconn_server. If any of those malloc's fail, it returns NULL. The code does not check for a NULL lconn_server pointer and tries to reference lud_exts. That can cause a segmentation fault. if ( connect ) { #ifdef HAVE_TLS if ( lc->lconn_server->lud_exts ) { int rc, ext = find_tls_ext( lc->lconn_server ); if ( ext ) { LDAPConn *savedefconn; Even thou this should not happen, is this a known issue and are there any plans to fix the openldap library ? Thank you

1 0

Re: (ITS#8027) ldapsearch -E deref=member: crashes slapd
by hyc＠symas.com 19 Jan '15

19 Jan '15

1 0

Re: (ITS#8027) ldapsearch -E deref=member: crashes slapd
by michael＠stroeder.com 19 Jan '15

19 Jan '15

hyc(a)symas.com wrote: > As I read the grammar in the draft section 2.2 the attributeList is not > OPTIONAL so this is definitely not a valid request. But this invalid request must not crash slapd with slapo-deref installed. Ciao, Michael.

1 0

Re: (ITS#8027) ldapsearch -E deref=member: crashes slapd
by hyc＠symas.com 19 Jan '15

19 Jan '15

ryan(a)nardis.ca wrote: > Full_Name: Ryan Tandy > Version: master (7df548d), RE24 (2b14bbc) > OS: Debian unstable > URL: > Submission from: (NULL) (142.32.208.227) > > > If you use the deref control but leave the list of requested attributes empty, > slapd crashes. > > ldapsearch [...] -E deref=member: > > #0 0x0000000000516ef0 in deref_parseCtrl (op=0x7fffec000940, rs=0x7ffff57eeac0, > ctrl=0x7fffec001238) at deref.c:225 > #1 0x000000000046a84d in slap_parse_ctrl (op=0x7fffec000940, rs=0x7ffff57eeac0, > control=0x7fffec001238, text=0x7ffff57eeae0) > at controls.c:693 > #2 0x000000000046b0f5 in get_ctrls2 (op=0x7fffec000940, rs=0x7ffff57eeac0, > sendres=1, ctag=160) at controls.c:886 > #3 0x000000000046a8ff in get_ctrls (op=0x7fffec000940, rs=0x7ffff57eeac0, > sendres=1) at controls.c:723 > #4 0x000000000042e94e in do_search (op=0x7fffec000940, rs=0x7ffff57eeac0) at > search.c:195 > #5 0x000000000042bdf3 in connection_operation (ctx=0x7ffff57eebf0, > arg_v=0x7fffec000940) at connection.c:1134 > #6 0x000000000042c3a3 in connection_read_thread (ctx=0x7ffff57eebf0, argv=0xb) > at connection.c:1280 > #7 0x0000000000538938 in ldap_int_thread_pool_wrapper (xpool=0x892bc0) at > tpool.c:958 > #8 0x00007ffff79b00a4 in start_thread (arg=0x7ffff57ef700) at > pthread_create.c:309 > #9 0x00007ffff76e4ccd in clone () at > ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 > > (line numbers are from master) > > The ldapsearch manpage implies this probably isn't valid, but it still accepted > it. (FWIW, I tried it just to see whether it would return all attributes or > none.) I couldn't tell from draft-ldap-deref-00 whether an empty attr list is > considered a valid request. As I read the grammar in the draft section 2.2 the attributeList is not OPTIONAL so this is definitely not a valid request. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

(ITS#8027) ldapsearch -E deref=member: crashes slapd
by ryan＠nardis.ca 19 Jan '15

19 Jan '15

Full_Name: Ryan Tandy Version: master (7df548d), RE24 (2b14bbc) OS: Debian unstable URL: Submission from: (NULL) (142.32.208.227) If you use the deref control but leave the list of requested attributes empty, slapd crashes. ldapsearch [...] -E deref=member: #0 0x0000000000516ef0 in deref_parseCtrl (op=0x7fffec000940, rs=0x7ffff57eeac0, ctrl=0x7fffec001238) at deref.c:225 #1 0x000000000046a84d in slap_parse_ctrl (op=0x7fffec000940, rs=0x7ffff57eeac0, control=0x7fffec001238, text=0x7ffff57eeae0) at controls.c:693 #2 0x000000000046b0f5 in get_ctrls2 (op=0x7fffec000940, rs=0x7ffff57eeac0, sendres=1, ctag=160) at controls.c:886 #3 0x000000000046a8ff in get_ctrls (op=0x7fffec000940, rs=0x7ffff57eeac0, sendres=1) at controls.c:723 #4 0x000000000042e94e in do_search (op=0x7fffec000940, rs=0x7ffff57eeac0) at search.c:195 #5 0x000000000042bdf3 in connection_operation (ctx=0x7ffff57eebf0, arg_v=0x7fffec000940) at connection.c:1134 #6 0x000000000042c3a3 in connection_read_thread (ctx=0x7ffff57eebf0, argv=0xb) at connection.c:1280 #7 0x0000000000538938 in ldap_int_thread_pool_wrapper (xpool=0x892bc0) at tpool.c:958 #8 0x00007ffff79b00a4 in start_thread (arg=0x7ffff57ef700) at pthread_create.c:309 #9 0x00007ffff76e4ccd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111 (line numbers are from master) The ldapsearch manpage implies this probably isn't valid, but it still accepted it. (FWIW, I tried it just to see whether it would return all attributes or none.) I couldn't tell from draft-ldap-deref-00 whether an empty attr list is considered a valid request.

1 0

(ITS#8026) net-nds/openldap - powerpc-apple-darwin9-gcc: Undefined symbols for architecture ppc: "_slapi_pblock_set"
by daniel.ibnzayd＠inquisitor.com 19 Jan '15

19 Jan '15

Full_Name: Daniel Ibn Zayd Version: 2.4.38-r2 OS: PPC URL: https://bugs.gentoo.org/show_bug.cgi?id=536306 Submission from: (NULL) (166.84.1.2) Both of the latest builds marked stable for ppc (openldap-2.4.35-r1 and openldap-2.4.38-r2) error out when they get to the libaddrdnvalues-plugin: * Building contrib-module: addrdnvalues plugin Undefined symbols for architecture ppc: "_slapi_pblock_set", referenced from: _addrdnvalues_preop_init in cclXT5Cy.o "_slapi_log_error", referenced from: _addrdnvalues_preop_init in cclXT5Cy.o _addrdnvalues_preop_add in cclXT5Cy.o "_slapi_pblock_get", referenced from: _addrdnvalues_preop_add in cclXT5Cy.o "_slapi_entry_add_rdn_values", referenced from: _addrdnvalues_preop_add in cclXT5Cy.o "_slapi_send_ldap_result", referencefrfrom: _addrdnvalues_preop_add in cclXT5Cy.o "_ldap_err2string", referenced from: _addrdnvalues_preop_add in cclXT5Cy.o ld: symbol(s) not found for architecture ppc I've researched the plug-in and its components searching for possible fixes but have not turned up anything. Any clues here are greatly appreciated. PS: This is a Gentoo Prefix set up I am working with. https://bugs.gentoo.org/show_bug.cgi?id=536306

1 0

Re: (ITS#7971) LMDB: Uncarefully appointment when beginning a readonly txn.
by h.b.furuseth＠usit.uio.no 16 Jan '15

16 Jan '15

On 18/10/14 00:46, leo(a)yuriev.ru wrote: > (...) > - ti->mti_readers[i].mr_pid = pid; > - ti->mti_readers[i].mr_tid = tid; > + r = &ti->mti_readers[i]; > + r->mr_txnid = (txnid_t)-1; > + r->mr_tid = tid; > + r->mr_pid = pid; /* should be written last, see ITS#. */ > if (i == nr) > ti->mti_numreaders = ++nr; > /* Save numreaders for un-mutexed mdb_env_close() */ > env->me_numreaders = nr; Actually that too is too early to set mr_pid: We must be sure env_close() will reset it. But it is also too late, we must get rid of any garbage value in md_pid at once to protect it from other processes' env_close(). Fixing. Also, I'll rename the confusingly named me_numreaders to me_close_readers and drop some confused code using it.

1 0

Re: (ITS#8025) OpenLDAP authorisation on a client causes policykit GUI features to fail
by hyc＠symas.com 16 Jan '15

16 Jan '15

hyc(a)symas.com wrote: > There's nothing here that indicates any connection to OpenLDAP either. > Bug in pam_ldap, closing this ITS. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#7969) LMDB: Globally shared fields of meta-data are not 'volatile'.
by hyc＠openldap.org 16 Jan '15

16 Jan '15

This discussion should be moved to the openldap-devel list as there's more being discussed now than the patch itself. Леонид Юрьев wrote: > 2015-01-14 8:49 GMT+03:00 Hallvard Breien Furuseth <h.b.furuseth(a)usit.uio.no>: >> On 13/01/15 19:23, Hallvard Breien Furuseth wrote: >>> >>> Yes, that didn't come out right. I don't mind inserting the >>> volatile, but I don't know that it helps either. As far as I >>> understand if it was broken without volatile, then it's still >>> broken with it - just hopefully less likely to break. And LMDB >>> couldn't be releaseed with your original unportable sync code >>> along with the volatile. >> >> >> Sorry, nevermind. Of course when the writer does sync well enough, >> volatile + the txn_renew loop will have to do for a sync primitive in >> the reader. > >> I suppose this requires that sync in the writer thread >> will shake other threads as well, it won't be private to the writer. > > In general this is wrong, more precisely depend on 'volatile' on > shared variables and usage of barriers/fences by the readers. Actually 'volatile' is meaningless at the hardware level. It only serves to prevent the compiler from reordering or eliminating accesses. In the case of LMDB the compiler cannot eliminate accesses because they are to global memory, and the compiler cannot determine anything about the liveness or side-effects of global memory accesses. > Sync-ops due lock/release a mutex by writer issue a memory-barrier for > its own thread. > With this compiler must update all modified variables, which shaded in > the CPU registers. > Next a hardware write-barrier (aka release) in the mutex-release code > enforce all changes to be visible for other threads (e.g. flush the > cache). > But 'be visible' here mean 'publish' and other threads can access > these changes, but if want this. > In general, to see changes made by the writer, all other threads > should issue a read-barrier (aka acquire). > On most arches such barrier just inform compiler that memory was > changed and variables which cached in the registers must be reloaded. > But in some cases (like Itanium) this barrier will be taken in account > for instruction scheduling. > For 'volatile' compiler should generate barriers each time on read or > write such variables. No. volatile doesn't generate hardware barriers. > More general, memory-barriers are very important to HPC, distributed > computing and for super-computers. > For example read-barriers may pull changes from internode-bus or other > nodes, and write-barriers - publish the local changes. > So, the one way to avoid a race bugs - thinking in terms of > publish/pull changes. "race bug" by definition occurs when multiple writers may modify a particular memory object, causing its value to be indeterminate to an observer. By definition, no such bugs can occur in LMDB because only single writers can ever modify any memory object. In the case of arbitrary readers viewing writes, these are the possible cases: 1) reader is on same CPU as writer, writes cached there is no issue, the reader sees what the writer wrote. 2) reader is on same CPU as writer, writes not cached there is no issue, the reader must fetch data from global memory 3) reader is on different CPU, writes not cached there is no issue, the reader's CPU must fetch the data from global memory - same as (2) 4) reader is on different CPU, writes are cached the reader may see the cached/stale data, or the CPU may fetch the new data from global memory Only case (4) has any ambiguity, and LMDB's reader table is specifically designed not to care about the ambiguity. I.e., whether fresh or stale data is seen is irrelevant, LMDB will operate correctly because it does not fresh data. Correct processing of the reader table only depends on the oldest data in the table, so staleness is an asset here. Correct processing of changes to the meta page requires exclusion from other writers, so the write mutex is used. This also guarantees that all changes to the meta page are flushed to global memory before the next writer begins. In ITS#7970 you discuss a "heisenbug" which can theoretically occur if multiple write txns complete in the span of 2 memory accesses by a reader. In practice such a bug cannot occur because the act of completing a write txn involves multiple blocking calls (I/O system calls, mutex acquisition/release, etc.) which will force writers to pause relative to any readers in question. In contrast the reader performs no blocking calls at all, and in the window of vulnerability it is performing only 2 single-word memory accesses. Demonstrating the bug by manually inserting yield()s only proves the point - without those manually inserted yields you cannot actually trigger any situation where the reader thread will be descheduled between those two instructions. You discuss the ramifications of such a bug as the writer potentially overwriting pages that the reader needs. None of this can actually occur in current LMDB code, again by design. The fact that you encountered these issues while debugging your LIFO patch only reflects on the problems I already pointed out with the LIFO approach. Hallvard and I had this exact same discussion a few years ago; his example used the debugger to pause the reader at that point. Certainly, if you go out of your way to manually halt the reader at a specific instruction you can break the reader. Without outside intervention it won't happen. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

← Newer
1
2
3
4
5
6
7
8
...
12
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs January 2015