Re: (ITS#8081) syncprov crash in syncprov_op_mod - openldap-bugs

18 Mar 2015


      On Wed, Mar 18, 2015 at 05:06:33AM +0000, ryan@nardis.ca wrote:
...
I get the following crash on master and RE24. not every time, but most times.
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe6ffe700 (LWP 25923)]
0x0000000000511d45 in syncprov_op_mod (op=0x7fffd41024a0, rs=0x7fffe6ffdae0) at
syncprov.c:2129
2129						if ( m2->mi_op->o_threadctx == op->o_threadctx ) {
Same testcase, different crash:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffecde1700 (LWP 1747)]
0x000000000051ae5e in syncprov_op_cleanup (op=0x7fffe0000aa0, rs=0x7fffecde0ac0) at syncprov.c:1418
1418			mt->mt_mods = mt->mt_mods->mi_next;
(gdb) bt
#0  0x000000000051ae5e in syncprov_op_cleanup (op=0x7fffe0000aa0, rs=0x7fffecde0ac0) at syncprov.c:1418
#1  0x00000000004417f3 in slap_cleanup_play (op=0x7fffe0000aa0, rs=0x7fffecde0ac0) at result.c:567
#2  0x0000000000441fac in send_ldap_response (op=0x7fffe0000aa0, rs=0x7fffecde0ac0) at result.c:759
#3  0x0000000000442793 in slap_send_ldap_result (op=0x7fffe0000aa0, rs=0x7fffecde0ac0) at result.c:886
#4  0x00000000004e472a in mdb_modify (op=0x7fffe0000aa0, rs=0x7fffecde0ac0) at modify.c:672
#5  0x00000000004baadd in overlay_op_walk (op=0x7fffe0000aa0, rs=0x7fffecde0ac0, which=op_modify, oi=0x8aae60, on=0x0) at backover.c:696
#6  0x00000000004bad01 in over_op_func (op=0x7fffe0000aa0, rs=0x7fffecde0ac0, which=op_modify) at backover.c:749
#7  0x00000000004bae35 in over_op_modify (op=0x7fffe0000aa0, rs=0x7fffecde0ac0) at backover.c:788
#8  0x000000000044bacb in fe_op_modify (op=0x7fffe0000aa0, rs=0x7fffecde0ac0) at modify.c:303
#9  0x000000000044b37e in do_modify (op=0x7fffe0000aa0, rs=0x7fffecde0ac0) at modify.c:177
#10 0x000000000042bdf3 in connection_operation (ctx=0x7fffecde0bf0, arg_v=0x7fffe0000aa0) at connection.c:1134
#11 0x000000000042c3a3 in connection_read_thread (ctx=0x7fffecde0bf0, argv=0xb) at connection.c:1280
#12 0x000000000053772e in ldap_int_thread_pool_wrapper (xpool=0x883b40) at tpool.c:958
#13 0x00007ffff77ad0a4 in start_thread (arg=0x7fffecde1700) at pthread_create.c:309
#14 0x00007ffff74e204d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
Looks like at this point mt either points to garbage, or is itself 
garbage.
Reverting 8eb9aa7d resolves both crashes.