Full_Name: Jan Synacek
Version: master
OS: Linux - Fedora 18
URL: http://jsynacek.fedorapeople.org/openldap/slaptest/0001-Fix-segfault-in-slap...
Submission from: (NULL) (209.132.186.34)
Consider the following configuration: http://jsynacek.fedorapeople.org/openldap/slaptest/slapd-segfault.conf
When an overlay is specified after the 'database monitor', slaptest segfaults. I'm not sure whether such a configuration makes much sense; however, I think that slaptest shouldn't segfault.
To reproduce, use the above config and run:

slapd -Tt -f slapd-segfault.conf -F /path/to/a/dir
Backtrace:

#0  0x0000003385009b70 in pthread_mutex_lock () from /usr/lib64/libpthread.so.0
#1  0x00007ffff7da524d in ldap_pvt_thread_mutex_lock (mutex=0x25) at thr_posix.c:296
#2  0x00000000005574b9 in monitor_cache_get (mi=0x1d, ndn=0x7fffffffde30, ep=0x7fffffffde28) at cache.c:161
#3  0x000000000051a10d in monitor_back_unregister_entry_attrs (ndn_in=0x908230, target_a=0x0, target_cb=0xa70030, nbase=0x0, scope=0, filter=0x0) at init.c:1520
#4  0x000000000051a5b0 in monitor_back_unregister_entry_callback (ndn=0x908230, cb=0xa70030, nbase=0x0, scope=0, filter=0x0) at init.c:1632
#5  0x00000000004f6f19 in bdb_monitor_db_close (be=0x907d70) at monitor.c:500
#6  0x00000000004ef0b4 in bdb_db_close (be=0x907d70, cr=0x0) at init.c:595
#7  0x0000000000454ad5 in backend_shutdown (be=0x907d70) at backend.c:383
#8  0x00000000004814a9 in slap_shutdown (be=0x0) at init.c:232
#9  0x00000000004de90d in slap_tool_destroy () at slapcommon.c:936
#10 0x00000000004e0435 in slaptest (argc=6, argv=0x7fffffffe228) at slaptest.c:116
#11 0x000000000041a9f5 in main (argc=6, argv=0x7fffffffe228) at main.c:665
Notice the corrupt 'mi' pointer in frame #2.
The segfault does not always appear, so here is the corresponding valgrind output:

==6751== Memcheck, a memory error detector
==6751== Copyright (C) 2002-2012, and GNU GPL'd, by Julian Seward et al.
==6751== Using Valgrind-3.8.1 and LibVEX; rerun with -h for copyright info
==6751== Command: /home/jsynacek/work/2-upstream/openldap-git/servers/slapd/.libs/lt-slapd -Tt -f slapd-segfault.conf -F ./testconf
==6751==
51c1a34e bdb_db_open: database "dc=example,dc=com": unclean shutdown detected; attempting recovery.
51c1a34e bdb_db_open: warning - no DB_CONFIG file found in directory /var/lib/ldap: (2).
Expect poor performance for suffix "dc=example,dc=com".
51c1a34e bdb_db_open: database "dc=example,dc=com": recovery skipped in read-only mode. Run manual recovery if errors are encountered.
config file testing succeeded
==6751== Conditional jump or move depends on uninitialised value(s)
==6751==    at 0x519E9D: monitor_back_unregister_entry_attrs (init.c:1473)
==6751==    by 0x51A5AF: monitor_back_unregister_entry_callback (init.c:1632)
==6751==    by 0x4F6F18: bdb_monitor_db_close (monitor.c:500)
==6751==    by 0x4EF0B3: bdb_db_close (init.c:595)
==6751==    by 0x454AD4: backend_shutdown (backend.c:383)
==6751==    by 0x4814A8: slap_shutdown (init.c:232)
==6751==    by 0x4DE90C: slap_tool_destroy (slapcommon.c:936)
==6751==    by 0x4E0434: slaptest (slaptest.c:116)
==6751==    by 0x41A9F4: main (main.c:665)
==6751==
==6751== Conditional jump or move depends on uninitialised value(s)
==6751==    at 0x5573EA: monitor_cache_get (cache.c:150)
==6751==    by 0x51A10C: monitor_back_unregister_entry_attrs (init.c:1520)
==6751==    by 0x51A5AF: monitor_back_unregister_entry_callback (init.c:1632)
==6751==    by 0x4F6F18: bdb_monitor_db_close (monitor.c:500)
==6751==    by 0x4EF0B3: bdb_db_close (init.c:595)
==6751==    by 0x454AD4: backend_shutdown (backend.c:383)
==6751==    by 0x4814A8: slap_shutdown (init.c:232)
==6751==    by 0x4DE90C: slap_tool_destroy (slapcommon.c:936)
==6751==    by 0x4E0434: slaptest (slaptest.c:116)
==6751==    by 0x41A9F4: main (main.c:665)
==6751==
==6751== Use of uninitialised value of size 8
==6751==    at 0x3385009B70: pthread_mutex_lock (in /usr/lib64/libpthread-2.16.so)
==6751==    by 0x4C2524C: ldap_pvt_thread_mutex_lock (thr_posix.c:296)
==6751==    by 0x5574B8: monitor_cache_get (cache.c:161)
==6751==    by 0x51A10C: monitor_back_unregister_entry_attrs (init.c:1520)
==6751==    by 0x51A5AF: monitor_back_unregister_entry_callback (init.c:1632)
==6751==    by 0x4F6F18: bdb_monitor_db_close (monitor.c:500)
==6751==    by 0x4EF0B3: bdb_db_close (init.c:595)
==6751==    by 0x454AD4: backend_shutdown (backend.c:383)
==6751==    by 0x4814A8: slap_shutdown (init.c:232)
==6751==    by 0x4DE90C: slap_tool_destroy (slapcommon.c:936)
==6751==    by 0x4E0434: slaptest (slaptest.c:116)
==6751==    by 0x41A9F4: main (main.c:665)
==6751==
==6751== Invalid read of size 4
==6751==    at 0x3385009B70: pthread_mutex_lock (in /usr/lib64/libpthread-2.16.so)
==6751==    by 0x4C2524C: ldap_pvt_thread_mutex_lock (thr_posix.c:296)
==6751==    by 0x5574B8: monitor_cache_get (cache.c:161)
==6751==    by 0x51A10C: monitor_back_unregister_entry_attrs (init.c:1520)
==6751==    by 0x51A5AF: monitor_back_unregister_entry_callback (init.c:1632)
==6751==    by 0x4F6F18: bdb_monitor_db_close (monitor.c:500)
==6751==    by 0x4EF0B3: bdb_db_close (init.c:595)
==6751==    by 0x454AD4: backend_shutdown (backend.c:383)
==6751==    by 0x4814A8: slap_shutdown (init.c:232)
==6751==    by 0x4DE90C: slap_tool_destroy (slapcommon.c:936)
==6751==    by 0x4E0434: slaptest (slaptest.c:116)
==6751==    by 0x41A9F4: main (main.c:665)
==6751==  Address 0x37 is not stack'd, malloc'd or (recently) free'd
==6751==
==6751==
==6751== Process terminating with default action of signal 11 (SIGSEGV)
==6751==  Access not within mapped region at address 0x37
==6751==    at 0x3385009B70: pthread_mutex_lock (in /usr/lib64/libpthread-2.16.so)
==6751==    by 0x4C2524C: ldap_pvt_thread_mutex_lock (thr_posix.c:296)
==6751==    by 0x5574B8: monitor_cache_get (cache.c:161)
==6751==    by 0x51A10C: monitor_back_unregister_entry_attrs (init.c:1520)
==6751==    by 0x51A5AF: monitor_back_unregister_entry_callback (init.c:1632)
==6751==    by 0x4F6F18: bdb_monitor_db_close (monitor.c:500)
==6751==    by 0x4EF0B3: bdb_db_close (init.c:595)
==6751==    by 0x454AD4: backend_shutdown (backend.c:383)
==6751==    by 0x4814A8: slap_shutdown (init.c:232)
==6751==    by 0x4DE90C: slap_tool_destroy (slapcommon.c:936)
==6751==    by 0x4E0434: slaptest (slaptest.c:116)
==6751==    by 0x41A9F4: main (main.c:665)
==6751==  If you believe this happened as a result of a stack
==6751==  overflow in your program's main thread (unlikely but
==6751==  possible), you can try to increase the size of the
==6751==  main thread stack using the --main-stacksize= flag.
==6751==  The main thread stack size used in this run was 8388608.
==6751==
==6751== HEAP SUMMARY:
==6751==     in use at exit: 1,784,260 bytes in 10,532 blocks
==6751==   total heap usage: 20,806 allocs, 10,274 frees, 4,333,045 bytes allocated
==6751==
==6751== LEAK SUMMARY:
==6751==    definitely lost: 16 bytes in 1 blocks
==6751==    indirectly lost: 0 bytes in 0 blocks
==6751==      possibly lost: 0 bytes in 0 blocks
==6751==    still reachable: 1,784,244 bytes in 10,531 blocks
==6751==         suppressed: 0 bytes in 0 blocks
==6751== Rerun with --leak-check=full to see details of leaked memory
==6751==
==6751== For counts of detected and suppressed errors, rerun with: -v
==6751== Use --track-origins=yes to see where uninitialised values come from
==6751== ERROR SUMMARY: 11 errors from 9 contexts (suppressed: 2 from 2)
I'm not sure if my patch is correct. I feel it's more like a workaround, so feel free to modify it if that's the case.
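The valgrind output above carries the triage lesson of this report: the crash in pthread_mutex_lock is the last thing Memcheck prints, but the "uninitialised value" reports on the same call path come first and are the ones that point at the defect. The helper below is an added example (not part of the ITS submission, the submitter's patch, or OpenLDAP) that parses a Memcheck log into grouped reports, names the earliest report as the root-cause candidate, and yields a pass/fail verdict a config-check job can gate on. The SAMPLE string is an excerpt of the output quoted above with most frames trimmed; the Memcheck header prefixes it recognises are not an exhaustive list.

```python
# Added triage helper for Valgrind Memcheck logs like the one in this report (example
# code, not part of the ITS submission or OpenLDAP). It groups each error report with
# its frames, records the fatal signal, and names the FIRST report as the root-cause
# candidate; the later invalid read and the SIGSEGV are consequences of it.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

VG_LINE = re.compile(r"^==(\d+)==\s?(.*)$")  # "==PID== rest"; other lines are slapd's own output
FRAME = re.compile(r"^(?:at|by) (0x[0-9A-Fa-f]+): (\S+) \((.+)\)$")
ERROR_SUMMARY = re.compile(r"^ERROR SUMMARY: (\d+) errors? from (\d+) contexts?")
FATAL_SIGNAL = re.compile(r"^Process terminating with default action of signal \d+ \((\w+)\)")
# Memcheck error headers we group (prefix match); not an exhaustive list.
ERROR_PREFIXES = ("Conditional jump or move depends on uninitialised value",
                  "Use of uninitialised value", "Invalid read of size", "Invalid write of size",
                  "Invalid free()", "Mismatched free()", "Syscall param", "Source and destination overlap")

@dataclass
class Report:
    kind: str                                            # header, e.g. "Invalid read of size 4"
    frames: List[Tuple[str, str, str]] = field(default_factory=list)  # (addr, func, location)
    detail: str = ""                                     # e.g. "Address 0x37 is not stack'd, ..."

    def top_frame(self) -> str:
        """First frame with file:line info (frames in stripped libraries read 'in /path')."""
        for _, func, loc in self.frames:
            if not loc.startswith("in "):
                return f"{func} ({loc})"
        return f"{self.frames[0][1]} ({self.frames[0][2]})" if self.frames else "?"

@dataclass
class Triage:
    pid: Optional[str] = None
    reports: List[Report] = field(default_factory=list)  # ordinary error reports, in log order
    crash: Optional[Report] = None                       # stack at the fatal signal, if any
    fatal_signal: Optional[str] = None
    error_count: int = 0

def parse_memcheck(text: str) -> Triage:
    t, current = Triage(), None
    for raw in text.splitlines():
        m = VG_LINE.match(raw)
        if not m:
            continue                                     # program output interleaved with valgrind's
        t.pid, body = m.group(1), m.group(2).strip()
        if not body:
            current = None                               # bare "==PID==" closes the current report
        elif (fm := FRAME.match(body)) and current is not None:
            current.frames.append(fm.groups())
        elif (sm := ERROR_SUMMARY.match(body)):
            t.error_count = int(sm.group(1))
        elif (sg := FATAL_SIGNAL.match(body)):
            t.fatal_signal, current = sg.group(1), Report(kind=body)
            t.crash = current                            # the frames that follow are the crash stack
        elif body.startswith(("Address ", "Access not within")):
            if current is not None:
                current.detail = body
        elif body.startswith(ERROR_PREFIXES):
            current = Report(kind=body)
            t.reports.append(current)
    return t

def root_cause_candidate(t: Triage) -> Optional[str]:
    """The earliest report is usually the defect; later ones (and the crash) are consequences."""
    return f"{t.reports[0].kind} at {t.reports[0].top_frame()}" if t.reports else None

def ci_verdict(text: str) -> dict:
    """Summary a config-check job can gate on: fail on any Memcheck error or a fatal signal."""
    t = parse_memcheck(text)
    return {"pid": t.pid, "errors": t.error_count, "reports": len(t.reports),
            "fatal_signal": t.fatal_signal,
            "crash_site": t.crash.top_frame() if t.crash else None,
            "root_cause_candidate": root_cause_candidate(t),
            "fail": t.error_count > 0 or t.fatal_signal is not None}

# Excerpt of the valgrind output quoted in the report above (frames trimmed for brevity).
SAMPLE = """\
==6751== Memcheck, a memory error detector
==6751==
config file testing succeeded
==6751== Conditional jump or move depends on uninitialised value(s)
==6751==    at 0x519E9D: monitor_back_unregister_entry_attrs (init.c:1473)
==6751==    by 0x51A5AF: monitor_back_unregister_entry_callback (init.c:1632)
==6751==
==6751== Invalid read of size 4
==6751==    at 0x3385009B70: pthread_mutex_lock (in /usr/lib64/libpthread-2.16.so)
==6751==    by 0x4C2524C: ldap_pvt_thread_mutex_lock (thr_posix.c:296)
==6751==    by 0x5574B8: monitor_cache_get (cache.c:161)
==6751==  Address 0x37 is not stack'd, malloc'd or (recently) free'd
==6751==
==6751==
==6751== Process terminating with default action of signal 11 (SIGSEGV)
==6751==  Access not within mapped region at address 0x37
==6751==    at 0x3385009B70: pthread_mutex_lock (in /usr/lib64/libpthread-2.16.so)
==6751==    by 0x4C2524C: ldap_pvt_thread_mutex_lock (thr_posix.c:296)
==6751==  If you believe this happened as a result of a stack
==6751== ERROR SUMMARY: 11 errors from 9 contexts (suppressed: 2 from 2)
"""

if __name__ == "__main__":
    for key, value in ci_verdict(SAMPLE).items():
        print(f"{key:>22}: {value}")
```

Run against the excerpt, the verdict reports SIGSEGV at ldap_pvt_thread_mutex_lock (thr_posix.c:296) as the crash site but names the uninitialised-value report at monitor_back_unregister_entry_attrs (init.c:1473) as the root-cause candidate, which is exactly where a reviewer of this ITS would start reading (the gdb backtrace's bogus mi=0x1d is the same value seen downstream). Frames inside stripped libraries ("in /usr/lib64/...") are skipped when naming a site because they carry no source location.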