https://bugs.openldap.org/show_bug.cgi?id=9249
Bug ID: 9249
Summary: A dollar sign ($) at the end of the 2nd argument of olcAuthzRegexp crashes slapd
Product: OpenLDAP
Version: 2.4.47
Hardware: All
OS: Linux
Status: UNCONFIRMED
Severity: normal
Priority: ---
Component: slapd
Assignee: bugs@openldap.org
Reporter: kop@karlpinc.com
Target Milestone: ---
The following ldif, fed to ldapmodify, crashes slapd.
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: "^([^,]+),cn=PLAIN,cn=auth" "$1,ou=People,dc=example,dc=com$"
Happens on Debian 10 with openldap 2.4.47 and RHEL 8 with openldap 2.4.46.
Doing ldapmodify -d -1 seems to crash only 1 out of 3 times, but it always crashes without the -d -1.
Ryan Tandy ryan@openldap.org changed:
What | Removed | Added
Keywords | | OL_2_5_REQ
Ever confirmed | 0 | 1
Status | UNCONFIRMED | CONFIRMED
--- Comment #1 from Ryan Tandy ryan@openldap.org ---
Confirmed in git master.
5ea9fd90 conn=1000 op=1 MOD attr=olcAuthzRegexp
free(): double free detected in tcache 2

Thread 3 "slapd" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffff62b2700 (LWP 872)]
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7dd1535 in __GI_abort () at abort.c:79
#2 0x00007ffff7e28508 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7ffff7f3328d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3 0x00007ffff7e2ec1a in malloc_printerr (str=str@entry=0x7ffff7f34f58 "free(): double free detected in tcache 2") at malloc.c:5341
#4 0x00007ffff7e306fd in _int_free (av=0x7fffe8000020, p=0x7fffe8105080, have_lock=<optimized out>) at malloc.c:4193
#5 0x000055555562a4d5 in rewrite_subst_compile (info=0x7fffe8104dc0, str=str@entry=0x7fffe8104cad "\$1,ou=People,dc=example,dc=com$") at subst.c:228
#6 0x00005555556291ac in rewrite_rule_compile (info=<optimized out>, context=0x7fffe8104f20, pattern=0x7fffe8104c91 "^([^,]+),cn=PLAIN,cn=auth", result=0x7fffe8104cad "\$1,ou=People,dc=example,dc=com$", flagstring=0x55555567e881 ":@") at rule.c:149
#7 0x00005555555c8698 in slap_sasl_regexp_rewrite_config (rwinfo=rwinfo@entry=0x7ffff62ac3a8, match=match@entry=0x7fffe8104c91 "^([^,]+),cn=PLAIN,cn=auth", replace=replace@entry=0x7fffe8104cad "\$1,ou=People,dc=example,dc=com$", context=0x55555567e8a1 "authid", lineno=0, fname=0x555555665206 "sasl-regexp") at saslauthz.c:1480
#8 0x00005555555cb428 in slap_sasl_regexp_config (match=0x7fffe8104c91 "^([^,]+),cn=PLAIN,cn=auth", replace=0x7fffe8104cad "\$1,ou=People,dc=example,dc=com$", valx=0) at saslauthz.c:1508
#9 0x00005555555692e1 in config_generic (c=0x7ffff62af6b0) at bconfig.c:1872
#10 0x0000555555575e43 in config_set_vals (Conf=0x5555556e42e0 <config_back_cf_table+640>, c=0x7ffff62af6b0) at config.c:375
#11 0x0000555555576a83 in config_parse_add (ct=ct@entry=0x5555556e42e0 <config_back_cf_table+640>, c=c@entry=0x7ffff62af6b0, valx=valx@entry=0) at config.c:728
#12 0x000055555556d49f in config_modify_add (ct=ct@entry=0x5555556e42e0 <config_back_cf_table+640>, ca=ca@entry=0x7ffff62af6b0, i=i@entry=0, ad=<optimized out>) at bconfig.c:5914
#13 0x000055555556dca3 in config_modify_internal (ca=0x7ffff62af6b0, rs=<optimized out>, op=<optimized out>, ce=<optimized out>) at bconfig.c:6173
#14 config_back_modify (op=<optimized out>, rs=<optimized out>) at bconfig.c:6321
#15 0x0000555555596c6e in fe_op_modify (op=0x7fffe8002bf0, rs=0x7ffff62b1a60) at modify.c:302
#16 0x000055555559895c in do_modify (op=0x7fffe8002bf0, rs=0x7ffff62b1a60) at modify.c:174
#17 0x0000555555580521 in connection_operation (ctx=ctx@entry=0x7ffff62b1bb0, arg_v=arg_v@entry=0x7fffe8002bf0) at connection.c:1174
#18 0x0000555555580ffd in connection_read_thread (ctx=0x7ffff62b1bb0, argv=0xb) at connection.c:1325
#19 0x0000555555634438 in ldap_int_thread_pool_wrapper (xpool=0x5555557888c0) at tpool.c:1048
#20 0x00007ffff7f77fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
#21 0x00007ffff7ea84cf in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Target Milestone | --- | 2.5.0
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Keywords | OL_2_5_REQ |
Resolution | --- | TEST
Status | CONFIRMED | RESOLVED
--- Comment #2 from Quanah Gibson-Mount quanah@openldap.org ---
Commits:
• 88e569d8 by Howard Chu at 2020-08-23T19:32:51+00:00
ITS#9249 librewrite: fix malloc/free corruption
If substitution parsing fails, would attempt to free a mapping that hadn't been allocated yet.
Also, on failure, caller in saslauthz would attempt to free a rwinfo struct that hadn't been allocated.
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Target Milestone | 2.5.0 | 2.4.52
Resolution | TEST | FIXED
--- Comment #3 from Quanah Gibson-Mount quanah@openldap.org ---
RE24:
Commits:
• d0f6b606 by Howard Chu at 2020-08-26T15:01:51+00:00
ITS#9249 librewrite: fix malloc/free corruption
If substitution parsing fails, would attempt to free a mapping that hadn't been allocated yet.
Also, on failure, caller in saslauthz would attempt to free a rwinfo struct that hadn't been allocated.
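The error-path pattern the commit message describes (comment #2 and its RE24 backport in comment #3), as an added illustration that is not OpenLDAP's librewrite code: a hypothetical subst_compile that parses "$N" back-references out of a rewrite result string, rejects a trailing '$' like the one in this report, and on failure frees only what it actually allocated, exactly once. The struct and function names are assumptions made for the example.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal rewrite-result compiler; not OpenLDAP's librewrite. */
struct subst {
    int  *refs;     /* back-reference numbers ($1, $2, ...) in order */
    int   nrefs;
    char *literal;  /* the string with every "$N" removed */
};

void subst_free(struct subst *s)
{
    if (s == NULL) return;
    free(s->refs); free(s->literal); free(s);   /* free(NULL) is a no-op */
}

/* Returns 0 and stores a compiled subst in *out, or -1 on a parse error: a
 * '$' not followed by a digit (the trailing '$' of ITS#9249) is rejected.
 * The ITS#9249 crash came from an error path freeing a mapping that had not
 * been allocated; here every field starts NULL, a pointer is stored only
 * once its allocation succeeded, and one cleanup path frees each at most once. */
int subst_compile(const char *str, struct subst **out)
{
    struct subst *s = calloc(1, sizeof *s);     /* refs and literal are NULL */
    if (s == NULL)
        return -1;
    char *lp = s->literal = malloc(strlen(str) + 1);
    if (lp == NULL)
        goto fail;
    for (const char *p = str; *p != '\0'; p++) {
        if (*p != '$') {
            *lp++ = *p;
            continue;
        }
        if (p[1] < '0' || p[1] > '9')           /* lone or trailing '$' */
            goto fail;
        int *r = realloc(s->refs, (s->nrefs + 1) * sizeof *r);
        if (r == NULL)
            goto fail;                          /* old s->refs still valid */
        s->refs = r;
        s->refs[s->nrefs++] = p[1] - '0';
        p++;                                    /* skip the digit */
    }
    *lp = '\0';
    *out = s;
    return 0;
fail:
    subst_free(s);   /* frees only what was allocated; *out is untouched */
    return -1;
}
```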
Quanah Gibson-Mount quanah@openldap.org changed:
What | Removed | Added
Status | RESOLVED | VERIFIED