Bug 1518069 - heap-buffer-overflow in ss_unescape
Summary: heap-buffer-overflow in ss_unescape
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: 389-ds-base
Version: 7.5
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: rc
Assignee: mreynolds
QA Contact: Viktor Ashirov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-11-28 06:46 UTC by Viktor Ashirov
Modified: 2018-04-10 14:23 UTC (History)

Fixed In Version: 389-ds-base-1.3.7.5-11.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-10 14:22:34 UTC




Links
System: Red Hat Product Errata
ID: RHBA-2018:0811
Priority: None
Status: None
Summary: None
Last Updated: 2018-04-10 14:23:27 UTC

Description Viktor Ashirov 2017-11-28 06:46:19 UTC
Description of problem:
=================================================================                                                              
==21829== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6004009380b6 at pc 0x7f9979a37d62 bp 0x7f9929d5a610 sp 0x7f9929d5a600
READ of size 1 at 0x6004009380b6 thread T57                    
    #0 0x7f9979a37d61 in ss_unescape /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/collation/orfilter.c:316          
    #1 0x7f9979a37eed in ss_filter_value /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/collation/orfilter.c:351      
    #2 0x7f9979a3a164 in ss_filter_values /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/collation/orfilter.c:411     
    #3 0x7f99809d963b in attempt_mr_filter_create /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin_mr.c:590        
    #4 0x7f99809da6fe in plugin_mr_filter_create /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin_mr.c:616         
    #5 0x7f998094706d in get_filter_internal /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/filter.c:310                
    #6 0x7f998094a701 in get_filter /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/filter.c:56                          
    #7 0x55c62bcd5378 in do_search /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/search.c:184                          
    #8 0x55c62bcaf15a in connection_dispatch_operation /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:648  
    #9 0x7f997eab1c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216     
    #10 0x7f9980fa6867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_                                                     
    #11 0x7f997e451dd4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308                            
    #12 0x7f997daff9bc in __clone /usr/src/debug////////glibc-2.17-c758a686/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113 
0x6004009380b6 is located 0 bytes to the right of 6-byte region [0x6004009380b0,0x6004009380b6)                                
allocated by thread T57 here:  
    #0 0x7f9980fa2ef9 in malloc _asan_rtl_                     
    #1 0x7f9980910f07 in slapi_ch_malloc /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/ch_malloc.c:95                  
    #2 0x7f9979a3a069 in ss_filter_values /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/plugins/collation/orfilter.c:405     
    #3 0x7f99809d963b in attempt_mr_filter_create /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin_mr.c:590        
    #4 0x7f99809da6fe in plugin_mr_filter_create /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/plugin_mr.c:616         
    #5 0x7f998094706d in get_filter_internal /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/filter.c:310                
    #6 0x7f998094a701 in get_filter /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/filter.c:56                          
    #7 0x55c62bcd5378 in do_search /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/search.c:184                          
    #8 0x55c62bcaf15a in connection_dispatch_operation /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:648  
    #9 0x7f997eab1c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216     
Thread T57 created by T0 here: 
    #0 0x7f9980f97a0a in __interceptor_pthread_create _asan_rtl_                                                               
    #1 0x7f997eab195b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:457     
    #2 0x0                     
Shadow bytes around the buggy address:                         
  0x0c010011efc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                              
  0x0c010011efd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                              
  0x0c010011efe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa                                                              
  0x0c010011eff0: fa fa fa fa fa fa fd fa fa fa fd fa fa fa fd fa                                                              
  0x0c010011f000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 01 fa                                                              
=>0x0c010011f010: fa fa 00 00 fa fa[06]fa fa fa 00 04 fa fa 03 fa                                                              
  0x0c010011f020: fa fa 03 fa fa fa 03 fa fa fa fd fd fa fa 00 01                                                              
  0x0c010011f030: fa fa 00 04 fa fa fd fd fa fa 07 fa fa fa fd fa                                                              
  0x0c010011f040: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd                                                              
  0x0c010011f050: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd                                                              
  0x0c010011f060: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd                                                              
Shadow byte legend (one shadow byte represents 8 application bytes):                                                           
  Addressable:           00    
  Partially addressable: 01 02 03 04 05 06 07                  
  Heap left redzone:     fa    
  Heap righ redzone:     fb    
  Freed Heap region:     fd    
  Stack left redzone:    f1    
  Stack mid redzone:     f2    
  Stack right redzone:   f3    
  Stack partial redzone: f4    
  Stack after return:    f5    
  Stack use after scope: f8    
  Global redzone:        f9    
  Global init order:     f6    
  Poisoned by user:      f7    
  ASan internal:         fe    
==21829== ABORTING           

Version-Release number of selected component (if applicable):
389-ds-base-1.3.7.5-10.el7.x86_64

Comment 2 wibrown@redhat.com 2017-11-28 14:52:42 UTC
Hmm again. I don't understand this issue. I think I need to see the filter that caused the crash to really understand this ....

Comment 3 wibrown@redhat.com 2017-11-28 14:58:17 UTC
I think it's a filter with an or and a wild card in it if that helps ....

Comment 4 wibrown@redhat.com 2017-11-28 15:37:23 UTC
Upstream ticket:
https://pagure.io/389-ds-base/issue/49471

Comment 5 Viktor Ashirov 2017-11-29 17:19:56 UTC
'(description:2.16.840.1.113730.3.3.2.1.1.6:=\*German\*)'

Comment 7 thierry bordaz 2017-12-08 10:46:42 UTC
Fix pushed upstream -> POST

Comment 9 Viktor Ashirov 2018-01-10 13:51:40 UTC
Build tested:
389-ds-base-1.3.7.5-11.el7.x86_64 (rebuilt with ASAN)

[root@qeos-46 tests]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com '(description:2.16.840.1.113730.3.3.2.1.1.6:=\*German\*)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (description:2.16.840.1.113730.3.3.2.1.1.6:=\*German\*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
[root@qeos-46 tests]# ldapsearch -D "cn=Directory Manager" -w Secret123 -b dc=example,dc=com '(description:2.16.840.1.113730.3.3.2.1.1.6:=\*German)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (description:2.16.840.1.113730.3.3.2.1.1.6:=\*German)
# requesting: ALL
#


# numResponses: 0
ldap_result: Can't contact LDAP server (-1)


Server crashes with the following ASAN backtrace:
=================================================================
==12186== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6006008de8bf at pc 0x7f2c9dcc39b8 bp 0x7f2c7b70df00 sp 0x7f2c7b70def0
READ of size 1 at 0x6006008de8bf thread T32
    #0 0x7f2c9dcc39b7 in ?? ldap/servers/plugins/collation/collate.c:259
    #1 0x7f2c9dcca21d in ss_filter_match ldap/servers/plugins/collation/orfilter.c:196
    #2 0x7f2ca4df3e0d in test_ava_filter ldap/servers/slapd/filterentry.c:521
    #3 0x7f2ca4df469a in test_ava_filter ldap/servers/slapd/filterentry.c:879
    #4 0x7f2ca4df6426 in slapi_vattr_filter_test_ext ldap/servers/slapd/filterentry.c:771
    #5 0x7f2c98cc050e in ldbm_back_next_search_entry_ext ldap/servers/slapd/back-ldbm/ldbm_search.c:1669
    #6 0x7f2ca4e4bec2 in iterate ldap/servers/slapd/opshared.c:1221
    #7 0x7f2ca4e4f2f2 in op_shared_search ldap/servers/slapd/opshared.c:811
    #8 0x5625a1eebc52 in do_search /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/search.c:332
    #9 0x5625a1ec50aa in connection_dispatch_operation /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:648
    #10 0x7f2ca2f56c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
    #11 0x7f2ca544c867 in _ZN6__asan10AsanThread11ThreadStartEv _asan_rtl_
    #12 0x7f2ca28f6dd4 in start_thread /usr/src/debug/glibc-2.17-c758a686/nptl/pthread_create.c:308
    #13 0x7f2ca1fa494c in __clone /usr/src/debug////////glibc-2.17-c758a686/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:113
0x6006008de8bf is located 1 bytes to the left of 24-byte region [0x6006008de8c0,0x6006008de8d8)
allocated by thread T32 here:
    #0 0x7f2ca5448ef9 in malloc _asan_rtl_
    #1 0x7f2ca4db6f07 in slapi_ch_malloc ldap/servers/slapd/ch_malloc.c:95
    #2 0x7f2c9dccb320 in ss_filter_keys ldap/servers/plugins/collation/orfilter.c:470
    #3 0x7f2ca4e7f63b in attempt_mr_filter_create ldap/servers/slapd/plugin_mr.c:590
    #4 0x7f2ca4e8059b in plugin_mr_filter_create ldap/servers/slapd/plugin_mr.c:612
    #5 0x7f2ca4deab45 in slapi_filter_dup ldap/servers/slapd/filter.c:699
    #6 0x7f2c98cbd447 in ldbm_back_search ldap/servers/slapd/back-ldbm/ldbm_search.c:891
    #7 0x7f2ca4e4ecfb in op_shared_search ldap/servers/slapd/opshared.c:755
    #8 0x5625a1eebc52 in do_search /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/search.c:332
    #9 0x5625a1ec50aa in connection_dispatch_operation /usr/src/debug/389-ds-base-1.3.7.5/ldap/servers/slapd/connection.c:648
    #10 0x7f2ca2f56c8a in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:216
Thread T32 created by T0 here:
    #0 0x7f2ca543da0a in __interceptor_pthread_create _asan_rtl_
    #1 0x7f2ca2f5695b in PR_Select /usr/src/debug/nspr-4.17.0/pr/src/pthreads/../../../nspr/pr/src/pthreads/ptthread.c:457
    #2 0x0
Shadow bytes around the buggy address:
  0x0c0140113cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0140113cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0140113ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0140113cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0140113d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0140113d10: fa fa 00 00 00 00 fa[fa]00 00 00 fa fa fa 00 00
  0x0c0140113d20: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
  0x0c0140113d30: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 06
  0x0c0140113d40: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c0140113d50: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c0140113d60: fd fd fd fd fa fa fd fd fd fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==12186== ABORTING

Marking as ASSIGNED.

Comment 10 thierry bordaz 2018-01-10 14:15:29 UTC
I think https://bugzilla.redhat.com/show_bug.cgi?id=1518069#c0 and https://bugzilla.redhat.com/show_bug.cgi?id=1518069#c9 could be different bugs.

The first one was a crash when parsing a filter, ss_unescape was assuming the remaining part of a buffer was >= 3.

The second crash looks to be when evaluating a filter, but I'm not sure about the condition of the crash.
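
An added illustration, not code from 389-ds-base, of the bounds check the ss_unescape crash calls for: the remaining length of the berval-style [in, in+len) buffer is computed before s[1] or s[2] is read, so a value ending in a lone backslash is refused instead of being read past its allocation. The function names, the lenient "\c" escape form and the test helpers are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical bounded unescape of an LDAP assertion value (not the
 * project's ss_unescape). Input is the non-NUL-terminated range
 * [in, in+len), as a berval would be; out must hold at least len bytes.
 * Handles RFC 4515 "\XX" hex escapes and a lenient "\c" form such as "\*".
 * Returns the output length, or -1 when a backslash has fewer bytes after
 * it than the escape needs: that is exactly the input for which an
 * unconditional read of s[1] and s[2] runs off the end of the allocation. */
long unescape_value(const char *in, size_t len, char *out)
{
    const char *s = in, *end = in + len;
    char *t = out;
    while (s < end) {
        if (*s != '\\') { *t++ = *s++; continue; }
        size_t remaining = (size_t)(end - s); /* bytes left, counting the '\' */
        if (remaining >= 3 && hexval(s[1]) >= 0 && hexval(s[2]) >= 0) {
            *t++ = (char)(hexval(s[1]) * 16 + hexval(s[2]));
            s += 3;
        } else if (remaining >= 2) {
            *t++ = s[1]; /* "\*" -> '*', "\\" -> '\' */
            s += 2;
        } else {
            return -1;   /* lone trailing '\': refuse rather than read past end */
        }
    }
    return (long)(t - out);
}

/* Test helpers: do the unescaped bytes equal `expected`, or is the input refused? */
int unescape_equals(const char *in, size_t len, const char *expected)
{
    char buf[256];
    if (len > sizeof buf) return 0;
    long n = unescape_value(in, len, buf);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(buf, expected, (size_t)n) == 0;
}

int unescape_rejects(const char *in, size_t len)
{
    char buf[256];
    return len <= sizeof buf && unescape_value(in, len, buf) < 0;
}
```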

Comment 11 thierry bordaz 2018-01-10 18:00:51 UTC
Just a note: I think the crashing routine is not in collate.c.
Looking at the process and the offset in the loaded libraries, I think we are in libicu.

==11599== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x600600a7508f at pc 0x7fc0b2ad99b8 bp 0x7fc08b0d0f00 sp 0x7fc08b0d0ef0
READ of size 1 at 0x600600a7508f thread T40
    #0 0x7fc0b2ad99b7 in ?? ldap/servers/plugins/collation/collate.c:259 << OR libICU
    #1 0x7fc0b2ae021d in ss_filter_match ldap/servers/plugins/collation/orfilter.c:196
    #2 0x7fc0b9c09e0d in test_ava_filter ldap/servers/slapd/filterentry.c:521
    #3 0x7fc0b9c0a69a in test_ava_filter ldap/servers/slapd/filterentry.c:879
    #4 0x7fc0b9c0c426 in slapi_vattr_filter_test_ext ldap/servers/slapd

Comment 12 thierry bordaz 2018-01-11 11:54:10 UTC
I was wrong, the head of the stack is in SetUnicodeStringFromUTF_8 (collate.c).
I initially thought symbols were broken because the stack is weird: for example, ss_filter_match does call collation_index (not inlined), which later calls SetUnicodeStringFromUTF_8. But other functions of the backtrace are missing.

I think I identified the reason for the violation and will prepare a patch.
It is a different issue than this current bug. Could you open a separate bug to handle it?

Comment 13 Viktor Ashirov 2018-01-11 12:11:08 UTC
Thank you for your investigation, Thierry!
Sure, I will open a new bugzilla. And since the original bug is fixed, I'm marking this as VERIFIED.

Comment 14 Viktor Ashirov 2018-01-11 12:15:27 UTC
New bug: https://bugzilla.redhat.com/show_bug.cgi?id=1533458

Comment 17 errata-xmlrpc 2018-04-10 14:22:34 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0811

