erthink/ReOpenLDAP

current devel: tests/progs/slapd_bind use after free

erthink opened this issue · 0 comments

=================================================================
==26976==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000009b0 at pc 0x556c7be7caa3 bp 0x7ffc0dcc7900 sp 0x7ffc0dcc70a8
READ of size 7 at 0x6040000009b0 thread T0
    #0 0x556c7be7caa2 in __interceptor_memcpy.part.234 (/home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/tests/progs/slapd_bind+0x8baa2)
    #1 0x556c7bf41b3a in ber_write /home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/libraries/libreldap/io.c:110
    #2 0x556c7bf2e690 in ber_put_ostring /home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/libraries/libreldap/encode.c:233
    #3 0x556c7bf2f94d in ber_printf /home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/libraries/libreldap/encode.c:559
    #4 0x556c7bf627f8 in ldap_build_bind_req /home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/libraries/libreldap/sasl.c:83
    #5 0x556c7bf62ad7 in ldap_sasl_bind /home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/libraries/libreldap/sasl.c:159
    #6 0x556c7bf6368f in ldap_sasl_bind_s /home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/libraries/libreldap/sasl.c:198
    #7 0x556c7bf24a0a in tester_init_ld /home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/tests/progs/slapd-common.c:538
    #8 0x556c7be203d2 in do_base /home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/tests/progs/slapd-bind.c:383
    #9 0x556c7be203d2 in main /home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/tests/progs/slapd-bind.c:187
    #10 0x7fbcac1171c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
    #11 0x556c7be240b9 in _start (/home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/tests/progs/slapd_bind+0x330b9)

0x6040000009b0 is located 32 bytes inside of 48-byte region [0x604000000990,0x6040000009c0)
freed by thread T0 here:
    #0 0x556c7bee1b08 in __interceptor_free (/home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/tests/progs/slapd_bind+0xf0b08)
    #1 0x556c7be20991 in do_base /home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/tests/progs/slapd-bind.c:505
    #2 0x556c7be20991 in main /home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/tests/progs/slapd-bind.c:187

previously allocated by thread T0 here:
    #0 0x556c7bee1ea0 in __interceptor_malloc (/home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/tests/progs/slapd_bind+0xf0ea0)
    #1 0x556c7bf47885 in ber_memalloc_x /home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/libraries/libreldap/memory.c:124
    #2 0x60400000092f  (<unknown module>)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/ly/Projects/reopenldap.git/@ci-buzz.pool/@8.devel/src/tests/progs/slapd_bind+0x8baa2) in __interceptor_memcpy.part.234
Shadow bytes around the buggy address:
  0x0c087fff80e0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c087fff80f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8100: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8110: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c087fff8120: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
=>0x0c087fff8130: fa fa fd fd fd fd[fd]fd fa fa fd fd fd fd fd fd
  0x0c087fff8140: fa fa fd fd fd fd fd fd fa fa f7 f7 f7 f7 05 f7
  0x0c087fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c087fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==26976==ABORTING
commit 096d09faf6d4ba197fa716625463bca1ea0fcc00
Author: Leo Yuriev <leo@yuriev.ru>
Date:   2018-02-01 19:13:05 +0300

    syncprov: fixes for delta-syncrepl with empty accesslog (ITS#8100).
    
    Update syncprov contextCSNs when context entry is added.
    Fix accesslog to properly tag Add op when adding context entry.
    
    Note: This commit differs significantly from Howard's ca7f697e14087234e44c96fb7edd81cfb14183dc.
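Added example (not ReOpenLDAP code, and not a diagnosis of the report above): a minimal C model of the bug class the sanitizer output describes, a heap buffer that is freed at the end of one pass through a loop and handed to the encoder's memcpy on the next pass. The trace is consistent with that shape, since the use site (slapd-bind.c:383, via tester_init_ld) is an earlier line of do_base than the free site (slapd-bind.c:505), but the actual root cause in slapd-bind.c is not established here. All names below (cred_t, cred_alloc, cred_free, build_bind_req, do_base_buggy, do_base_fixed) and the 7-byte secret are constructed for illustration; the buggy variant is only meant to be run under -fsanitize=address, where it produces a report of the same shape as the one above (READ in memcpy, "freed by" at a later line of the same function than the use).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for struct berval: pointer + length of a credential. */
typedef struct {
    char *bv_val;
    size_t bv_len;
} cred_t;

/* Stand-in for the ldap_build_bind_req -> ber_printf -> ber_write path:
 * copies the credential bytes into the outgoing request buffer.  The memcpy
 * here plays the role of the one ASan flagged as the READ of freed memory.
 * Returns bytes written, or 0 if the request buffer is too small. */
static size_t build_bind_req(char *out, size_t outlen, const cred_t *cred) {
    if (cred->bv_len + 1 > outlen)
        return 0;
    out[0] = (char)cred->bv_len;          /* toy one-byte length prefix */
    memcpy(out + 1, cred->bv_val, cred->bv_len);
    return cred->bv_len + 1;
}

/* Allocate a fresh heap copy of the password into cred.  Returns 0 or -1. */
static int cred_alloc(cred_t *cred, const char *password) {
    cred->bv_len = strlen(password);
    cred->bv_val = malloc(cred->bv_len + 1);
    if (cred->bv_val == NULL)
        return -1;
    memcpy(cred->bv_val, password, cred->bv_len + 1);
    return 0;
}

/* BUGGY: the buffer is freed at the bottom of each iteration, but bv_val is
 * left dangling, so the "do we already hold a credential?" check at the top of
 * the next iteration is false, the encoder reads freed memory, and the bottom
 * of that iteration frees the block a second time.  Returns total bytes
 * encoded, or -1 on allocation failure.  Run only under ASan. */
static long do_base_buggy(const char *password, int rounds) {
    cred_t cred = { NULL, 0 };
    char req[64];
    long total = 0;
    for (int i = 0; i < rounds; i++) {
        if (cred.bv_val == NULL && cred_alloc(&cred, password) != 0)
            return -1;
        total += (long)build_bind_req(req, sizeof req, &cred); /* UAF when i >= 1 */
        free(cred.bv_val);                 /* cred.bv_val still points here */
    }
    return total;
}

/* FIXED: release and reset together, so a freed credential can never be
 * observed as "still allocated" by a later iteration. */
static void cred_free(cred_t *cred) {
    free(cred->bv_val);
    cred->bv_val = NULL;
    cred->bv_len = 0;
}

static long do_base_fixed(const char *password, int rounds) {
    cred_t cred = { NULL, 0 };
    char req[64];
    long total = 0;
    for (int i = 0; i < rounds; i++) {
        if (cred.bv_val == NULL && cred_alloc(&cred, password) != 0)
            return -1;
        total += (long)build_bind_req(req, sizeof req, &cred);
        cred_free(&cred);                  /* next iteration reallocates */
    }
    return total;
}

int main(void) {
    /* Constructed input: a 7-byte secret, the same size as the READ reported above. */
    printf("fixed: %ld bytes encoded over 3 binds\n", do_base_fixed("hunter2", 3));
    /* Build with: cc -g -fsanitize=address uaf_demo.c && ./a.out
     * The call below then aborts with an ASan heap-use-after-free report
     * whose "freed by" frame sits below the use site in this same function. */
    printf("buggy: %ld\n", do_base_buggy("hunter2", 2));
    return 0;
}
```

The check worth carrying back to the real code is the one the fixed variant encodes: any free of a berval-like buffer that survives across iterations of a bind loop must be paired with resetting the pointer (or the struct) so that the next iteration's "already allocated?" test cannot see a dangling value; ASan with -g makes the pairing visible because the "freed by" frame carries its own line number.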