[Pkg-openldap-devel] Bug#895450: slapd: segfault in back_mdb
Ferenc Wágner
wferi at debian.org
Wed Apr 11 16:41:08 UTC 2018
Package: slapd
Version: 2.4.44+dfsg-5+deb9u1
Severity: normal
Dear Maintainer,
A partial replica slave crashed with
Apr 3 14:53:51 birch kernel: [1906479.552078] slapd[4515]: segfault at 4c ip 00007f71abdbfc9b sp 00007f716f184780 error 4 in back_mdb-2.4.so.2.10.7[7f71abdb0000+39000]
Unfortunately it didn't create a core file, but I lifted the limit now.
Based on the very little data in the kernel message, it was caused by a wrong
pointer in the mdb_modify_internal() function at offset 299:
96 for ( ml = modlist; ml != NULL; ml = ml->sml_next ) {
0x000000000000fc8e <+286>: mov 0x30(%rbx),%rbx /* ml = ml->sml_next */
0x000000000000fc92 <+290>: test %rbx,%rbx /* exit if NULL */
0x000000000000fc95 <+293>: je 0x10410 <mdb_modify_internal+2208>
97 int match;
98 mod = &ml->sml_mod; /* mod = ml */
99 switch( mod->sm_op ) {
0x000000000000fc9b <+299>: movzwl 0x1c(%rbx),%eax /* read mod->sm_op */
0x000000000000fc9f <+303>: test %ax,%ax /* test for LDAP_MOD_ADD */
0x000000000000fca2 <+306>: jne 0xfc88 <mdb_modify_internal+280>
As far as I understand it, ml (in %rbx) must have been 0x30=0x4c-0x1c
there, which is an invalid value. By coincidence, the offset of
sml_next is also 0x30 in the structure pointed to by ml, because the
size of struct Modification (ml->sml_mod) is 0x30 bytes. I can't see
how these quantities could enter %rbx, though, just noting it.
Does this ring any bells? This crash does not happen frequently, so I
decided to report this little info now, but I'll add more as I get any.
--
Thanks,
Feri.
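A small triage helper, added here and not part of the bug report or of OpenLDAP: it parses the kernel segfault line quoted above, computes the offset of the faulting instruction inside back_mdb-2.4.so (ip minus the mapping base, which for a shared object mapped from file offset 0 matches the gdb/objdump offset), decodes the x86 page-fault error code, and recovers the base register from the instruction's displacement. The displacement 0x1c comes from the `movzwl 0x1c(%rbx),%eax` line in the disassembly; the function names and the embedded copy of the log line are mine.

```python
import re

# Constructed copy of the kernel message from the report (one line).
KERNEL_LINE = (
    "Apr 3 14:53:51 birch kernel: [1906479.552078] slapd[4515]: segfault at 4c "
    "ip 00007f71abdbfc9b sp 00007f716f184780 error 4 "
    "in back_mdb-2.4.so.2.10.7[7f71abdb0000+39000]"
)

# Shape of the x86 "segfault at" line printed by the Linux kernel.
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+) "
    r"in (?P<obj>\S+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)


def parse_segfault(line):
    """Split a kernel segfault line into numeric fields and decoded error bits."""
    m = SEGFAULT_RE.search(line)
    if not m:
        raise ValueError("not an x86 segfault line")
    d = m.groupdict()
    err = int(d["err"])
    return {
        "comm": d["comm"],
        "pid": int(d["pid"]),
        "fault_addr": int(d["addr"], 16),
        "ip": int(d["ip"], 16),
        "sp": int(d["sp"], 16),
        "object": d["obj"],
        "base": int(d["base"], 16),
        "size": int(d["size"], 16),
        # x86 page-fault error code: bit0 = protection violation (0 = page not
        # present), bit1 = write access, bit2 = fault taken in user mode.
        "present": bool(err & 1),
        "write": bool(err & 2),
        "user": bool(err & 4),
    }


def offset_in_object(info):
    """Offset of the faulting instruction inside the mapped shared object.

    Comparable with the addresses gdb/objdump print for a PIC .so whose
    first segment starts at file offset 0 (the usual case).
    """
    off = info["ip"] - info["base"]
    if not 0 <= off < info["size"]:
        raise ValueError("ip lies outside the reported mapping")
    return off


def recover_base_register(fault_addr, displacement):
    """For a faulting `mov disp(%reg), ...`, the register held fault_addr - disp."""
    return (fault_addr - displacement) & 0xFFFFFFFFFFFFFFFF


def triage(line, displacement):
    """Combine the three steps into the facts a reporter would put in a bug."""
    info = parse_segfault(line)
    access = "write" if info["write"] else "read"
    kind = "protection violation" if info["present"] else "unmapped page"
    return {
        "object": info["object"],
        "offset": offset_in_object(info),
        "access": f"{access} of {kind} from {'user' if info['user'] else 'kernel'} mode",
        "register_value": recover_base_register(info["fault_addr"], displacement),
    }


if __name__ == "__main__":
    r = triage(KERNEL_LINE, 0x1C)
    print(f"{r['object']}+0x{r['offset']:x}: {r['access']}; "
          f"base register held 0x{r['register_value']:x}")
```

Running it on the quoted line gives offset 0xfc9b in back_mdb-2.4.so, which is exactly the `<+299>` address in the disassembly, a user-mode read of an unmapped page, and a register value of 0x30. A base register holding a number that small is the signature of a pointer field that was never assigned or was overwritten with an offset-sized value, which is why the report's observation about the sml_next offset is worth keeping alongside the crash data.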