View Issue Details

ID: 0011191
Project: CentOS-7
Category: openldap
View Status: public
Last Update: 2021-01-25 08:21
Reporter: delder
Assigned To:
Priority: normal
Severity: crash
Reproducibility: always
Status: new
Resolution: open
Platform: x86_64
OS: CentOS
OS Version: 7.2.1511
Product Version: 7.2.1511
Summary: 0011191: Slapd Crash on Nessus SSL/TLS Scan
Description: With the following OpenLDAP packages installed and OpenLDAP configured with SSL/TLS support, I'm able to obtain a crash every time I run a Nessus PCI scan against the system.

openldap-2.4.40-9.el7_2.x86_64
nss-3.21.0-9.el7_2.x86_64

OpenLDAP is configured with the following encryption/security related settings:

olcDisallows: bind_anon
olcSecurity: ssf=128
olcTLSCACertificatePath: /etc/openldap/certs
olcTLSCertificateFile: /etc/openldap/certs/cert.crt
olcTLSCertificateKeyFile: /etc/openldap/certs/key.key
olcTLSCipherSuite: HIGH
olcTLSProtocolMin: 3.2

I've tried different values but the result is the same. OpenLDAP is working perfectly for multi-master replication between 4 nodes and TLS is working perfectly, but some SSL/TLS check being performed by Nessus is able to trigger a segfault every time a scan is run.

[ 845.917117] slapd[737]: segfault at 10 ip 00007feffa619c65 sp 00007fefde472550 error 4 in libnss3.so[7feffa5d3000+11e000]
[ 1760.644126] slapd[4223]: segfault at 10 ip 00007f1a9959fc65 sp 00007f1a677fd550 error 4 in libnss3.so[7f1a99559000+11e000]
[ 2132.832150] slapd[5699]: segfault at 10 ip 00007fef3089fc65 sp 00007fef0c823550 error 4 in libnss3.so[7fef30859000+11e000]

Steps To Reproduce:
1) Configure OpenLDAP for SSL/TLS
2) Run Nessus PCI scan (safe checks enabled)
3) slapd segfaults
Additional Information: gdb trace:

Program received signal SIGPIPE, Broken pipe.
[Switching to Thread 0x7fef0effd700 (LWP 4882)]
0x00007fef3064b1cd in write () at ../sysdeps/unix/syscall-template.S:81
81 T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
(gdb) backtrace full
#0 0x00007fef3064b1cd in write () at ../sysdeps/unix/syscall-template.S:81
No locals.
#1 0x00007fef31163308 in sb_debug_write (sbiod=0x7feef8301ac0, buf=0x7feef80f8bb0, len=37) at sockbuf.c:854
        ret = <optimized out>
        ebuf = " \000\000\000\000\000\000\000 ؈0\357\177\000\000\b\000\000\000\000\000\000\000\265\213\017\370\356\177\000\000\240Ś\b ", '\000' <repeats 19 times>, " ", '\000' <repeats 16 times>, "\005\026uV\355\226\b\020\320[2\357\177\000\000`v\017\370\356\177\000\000\020[\017\370\356\177\000\000\005\000\000\000\000\000\000\000\002", '\000' <repeats 14 times>
#2 0x00007fef313a7877 in tlsm_PR_Send (fd=<optimized out>, buf=0x7feef80f8bb0, len=37, timeout=<optimized out>, flags=<optimized out>) at tls_m.c:3162
        p = 0x7feef82c3a40
        rc = <optimized out>
#3 0x00007fef2f5d30dc in ssl_DefSend (ss=ss@entry=0x7feef80f5a70, buf=0x7feef80f8bb0 "\025\003\001", len=37, flags=flags@entry=0) at ssldef.c:94
        rv = <optimized out>
        lower = 0x7feef8301a80
        sent = 0
#4 0x00007fef2f5c2dbd in ssl3_SendRecord (ss=ss@entry=0x7feef80f5a70, epoch=epoch@entry=0, type=type@entry=content_alert, pIn=0x7fef0effc892 "Z2\357\177", pIn@entry=0x7fef0effc890 "\001", nIn=0, nIn@entry=2,
    flags=flags@entry=0) at ssl3con.c:3011
        sent = <optimized out>
        contentLen = 2
        spaceNeeded = <optimized out>
        numRecords = <optimized out>
        wrBuf = 0x7feef80f5b10
        rv = <optimized out>
        totalSent = 0
        capRecordVersion = 0
#5 0x00007fef2f5c3362 in SSL3_SendAlert (ss=ss@entry=0x7feef80f5a70, level=level@entry=alert_warning, desc=desc@entry=close_notify) at ssl3con.c:3304
        sent = <optimized out>
        bytes = "\001"
        rv = SECSuccess
#6 0x00007fef2f5d8e6d in ssl_SecureShutdown (ss=0x7feef80f5a70, nsprHow=2) at sslsecur.c:1188
        osfd = 0x7feef8301a80
        rv = <optimized out>
        sslHow = 3
#7 0x00007fef2f5dce46 in ssl_Shutdown (fd=<optimized out>, how=2) at sslsock.c:2343
        ss = 0x7feef80f5a70
        rv = <optimized out>
#8 0x00007fef313a742f in tlsm_sb_close (sbiod=<optimized out>) at tls_m.c:3392
        p = <optimized out>
#9 0x00007fef311644d2 in ber_int_sb_close (sb=sb@entry=0x7fef041a4fb0) at sockbuf.c:383
        p = 0x7feef830c880
        __PRETTY_FUNCTION__ = "ber_int_sb_close"
#10 0x00007fef311645c4 in ber_sockbuf_free (sb=0x7fef041a4fb0) at sockbuf.c:74
        __PRETTY_FUNCTION__ = "ber_sockbuf_free"
#11 0x00007fef31827671 in slapd_remove (s=35, sb=0x7fef041a4fb0, wasactive=<optimized out>, wake=0, locked=<optimized out>) at daemon.c:908
        waswriter = <optimized out>
        wasreader = <optimized out>
        id = 0
        __PRETTY_FUNCTION__ = "slapd_remove"
#12 0x00007fef3182c28f in connection_destroy (c=0x7fef325bd010) at connection.c:705
        connid = 1033
        close_reason = 0x7fef319366d0 <conn_lost_str> "connection lost"
        sb = 0x7fef041a4fb0
        sd = 35
#13 connection_close (c=0x7fef325bd010) at connection.c:855
        c = 0x7fef325bd010
#14 0x00007fef3182d2ff in connection_read (cri=<synthetic pointer>, s=<optimized out>) at connection.c:1477
        rc = <optimized out>
        c = 0x7fef325bd010
#15 connection_read_thread (ctx=0x7fef0effcbd0, argv=0x23) at connection.c:1284
        rc = <optimized out>
        cri = {op = 0x0, func = 0x0, arg = 0x0, ctx = <optimized out>, nullop = <optimized out>}
        s = <optimized out>
#16 0x00007fef3137ceda in ldap_int_thread_pool_wrapper (xpool=0x7fef32511fb0) at tpool.c:688
        pool = 0x7fef32511fb0
        task = 0x7fef1000e160
        work_list = <optimized out>
        ctx = {ltu_id = 140664725559040, ltu_key = {{ltk_key = 0x7fef318854c0 <slap_sl_mem_init>, ltk_data = 0x7fef040008c0, ltk_free = 0x7fef31885380 <slap_sl_mem_destroy>}, {ltk_key = 0x7fef3182adc0 <conn_counter_init>,
              ltk_data = 0x7fef04190270, ltk_free = 0x7fef3182aea0 <conn_counter_destroy>}, {ltk_key = 0x7fef31841590 <slap_op_free>, ltk_data = 0x7fef041a44f0, ltk_free = 0x7fef318414f0 <slap_op_q_destroy>}, {
              ltk_key = 0x7fef3279d0b0, ltk_data = 0x7fef041dd990, ltk_free = 0x7fef318f8e00 <bdb_reader_free>}, {ltk_key = 0x0, ltk_data = 0x0, ltk_free = 0x0} <repeats 28 times>}}
        kctx = <optimized out>
        keyslot = <optimized out>
        hash = <optimized out>
        __PRETTY_FUNCTION__ = "ldap_int_thread_pool_wrapper"
#17 0x00007fef30644dc5 in start_thread (arg=0x7fef0effd700) at pthread_create.c:308
        __res = <optimized out>
        pd = 0x7fef0effd700
        now = <optimized out>
        unwind_buf = {cancel_jmp_buf = {{jmp_buf = {140664725559040, -6420730494051238253, 0, 140664725559744, 140664725559040, 140665308591776, 6429704708516920979, 6429622301025943187}, mask_was_saved = 0}}, priv = {pad = {
              0x0, 0x0, 0x0, 0x0}, data = {prev = 0x0, cleanup = 0x0, canceltype = 0}}}
        not_first_call = <optimized out>
        pagesize_m1 = <optimized out>
        sp = <optimized out>
        freesize = <optimized out>
#18 0x00007fef2fb05ced in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113
No locals.
(gdb) info registers
rax 0xffffffffffffffe0 -32
rbx 0x0 0
rcx 0xffffffffffffffff -1
rdx 0x25 37
rsi 0x7feef80f8bb0 140664340712368
rdi 0x23 35
rbp 0x0 0x0
rsp 0x7fef0effcf20 0x7fef0effcf20
r8 0xffffffff 4294967295
r9 0x0 0
r10 0x7fef089abf00 140664618270464
r11 0x293 659
r12 0x0 0
r13 0x7fef0effd9c0 140664725559744
r14 0x7fef0effd700 140664725559040
r15 0x7fef31c036a0 140665308591776
rip 0x7fef30644dc5 0x7fef30644dc5 <start_thread+197>
eflags 0x293 [ CF AF SF IF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/16i $pc
=> 0x7fef30644dc5 <start_thread+197>: mov %rax,%fs:0x630
   0x7fef30644dce <start_thread+206>: callq 0x7fef30644b30 <__nptl_deallocate_tsd>
   0x7fef30644dd3 <start_thread+211>: callq 0x7fef30642620 <__libc_thread_freeres@plt>
   0x7fef30644dd8 <start_thread+216>: lock decl 0x20f481(%rip) # 0x7fef30854260 <__nptl_nthreads>
   0x7fef30644ddf <start_thread+223>: sete %al
   0x7fef30644de2 <start_thread+226>: test %al,%al
   0x7fef30644de4 <start_thread+228>: jne 0x7fef30644ea7 <start_thread+423>
   0x7fef30644dea <start_thread+234>: mov 0x8(%rsp),%rax
   0x7fef30644def <start_thread+239>: cmpb $0x0,0x611(%rax)
   0x7fef30644df6 <start_thread+246>: jne 0x7fef30644eef <start_thread+495>
   0x7fef30644dfc <start_thread+252>: mov 0x8(%rsp),%rbx
   0x7fef30644e01 <start_thread+257>: lock orl $0x10,0x308(%rbx)
   0x7fef30644e09 <start_thread+265>: callq 0x7fef30642690 <__getpagesize@plt>
   0x7fef30644e0e <start_thread+270>: mov 0x690(%rbx),%rdi
   0x7fef30644e15 <start_thread+277>: lea -0x1(%rax),%esi
   0x7fef30644e18 <start_thread+280>: mov %rsp,%rax
(gdb) thread apply all backtrace

Thread 7 (Thread 0x7fef15e89700 (LWP 4879)):
#0 0x00007fef2fb062c3 in epoll_wait () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007fef31827e98 in slapd_daemon_task (ptr=<optimized out>) at daemon.c:2536
#2 0x00007fef30644dc5 in start_thread (arg=0x7fef15e89700) at pthread_create.c:308
#3 0x00007fef2fb05ced in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 6 (Thread 0x7fef0ffff700 (LWP 4880)):
#0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1 0x00007fef3137cf2b in ldap_int_thread_pool_wrapper (xpool=0x7fef32511fb0) at tpool.c:675
#2 0x00007fef30644dc5 in start_thread (arg=0x7fef0ffff700) at pthread_create.c:308
#3 0x00007fef2fb05ced in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 5 (Thread 0x7fef0f7fe700 (LWP 4881)):
#0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1 0x00007fef3137cf2b in ldap_int_thread_pool_wrapper (xpool=0x7fef32511fb0) at tpool.c:675
#2 0x00007fef30644dc5 in start_thread (arg=0x7fef0f7fe700) at pthread_create.c:308
#3 0x00007fef2fb05ced in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 4 (Thread 0x7fef0effd700 (LWP 4882)):
#0 0x00007fef3064b1cd in write () at ../sysdeps/unix/syscall-template.S:81
#1 0x00007fef31163308 in sb_debug_write (sbiod=0x7feef8301ac0, buf=0x7feef80f8bb0, len=37) at sockbuf.c:854
#2 0x00007fef313a7877 in tlsm_PR_Send (fd=<optimized out>, buf=0x7feef80f8bb0, len=37, timeout=<optimized out>, flags=<optimized out>) at tls_m.c:3162
#3 0x00007fef2f5d30dc in ssl_DefSend (ss=ss@entry=0x7feef80f5a70, buf=0x7feef80f8bb0 "\025\003\001", len=37, flags=flags@entry=0) at ssldef.c:94
#4 0x00007fef2f5c2dbd in ssl3_SendRecord (ss=ss@entry=0x7feef80f5a70, epoch=epoch@entry=0, type=type@entry=content_alert, pIn=0x7fef0effc892 "Z2\357\177", pIn@entry=0x7fef0effc890 "\001", nIn=0, nIn@entry=2,
    flags=flags@entry=0) at ssl3con.c:3011
#5 0x00007fef2f5c3362 in SSL3_SendAlert (ss=ss@entry=0x7feef80f5a70, level=level@entry=alert_warning, desc=desc@entry=close_notify) at ssl3con.c:3304
#6 0x00007fef2f5d8e6d in ssl_SecureShutdown (ss=0x7feef80f5a70, nsprHow=2) at sslsecur.c:1188
#7 0x00007fef2f5dce46 in ssl_Shutdown (fd=<optimized out>, how=2) at sslsock.c:2343
#8 0x00007fef313a742f in tlsm_sb_close (sbiod=<optimized out>) at tls_m.c:3392
#9 0x00007fef311644d2 in ber_int_sb_close (sb=sb@entry=0x7fef041a4fb0) at sockbuf.c:383
#10 0x00007fef311645c4 in ber_sockbuf_free (sb=0x7fef041a4fb0) at sockbuf.c:74
#11 0x00007fef31827671 in slapd_remove (s=35, sb=0x7fef041a4fb0, wasactive=<optimized out>, wake=0, locked=<optimized out>) at daemon.c:908
#12 0x00007fef3182c28f in connection_destroy (c=0x7fef325bd010) at connection.c:705
#13 connection_close (c=0x7fef325bd010) at connection.c:855
#14 0x00007fef3182d2ff in connection_read (cri=<synthetic pointer>, s=<optimized out>) at connection.c:1477
#15 connection_read_thread (ctx=0x7fef0effcbd0, argv=0x23) at connection.c:1284
#16 0x00007fef3137ceda in ldap_int_thread_pool_wrapper (xpool=0x7fef32511fb0) at tpool.c:688
#17 0x00007fef30644dc5 in start_thread (arg=0x7fef0effd700) at pthread_create.c:308
#18 0x00007fef2fb05ced in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 3 (Thread 0x7fef0dceb700 (LWP 4886)):
#0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1 0x00007fef3137cf2b in ldap_int_thread_pool_wrapper (xpool=0x7fef32511fb0) at tpool.c:675
#2 0x00007fef30644dc5 in start_thread (arg=0x7fef0dceb700) at pthread_create.c:308
#3 0x00007fef2fb05ced in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 2 (Thread 0x7fef0d4ea700 (LWP 4887)):
#0 pthread_cond_wait@@GLIBC_2.3.2 () at ../nptl/sysdeps/unix/sysv/linux/x86_64/pthread_cond_wait.S:185
#1 0x00007fef3137cf2b in ldap_int_thread_pool_wrapper (xpool=0x7fef32511fb0) at tpool.c:675
#2 0x00007fef30644dc5 in start_thread (arg=0x7fef0d4ea700) at pthread_create.c:308
#3 0x00007fef2fb05ced in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:113

Thread 1 (Thread 0x7fef317d1740 (LWP 4876)):
#0 0x00007fef30645ef7 in pthread_join (threadid=140664841475840, thread_return=thread_return@entry=0x0) at pthread_join.c:92
#1 0x00007fef3137d5f5 in ldap_pvt_thread_join (thread=<optimized out>, thread_return=thread_return@entry=0x0) at thr_posix.c:197
#2 0x00007fef31829d91 in slapd_daemon () at daemon.c:2929
#3 0x00007fef31810b12 in main (argc=<optimized out>, argv=0x7ffee8a69538) at main.c:1016
Tags: No tags attached.

Activities

cmosmar (reporter), 2016-08-08 20:49, note ~0027220

I have the same problem:

Aug 7 11:27:54 mwwl3jasauth001 journal: Suppressed 3567 messages from /system.slice/slapd.service

Aug 7 11:27:54 mwwl3jasauth001 kernel: slapd[9092]: segfault at 10 ip 00007f60dbf66c65 sp 00007f60c1143550 error 4 in libnss3.so[7f60dbf20000+11e000]
Aug 7 11:27:54 mwwl3jasauth001 systemd: slapd.service: main process exited, code=killed, status=11/SEGV
Aug 7 11:27:54 mwwl3jasauth001 systemd: Unit slapd.service entered failed state.
Aug 7 11:27:54 mwwl3jasauth001 systemd: slapd.service failed.

Have you already found a solution?
BenShade (reporter), 2016-11-07 13:02, note ~0027859

Nov 4 12:05:03 n000a427 kernel: slapd[17037]: segfault at 10 ip 00007fc240dcdc65 sp 00007fc221b33550 error 4 in libnss3.so[7fc240d87000+11e000]
Nov 4 12:05:03 n000a427 systemd: slapd.service: main process exited, code=killed, status=11/SEGV
Nov 4 12:05:03 n000a427 systemd: Unit slapd.service entered failed state.
Nov 4 12:05:03 n000a427 systemd: slapd.service failed.

I have the same problem - same build as original.
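The kernel segfault lines quoted in the report and in the two comments above can be checked automatically for whether they are one and the same crash site. This is an added example and not part of the bug report: it parses the lines copied from this page, decodes the x86 page-fault error code, flags the fault address as a NULL-pointer-relative dereference, and groups the crashes by the ASLR-independent offset of the instruction pointer inside libnss3.so.

```python
import re
from collections import Counter

# Kernel segfault lines copied from this bug report and its comments (sample
# input for the example; the last line is a systemd line that must be ignored).
SAMPLE_LINES = """\
[ 845.917117] slapd[737]: segfault at 10 ip 00007feffa619c65 sp 00007fefde472550 error 4 in libnss3.so[7feffa5d3000+11e000]
[ 1760.644126] slapd[4223]: segfault at 10 ip 00007f1a9959fc65 sp 00007f1a677fd550 error 4 in libnss3.so[7f1a99559000+11e000]
Aug 7 11:27:54 mwwl3jasauth001 kernel: slapd[9092]: segfault at 10 ip 00007f60dbf66c65 sp 00007f60c1143550 error 4 in libnss3.so[7f60dbf20000+11e000]
Nov 4 12:05:03 n000a427 kernel: slapd[17037]: segfault at 10 ip 00007fc240dcdc65 sp 00007fc221b33550 error 4 in libnss3.so[7fc240d87000+11e000]
Nov 4 12:05:03 n000a427 systemd: slapd.service: main process exited, code=killed, status=11/SEGV
"""

SEGFAULT_RE = re.compile(
    r"(?P<comm>[\w.-]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+) "
    r"in (?P<lib>[^\[ ]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)

def decode_error(err):
    """x86 page-fault error code as printed by the kernel: bit 0 protection
    violation (clear: page not present), bit 1 write, bit 2 user mode, bit 4 fetch."""
    return {"present": bool(err & 1), "write": bool(err & 2),
            "user": bool(err & 4), "instr_fetch": bool(err & 16)}

def parse_segfault(line):
    """Return the crash facts from one kernel segfault line, or None."""
    m = SEGFAULT_RE.search(line)
    if not m:
        return None
    addr, ip, base = (int(m.group(k), 16) for k in ("addr", "ip", "base"))
    return {
        "comm": m.group("comm"),
        "pid": int(m.group("pid")),
        "lib": m.group("lib"),
        # ip minus the mapping base survives ASLR, so equal offsets across
        # reboots and hosts mean the same faulting instruction.
        "offset": ip - base,
        "error": decode_error(int(m.group("err"), 16)),
        # A fault address inside the first page (here 0x10) is a NULL struct
        # pointer dereferenced at a small field offset, not a wild pointer.
        "null_deref": addr < 4096,
    }

def crash_sites(lines):
    """Count crashes per (library, offset); a single dominant site is a
    deterministic bug rather than random memory corruption."""
    found = (parse_segfault(line) for line in lines)
    return Counter((c["lib"], c["offset"]) for c in found if c)
```

Run over the five lines above, every crash decodes to a user-mode read of a non-present page at offset 0x46c65 in libnss3.so, which is what makes the report reproducible rather than a random corruption.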
delder (reporter), 2016-11-22 18:02, note ~0027973

The only workaround I've found is just to restart slapd when it crashes. Adding the following to slapd.service does the trick:

Restart=on-failure
RestartSec=3

It's very concerning, though, that slapd segfaults so easily from unauthenticated network traffic; the potential to exploit this for more than a DoS attack should be cause for review.
delder (reporter), 2016-11-22 18:04, note ~0027974

I've tried reproducing this on an openSUSE system and was unable to do so. We may just switch some of our services over, as the NSS linking (instead of OpenSSL) seems to be the cause of this particular issue.
yuge (reporter), 2021-01-25 08:21, note ~0038195

Is it possible to avoid this by upgrading the version of OpenLDAP packages?

Issue History

Date Modified Username Field Change
2016-07-19 16:49 delder New Issue
2016-08-08 20:49 cmosmar Note Added: 0027220
2016-11-07 13:02 BenShade Note Added: 0027859
2016-11-22 18:02 delder Note Added: 0027973
2016-11-22 18:04 delder Note Added: 0027974
2021-01-25 08:21 yuge Note Added: 0038195