Status: Closed
Labels: AddressSanitizer (Issues found by AddressSanitizer), bug (Something isn't working), needs triage (The issue will be triaged during scrum)
Description
Issue Description
ASAN reported crashes in __db_ditem_nolog() with negative-size-param errors:
=================================================================
==109094==ERROR: AddressSanitizer: negative-size-param: (size=-8)
#0 0x7fadfdce4329 in memmove (/usr/lib64/libasan.so.8+0xe4329) (BuildId: 0adabddcb77130fc2ea3840d060eb4e8a9ae0c85)
#1 0x7badf6dcb1e8 in __db_ditem_nolog (/lib64/libdb-5.3.so+0xe51e8) (BuildId: 8d20c7e9865bc743660a55af97fad4f11e754da6)
#2 0x7badf6dcc3db in __db_ditem (/lib64/libdb-5.3.so+0xe63db) (BuildId: 8d20c7e9865bc743660a55af97fad4f11e754da6)
#3 0x7badf6d020f7 in __bamc_physdel.lto_priv.0 (/lib64/libdb-5.3.so+0x1c0f7) (BuildId: 8d20c7e9865bc743660a55af97fad4f11e754da6)
#4 0x7badf6cfc654 in __bamc_close (/lib64/libdb-5.3.so+0x16654) (BuildId: 8d20c7e9865bc743660a55af97fad4f11e754da6)
#5 0x7badf6dc063c in __dbc_close (/lib64/libdb-5.3.so+0xda63c) (BuildId: 8d20c7e9865bc743660a55af97fad4f11e754da6)
#6 0x7badf6dd6c7e in __dbc_close_pp (/lib64/libdb-5.3.so+0xf0c7e) (BuildId: 8d20c7e9865bc743660a55af97fad4f11e754da6)
#7 0x7badf6f69979 in bdb_public_cursor_op ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c:6883
#8 0x7badf6ec70b1 in dblayer_cursor_op (/usr/lib64/dirsrv/plugins/libback-ldbm.so+0xf0b1) (BuildId: d6d3dd3b3eb64308d950b7f200a3e0c0af52c064)
#9 0x7badf6ed59c4 in idl_new_fetch ldap/servers/slapd/back-ldbm/idl_new.c:316
#10 0x7badf6ed8955 in index_read_ext_allids ldap/servers/slapd/back-ldbm/index.c:1074
#11 0x7badf6ecd8d6 in keys2idl ldap/servers/slapd/back-ldbm/filterindex.c:1113
#12 0x7badf6ece374 in ava_candidates ldap/servers/slapd/back-ldbm/filterindex.c:315
#13 0x7badf6ecf327 in filter_candidates_ext ldap/servers/slapd/back-ldbm/filterindex.c:99
#14 0x7badf6ece91c in list_candidates ldap/servers/slapd/back-ldbm/filterindex.c:902
#15 0x7badf6ecf06f in filter_candidates_ext ldap/servers/slapd/back-ldbm/filterindex.c:132
#16 0x7badf6ece91c in list_candidates ldap/servers/slapd/back-ldbm/filterindex.c:902
#17 0x7badf6ecf06f in filter_candidates_ext ldap/servers/slapd/back-ldbm/filterindex.c:132
#18 0x7badf6ecffb1 in filter_candidates ldap/servers/slapd/back-ldbm/filterindex.c:162
#19 0x7badf6f02d83 in onelevel_candidates ldap/servers/slapd/back-ldbm/ldbm_search.c:1226
#20 0x7badf6f02d83 in build_candidate_list ldap/servers/slapd/back-ldbm/ldbm_search.c:1083
#21 0x7badf6f02d83 in ldbm_back_search ldap/servers/slapd/back-ldbm/ldbm_search.c:665
#22 0x7fadfd8807a1 in op_shared_search (/usr/lib64/dirsrv/libslapd.so.0+0x807a1) (BuildId: a14622b2d8d9edb0bdaeaf935d826d6afed08fb1)
#23 0x55b06d9cd9b2 in do_search ldap/servers/slapd/search.c:411
#24 0x55b06d9cd9b2 in connection_dispatch_operation ldap/servers/slapd/connection.c:760
#25 0x55b06d9d00b2 in connection_threadmain ldap/servers/slapd/connection.c:2058
#26 0x7fadfdbe0e02 in _pt_root (/lib64/libnspr4.so+0x22e02) (BuildId: 2874c2e4a121e04f5d61efad2b30ed6a1a014792)
#27 0x7fadfdc28ee5 in asan_thread_start(void*) (/usr/lib64/libasan.so.8+0x28ee5) (BuildId: 0adabddcb77130fc2ea3840d060eb4e8a9ae0c85)
#28 0x7fadfd67ff53 in start_thread (/lib64/libc.so.6+0x71f53) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
#29 0x7fadfd70332b in __clone3 (/lib64/libc.so.6+0xf532b) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
Address 0x7badad6e9768 is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: negative-size-param (/lib64/libdb-5.3.so+0xe51e8) (BuildId: 8d20c7e9865bc743660a55af97fad4f11e754da6) in __db_ditem_nolog
Thread T15 created by T0 here:
#0 0x7fadfdcde492 in pthread_create (/usr/lib64/libasan.so.8+0xde492) (BuildId: 0adabddcb77130fc2ea3840d060eb4e8a9ae0c85)
#1 0x7fadfdbe0b0a in _PR_CreateThread (/lib64/libnspr4.so+0x22b0a) (BuildId: 2874c2e4a121e04f5d61efad2b30ed6a1a014792)
#2 0x7fadfdbe11c2 in PR_CreateThread (/lib64/libnspr4.so+0x231c2) (BuildId: 2874c2e4a121e04f5d61efad2b30ed6a1a014792)
#3 0x55b06d9d2975 in init_op_threads ldap/servers/slapd/connection.c:501
#4 0x55b06d9d2975 in slapd_daemon ldap/servers/slapd/daemon.c:1209
#5 0x55b06d9c2dda in main (/usr/bin/ns-slapd+0x4dda) (BuildId: 8b68deaa20208d17014b9e0bcb53b7342a9185eb)
#6 0x7fadfd611574 in __libc_start_call_main (/lib64/libc.so.6+0x3574) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
#7 0x7fadfd611627 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x3627) (BuildId: 48c4b9b1efb1df15da8e787f489128bf31893317)
#8 0x55b06d9c42f4 in _start (/usr/bin/ns-slapd+0x62f4) (BuildId: 8b68deaa20208d17014b9e0bcb53b7342a9185eb)
==109094==ABORTING
Cursor operations without transaction isolation allowed concurrent page modifications to corrupt cursor state, leading to invalid memory access.
The race condition occurs when:
- T1 opens a cursor without transaction protection
- T2 modifies the same index page
- T1 cursor operates on stale page metadata
__db_ditem_nolog() calculates a negative size for memmove(). Crash:
AddressSanitizer: negative-size-param: (size=-8)
Package Version and Platform:
- Platform: RHEL, Fedora (with BDB backend)
- Package and version: all versions
Steps to Reproduce
Steps to reproduce the behavior:
- Load the server with multiple search/modify/del operations that target indexes with multivalued attributes (objectClass, description, telephoneNumber). CI test will be attached to PR.
Expected results
No crash
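To triage reports like the one above in CI, the following added example (not code from the issue or from 389-ds-base) parses an ASAN negative-size-param report, extracts the faulting function and the first frame under the project's own source tree, builds a deduplication signature, and shows what the reported size=-8 means once it reaches memmove() as a size_t. The excerpt is constructed from the issue's report with most frames trimmed, and the "ldap/" source prefix is an assumption about the tree layout.

```python
import re
# Constructed excerpt of the ASAN report quoted in the issue (most frames trimmed).
SAMPLE_REPORT = """\
==109094==ERROR: AddressSanitizer: negative-size-param: (size=-8)
    #0 0x7fadfdce4329 in memmove (/usr/lib64/libasan.so.8+0xe4329)
    #1 0x7badf6dcb1e8 in __db_ditem_nolog (/lib64/libdb-5.3.so+0xe51e8)
    #7 0x7badf6f69979 in bdb_public_cursor_op ldap/servers/slapd/back-ldbm/db-bdb/bdb_layer.c:6883
Address 0x7badad6e9768 is a wild pointer inside of access range of size 0x000000000001.
SUMMARY: AddressSanitizer: negative-size-param (/lib64/libdb-5.3.so+0xe51e8) in __db_ditem_nolog
==109094==ABORTING
"""
HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+)(?:: \((.*)\))?")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+) (.*)$")
SRCLOC_RE = re.compile(r"^(\S+\.[ch]):(\d+)$")  # "path/file.c:123" style frame location

def parse_asan_report(text):
    # Returns {'pid', 'kind', 'size', 'frames'} for the first error stack in an ASAN log.
    report = None
    for line in text.splitlines():
        if report is None:
            m = HEADER_RE.match(line)
            if m:
                sm = re.search(r"size=(-?\d+)", m.group(3) or "")
                report = {"pid": int(m.group(1)), "kind": m.group(2),
                          "size": int(sm.group(1)) if sm else None, "frames": []}
            continue
        m = FRAME_RE.match(line)
        if m:
            report["frames"].append((m.group(1), m.group(2)))  # (function, location)
        elif report["frames"]:
            break  # primary stack ended; ignore "Thread T15 created by T0" and later stacks
    return report

def first_in_tree_frame(report, src_prefix):
    # First frame with a source location under the project tree: where debugging should start.
    for func, loc in report["frames"]:
        m = SRCLOC_RE.match(loc)
        if m and m.group(1).startswith(src_prefix):
            return func, m.group(1), int(m.group(2))
    return None

def crash_signature(report, src_prefix):
    # Stable key for deduplicating the same crash across CI runs (addresses and pids vary).
    # Frame #0 is the sanitizer's memmove interceptor; #1 is the caller that passed the bad size.
    fault = report["frames"][1][0] if len(report["frames"]) > 1 else None
    tree = first_in_tree_frame(report, src_prefix)
    where = f"{tree[1]}:{tree[2]}" if tree else "?"
    return f"{report['kind']}|{fault}|{where}"

def size_as_size_t(n, bits=64):
    # memmove() takes a size_t, so the reported size=-8 is really this huge unsigned length.
    return n & ((1 << bits) - 1)
```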