CVE-2021-4091 - double-free of the virtual attribute context in persistent search...
author tbordaz <tbordaz@redhat.com>
Mon, 21 Mar 2022 13:24:12 +0000 (14:24 +0100)
committer Andrej Shadura <andrewsh@debian.org>
Sun, 19 Jan 2025 12:30:31 +0000 (13:30 +0100)
commit 731b7b99613b0ed501b88e093b6cfb683a85cc71
tree 9ecb66f8658d7461d3fd1f28a52baa6deaae6bc6
parent 4b2afbd7921cb779a5a814deaf9a43bee23463f2
CVE-2021-4091 - double-free of the virtual attribute context in persistent search (#5219) - Issue 5218

description:
A search is processed by a worker using a private pblock.
If the search is persistent, the worker spawns a thread
and kind of duplicates its private pblock so that the spawned
thread continues to process the persistent search.
Then the worker ends the initial search, reinits (frees) its private pblock,
and returns to monitoring the wait_queue.
When the persistent search completes, it frees the duplicated
pblock.
The problem is that the private pblock and the duplicated pblock
are referring to the same structure (pb_vattr_context).
That can lead to a double free.

Fix:
When cloning the pblock (slapi_pblock_clone) make sure
to transfer the references inside the original (private)
pblock to the target (cloned) one.
That includes the pb_vattr_context pointer.

Reviewed by: Mark Reynolds, James Chapman, Pierre Rogier (Thanks !)

Co-authored-by: Mark Reynolds <mreynolds@redhat.com>
Origin: upstream, commit:a3c298f8140d3e4fa1bd5a670f1bb965a21a9b7b

Gbp-Pq: Name CVE-2021-4091-double-free-of-virtual-attribute-ctx.patch
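The lifecycle in the commit message, reduced to a stand-alone model, as an added example that is not 389-ds-base code. `pblock`, `vattr_context`, `pblock_clone_shallow` and `pblock_clone_transfer` are hypothetical stand-ins for Slapi_PBlock, pb_vattr_context and the two versions of slapi_pblock_clone; the tracking allocator is there only so the double free can be observed instead of triggering undefined behaviour. The shallow clone leaves the worker's private pblock and the persistent-search clone pointing at one context, so the worker's reinit and the persistent search's teardown both release it; the transferring clone nulls the source pointer, so exactly one release happens.

```c
/* Added example, not 389-ds-base code: models the CVE-2021-4091 pattern with
 * hypothetical types. A tiny tracking allocator intercepts the second free so
 * the hazard can be counted rather than executed. */
#include <stdio.h>
#include <stdlib.h>

typedef struct vattr_context { int depth; } vattr_context;   /* stand-in for pb_vattr_context */
typedef struct pblock { vattr_context *vattr_ctx; } pblock;   /* stand-in for Slapi_PBlock */

#define MAX_LIVE 8
static void *g_live[MAX_LIVE];      /* pointers currently owned by someone */
static int g_double_frees;          /* frees of a pointer that is no longer live */

static void *tracked_alloc(size_t n) {
    void *p = calloc(1, n);
    for (int i = 0; p && i < MAX_LIVE; i++) {
        if (!g_live[i]) { g_live[i] = p; return p; }
    }
    abort();                         /* model too small; not expected here */
}

/* Free only if the pointer is still live; otherwise record the double free. */
static void tracked_free(void *p) {
    if (!p) return;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (g_live[i] == p) { g_live[i] = NULL; free(p); return; }
    }
    g_double_frees++;                /* would be a real double free in production */
}

static int live_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_LIVE; i++) n += (g_live[i] != NULL);
    return n;
}

/* Reinit releases owned members and clears the block (worker reinit / PS teardown). */
static void pblock_reinit(pblock *pb) {
    tracked_free(pb->vattr_ctx);
    pb->vattr_ctx = NULL;
}

/* Buggy clone: both blocks keep a reference to the same context. */
static void pblock_clone_shallow(pblock *dst, const pblock *src) {
    *dst = *src;
}

/* Fixed clone: the reference moves to the clone, the source no longer owns it. */
static void pblock_clone_transfer(pblock *dst, pblock *src) {
    *dst = *src;
    src->vattr_ctx = NULL;
}

/* Worker processes a persistent search, clones its pblock for the PS thread,
 * reinits its own block, then the PS thread finishes and frees the clone.
 * Returns the number of double frees the tracking allocator intercepted. */
static int run_lifecycle(int fixed) {
    g_double_frees = 0;
    pblock private_pb = { .vattr_ctx = tracked_alloc(sizeof(vattr_context)) };
    pblock ps_pb = { 0 };
    if (fixed) pblock_clone_transfer(&ps_pb, &private_pb);
    else       pblock_clone_shallow(&ps_pb, &private_pb);
    pblock_reinit(&private_pb);      /* worker ends the initial search */
    pblock_reinit(&ps_pb);           /* persistent search completes later */
    return g_double_frees;
}

int main(void) {
    printf("shallow clone:  %d double free(s), %d live\n", run_lifecycle(0), live_count());
    printf("transfer clone: %d double free(s), %d live\n", run_lifecycle(1), live_count());
    return 0;
}
```

The same "move, do not copy" discipline applies to any other owned pointer carried by a cloned structure; the commit message names pb_vattr_context as the one that was missed.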
ldap/servers/slapd/connection.c
ldap/servers/slapd/pblock.c