[autobackport: sssd-2-9] memberOf plugin: mbof_append_muop() optimization#8560
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request optimizes the memberof LDB module by replacing linear searches for duplicate member UIDs with a hash table implementation. It also refactors DN comparisons to use linearized strings and a specialized matching function. A critical feedback points out a potential use-after-free vulnerability where the hash table key's lifetime is not properly managed, suggesting that the key should point to the persistent data stored within the message element instead of the temporary input string.
| hval.type = HASH_VALUE_UNDEF; | ||
| hret = hash_enter(op->val_table, &key, &hval); |
There was a problem hiding this comment.
There is a potential use-after-free vulnerability here. The hash table key key.str is set to name, which is a pointer to a string whose lifetime may be shorter than the hash table's. For instance, in mbof_add_operation, the name is derived from addop->entry, which is freed before the hash table op->val_table is. This leaves a dangling pointer in the hash table, leading to undefined behavior on subsequent hash operations.
To fix this, the key entered into the hash table should be the string that was just duplicated and stored in op->el->values, as its lifetime is correctly tied to the hash table's parent context.
key.str = (char *)op->el->values[op->el->num_values - 1].data;
hval.type = HASH_VALUE_UNDEF;
hret = hash_enter(op->val_table, &key, &hval);
There was a problem hiding this comment.
/gemini IIRC, hash_enter() makes a string copy for key.type = HASH_KEY_STRING
There was a problem hiding this comment.
You are correct, hash_enter() does indeed duplicate the string when key.type is HASH_KEY_STRING. Thank you for the clarification. Given that the string is copied, the use-after-free concern I raised is invalid. I will mark this thread as resolved.
Replace O(N) linear `strcmp` scan over `op->el->values[]` with O(1) hash table lookup for duplicate name detection. Implementation assisted-by: Claude Code (Opus 4.6) Reviewed-by: Alejandro López <allopez@redhat.com> Reviewed-by: Justin Stephenson <jstephen@redhat.com> (cherry picked from commit 06692d5)
|
The pull request was accepted by @justin-stephenson with the following PR CI status: 🟢 CodeQL (success) There are unsuccessful or unfinished checks. Make sure that the failures are not related to this pull request before merging. |
sssd-bot
force-pushed
the
SSSD-sssd-backport-pr8551-to-sssd-2-9
branch
from
f6098c5 to
7e84b61
Compare
4 participants
This is an automatic backport of PR#8551 memberOf plugin:
mbof_append_muop()optimization to branch sssd-2-9, created by @alexey-tikhonov.Please make sure this backport is correct.
Note
The commits were cherry-picked without conflicts.
You can push changes to this pull request
Original commits
2dcdca2 - memberOf plugin: avoid
ldb_dn_compare()inmbof_append_addop()0570614 - memberOf plugin: avoid
ldb_dn_compare()inmbof_append_muop06692d5 - memberOf plugin: use hash table for value dedup in
mbof_append_muop()Backported commits
ldb_dn_compare()inmbof_append_addop()ldb_dn_compare()inmbof_append_muopmbof_append_muop()Original Pull Request Body
Testing with a following setup: 300 subgroups that all share the same 3000 users, plus one top-level
group containing all subgroups.
ignore_group_members = falsetime id userwith a cold cache:ldb_dn_compare()inmbof_append_addop()#8546 as "vanilla" build: ~14..15 secs,mbof_append_muop()accounts for ~32%mbof_append_muop()accounts for ~1%(to be rebased on top of #8546)