Bug #19393

closed

free(): invalid next size error (SIGABRT) in AdminSocketClient::do_request

Added by Brad Hubbard about 7 years ago. Updated about 7 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
common
Target version:
-
% Done:
0%

Source:
Development
Tags:
Backport:
Regression:
No
Severity:
2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):

Description

The following code causes an abort due to a memory accounting error.

#include "common/admin_socket.h"
#include "common/admin_socket_client.h"
#include "common/ceph_json.h"
#include "include/types.h"

#include <iostream>   // std::cout (missing from the original reproducer)
#include <string>

int main(int argc, char** argv)
{
    // argv[1] is the path of the admin socket to talk to.
    if (argc < 2) {
        std::cerr << "usage: " << argv[0] << " <admin-socket-path>\n";
        return 1;
    }

    std::string response;
    AdminSocketClient client(argv[1]);
    // "perf histogram dump" produces a reply larger than 64 KiB, which is what
    // triggers the abort inside do_request.
    client.do_request("{\"prefix\":\"perf histogram dump\"}", &response);
    std::cout << response << '\n';

    return 0;
}

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007fffee68d51a in __GI_abort () at abort.c:89
#2  0x00007fffee6cf200 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fffee7e3cd8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007fffee6d888a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7fffee7e3d50 "free(): invalid next size (fast)", action=3) at malloc.c:5046
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=<optimized out>) at malloc.c:3902
#5  0x00007fffee6dc2bc in __GI___libc_free (mem=<optimized out>) at malloc.c:2982
#6  0x00007fffef4ea91d in __gnu_cxx::new_allocator<char>::deallocate (this=0x7fffffffd460, __p=<optimized out>) at /usr/include/c++/6.3.1/ext/new_allocator.h:110
#7  std::allocator_traits<std::allocator<char> >::deallocate (__a=..., __n=<optimized out>, __p=<optimized out>) at /usr/include/c++/6.3.1/bits/alloc_traits.h:442
#8  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_destroy (__size=<optimized out>, this=0x7fffffffd460) at /usr/include/c++/6.3.1/bits/basic_string.h:186
#9  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_dispose (this=0x7fffffffd460) at /usr/include/c++/6.3.1/bits/basic_string.h:181
#10 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string (this=0x7fffffffd460, __in_chrg=<optimized out>) at /usr/include/c++/6.3.1/bits/basic_string.h:558
#11 AdminSocketClient::do_request (this=<optimized out>, request=..., result=0x7fffffffdf60) at /home/brad/working/src/ceph/src/common/admin_socket_client.cc:168
#12 0x0000000000401158 in main ()

(gdb) p ntohl(message_size_raw)
$1 = 139252

The error returned by read is EFAULT.

We only assign 65536 bytes for the message buffer in this function.

std::vector<uint8_t> vec(65536, 0);

Address sanitizer shows the following.

=================================================================
==28717==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000024800 at pc 0x7faf4a02e0b5 bp 0x7ffe784bc290 sp 0x7ffe784bba38
WRITE of size 139252 at 0x631000024800 thread T0
    #0 0x7faf4a02e0b4 in read (/lib64/libasan.so.3+0x4a0b4)
    #1 0x7faf41a3bf6b in read /usr/include/bits/unistd.h:44
    #2 0x7faf41a3bf6b in safe_read /home/brad/working/src/ceph/src/common/safe_io.c:30
    #3 0x7faf41a3bfb8 in safe_read_exact /home/brad/working/src/ceph/src/common/safe_io.c:48
    #4 0x7faf416f5f0b in AdminSocketClient::do_request(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) /home/brad/working/src/ceph/src/common/admin_socket_client.cc:164
    #5 0x401729 in main (/home/brad/working/src/ceph/src/test/test_admin_socket_output+0x401729)
    #6 0x7faf40883400 in __libc_start_main (/lib64/libc.so.6+0x20400)
    #7 0x4010a9 in _start (/home/brad/working/src/ceph/src/test/test_admin_socket_output+0x4010a9)

0x631000024800 is located 0 bytes to the right of 65536-byte region [0x631000014800,0x631000024800)
allocated by thread T0 here:
    #0 0x7faf4a0abea0 in operator new(unsigned long) (/lib64/libasan.so.3+0xc7ea0)
    #1 0x7faf416f598d in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/6.3.1/ext/new_allocator.h:104
    #2 0x7faf416f598d in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/6.3.1/bits/alloc_traits.h:416
    #3 0x7faf416f598d in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/6.3.1/bits/stl_vector.h:170
    #4 0x7faf416f598d in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/6.3.1/bits/stl_vector.h:185
    #5 0x7faf416f598d in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/6.3.1/bits/stl_vector.h:136
    #6 0x7faf416f598d in std::vector<unsigned char, std::allocator<unsigned char> >::vector(unsigned long, unsigned char const&, std::allocator<unsigned char> const&) /usr/include/c++/6.3.1/bits/stl_vector.h:293
    #7 0x7faf416f598d in AdminSocketClient::do_request(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) /home/brad/working/src/ceph/src/common/admin_socket_client.cc:141
    #8 0x19  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.3+0x4a0b4) in read
Shadow bytes around the buggy address:
  0x0c627fffc8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffc900:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28717==ABORTING
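The defect reported above is a length-prefixed read whose declared length is never checked against the buffer it is read into: the peer says 139252 bytes, the client has 65536, and safe_read_exact writes past the end. The example below is added here as an illustration and is not code from the Ceph tree, from this report, or the fix that was merged for this ticket. It reproduces only the wire shape the report shows (a 4-byte big-endian length followed by the payload) over a constructed in-memory stream; FakeSocket, read_exact, decode_be32, kMaxMessage, frame and the two read_response functions are assumed names. It shows two hardened shapes: keep the fixed 65536-byte buffer and reject any length that does not fit, or size the buffer from the declared length but only after capping it, because a length the peer controls would otherwise turn an overflow into an unbounded allocation.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Constructed stand-in for the admin socket fd: a byte stream consumed by
// successive read() calls, so the reader logic can run offline.
struct FakeSocket {
    std::vector<uint8_t> bytes;
    size_t pos = 0;
    // Mimics read(2): copies up to len bytes, returns the count, 0 at EOF.
    size_t read(void* buf, size_t len) {
        size_t n = std::min(len, bytes.size() - pos);
        std::memcpy(buf, bytes.data() + pos, n);
        pos += n;
        return n;
    }
};

// Read exactly len bytes into buf (the role safe_read_exact plays in the
// report); false if the stream ends before the declared length arrives.
static bool read_exact(FakeSocket& sock, void* buf, size_t len) {
    uint8_t* p = static_cast<uint8_t*>(buf);
    while (len > 0) {
        size_t n = sock.read(p, len);
        if (n == 0) return false;
        p += n;
        len -= n;
    }
    return true;
}

// Decode the 4-byte big-endian length prefix (what ntohl does in the report).
static uint32_t decode_be32(const uint8_t b[4]) {
    return (uint32_t(b[0]) << 24) | (uint32_t(b[1]) << 16) |
           (uint32_t(b[2]) << 8) | uint32_t(b[3]);
}

// Hypothetical upper bound on a reply we are willing to buffer. The length
// field is peer-controlled, so sizing a buffer from it without a cap would
// let a misbehaving server make the client allocate up to 4 GiB.
constexpr uint32_t kMaxMessage = 64u * 1024 * 1024;

// Hardened shape A: size the buffer from the declared length, after checking
// it against the cap. Returns false on any error instead of corrupting memory.
bool read_response(FakeSocket& sock, std::string* out) {
    uint8_t raw[4];
    if (!read_exact(sock, raw, sizeof(raw))) return false;
    uint32_t message_size = decode_be32(raw);
    if (message_size > kMaxMessage) return false;      // refuse absurd lengths
    std::vector<uint8_t> vec(message_size, 0);         // exactly as large as needed
    if (!read_exact(sock, vec.data(), vec.size())) return false;
    out->assign(reinterpret_cast<const char*>(vec.data()), vec.size());
    return true;
}

// Hardened shape B: keep the fixed 65536-byte buffer from the report, but
// check the declared length against its capacity before reading into it.
bool read_response_fixed(FakeSocket& sock, std::string* out) {
    std::vector<uint8_t> vec(65536, 0);
    uint8_t raw[4];
    if (!read_exact(sock, raw, sizeof(raw))) return false;
    uint32_t message_size = decode_be32(raw);
    if (message_size > vec.size()) return false;       // the check the crash lacked
    if (!read_exact(sock, vec.data(), message_size)) return false;
    out->assign(reinterpret_cast<const char*>(vec.data()), message_size);
    return true;
}

// Build a length-prefixed frame the way the server side would send it.
std::vector<uint8_t> frame(const std::string& payload) {
    uint32_t n = uint32_t(payload.size());
    std::vector<uint8_t> f = {uint8_t(n >> 24), uint8_t(n >> 16),
                              uint8_t(n >> 8), uint8_t(n)};
    f.insert(f.end(), payload.begin(), payload.end());
    return f;
}

int main() {
    // A 139252-byte reply, the size from the gdb session above, now round-trips.
    std::string reply(139252, 'x');
    FakeSocket sock;
    sock.bytes = frame(reply);
    std::string out;
    return (read_response(sock, &out) && out == reply) ? 0 : 1;
}
```

Shape B is the smaller change and fails closed for replies larger than the buffer; shape A is what a client that must handle arbitrarily large dumps needs, and the cap is the part that keeps it from becoming a denial-of-service vector. Either way the error path is a return value, not a crash.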
Actions #1

Updated by Brad Hubbard about 7 years ago

  • Status changed from New to In Progress
Actions #2

Updated by Kefu Chai about 7 years ago

  • Status changed from In Progress to Fix Under Review
Actions #3

Updated by Kefu Chai about 7 years ago

  • Status changed from Fix Under Review to Resolved