Bug #19393
free(): invalid next size error (SIGABRT) in AdminSocketClient::do_request
Status:
Closed
% Done:
0%
Source:
Development
Tags:
Backport:
Regression:
No
Severity:
2 - major
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
The following code causes an abort due to a memory accounting error.
#include "common/admin_socket.h"
#include "common/admin_socket_client.h"
#include "common/ceph_json.h"
#include "include/types.h"
#include <iostream>   // std::cout / std::cerr
#include <string>

int main(int argc, char** argv) {
  if (argc < 2) {
    std::cerr << "usage: " << argv[0] << " <admin-socket-path>\n";
    return 1;
  }
  std::string response;
  AdminSocketClient client(argv[1]);  // argv[1]: path to the daemon's admin socket
  client.do_request("{\"prefix\":\"perf histogram dump\"}", &response);
  std::cout << response << '\n';
  return 0;
}
(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007fffee68d51a in __GI_abort () at abort.c:89
#2  0x00007fffee6cf200 in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7fffee7e3cd8 "*** Error in `%s': %s: 0x%s ***\n") at ../sysdeps/posix/libc_fatal.c:175
#3  0x00007fffee6d888a in malloc_printerr (ar_ptr=<optimized out>, ptr=<optimized out>, str=0x7fffee7e3d50 "free(): invalid next size (fast)", action=3) at malloc.c:5046
#4  _int_free (av=<optimized out>, p=<optimized out>, have_lock=<optimized out>) at malloc.c:3902
#5  0x00007fffee6dc2bc in __GI___libc_free (mem=<optimized out>) at malloc.c:2982
#6  0x00007fffef4ea91d in __gnu_cxx::new_allocator<char>::deallocate (this=0x7fffffffd460, __p=<optimized out>) at /usr/include/c++/6.3.1/ext/new_allocator.h:110
#7  std::allocator_traits<std::allocator<char> >::deallocate (__a=..., __n=<optimized out>, __p=<optimized out>) at /usr/include/c++/6.3.1/bits/alloc_traits.h:442
#8  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_destroy (__size=<optimized out>, this=0x7fffffffd460) at /usr/include/c++/6.3.1/bits/basic_string.h:186
#9  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_dispose (this=0x7fffffffd460) at /usr/include/c++/6.3.1/bits/basic_string.h:181
#10 std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string (this=0x7fffffffd460, __in_chrg=<optimized out>) at /usr/include/c++/6.3.1/bits/basic_string.h:558
#11 AdminSocketClient::do_request (this=<optimized out>, request=..., result=0x7fffffffdf60) at /home/brad/working/src/ceph/src/common/admin_socket_client.cc:168
#12 0x0000000000401158 in main ()
(gdb) p ntohl(message_size_raw)
$1 = 139252
The error returned by read is EFAULT.
We only assign 65536 bytes for the message buffer in this function.
std::vector<uint8_t> vec(65536, 0);
Address sanitizer shows the following.
=================================================================
==28717==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x631000024800 at pc 0x7faf4a02e0b5 bp 0x7ffe784bc290 sp 0x7ffe784bba38
WRITE of size 139252 at 0x631000024800 thread T0
    #0 0x7faf4a02e0b4 in read (/lib64/libasan.so.3+0x4a0b4)
    #1 0x7faf41a3bf6b in read /usr/include/bits/unistd.h:44
    #2 0x7faf41a3bf6b in safe_read /home/brad/working/src/ceph/src/common/safe_io.c:30
    #3 0x7faf41a3bfb8 in safe_read_exact /home/brad/working/src/ceph/src/common/safe_io.c:48
    #4 0x7faf416f5f0b in AdminSocketClient::do_request(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) /home/brad/working/src/ceph/src/common/admin_socket_client.cc:164
    #5 0x401729 in main (/home/brad/working/src/ceph/src/test/test_admin_socket_output+0x401729)
    #6 0x7faf40883400 in __libc_start_main (/lib64/libc.so.6+0x20400)
    #7 0x4010a9 in _start (/home/brad/working/src/ceph/src/test/test_admin_socket_output+0x4010a9)

0x631000024800 is located 0 bytes to the right of 65536-byte region [0x631000014800,0x631000024800)
allocated by thread T0 here:
    #0 0x7faf4a0abea0 in operator new(unsigned long) (/lib64/libasan.so.3+0xc7ea0)
    #1 0x7faf416f598d in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/6.3.1/ext/new_allocator.h:104
    #2 0x7faf416f598d in std::allocator_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/6.3.1/bits/alloc_traits.h:416
    #3 0x7faf416f598d in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/6.3.1/bits/stl_vector.h:170
    #4 0x7faf416f598d in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/6.3.1/bits/stl_vector.h:185
    #5 0x7faf416f598d in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/6.3.1/bits/stl_vector.h:136
    #6 0x7faf416f598d in std::vector<unsigned char, std::allocator<unsigned char> >::vector(unsigned long, unsigned char const&, std::allocator<unsigned char> const&) /usr/include/c++/6.3.1/bits/stl_vector.h:293
    #7 0x7faf416f598d in AdminSocketClient::do_request(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) /home/brad/working/src/ceph/src/common/admin_socket_client.cc:141
    #8 0x19 (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.3+0x4a0b4) in read
Shadow bytes around the buggy address:
  0x0c627fffc8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c627fffc8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c627fffc900:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c627fffc950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28717==ABORTING
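The pattern the backtrace and the ASan report describe, as an added example that is not Ceph's own code: the client reads a 4-byte big-endian length, then reads that many bytes of response. The first reader below keeps the fixed 65536-byte buffer and reproduces the overflow for any longer frame; the second treats the announced length as untrusted input, bounds it, and allocates exactly that much before reading. FakeSocket, make_frame, kMaxResponse and ReadStatus are names assumed for this example so it runs offline against a constructed in-memory frame rather than a real admin socket.

```cpp
// Added example (not Ceph's code). Models the admin socket response framing
// from the report: 4-byte big-endian length, then that many payload bytes.
#include <arpa/inet.h>   // ntohl/htonl, as used in the gdb session above
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Constructed stand-in for the admin socket fd: a byte buffer plus a cursor.
struct FakeSocket {
    std::vector<uint8_t> wire;
    size_t pos = 0;
    explicit FakeSocket(std::vector<uint8_t> w) : wire(std::move(w)) {}
    // Mimics safe_read_exact(): copies exactly len bytes or reports failure.
    int read_exact(void* buf, size_t len) {
        if (len > wire.size() - pos) return -1;  // short read / EOF
        std::memcpy(buf, wire.data() + pos, len);
        pos += len;
        return 0;
    }
};

// Constructed helper: encode one frame the way the daemon would send it.
static std::vector<uint8_t> make_frame(const std::string& payload) {
    std::vector<uint8_t> frame(4);
    uint32_t be = htonl(static_cast<uint32_t>(payload.size()));
    std::memcpy(frame.data(), &be, sizeof(be));
    frame.insert(frame.end(), payload.begin(), payload.end());
    return frame;
}

// The pattern in the report: a fixed 65536-byte buffer, then a read of the
// full announced length into it. Correct for short responses, which is why
// it survived; for anything longer read() writes past the end of vec, which
// is the ASan heap-buffer-overflow above. Shown for contrast only: never
// feed it a frame longer than 65536 bytes.
static std::string do_request_vulnerable(FakeSocket& sock) {
    uint32_t message_size_raw = 0;
    if (sock.read_exact(&message_size_raw, sizeof(message_size_raw)) != 0) return "";
    uint32_t message_size = ntohl(message_size_raw);
    std::vector<uint8_t> vec(65536, 0);
    if (sock.read_exact(vec.data(), message_size) != 0) return "";  // overflows when message_size > 65536
    return std::string(vec.begin(), vec.begin() + message_size);
}

// Hardened form: treat the length as untrusted input, bound it, and allocate
// exactly that much before reading. kMaxResponse is an assumed cap, not a
// Ceph constant; choose it from what the protocol legitimately needs.
static const uint32_t kMaxResponse = 64u * 1024 * 1024;

enum class ReadStatus { Ok, ShortRead, TooLarge };

static ReadStatus do_request_hardened(FakeSocket& sock, std::string* out) {
    uint32_t message_size_raw = 0;
    if (sock.read_exact(&message_size_raw, sizeof(message_size_raw)) != 0)
        return ReadStatus::ShortRead;
    uint32_t message_size = ntohl(message_size_raw);
    if (message_size > kMaxResponse) return ReadStatus::TooLarge;  // reject before allocating
    std::vector<uint8_t> vec(message_size);  // sized from the frame, not a constant
    if (message_size != 0 && sock.read_exact(vec.data(), message_size) != 0)
        return ReadStatus::ShortRead;
    out->assign(vec.begin(), vec.end());
    return ReadStatus::Ok;
}

int main() {
    // A 139252-byte response, the size printed in the gdb session above.
    FakeSocket big(make_frame(std::string(139252, 'x')));
    std::string out;
    ReadStatus st = do_request_hardened(big, &out);
    std::cout << "hardened: status=" << static_cast<int>(st)
              << " bytes=" << out.size() << '\n';
    return st == ReadStatus::Ok ? 0 : 1;
}
```

The cap matters as much as the allocation: without it a peer that announces a length near 4 GiB turns the overflow into an allocation-failure crash instead, which is still a denial of service against whatever process speaks to the socket.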
Updated by Brad Hubbard about 7 years ago
- Status changed from New to In Progress
Updated by Kefu Chai about 7 years ago
- Status changed from In Progress to Fix Under Review
Updated by Kefu Chai about 7 years ago
- Status changed from Fix Under Review to Resolved