Bug #22042

Double free in rados_getxattrs_next

Added by Christoph Heer over 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: librados
Target version: -
Start date: 11/04/2017
Due date:
% Done: 0%
Source:
Tags:
Backport: jewel, luminous
Regression: No
Severity: 3 - minor
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:

Description

My application uses the Python binding of librados to modify and read xattrs of objects. I noticed that iterating over xattrs performs a double free if an attribute without value or empty string follows an attribute with a value:

    *** Error in `python': double free or corruption (fasttop): 0x0000000001b066e0 ***
    ======= Backtrace: =========
    /lib64/libc.so.6(+0x721af)[0x7f14e61ff1af]
    /lib64/libc.so.6(+0x77706)[0x7f14e6204706]
    /lib64/libc.so.6(+0x78453)[0x7f14e6205453]
    /usr/lib64/librados.so.2(rados_getxattrs_next+0x3f)[0x7f14dbee7e7f]
    /usr/lib64/python2.7/site-packages/rados.so(+0x326bc)[0x7f14e56126bc]
    /usr/lib64/libpython2.7.so.1.0(+0x918df)[0x7f14e67de8df]
    /usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xaac)[0x7f14e683a4dc]
    /usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x244)[0x7f14e68447e4]
    /usr/lib64/libpython2.7.so.1.0(PyEval_EvalCode+0x32)[0x7f14e68993e2]
    /usr/lib64/libpython2.7.so.1.0(+0x15260b)[0x7f14e689f60b]
    /usr/lib64/libpython2.7.so.1.0(PyRun_FileExFlags+0x92)[0x7f14e67ba20e]
    /usr/lib64/libpython2.7.so.1.0(PyRun_SimpleFileExFlags+0x304)[0x7f14e67baddc]
    /usr/lib64/libpython2.7.so.1.0(Py_Main+0xc4a)[0x7f14e67c0654]
    /lib64/libc.so.6(__libc_start_main+0xf5)[0x7f14e61ad6e5]

I attached a Python script to reproduce the issue.

rados-double-free-reproduce.py - Python script to reproduce issue (562 Bytes) Christoph Heer, 11/04/2017 08:34 PM
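The trigger condition from the report, modelled in C as an added example (not librados code and not the reporter's script), showing a stale-pointer iterator beside a hardened form that clears the pointer after freeing it. It assumes, as a hypothesis this page does not confirm, that the iterator frees the previous value at the start of each call and only overwrites its stored pointer when the next value is non-empty. All names (`struct iter`, `iter_next`, `slot_alloc`, `slot_free`, `count_double_frees`) are hypothetical, and the allocator is a stand-in that counts a second release instead of performing it.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: "b" has an empty value and follows "a", which has one. */
struct attr { const char *name; const char *val; };
static const struct attr ATTRS[] = { {"a", "value"}, {"b", ""}, {"c", "x"} };

/* Single-slot tracking allocator standing in for malloc/free: releasing the
 * slot twice is counted instead of corrupting a real heap. */
static char slot[16];
static int in_use, double_frees;
static char *slot_alloc(void) { in_use = 1; return slot; }
static void slot_free(char *p) {
    if (!p) return;
    if (in_use) in_use = 0; else double_frees++;
}

/* Hypothetical iterator: owns the buffer handed out by the previous call. */
struct iter { size_t pos; char *val; int reset_after_free; };

/* Returns 1 while attributes remain, 0 at the end of the list. */
static int iter_next(struct iter *it, const char **name, const char **val, size_t *len) {
    slot_free(it->val);                         /* release the previous value */
    if (it->reset_after_free) it->val = NULL;   /* hardened: forget the freed pointer */
    *name = NULL; *val = NULL; *len = 0;
    if (it->pos == sizeof ATTRS / sizeof ATTRS[0]) return 0;
    const struct attr *a = &ATTRS[it->pos++];
    *name = a->name;
    *len = strlen(a->val);
    if (*len == 0) return 1;    /* empty value: nothing allocated, it->val left as is */
    it->val = slot_alloc();
    memcpy(it->val, a->val, *len);              /* sample values fit in the slot */
    *val = it->val;
    return 1;
}

/* Walks the sample list and reports how many double releases occurred. */
int count_double_frees(int reset_after_free) {
    struct iter it = { 0, NULL, reset_after_free };
    const char *name, *val; size_t len;
    in_use = 0; double_frees = 0;
    while (iter_next(&it, &name, &val, &len)) { }
    return double_frees;
}

int main(void) {
    printf("stale pointer kept: %d double free(s)\n", count_double_frees(0));
    printf("pointer reset:      %d double free(s)\n", count_double_frees(1));
    return 0;
}
```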


Related issues

Copied to Ceph - Backport #22940: luminous: Double free in rados_getxattrs_next Resolved
Copied to Ceph - Backport #22941: jewel: Double free in rados_getxattrs_next Resolved

History

#1 Updated by Kefu Chai over 1 year ago

  • Status changed from New to Need Review
  • Backport set to jewel, luminous

#2 Updated by Kefu Chai over 1 year ago

  • Status changed from Need Review to Pending Backport

#3 Updated by Nathan Cutler over 1 year ago

  • Copied to Backport #22940: luminous: Double free in rados_getxattrs_next added

#4 Updated by Nathan Cutler over 1 year ago

  • Copied to Backport #22941: jewel: Double free in rados_getxattrs_next added

#5 Updated by Kefu Chai about 1 year ago

https://github.com/ceph/ceph/pull/21164 addresses a different issue, but we'd better backport it along with https://github.com/ceph/ceph/pull/20260 .

#6 Updated by Nathan Cutler about 1 year ago

  • Status changed from Pending Backport to Resolved
