Bug #22042
Double free in rados_getxattrs_next (closed)
Status: Resolved
Priority: Normal
Assignee: -
Category: librados
Target version: -
% Done: 0%
Source:
Tags:
Backport: jewel, luminous
Regression: No
Severity: 3 - minor
Reviewed:
Description
My application uses the python binding of librados to modify and read xattrs of objects. I noticed that iterating over xattrs performs a double free if an attribute without value or empty string follows an attribute with a value:
*** Error in `python': double free or corruption (fasttop): 0x0000000001b066e0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x721af)[0x7f14e61ff1af]
/lib64/libc.so.6(+0x77706)[0x7f14e6204706]
/lib64/libc.so.6(+0x78453)[0x7f14e6205453]
/usr/lib64/librados.so.2(rados_getxattrs_next+0x3f)[0x7f14dbee7e7f]
/usr/lib64/python2.7/site-packages/rados.so(+0x326bc)[0x7f14e56126bc]
/usr/lib64/libpython2.7.so.1.0(+0x918df)[0x7f14e67de8df]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xaac)[0x7f14e683a4dc]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x244)[0x7f14e68447e4]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCode+0x32)[0x7f14e68993e2]
/usr/lib64/libpython2.7.so.1.0(+0x15260b)[0x7f14e689f60b]
/usr/lib64/libpython2.7.so.1.0(PyRun_FileExFlags+0x92)[0x7f14e67ba20e]
/usr/lib64/libpython2.7.so.1.0(PyRun_SimpleFileExFlags+0x304)[0x7f14e67baddc]
/usr/lib64/libpython2.7.so.1.0(Py_Main+0xc4a)[0x7f14e67c0654]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f14e61ad6e5]
I attached a python script to reproduce the issue.
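The trigger reported above (an empty value following a non-empty one) fits an iterator that frees the previous value buffer on each call but leaves the pointer dangling when the next value is empty. The following is an added example, not librados code and not part of the original report: the page does not show the librados source, so `xattr_iter`, `iter_next`, `release_prev` and the sample attributes are hypothetical, and the ownership pattern is an assumption.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed sample: "user.b" has an empty value and follows "user.a". */
struct xattr { const char *name; const char *data; size_t len; };
static const struct xattr SAMPLE[] = {
    { "user.a", "hello", 5 }, { "user.b", "", 0 }, { "user.c", "x", 1 },
};
struct xattr_iter {              /* hypothetical type, not librados' own */
    const struct xattr *cur, *end;
    char *val;                   /* buffer handed out by the previous call */
    int val_freed;               /* 1 once val has been passed to free() */
    int double_frees;            /* second releases of the same buffer */
};

/* Release the previous value. A second release is counted rather than
 * passed to free(), so the demonstration does not abort the process. */
static void release_prev(struct xattr_iter *it, int clear_after_free)
{
    if (!it->val) return;
    if (it->val_freed) it->double_frees++;
    else { free(it->val); it->val_freed = 1; }
    if (clear_after_free) it->val = NULL;   /* the hardening step */
}

/* Returns 1 and fills name/val/len, or 0 at the end of the list. */
static int iter_next(struct xattr_iter *it, int clear_after_free,
                     const char **name, const char **val, size_t *len)
{
    release_prev(it, clear_after_free);
    if (it->cur == it->end) return 0;
    *name = it->cur->name; *len = it->cur->len;
    if (*len == 0) {
        *val = NULL;             /* nothing allocated; it->val is not reset */
    } else {
        if (!(it->val = malloc(*len))) abort();
        memcpy(it->val, it->cur->data, *len);
        it->val_freed = 0; *val = it->val;
    }
    it->cur++;
    return 1;
}

/* Walk SAMPLE; report how many double frees the iterator would perform. */
int count_double_frees(int clear_after_free)
{
    struct xattr_iter it = { SAMPLE, SAMPLE + 3, NULL, 0, 0 };
    const char *name, *val; size_t len;
    while (iter_next(&it, clear_after_free, &name, &val, &len)) { }
    return it.double_frees;
}
```

With `clear_after_free` set to 0 the walk reaches the stale buffer on the call after `user.b`; setting the pointer to NULL right after `free()` makes the empty-value path safe.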
Updated by Kefu Chai about 6 years ago
- Status changed from New to Fix Under Review
- Backport set to jewel, luminous
Updated by Kefu Chai about 6 years ago
- Status changed from Fix Under Review to Pending Backport
Updated by Nathan Cutler about 6 years ago
- Copied to Backport #22940: luminous: Double free in rados_getxattrs_next added
Updated by Nathan Cutler about 6 years ago
- Copied to Backport #22941: jewel: Double free in rados_getxattrs_next added
Updated by Kefu Chai about 6 years ago
https://github.com/ceph/ceph/pull/21164 addresses a different issue, but we'd better backport it along with https://github.com/ceph/ceph/pull/20260 .
Updated by Nathan Cutler about 6 years ago
- Status changed from Pending Backport to Resolved