Bug #22042: Double free in rados_getxattrs_next - Ceph - Ceph

Actions

Copy link

Bug #22042

closed

Double free in rados_getxattrs_next

Added by Christoph Heer over 6 years ago. Updated about 6 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Category:

librados

Target version:

% Done:

Source:

Tags:

Backport:

jewel, luminous

Regression:

Severity:

3 - minor

Reviewed:

Affected Versions:

v10.2.2

ceph-qa-suite:

Pull request ID:

Crash signature (v1):

Crash signature (v2):

Description

My application uses the python binding of librados to modify and read xattrs of objects. I noticed that iterating over xattrs performs a double free if an attribute without value or empty string follows an attribute with a value:

Error in `python': double free or corruption (fasttop): 0x0000000001b066e0 *** ======= Backtrace: =========
/lib64/libc.so.6(+0x721af)[0x7f14e61ff1af]
/lib64/libc.so.6(+0x77706)[0x7f14e6204706]
/lib64/libc.so.6(+0x78453)[0x7f14e6205453]
/usr/lib64/librados.so.2(rados_getxattrs_next+0x3f)[0x7f14dbee7e7f]
/usr/lib64/python2.7/site-packages/rados.so(+0x326bc)[0x7f14e56126bc]
/usr/lib64/libpython2.7.so.1.0(+0x918df)[0x7f14e67de8df]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalFrameEx+0xaac)[0x7f14e683a4dc]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCodeEx+0x244)[0x7f14e68447e4]
/usr/lib64/libpython2.7.so.1.0(PyEval_EvalCode+0x32)[0x7f14e68993e2]
/usr/lib64/libpython2.7.so.1.0(+0x15260b)[0x7f14e689f60b]
/usr/lib64/libpython2.7.so.1.0(PyRun_FileExFlags+0x92)[0x7f14e67ba20e]
/usr/lib64/libpython2.7.so.1.0(PyRun_SimpleFileExFlags+0x304)[0x7f14e67baddc]
/usr/lib64/libpython2.7.so.1.0(Py_Main+0xc4a)[0x7f14e67c0654]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f14e61ad6e5]

I attached a python script to reproduce the issue.

Files

rados-double-free-reproduce.py (562 Bytes) rados-double-free-reproduce.py

Python script to reproduce issue

Christoph Heer, 11/04/2017 08:34 PM

Related issues 2 (0 open — 2 closed)