Bug #2207

closed

osd: crash when op length is greater than op input data

Added by Josh Durgin about 12 years ago. Updated over 10 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: OSD
Target version: -
% Done: 0%
Source: Development

Description

This could happen due to a malicious or buggy client. I caused this with an accidentally empty request, with positive length:

(gdb) bt
#0  0x00007fbf62b96e2b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:41
#1  0x000000000071ede3 in reraise_fatal (signum=6) at global/signal_handler.cc:59
#2  handle_fatal_signal (signum=6) at global/signal_handler.cc:95
#3  <signal handler called>
#4  0x00007fbf61176165 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#5  0x00007fbf61178f70 in *__GI_abort () at abort.c:92
#6  0x00007fbf61a09dc5 in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/libstdc++.so.6
#7  0x00007fbf61a08166 in ?? () from /usr/lib/libstdc++.so.6
#8  0x00007fbf61a08193 in std::terminate() () from /usr/lib/libstdc++.so.6
#9  0x00007fbf61a0828e in __cxa_throw () from /usr/lib/libstdc++.so.6
#10 0x000000000064a1df in ceph::buffer::list::iterator::copy (this=0x7fbf5260b620, len=2097152, dest=...) at common/buffer.cc:513
#11 0x0000000000556293 in ReplicatedPG::do_osd_ops (this=0x2f8e400, ctx=0x2c99500, ops=<value optimized out>) at osd/ReplicatedPG.cc:1967
#12 0x0000000000560f22 in ReplicatedPG::prepare_transaction (this=0x2f8e400, ctx=0x2c99500) at osd/ReplicatedPG.cc:3095
#13 0x0000000000564e17 in ReplicatedPG::do_op (this=0x2f8e400, op=0x2cb11e0) at osd/ReplicatedPG.cc:884
#14 0x00000000005c4271 in OSD::dequeue_op (this=0x2c13000, pg=0x2f8e400) at osd/OSD.cc:5730
#15 0x00000000006898d7 in ThreadPool::worker (this=0x2c13418) at common/WorkQueue.cc:54
#16 0x00000000005e9dfd in ThreadPool::WorkThread::entry() ()
#17 0x00007fbf62b8e8ba in start_thread (arg=<value optimized out>) at pthread_create.c:300
#18 0x00007fbf6121302d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#19 0x0000000000000000 in ?? ()
Current language:  auto
The current source language is "auto; currently c".
(gdb) frame 10
#10 0x000000000064a1df in ceph::buffer::list::iterator::copy (this=0x7fbf5260b620, len=2097152, dest=...) at common/buffer.cc:513
513        throw end_of_buffer();
Current language:  auto
The current source language is "auto; currently c++".
(gdb) p *this->bl
$1 = {_buffers = {<std::_List_base<ceph::buffer::ptr, std::allocator<ceph::buffer::ptr> >> = {
      _M_impl = {<std::allocator<std::_List_node<ceph::buffer::ptr> >> = {<__gnu_cxx::new_allocator<std::_List_node<ceph::buffer::ptr> >> = {<No data fields>}, <No data fields>}, _M_node = {_M_next = 0x2c9f038, _M_prev = 0x2c9f038}}}, <No data fields>}, _len = 0, append_buffer = {_raw = 0x0, _off = 0, _len = 0}, last_p = {bl = 0x2c9f038, 
    ls = 0x2c9f038, off = 0, p = {_M_node = 0x2c9f038}, p_off = 0}}
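
The backtrace shows the shape of the failure: frame 10 is a buffer-list copy asked for len=2097152 while the list it iterates has _len = 0, so the iterator throws end_of_buffer, nothing on the do_osd_ops path catches it, and the uncaught exception reaches std::terminate and aborts the daemon. The example below is added here to illustrate that pattern and the corresponding defensive check; it is not Ceph's code and does not use Ceph's bufferlist or ReplicatedPG. ChunkList, OSDOp, do_write_unchecked, do_write_checked, make_payload, checked_result and unchecked_throws are all hypothetical names, and the payload contents are constructed. The unchecked handler reproduces the crash mode (an exception escaping an unvalidated copy), and the checked handler compares the op's claimed length with the bytes the request actually carried and fails the op with EINVAL instead.

```cpp
#include <algorithm>
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <exception>
#include <list>
#include <utility>
#include <vector>

// Thrown when a copy asks for more bytes than the request actually carried.
struct end_of_buffer : std::exception {
    const char* what() const noexcept override { return "end of buffer"; }
};

// Hypothetical stand-in for a chunked request payload (not Ceph's bufferlist).
class ChunkList {
    std::list<std::vector<uint8_t>> chunks_;
    size_t len_ = 0;
public:
    void append(std::vector<uint8_t> c) { len_ += c.size(); chunks_.push_back(std::move(c)); }
    size_t length() const { return len_; }

    // Copy the first 'len' bytes into dest, walking chunk by chunk. Like the
    // iterator in the backtrace it throws once the chunks run out while bytes
    // are still owed; it does not know the caller's intended length up front.
    void copy(size_t len, std::vector<uint8_t>& dest) const {
        dest.clear();
        auto it = chunks_.begin();
        while (len > 0) {
            if (it == chunks_.end()) throw end_of_buffer();  // asked for more than we hold
            size_t n = std::min(it->size(), len);
            dest.insert(dest.end(), it->begin(), it->begin() + n);
            len -= n;
            ++it;
        }
    }
};

// Constructed op header: the length the client claims for its write.
struct OSDOp { uint64_t length; };

// Unchecked path: trusts op.length. With an empty payload and a positive
// length the copy throws, and if nothing up the stack catches it the
// process ends in std::terminate, which is the abort in the report.
void do_write_unchecked(const OSDOp& op, const ChunkList& indata, std::vector<uint8_t>& out) {
    indata.copy(op.length, out);
}

// Hardened path: compare the claimed length against the bytes the request
// actually carried before touching the buffer, and fail the op with EINVAL
// so the client gets an error instead of the daemon going down.
int do_write_checked(const OSDOp& op, const ChunkList& indata, std::vector<uint8_t>& out) {
    if (op.length > indata.length()) return -EINVAL;
    indata.copy(op.length, out);
    return static_cast<int>(out.size());
}

// Build a request carrying 'data_bytes' bytes of constructed payload, split
// in two chunks so a successful copy has to cross a chunk boundary.
static ChunkList make_payload(size_t data_bytes) {
    ChunkList in;
    if (data_bytes > 0) {
        in.append(std::vector<uint8_t>(data_bytes / 2, 0xab));
        in.append(std::vector<uint8_t>(data_bytes - data_bytes / 2, 0xcd));
    }
    return in;
}

// -EINVAL when the header overstates the payload, bytes copied otherwise.
int checked_result(uint64_t claimed_len, size_t data_bytes) {
    ChunkList in = make_payload(data_bytes);
    std::vector<uint8_t> out;
    return do_write_checked(OSDOp{claimed_len}, in, out);
}

// true when the unchecked path throws for the same request.
bool unchecked_throws(uint64_t claimed_len, size_t data_bytes) {
    ChunkList in = make_payload(data_bytes);
    std::vector<uint8_t> out;
    try {
        do_write_unchecked(OSDOp{claimed_len}, in, out);
        return false;
    } catch (const end_of_buffer&) {
        return true;
    }
}

int main() {
    // Same shape as the report: 2097152 bytes claimed, 0 bytes carried.
    std::printf("unchecked throws: %d\n", unchecked_throws(2097152, 0) ? 1 : 0);
    std::printf("checked returns:  %d (-EINVAL is %d)\n", checked_result(2097152, 0), -EINVAL);
    std::printf("valid 16/16:      %d bytes copied\n", checked_result(16, 16));
    return 0;
}
```

The check is deliberately placed before the copy rather than as a try/catch around it: a request whose header disagrees with its payload is a client-side error (or a malicious client, as the description notes), and the right outcome is an error result for that op, not a process-wide exception handler.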
Updated by Ian Colle about 11 years ago

Still exists in current code.

Updated by Sage Weil over 10 years ago

  • Status changed from New to Resolved