Bug #2207 (closed): osd: crash when op length is greater than op input data

Status: Resolved
Priority: Normal
Assignee: -
Category: OSD
Target version: -
% Done: 0%
Source: Development
Tags:
Backport:
Regression:
Severity:
Reviewed:
Affected Versions:
ceph-qa-suite:
Pull request ID:
Crash signature (v1):
Crash signature (v2):
Description
This could happen due to a malicious or buggy client. I caused this with an accidentally empty request, with positive length:
(gdb) bt
#0  0x00007fbf62b96e2b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:41
#1  0x000000000071ede3 in reraise_fatal (signum=6) at global/signal_handler.cc:59
#2  handle_fatal_signal (signum=6) at global/signal_handler.cc:95
#3  <signal handler called>
#4  0x00007fbf61176165 in *__GI_raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#5  0x00007fbf61178f70 in *__GI_abort () at abort.c:92
#6  0x00007fbf61a09dc5 in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/libstdc++.so.6
#7  0x00007fbf61a08166 in ?? () from /usr/lib/libstdc++.so.6
#8  0x00007fbf61a08193 in std::terminate() () from /usr/lib/libstdc++.so.6
#9  0x00007fbf61a0828e in __cxa_throw () from /usr/lib/libstdc++.so.6
#10 0x000000000064a1df in ceph::buffer::list::iterator::copy (this=0x7fbf5260b620, len=2097152, dest=...) at common/buffer.cc:513
#11 0x0000000000556293 in ReplicatedPG::do_osd_ops (this=0x2f8e400, ctx=0x2c99500, ops=<value optimized out>) at osd/ReplicatedPG.cc:1967
#12 0x0000000000560f22 in ReplicatedPG::prepare_transaction (this=0x2f8e400, ctx=0x2c99500) at osd/ReplicatedPG.cc:3095
#13 0x0000000000564e17 in ReplicatedPG::do_op (this=0x2f8e400, op=0x2cb11e0) at osd/ReplicatedPG.cc:884
#14 0x00000000005c4271 in OSD::dequeue_op (this=0x2c13000, pg=0x2f8e400) at osd/OSD.cc:5730
#15 0x00000000006898d7 in ThreadPool::worker (this=0x2c13418) at common/WorkQueue.cc:54
#16 0x00000000005e9dfd in ThreadPool::WorkThread::entry() ()
#17 0x00007fbf62b8e8ba in start_thread (arg=<value optimized out>) at pthread_create.c:300
#18 0x00007fbf6121302d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#19 0x0000000000000000 in ?? ()
Current language:  auto
The current source language is "auto; currently c".
(gdb) frame 10
#10 0x000000000064a1df in ceph::buffer::list::iterator::copy (this=0x7fbf5260b620, len=2097152, dest=...)
    at common/buffer.cc:513
513	      throw end_of_buffer();
Current language:  auto
The current source language is "auto; currently c++".
(gdb) p *this->bl
$1 = {_buffers = {<std::_List_base<ceph::buffer::ptr, std::allocator<ceph::buffer::ptr> >> = { _M_impl = {<std::allocator<std::_List_node<ceph::buffer::ptr> >> = {<__gnu_cxx::new_allocator<std::_List_node<ceph::buffer::ptr> >> = {<No data fields>}, <No data fields>}, _M_node = {_M_next = 0x2c9f038, _M_prev = 0x2c9f038}}}, <No data fields>}, _len = 0, append_buffer = {_raw = 0x0, _off = 0, _len = 0}, last_p = {bl = 0x2c9f038, ls = 0x2c9f038, off = 0, p = {_M_node = 0x2c9f038}, p_off = 0}}
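The backtrace shows the failure mode: the op header declares a 2097152-byte payload, the request bufferlist is empty (_len = 0), and bufferlist::iterator::copy throws end_of_buffer, which nothing in the op path catches, so the worker thread hits std::terminate and the whole OSD aborts. The following is an added illustration, not Ceph's code: it uses a stand-in bufferlist with the same throw-on-short-read semantics and contrasts a handler that trusts the client-supplied length with one that checks it against the bytes actually received and fails only the request. All names (osd_op, do_write_unchecked, do_write_checked, unchecked_throws) are hypothetical.

```cpp
#include <cerrno>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <string>
#include <utility>
#include <iostream>

// Thrown when more bytes are requested than the buffer holds,
// mirroring the behaviour seen at common/buffer.cc:513 in the report.
struct end_of_buffer : public std::runtime_error {
    end_of_buffer() : std::runtime_error("end of buffer") {}
};

// Minimal stand-in for a request payload buffer (not Ceph's bufferlist).
class bufferlist {
public:
    explicit bufferlist(std::string data = "") : data_(std::move(data)), off_(0) {}
    size_t length() const { return data_.size(); }
    size_t remaining() const { return data_.size() - off_; }

    // Copy `len` bytes from the read position into `dest`; throws if short.
    void copy(size_t len, std::string& dest) {
        if (len > remaining())
            throw end_of_buffer();
        dest.append(data_, off_, len);
        off_ += len;
    }
private:
    std::string data_;
    size_t off_;
};

// Client-supplied op header: the declared payload length as sent on the wire.
struct osd_op {
    uint64_t length;
};

// Crash path: trusts op.length, so a short payload raises end_of_buffer out of
// the worker thread, which is what turned into std::terminate -> abort above.
int do_write_unchecked(const osd_op& op, bufferlist& indata, std::string& out) {
    indata.copy(static_cast<size_t>(op.length), out);
    return 0;
}

// Hardened path: validate the declared length against the bytes actually
// received before touching the buffer, and reject the op instead of the daemon.
int do_write_checked(const osd_op& op, bufferlist& indata, std::string& out) {
    if (op.length > indata.remaining())
        return -EINVAL;  // malformed request: error to the client, OSD stays up
    indata.copy(static_cast<size_t>(op.length), out);
    return 0;
}

// Helper for demonstration: does the unchecked handler throw for this input?
bool unchecked_throws(uint64_t declared_len, const std::string& payload) {
    osd_op op{declared_len};
    bufferlist bl(payload);
    std::string out;
    try {
        do_write_unchecked(op, bl, out);
        return false;
    } catch (const end_of_buffer&) {
        return true;
    }
}

int main() {
    // Constructed input matching the report: positive length, empty payload.
    osd_op op{2097152};
    bufferlist empty("");
    std::string out;
    std::cout << "unchecked throws: " << unchecked_throws(op.length, "") << "\n";
    std::cout << "checked returns:  " << do_write_checked(op, empty, out) << "\n";
    return 0;
}
```

The check belongs before any buffer access on the op-processing path, so that a malformed or malicious request is answered with an error code while the daemon keeps serving other clients.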