Bug #6346

closed

OSD: do not crash on bad client op input

Added by Greg Farnum over 10 years ago. Updated over 10 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: OSD
Target version: -
% Done: 0%
Source: Development
Severity: 3 - minor

Description

(gdb) bt
#0  0x00007f578c77ab7b in raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x00000000009fb6ae in reraise_fatal (signum=6) at global/signal_handler.cc:59
#2  handle_fatal_signal (signum=6) at global/signal_handler.cc:105
#3  <signal handler called>
#4  0x00007f578a848425 in __GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#5  0x00007f578a84bb8b in __GI_abort () at abort.c:91
#6  0x00007f578b19a69d in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#7  0x00007f578b198846 in ?? () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#8  0x00007f578b198873 in std::terminate() () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#9  0x00007f578b19896e in __cxa_throw () from /usr/lib/x86_64-linux-gnu/libstdc++.so.6
#10 0x000000000087277f in ceph::__ceph_assert_fail (assertion=0xa1fbb1 "len == data.length()", file=<optimized out>, line=424, 
    func=0xa26360 "void ObjectStore::Transaction::write(coll_t, const hobject_t&, uint64_t, uint64_t, const bufferlist&)") at common/assert.cc:77
#11 0x00000000005d6ee1 in ObjectStore::Transaction::write (data=..., len=<optimized out>, off=<optimized out>, oid=..., cid=..., this=<optimized out>) at ./os/ObjectStore.h:424
#12 0x000000000063ac68 in ObjectStore::Transaction::write (this=0x3ad1f40, cid=..., oid=..., off=0, len=2459525, data=...) at ./os/ObjectStore.h:424
#13 0x0000000000744e70 in ReplicatedPG::do_osd_ops (this=0x2f7b000, ctx=0x3ad1c00, ops=...) at osd/ReplicatedPG.cc:2672
#14 0x0000000000758bac in ReplicatedPG::prepare_transaction (this=0x2f7b000, ctx=0x3ad1c00) at osd/ReplicatedPG.cc:3956
#15 0x000000000075aabd in ReplicatedPG::execute_ctx (this=0x2f7b000, ctx=0x3ad1c00) at osd/ReplicatedPG.cc:994
#16 0x000000000075f7b5 in ReplicatedPG::do_op (this=0x2f7b000, op=...) at osd/ReplicatedPG.cc:887
#17 0x000000000069f419 in PG::do_request (this=0x2f7b000, op=..., handle=...) at osd/PG.cc:1428
#18 0x00000000005e8580 in OSD::dequeue_op (this=0x2e94000, pg=..., op=..., handle=...) at osd/OSD.cc:7204
#19 0x00000000005fea60 in OSD::OpWQ::_process (this=0x2e94e00, pg=..., handle=...) at osd/OSD.cc:7176
#20 0x000000000063d8fc in ThreadPool::WorkQueueVal<std::pair<boost::intrusive_ptr<PG>, std::tr1::shared_ptr<OpRequest> >, boost::intrusive_ptr<PG> >::_void_process (this=0x2e94e00, handle=...)
    at ./common/WorkQueue.h:190
#21 0x0000000000865626 in ThreadPool::worker (this=0x2e94468, wt=0x2e9fb80) at common/WorkQueue.cc:125
#22 0x0000000000867430 in ThreadPool::WorkThread::entry (this=<optimized out>) at common/WorkQueue.h:317
#23 0x00007f578c772e9a in start_thread (arg=0x7f57786b4700) at pthread_create.c:308
#24 0x00007f578a905ccd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#25 0x0000000000000000 in ?? ()

The values it's looking at are pulled straight from a client-provided bufferlist and we don't seem to do any validation prior to this point. See teuthology run at /a/teuthology-2013-09-17_23:01:16-fs-next-testing-basic-plana/1237.
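
The failure mode described above, as an added C++ illustration that is not Ceph code and not part of the original report: a storage-layer assertion on `len == data.length()` is only safe if the request handler has already rejected ops whose declared length disagrees with the attached data. `ClientWriteOp`, `Transaction`, `handle_client_write` and the `-EINVAL` return value are simplified, hypothetical stand-ins, and the offset wrap check is a further check not mentioned in the report.

```cpp
// Added illustration; simplified stand-ins, not Ceph source.
#include <cassert>
#include <cerrno>
#include <cstdint>
#include <cstdio>
#include <string>

// Hypothetical model of a client write op: declared fields plus attached data.
struct ClientWriteOp {
    uint64_t offset;      // client-declared offset
    uint64_t length;      // client-declared length
    std::string payload;  // bytes actually received from the client
};

// Stand-in for the storage layer, which treats len == data.length() as an
// internal invariant (the assertion in frame #10 of the backtrace).
struct Transaction {
    uint64_t bytes_queued = 0;
    void write(uint64_t off, uint64_t len, const std::string& data) {
        assert(len == data.length());  // aborts the whole daemon if violated
        (void)off;
        bytes_queued += len;
    }
};

// Hardened handler: validate untrusted fields at the trust boundary and fail
// only the offending request. -EINVAL is an assumed error code.
int handle_client_write(Transaction& t, const ClientWriteOp& op) {
    if (op.length != op.payload.length())
        return -EINVAL;  // declared length disagrees with received data
    if (op.offset > UINT64_MAX - op.length)
        return -EINVAL;  // extra check: offset + length would wrap
    t.write(op.offset, op.length, op.payload);
    return 0;
}

int main() {
    Transaction t;
    ClientWriteOp good{0, 5, "hello"};
    ClientWriteOp bad{0, 2459525, "hello"};  // constructed: length mismatch
    int r_good = handle_client_write(t, good);
    int r_bad = handle_client_write(t, bad);
    std::printf("good=%d bad=%d queued=%llu\n", r_good, r_bad,
                (unsigned long long)t.bytes_queued);
    return 0;
}
```

With the check in place, the mismatched op is refused and the process keeps serving other clients; without it, the same input reaches the assertion and terminates the daemon.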
