[Bugs] [Bug 1283690] core dump in protocol/client:client_submit_request

bugzilla at redhat.com bugzilla at redhat.com
Wed Nov 25 06:38:50 UTC 2015


https://bugzilla.redhat.com/show_bug.cgi?id=1283690



--- Comment #2 from Vijay Bellur <vbellur at redhat.com> ---
COMMIT: http://review.gluster.org/12665 committed in release-3.6 by Raghavendra Bhat (raghavendra at redhat.com)
------
commit 5d264dbcb7cd08337105417014dccc8fda6f169a
Author: Niels de Vos <ndevos at redhat.com>
Date:   Thu Nov 19 16:20:40 2015 +0100

    protocol/client: prevent use-after-free of frame->root

    A regression failure generated a coredump on the glusterfs-client side:

      (gdb) f 0
      #0  0x00007fba6cd76432 in client_submit_request (this=0x7fba68006fc0,
                      req=0x7fba6579aa70, frame=0x7fba5c0058cc,
                      prog=0x7fba6cfb53c0 <clnt3_3_fop_prog>, procnum=41,
                      cbkfn=0x7fba6cd9206d <client3_3_release_cbk>,
                      iobref=0x0, rsphdr=0x0, rsphdr_count=0,
                      rsp_payload=0x0, rsp_payload_count=0, rsp_iobref=0x0,
                      xdrproc=0x7fba79801075 <xdr_gfs3_release_req>) at /home/jenkins/root/workspace/rackspace-regression-2GB-triggered/xlators/protocol/client/src/client.c:324
      324                   frame->root->ngrps = ngroups;
      (gdb) l
      319                   gf_msg_debug (this->name, 0, "rpc_clnt_submit failed");
      320           }
      321
      322           if (!conf->send_gids) {
      323                   /* restore previous values */
      324                   frame->root->ngrps = ngroups;
      325                   if (ngroups <= SMALL_GROUP_COUNT)
      326                           frame->root->groups_small[0] = gid;
      327           }
      328
      (gdb) p *frame->root
      Cannot access memory at address 0x64185df000000000

    After looking at this in more detail, the flow is like this:

      client_submit_request()
        |
        '- rpc_clnt_submit() // on line 314
             |
             '- cbkfn() // = client3_3_release_cbk
                  |
                  :- STACK_DESTROY (frame->root);
             .----'
        .----'
        |
        :- frame->root->ngrps = ngroups; // on line 324
        '

    So, there is a use-after-free, and it is not needed to restore the
    previous groups in frame->root.

    Cherry picked from commit dc3aa7524e4974f9d02465e2e5dd6ed9b6d319e1:
    > Change-Id: I9e7d712183692ed92cfc2f75cd3c2781a9db20e2
    > BUG: 1281285 (was incorrect in original patch)
    > Signed-off-by: Niels de Vos <ndevos at redhat.com>
    > Reviewed-on: http://review.gluster.org/12575
    > Reviewed-by: Dan Lambright <dlambrig at redhat.com>
    > Tested-by: NetBSD Build System <jenkins at build.gluster.org>
    > Reviewed-by: Jeff Darcy <jdarcy at redhat.com>

    Change-Id: I9e7d712183692ed92cfc2f75cd3c2781a9db20e2
    BUG: 1283690
    Signed-off-by: Niels de Vos <ndevos at redhat.com>
    Reviewed-on: http://review.gluster.org/12665
    Tested-by: Gluster Build System <jenkins at build.gluster.com>
    Reviewed-by: Dan Lambright <dlambrig at redhat.com>
    Reviewed-by: Raghavendra Bhat <raghavendra at redhat.com>

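The call flow the commit message draws (rpc_clnt_submit() failing, the completion callback running synchronously and destroying frame->root, then the caller writing to frame->root) reduced to a self-contained C model. This is an added illustration, not GlusterFS code: the call_stack_t/call_frame_t shapes, rpc_clnt_submit(), release_cbk(), stack_destroy(), frame_new() and the root_destroyed flag are simplified stand-ins assumed for the demo, and the "before the fix" path checks that flag instead of actually dereferencing freed memory.

```c
#include <stdbool.h>
#include <stdlib.h>

#define SMALL_GROUP_COUNT 4

/* Minimal stand-ins for call_stack_t / call_frame_t (assumed shapes, not the real ones). */
typedef struct call_stack {
        int ngrps;
        int groups_small[SMALL_GROUP_COUNT];
} call_stack_t;

typedef struct call_frame {
        call_stack_t *root;
        bool root_destroyed;   /* demo-only bookkeeping: set once the stack has been freed */
} call_frame_t;

typedef void (*cbk_fn_t)(call_frame_t *frame);

/* Stand-in for STACK_DESTROY: frees the stack; frame->root is left dangling on purpose,
 * as the real macro does. */
static void stack_destroy(call_frame_t *frame)
{
        free(frame->root);
        frame->root_destroyed = true;
}

/* Stand-in for client3_3_release_cbk: the completion callback tears down the call. */
static void release_cbk(call_frame_t *frame)
{
        stack_destroy(frame);
}

/* Stand-in for rpc_clnt_submit(): when the submit fails, the callback runs
 * synchronously, i.e. before control returns to client_submit_request(). */
static int rpc_clnt_submit(call_frame_t *frame, cbk_fn_t cbkfn, bool submit_fails)
{
        if (submit_fails) {
                cbkfn(frame);
                return -1;
        }
        return 0;   /* otherwise the callback would run later, asynchronously (not modelled) */
}

/* Shape of the code before the fix: after rpc_clnt_submit() returns, the saved
 * ngrps/gid are written back into frame->root. Returns true when that write-back
 * would touch a stack the callback already destroyed (the use-after-free); the
 * demo stops short of actually dereferencing freed memory. */
static bool submit_and_restore_before_fix(call_frame_t *frame, bool send_gids, bool submit_fails)
{
        int ngroups = frame->root->ngrps;
        int gid = frame->root->groups_small[0];

        if (!send_gids) {
                /* demo: pretend the groups are replaced before going on the wire */
                frame->root->ngrps = 1;
                frame->root->groups_small[0] = 0;
        }

        (void)rpc_clnt_submit(frame, release_cbk, submit_fails);  /* real code only logs on failure */

        if (!send_gids) {
                if (frame->root_destroyed)
                        return true;    /* the line-324 write would hit freed memory */
                /* restore previous values */
                frame->root->ngrps = ngroups;
                if (ngroups <= SMALL_GROUP_COUNT)
                        frame->root->groups_small[0] = gid;
        }
        return false;
}

/* Shape after the fix: once the request is submitted, frame->root belongs to the
 * callback path and is never touched again here, so there is nothing to restore. */
static bool submit_after_fix(call_frame_t *frame, bool send_gids, bool submit_fails)
{
        if (!send_gids) {
                frame->root->ngrps = 1;
                frame->root->groups_small[0] = 0;
        }
        (void)rpc_clnt_submit(frame, release_cbk, submit_fails);
        return false;   /* no post-submit access to frame->root */
}

/* Demo helper: build a frame whose stack carries ngrps groups with gid as the first one. */
static call_frame_t *frame_new(int ngrps, int gid)
{
        call_frame_t *frame = calloc(1, sizeof(*frame));
        frame->root = calloc(1, sizeof(*frame->root));
        frame->root->ngrps = ngrps;
        frame->root->groups_small[0] = gid;
        return frame;
}

/* Demo helper: release a frame, freeing the stack only if no callback already did. */
static void frame_free(call_frame_t *frame)
{
        if (!frame->root_destroyed)
                free(frame->root);
        free(frame);
}
```

The point the model makes is an ownership one: a submit routine that may invoke the completion callback synchronously hands the frame over at the moment it is called, so any access to the frame after the submit returns is unsafe on the failure path even though it looks harmless on the success path. The fix removes the post-submit access rather than trying to detect the freed stack.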