[Bugs] [Bug 1531372] New: Use after free in cli_cmd_volume_create_cbk
bugzilla at redhat.com
Fri Jan 5 03:13:39 UTC 2018
https://bugzilla.redhat.com/show_bug.cgi?id=1531372
Bug ID: 1531372
Summary: Use after free in cli_cmd_volume_create_cbk
Product: GlusterFS
Version: 3.12
Component: cli
Assignee: bugs at gluster.org
Reporter: nbalacha at redhat.com
CC: amukherj at redhat.com, bugs at gluster.org
Depends On: 1530910
Blocks: 1531041, 1531371
+++ This bug was initially created as a clone of Bug #1530910 +++
Description of problem:
Nigel (nbabu at redhat.com) reported that his ASAN builds were reporting a
use_after_free in the create volume operation:
==19964==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000020010
at pc 0x7faaf981dd75 bp 0x7faaeb171f80 sp 0x7faaeb1716f8
READ of size 1 at 0x612000020010 thread T3
#0 0x7faaf981dd74 (/lib64/libasan.so.4+0x73d74)
#1 0x7faaf989325f (/lib64/libasan.so.4+0xe925f)
#2 0x7faaf981deed (/lib64/libasan.so.4+0x73eed)
#3 0x7faaf984ac4d in __interceptor_vsnprintf (/lib64/libasan.so.4+0xa0c4d)
#4 0x7faaf937c677 in gf_vasprintf
/home/nigelb/code/glusterfs/libglusterfs/src/mem-pool.c:238
#5 0x7faaf948122c in _gf_event
/home/nigelb/code/glusterfs/libglusterfs/src/events.c:91
#6 0x41602b in cli_cmd_volume_create_cbk
/home/nigelb/code/glusterfs/cli/src/cli-cmd-volume.c:258
#7 0x410d06 in cli_cmd_process
/home/nigelb/code/glusterfs/cli/src/cli-cmd.c:135
#8 0x410331 in cli_batch /home/nigelb/code/glusterfs/cli/src/input.c:29
#9 0x7faaf7427608 in start_thread (/lib64/libpthread.so.0+0x7608)
#10 0x7faaf6cf6e6e in __clone (/lib64/libc.so.6+0x119e6e)
0x612000020010 is located 80 bytes inside of 306-byte region
[0x61200001ffc0,0x6120000200f2)
freed by thread T3 here:
#0 0x7faaf98884b8 in __interceptor_free (/lib64/libasan.so.4+0xde4b8)
#1 0x7faaf937d5a1 in __gf_free
/home/nigelb/code/glusterfs/libglusterfs/src/mem-pool.c:360
#2 0x7faaf92d62e7 in data_destroy
/home/nigelb/code/glusterfs/libglusterfs/src/dict.c:227
#3 0x7faaf92d843e in data_unref
/home/nigelb/code/glusterfs/libglusterfs/src/dict.c:674
#4 0x7faaf92d7f81 in dict_destroy
/home/nigelb/code/glusterfs/libglusterfs/src/dict.c:589
#5 0x7faaf92d82f9 in dict_unref
/home/nigelb/code/glusterfs/libglusterfs/src/dict.c:643
#6 0x40eaf6 in cli_local_wipe /home/nigelb/code/glusterfs/cli/src/cli.c:711
#7 0x415f47 in cli_cmd_volume_create_cbk
/home/nigelb/code/glusterfs/cli/src/cli-cmd-volume.c:256
#8 0x410d06 in cli_cmd_process
/home/nigelb/code/glusterfs/cli/src/cli-cmd.c:135
#9 0x410331 in cli_batch /home/nigelb/code/glusterfs/cli/src/input.c:29
#10 0x7faaf7427608 in start_thread (/lib64/libpthread.so.0+0x7608)
previously allocated by thread T3 here:
#0 0x7faaf9888850 in malloc (/lib64/libasan.so.4+0xde850)
#1 0x7faaf937c03c in __gf_malloc
/home/nigelb/code/glusterfs/libglusterfs/src/mem-pool.c:140
#2 0x47ef20 in cli_cmd_bricks_parse
/home/nigelb/code/glusterfs/cli/src/cli-cmd-parser.c:177
#3 0x4814ff in cli_cmd_volume_create_parse
/home/nigelb/code/glusterfs/cli/src/cli-cmd-parser.c:702
#4 0x415aba in cli_cmd_volume_create_cbk
/home/nigelb/code/glusterfs/cli/src/cli-cmd-volume.c:219
#5 0x410d06 in cli_cmd_process
/home/nigelb/code/glusterfs/cli/src/cli-cmd.c:135
#6 0x410331 in cli_batch /home/nigelb/code/glusterfs/cli/src/input.c:29
#7 0x7faaf7427608 in start_thread (/lib64/libpthread.so.0+0x7608)
Thread T3 created by T0 here:
#0 0x7faaf97e1a2f in pthread_create (/lib64/libasan.so.4+0x37a2f)
#1 0x41068c in cli_input_init
/home/nigelb/code/glusterfs/cli/src/input.c:75
#2 0x40eecd in main /home/nigelb/code/glusterfs/cli/src/cli.c:785
#3 0x7faaf6bfe039 in __libc_start_main (/lib64/libc.so.6+0x21039)
RCA:
==========
In cli_cmd_volume_create_cbk:

        ...
        ret = cli_cmd_volume_create_parse (state, words, wordcount, &options,
                                           &bricks);
        ** This sets bricks in options:
                ret = dict_set_dynstr (dict, "bricks", bricks);
        **
        ...
        CLI_LOCAL_INIT (local, words, frame, options);
        ** sets local->dict = options **
        ...
        CLI_STACK_DESTROY (frame);
        ** Frees local->dict. As bricks was a dynstr, it is freed in data_destroy **

        if (ret == 0) {
                gf_event (EVENT_VOLUME_CREATE, "name=%s;bricks=%s",
                          (char *)words[2], bricks);
                ** Tries to use bricks which has been freed **
        }
        return ret;
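The ownership hand-off that the RCA above describes is easy to lose track of, so here is a self-contained model of it. This is an added example, not GlusterFS code: mini_dict_t, dict_set_dynstr, dict_destroy, bricks_parse, emit_event and volume_create are stand-ins for the real dict_t, dict_set_dynstr, dict_unref via CLI_STACK_DESTROY, cli_cmd_bricks_parse, gf_event and cli_cmd_volume_create_cbk. The small freed-pointer quarantine imitates what AddressSanitizer does so the dangling read is reported rather than silently dereferenced; the "fixed" ordering (emit the event before the dict that owns the string is torn down) is one way to remove the dangling use and is not claimed to be the project's actual patch. The brick list is constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy quarantine standing in for ASan's freed-memory tracking.
 * Hypothetical: records freed pointers so a later use can be flagged. */
static const void *freed[16];
static int nfreed;

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    for (int i = 0; i < nfreed; i++)      /* address reused: no longer "freed" */
        if (freed[i] == p) freed[i] = freed[--nfreed];
    return p;
}
static void tracked_free(void *p) {
    if (nfreed < 16) freed[nfreed++] = p;
    free(p);
}
static int is_freed(const void *p) {
    for (int i = 0; i < nfreed; i++) if (freed[i] == p) return 1;
    return 0;
}

/* Minimal stand-in for dict_t: a dynstr value is OWNED by the dict and is
 * freed when the dict is destroyed (the data_destroy step in the ASan trace). */
typedef struct { const char *key; char *dynstr; } kv_t;
typedef struct { kv_t items[8]; int count; } mini_dict_t;

static int dict_set_dynstr(mini_dict_t *d, const char *key, char *value) {
    if (d->count >= 8) return -1;
    d->items[d->count].key = key;
    d->items[d->count].dynstr = value;     /* ownership moves to the dict */
    d->count++;
    return 0;
}
static void dict_destroy(mini_dict_t *d) {
    for (int i = 0; i < d->count; i++) tracked_free(d->items[i].dynstr);
    d->count = 0;
}

/* Stand-in for cli_cmd_bricks_parse: joins words[brick_index..] with spaces
 * into a freshly allocated string that the caller hands to the dict. */
static char *bricks_parse(const char **words, int wordcount, int brick_index) {
    size_t len = 1;
    for (int i = brick_index; i < wordcount; i++) len += strlen(words[i]) + 1;
    char *s = tracked_malloc(len);
    if (!s) return NULL;
    s[0] = '\0';
    for (int i = brick_index; i < wordcount; i++) {
        if (i > brick_index) strcat(s, " ");
        strcat(s, words[i]);
    }
    return s;
}

/* Stand-in for gf_event(): formats the event into out. Instead of reading a
 * quarantined pointer it reports the use-after-free, as ASan would. */
static int emit_event(char *out, size_t n, const char *name, const char *bricks) {
    if (is_freed(bricks)) { snprintf(out, n, "heap-use-after-free"); return -1; }
    snprintf(out, n, "name=%s;bricks=%s", name, bricks);
    return 0;
}

/* Models cli_cmd_volume_create_cbk. fixed == 0 reproduces the reported order:
 * the dict (and with it the dynstr) is destroyed, then bricks is read.
 * fixed != 0 emits the event while the dict still owns the string. */
int volume_create(const char **words, int wordcount, int fixed, char *out, size_t n) {
    mini_dict_t options = {0};
    int ret;
    char *bricks = bricks_parse(words, wordcount, 3);   /* "volume create NAME bricks..." */
    if (!bricks) return -1;
    if (dict_set_dynstr(&options, "bricks", bricks)) { tracked_free(bricks); return -1; }
    ret = 0;                                /* pretend the RPC round trip succeeded */
    if (!fixed) {
        dict_destroy(&options);             /* CLI_STACK_DESTROY -> cli_local_wipe -> dict_unref */
        if (ret == 0) ret = emit_event(out, n, words[2], bricks);   /* bricks dangles */
    } else {
        if (ret == 0) ret = emit_event(out, n, words[2], bricks);   /* still owned */
        dict_destroy(&options);
    }
    return ret;
}
```

Built with -fsanitize=address and with emit_event reading the pointer unconditionally, the fixed == 0 path produces the same heap-use-after-free report as the trace above, with the free attributed to dict_destroy and the allocation to bricks_parse.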
--- Additional comment from Worker Ant on 2018-01-04 01:57:30 EST ---
REVIEW: https://review.gluster.org/19136 (cli: Fixed a use_after_free) posted
(#1) for review on master by N Balachandran
--- Additional comment from Worker Ant on 2018-01-04 08:07:27 EST ---
COMMIT: https://review.gluster.org/19136 committed in master by "N
Balachandran" <nbalacha at redhat.com> with a commit message- cli: Fixed a
use_after_free
gf_event in cli_cmd_volume_create_cbk was accessing
memory that had already been freed.
Change-Id: I447c939fa9b31e18819a62c3b356c14cca390787
BUG: 1530910
Signed-off-by: N Balachandran <nbalacha at redhat.com>
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1530910
[Bug 1530910] Use after free in cli_cmd_volume_create_cbk
https://bugzilla.redhat.com/show_bug.cgi?id=1531041
[Bug 1531041] Use after free in cli_cmd_volume_create_cbk
https://bugzilla.redhat.com/show_bug.cgi?id=1531371
[Bug 1531371] Use after free in cli_cmd_volume_create_cbk