[Bugs] [Bug 1531372] New: Use after free in cli_cmd_volume_create_cbk

Fri Jan 5 03:13:39 UTC 2018

https://bugzilla.redhat.com/show_bug.cgi?id=1531372

            Bug ID: 1531372
           Summary: Use after free in cli_cmd_volume_create_cbk
           Product: GlusterFS
           Version: 3.12
         Component: cli
          Assignee: bugs at gluster.org
          Reporter: nbalacha at redhat.com
                CC: amukherj at redhat.com, bugs at gluster.org
        Depends On: 1530910
            Blocks: 1531041, 1531371

+++ This bug was initially created as a clone of Bug #1530910 +++

Description of problem:

Nigel (nbabu at redhat.com reported that his ASAN builds were reporting a
use_after_free in the create volume operation:

==19964==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000020010
at pc 0x7faaf981dd75 bp 0x7faaeb171f80 sp 0x7faaeb1716f8
READ of size 1 at 0x612000020010 thread T3
    #0 0x7faaf981dd74  (/lib64/libasan.so.4+0x73d74)
    #1 0x7faaf989325f  (/lib64/libasan.so.4+0xe925f)
    #2 0x7faaf981deed  (/lib64/libasan.so.4+0x73eed)
    #3 0x7faaf984ac4d in __interceptor_vsnprintf (/lib64/libasan.so.4+0xa0c4d)
    #4 0x7faaf937c677 in gf_vasprintf
/home/nigelb/code/glusterfs/libglusterfs/src/mem-pool.c:238
    #5 0x7faaf948122c in _gf_event
/home/nigelb/code/glusterfs/libglusterfs/src/events.c:91
    #6 0x41602b in cli_cmd_volume_create_cbk
/home/nigelb/code/glusterfs/cli/src/cli-cmd-volume.c:258
    #7 0x410d06 in cli_cmd_process
/home/nigelb/code/glusterfs/cli/src/cli-cmd.c:135
    #8 0x410331 in cli_batch /home/nigelb/code/glusterfs/cli/src/input.c:29
    #9 0x7faaf7427608 in start_thread (/lib64/libpthread.so.0+0x7608)
    #10 0x7faaf6cf6e6e in __clone (/lib64/libc.so.6+0x119e6e)

0x612000020010 is located 80 bytes inside of 306-byte region
[0x61200001ffc0,0x6120000200f2)
freed by thread T3 here:
    #0 0x7faaf98884b8 in __interceptor_free (/lib64/libasan.so.4+0xde4b8)
    #1 0x7faaf937d5a1 in __gf_free
/home/nigelb/code/glusterfs/libglusterfs/src/mem-pool.c:360
    #2 0x7faaf92d62e7 in data_destroy
/home/nigelb/code/glusterfs/libglusterfs/src/dict.c:227
    #3 0x7faaf92d843e in data_unref
/home/nigelb/code/glusterfs/libglusterfs/src/dict.c:674
    #4 0x7faaf92d7f81 in dict_destroy
/home/nigelb/code/glusterfs/libglusterfs/src/dict.c:589
    #5 0x7faaf92d82f9 in dict_unref
/home/nigelb/code/glusterfs/libglusterfs/src/dict.c:643
    #6 0x40eaf6 in cli_local_wipe /home/nigelb/code/glusterfs/cli/src/cli.c:711
    #7 0x415f47 in cli_cmd_volume_create_cbk
/home/nigelb/code/glusterfs/cli/src/cli-cmd-volume.c:256
    #8 0x410d06 in cli_cmd_process
/home/nigelb/code/glusterfs/cli/src/cli-cmd.c:135
    #9 0x410331 in cli_batch /home/nigelb/code/glusterfs/cli/src/input.c:29
    #10 0x7faaf7427608 in start_thread (/lib64/libpthread.so.0+0x7608)

previously allocated by thread T3 here:
    #0 0x7faaf9888850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x7faaf937c03c in __gf_malloc
/home/nigelb/code/glusterfs/libglusterfs/src/mem-pool.c:140
    #2 0x47ef20 in cli_cmd_bricks_parse
/home/nigelb/code/glusterfs/cli/src/cli-cmd-parser.c:177
    #3 0x4814ff in cli_cmd_volume_create_parse
/home/nigelb/code/glusterfs/cli/src/cli-cmd-parser.c:702
    #4 0x415aba in cli_cmd_volume_create_cbk
/home/nigelb/code/glusterfs/cli/src/cli-cmd-volume.c:219
    #5 0x410d06 in cli_cmd_process
/home/nigelb/code/glusterfs/cli/src/cli-cmd.c:135
    #6 0x410331 in cli_batch /home/nigelb/code/glusterfs/cli/src/input.c:29
    #7 0x7faaf7427608 in start_thread (/lib64/libpthread.so.0+0x7608)

Thread T3 created by T0 here:
    #0 0x7faaf97e1a2f in pthread_create (/lib64/libasan.so.4+0x37a2f)
    #1 0x41068c in cli_input_init
/home/nigelb/code/glusterfs/cli/src/input.c:75
    #2 0x40eecd in main /home/nigelb/code/glusterfs/cli/src/cli.c:785
    #3 0x7faaf6bfe039 in __libc_start_main (/lib64/libc.so.6+0x21039)

RCA:
==========

In cli_cmd_volume_create_cbk:
...

        ret = cli_cmd_volume_create_parse (state, words, wordcount, &options,
                                           &bricks);

  ** This sets bricks in options
        ret = dict_set_dynstr (dict, "bricks", bricks); 
  **

...

      CLI_LOCAL_INIT (local, words, frame, options);  
      ** sets local->dict = options **

...
        CLI_STACK_DESTROY (frame);  
   ** Frees local->dict. As bricks was a dynstr, it is freed in data_destroy **
        if (ret == 0) {
                gf_event (EVENT_VOLUME_CREATE, "name=%s;bricks=%s",
                          (char *)words[2], bricks); 
   ** Tries to use bricks which has been freed **

        }
        return ret;

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

--- Additional comment from Worker Ant on 2018-01-04 01:57:30 EST ---

REVIEW: https://review.gluster.org/19136 (cli: Fixed a use_after_free) posted
(#1) for review on master by N Balachandran

--- Additional comment from Worker Ant on 2018-01-04 08:07:27 EST ---

COMMIT: https://review.gluster.org/19136 committed in master by \"N
Balachandran\" <nbalacha at redhat.com> with a commit message- cli: Fixed a
use_after_free

gf_event in cli_cmd_volume_create_cbk was accessing
memory that had already been freed.

Change-Id: I447c939fa9b31e18819a62c3b356c14cca390787
BUG: 1530910
Signed-off-by: N Balachandran <nbalacha at redhat.com>

Referenced Bugs:

https://bugzilla.redhat.com/show_bug.cgi?id=1530910
[Bug 1530910] Use after free in cli_cmd_volume_create_cbk
https://bugzilla.redhat.com/show_bug.cgi?id=1531041
[Bug 1531041] Use after free in cli_cmd_volume_create_cbk
https://bugzilla.redhat.com/show_bug.cgi?id=1531371
[Bug 1531371] Use after free in cli_cmd_volume_create_cbk
-- 
You are receiving this mail because:
You are on the CC list for the bug.
You are the assignee for the bug.