Bug 763714 (GLUSTER-1982)

Summary: rpc: crash on progver mismatch
Product: [Community] GlusterFS
Reporter: Csaba Henk <csaba>
Component: core
Assignee: Amar Tumballi <amarts>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: low
Version: mainline
CC: gluster-bugs, vijay, vraman
Hardware: All   
OS: All   
Doc Type: Bug Fix
Attachments:
- test utility
- updated patch for metaspoilt
- metaspoilt patch v3

Description Csaba Henk 2010-10-19 16:41:26 UTC
Using a vilified RPC client which sends an RPC message with a non-existing program version, glusterd crashes as follows:


[2010-10-19 18:33:00.879773] E [rpcsvc.c:695:rpcsvc_program_actor] rpc-service: RPC program version not available

Program received signal SIGSEGV, Segmentation fault.
rpcsvc_submit_generic (req=0x7ffff7f0803c, proghdr=0x7fffffffdf20, hdrcount=0, payload=0x0, payloadcount=0, iobref=0x6345f8) at rpcsvc.c:1539
1539                    gf_log (GF_RPCSVC, GF_LOG_ERROR, "failed to submit message "
(gdb) bt
#0  rpcsvc_submit_generic (req=0x7ffff7f0803c, proghdr=0x7fffffffdf20, hdrcount=0, payload=0x0, payloadcount=0, iobref=0x6345f8) at rpcsvc.c:1539
#1  0x00007ffff7960ba9 in rpcsvc_error_reply (req=0x7ffff7f0803c) at rpcsvc.c:1577
#2  0x00007ffff795f4e7 in rpcsvc_handle_rpc_call (svc=0x62db18, trans=0x637728, msg=0x62d7f8) at rpcsvc.c:998
#3  0x00007ffff795f872 in rpcsvc_notify (trans=0x637728, mydata=0x62db18, event=RPC_TRANSPORT_MSG_RECEIVED, data=0x62d7f8) at rpcsvc.c:1088
#4  0x00007ffff7965bb6 in rpc_transport_notify (this=0x637728, event=RPC_TRANSPORT_MSG_RECEIVED, data=0x62d7f8) at rpc-transport.c:1142
#5  0x00007ffff5667d00 in socket_event_poll_in (this=0x637728) at socket.c:1619
#6  0x00007ffff56680b9 in socket_event_handler (fd=7, idx=1, data=0x637728, poll_in=1, poll_out=0, poll_err=0) at socket.c:1733
#7  0x00007ffff7bb86c3 in event_dispatch_epoll_handler (event_pool=0x62bd88, events=0x636af8, i=0) at event.c:812
#8  0x00007ffff7bb88d6 in event_dispatch_epoll (event_pool=0x62bd88) at event.c:876
#9  0x00007ffff7bb8c4d in event_dispatch (event_pool=0x62bd88) at event.c:984
#10 0x000000000040646b in main (argc=4, argv=0x7fffffffe458) at glusterfsd.c:1410
(gdb) fr 0
#0  rpcsvc_submit_generic (req=0x7ffff7f0803c, proghdr=0x7fffffffdf20, hdrcount=0, payload=0x0, payloadcount=0, iobref=0x6345f8) at rpcsvc.c:1539
1539                    gf_log (GF_RPCSVC, GF_LOG_ERROR, "failed to submit message "
(gdb) l
1534            ret = rpcsvc_transport_submit (trans, &recordhdr, 1, proghdr, hdrcount,
1535                                           payload, payloadcount, iobref,
1536                                           req->trans_private);
1537
1538            if (ret == -1) {
1539                    gf_log (GF_RPCSVC, GF_LOG_ERROR, "failed to submit message "
1540                            "(XID: 0x%lx, Program: %s, ProgVers: %d, Proc: %d) to "
1541                            "rpc-transport (%s)", req->xid, req->prog->progname,
1542                            req->prog->progver, req->procnum, trans->name);
1543            } else {
(gdb) p req
$1 = (rpcsvc_request_t *) 0x7ffff7f0803c
(gdb) p req->prog
$2 = (rpcsvc_program_t *) 0x0

Comment 1 Csaba Henk 2010-10-20 11:07:27 UTC
Created attachment 359


Instructions.

- extract the tarball
- extract the tarball (inside)
- patch extracted tree with patch (use -p2)
- in tree root, do
  PROGVER=<progver> PAYLOAD=<payload> ruby -I. rex/proto/sunrpc/client.rb

  This will do a gluster portmap query for brick specified in <payload> (default /tmp/ex0), using <progver> for program version (default 1).

Comment 2 Csaba Henk 2010-10-20 13:20:29 UTC
Created attachment 360


My original patch, in the tarball, had a bug.

Comment 3 Csaba Henk 2010-10-21 06:33:28 UTC
Created attachment 361


This now decodes error reply fine.

Comment 4 Anand Avati 2010-10-26 07:02:11 UTC
PATCH: http://patches.gluster.com/patch/5542 in master (rpcsvc: handle NULL deref in case of program mismatch)
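
The failure mode in this report, reduced to a stand-alone C example (added here; it is not the GlusterFS source and not the patch referenced above): a version mismatch leaves `req->prog` NULL, and the error path must format its log line without dereferencing it. The type and function names (`program_t`, `request_t`, `registry`, `lookup_program`, `format_submit_failure`, `handle_call`) and the sample values are assumptions made for illustration.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Simplified stand-ins for the rpcsvc types seen in the backtrace (assumed layout). */
typedef struct { const char *progname; int prognum; int progver; } program_t;
typedef struct { unsigned long xid; int prognum, progver, procnum; const program_t *prog; } request_t;

/* Constructed registry: one program, one version. */
static const program_t registry[] = { { "portmap-demo", 100, 1 } };

/* Resolve the program; on a version mismatch req->prog stays NULL,
 * which is the state gdb shows in the report (req->prog == 0x0). */
static int lookup_program(request_t *req) {
    req->prog = NULL;
    for (size_t i = 0; i < sizeof registry / sizeof registry[0]; i++)
        if (registry[i].prognum == req->prognum && registry[i].progver == req->progver) {
            req->prog = &registry[i];
            return 0;
        }
    return -1;
}

/* Error-path formatter that never dereferences req->prog unchecked:
 * it falls back to the version number taken from the request itself. */
static int format_submit_failure(const request_t *req, char *buf, size_t len) {
    const char *name = req->prog ? req->prog->progname : "(unknown)";
    int ver = req->prog ? req->prog->progver : req->progver;
    return snprintf(buf, len, "failed to submit message (XID: 0x%lx, Program: %s, "
                    "ProgVers: %d, Proc: %d)", req->xid, name, ver, req->procnum);
}

/* Handle one call: 0 when dispatched, -1 when the error path ran.
 * Models the case where the error reply's submit also fails and is logged. */
static int handle_call(request_t *req, char *msg, size_t len) {
    if (lookup_program(req) != 0) {
        format_submit_failure(req, msg, len);  /* runs with prog == NULL */
        return -1;
    }
    msg[0] = '\0';
    return 0;
}

int main(void) {
    char msg[160];
    request_t bad = { 0x2a, 100, 99, 1, NULL };  /* constructed: unregistered version 99 */
    int rc = handle_call(&bad, msg, sizeof msg);
    printf("rc=%d msg=%s\n", rc, msg);
    return 0;
}
```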