Description of problem:
cli (/usr/sbin/gluster) unrefs the options dict, with the side effect of freeing it, and then uses it. When gluster is compiled with -fsanitize=address (gcc or clang), the use-after-free is caught.

Version-Release number of selected component (if applicable):
all

How reproducible:
I used `gluster volume create $volname ....`

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
run-time error, note address 0x610000007880

==21388==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000007880 at pc 0x7ffff6b6e4b3 bp 0x7fffe9326920 sp 0x7fffe9326910
READ of size 4 at 0x610000007880 thread T1

gdb backtrace, note #6 this=0x61000000787c, 0x610000007880 is this->hash_size

(gdb) where
#0  0x0000000000000000 in ?? ()
#1  0x00007ffff6f6b343 in ?? () from /lib64/libasan.so.1
#2  0x00007ffff6f6a7b2 in ?? () from /lib64/libasan.so.1
#3  0x00007ffff6f68396 in ?? () from /lib64/libasan.so.1
#4  0x00007ffff6f5c789 in __asan_report_error () from /lib64/libasan.so.1
#5  0x00007ffff6f5d833 in __asan_report_load4 () from /lib64/libasan.so.1
#6  0x00007ffff6b6e4b3 in _dict_lookup (this=0x61000000787c, key=0x7fffeace4ee0 "transport.address-family") at dict.c:200
#7  0x00007ffff6b6f05a in dict_get (this=0x61000000787c, key=0x7fffeace4ee0 "transport.address-family") at dict.c:376
#8  0x00007fffeacdc96f in client_fill_address_family (this=0x61e00000e4a0, sa_family=0x7fffe9326bb0) at name.c:125
#9  0x00007fffeacdee10 in socket_client_get_remote_sockaddr (this=0x61e00000e4a0, sockaddr=0x7fffe9326bb0, sockaddr_len=0x7fffe9326af0, sa_family=0x7fffe9326ab0) at name.c:480
#10 0x00007fffeacd3d19 in socket_connect (this=0x61e00000e4a0, port=0) at socket.c:2783
#11 0x00007ffff604333c in rpc_transport_connect (this=0x61e00000e4a0, port=0) at rpc-transport.c:399
#12 0x00007ffff604a7cd in rpc_clnt_reconnect (conn_ptr=0x61300000d610) at rpc-clnt.c:419
#13 0x00007ffff6be08b4 in gf_timer_proc (ctx=0x61800000fc80) at timer.c:165
#14 0x00007ffff517af33 in start_thread () from /lib64/libpthread.so.0
#15 0x00007ffff4ac1ded in clone () from /lib64/libc.so.6
(gdb)

gluster cli.log entry w/ instrumented dict_destroy()

[2014-08-20 15:59:52.805114] T [name.c:106:af_unix_client_bind] 0-glusterfs: bind-path not specified for unix socket, letting connect to assign default value
[2014-08-20 15:59:52.805352] E [dict.c:441:dict_destroy] (-->/usr/sbin/gluster(cli_quotad_clnt_rpc_init+0x110) [0x555555590e07] (-->/lib64/libglusterfs.so.0(dict_unref+0xd1) [0x7ffff6b6f9b6] (-->/lib64/libglusterfs.so.0(dict_destroy+0x44) [0x7ffff6b6f6b9]))) 0-dict: dict is 0x61000000787c

This is the rpc_opts dict_t at line 528 of cli.c, allocated at line 531, and unreferenced/freed at line 556.

On top of the above, both cli_quotad_clnt_rpc_init() in cli.c and then cli_quotad_clnt_init() in cli-quotad-client.c have the same code fragment:

...
        ret = dict_set_str (options, "transport.address-family", "unix");
        if (ret)
                goto out;

        ret = dict_set_str (options, "transport-type", "socket");
        if (ret)
                goto out;

        ret = dict_set_str (options, "transport.socket.connect-path", "/tmp/quotad.socket");
        if (ret)
                goto out;
...

suggested fix:

--- rpc/rpc-lib/src/rpc-transport.c.orig 2014-08-20 13:17:06.411127002 -0400 +++ rpc/rpc-lib/src/rpc-transport.c 2014-08-20 13:18:12.170125758 -0400 @@ -323,6 +323,7 @@ } trans->options = options; + dict_ref (trans->options); pthread_mutex_init (&trans->lock, NULL); trans->xl = this;
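Review bot: the added dict_ref (trans->options) has no matching dict_unref anywhere in the hunk, so unless the transport's teardown path (rpc_transport_destroy() or equivalent) already drops trans->options, this turns the use-after-free into a leak of one options dict per transport. Suggest pairing it with `if (trans->options) dict_unref (trans->options);` on the destroy path in the same change, and confirming that the cli callers keep their own dict_unref after rpc_transport_load() so the creator's reference is still released exactly once.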
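The ownership mistake behind the report, replayed in a standalone model so it can be run without AddressSanitizer. This is an added example and not glusterfs code: mydict_t, transport_t, transport_load(), transport_destroy() and run_scenario() are hypothetical stand-ins for dict_t, rpc_transport_t, rpc_transport_load(), the transport teardown path and the cli.c flow (create options, hand them to the transport, unref them, connect later from the timer thread). A "freed" flag stands in for the real free() so the read-after-release is observable, and the two knobs let you compare the reported behaviour, the suggested fix, and the fix without a matching unref on teardown.

```c
/* Added example, not glusterfs code. Models dict ownership between a caller
 * and a transport that stores the caller's options pointer. */
#include <stdio.h>
#include <stdlib.h>

typedef struct {
    int refcount;
    int freed;          /* set where the real dict_destroy() would free() */
    int double_unref;   /* set if unref is called on an already-released dict */
    const char *address_family;
} mydict_t;            /* hypothetical stand-in for dict_t */

typedef struct {
    mydict_t *options;  /* the question is whether this pointer is borrowed or owned */
} transport_t;         /* hypothetical stand-in for rpc_transport_t */

static mydict_t *mydict_new(const char *af)
{
    mydict_t *d = calloc(1, sizeof *d);
    d->refcount = 1;    /* the creator's reference */
    d->address_family = af;
    return d;
}

static mydict_t *mydict_ref(mydict_t *d)
{
    d->refcount++;
    return d;
}

static void mydict_unref(mydict_t *d)
{
    if (d->refcount <= 0) {      /* already released: would be a double free in real code */
        d->double_unref = 1;
        return;
    }
    if (--d->refcount == 0)
        d->freed = 1;            /* real code: dict_destroy() -> free() */
}

/* rpc_transport_load() analogue; take_ref selects the suggested fix. */
static void transport_load(transport_t *t, mydict_t *opts, int take_ref)
{
    t->options = take_ref ? mydict_ref(opts) : opts;
}

/* socket_connect() analogue: reads transport.address-family from options.
 * Returns 0 on success, -1 if the dict was already released (the UAF). */
static int transport_connect(transport_t *t, const char **af_out)
{
    if (t->options->freed)
        return -1;
    *af_out = t->options->address_family;
    return 0;
}

/* Teardown analogue; drop_ref selects the unref that must pair with the
 * ref taken in transport_load(), otherwise that reference leaks. */
static void transport_destroy(transport_t *t, int drop_ref)
{
    if (drop_ref && t->options)
        mydict_unref(t->options);
    t->options = NULL;
}

/* Replays the cli.c flow and returns a bitmask of what went wrong:
 * 1 = dict used after release, 2 = reference leaked, 4 = double unref. */
static int run_scenario(int transport_takes_ref, int destroy_drops_ref)
{
    transport_t t = { 0 };
    mydict_t *opts = mydict_new("unix");
    const char *af = NULL;
    int result = 0;

    transport_load(&t, opts, transport_takes_ref);
    mydict_unref(opts);                  /* caller drops its own ref (cli.c line 556 in the report) */
    if (transport_connect(&t, &af) != 0) /* later, from the timer thread */
        result |= 1;
    transport_destroy(&t, destroy_drops_ref);

    if (opts->refcount != 0)
        result |= 2;
    if (opts->double_unref)
        result |= 4;
    free(opts);                          /* the model owns the storage; real code freed it at refcount 0 */
    return result;
}

int main(void)
{
    printf("no ref in load, no unref in destroy (reported bug): %d\n", run_scenario(0, 0));
    printf("ref in load, unref in destroy (complete fix):        %d\n", run_scenario(1, 1));
    printf("ref in load, no unref in destroy (leak):             %d\n", run_scenario(1, 0));
    printf("no ref in load, unref in destroy (double unref):     %d\n", run_scenario(0, 1));
    return 0;
}
```

Only the combination where the transport takes its own reference in load and releases it in destroy comes back clean; adding the ref alone (the one-line patch above, if the teardown path does not already unref) shifts the problem from a use-after-free to a leak.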
REVIEW: http://review.gluster.org/8504 (cli: -fsanitize heap-use-after-free error) posted (#1) for review on master by Kaleb KEITHLEY (kkeithle)
Hi Kaleb, this looks the same as BZ 1129939, no? Thanks, Santosh
*** This bug has been marked as a duplicate of bug 1129939 ***