Bug 1456226 - use-after free on latest version of tcmu-runner
Summary: use-after free on latest version of tcmu-runner
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: tcmu-runner
Version: rhgs-3.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: RHGS 3.3.0
Assignee: Pranith Kumar K
QA Contact: Sweta Anandpara
URL:
Whiteboard:
Depends On:
Blocks: 1417151
Reported: 2017-05-28 02:46 UTC by Pranith Kumar K
Modified: 2017-09-21 04:19 UTC (History)

Fixed In Version: tcmu-runner-1.2.0-4.el7rhgs
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-21 04:19:33 UTC
Embargoed:


Attachments
Patch to fix the crash (641 bytes, patch), 2017-05-28 02:46 UTC, Pranith Kumar K


Links
Red Hat Product Errata RHEA-2017:2773 (priority normal, status SHIPPED_LIVE): new packages: gluster-block, last updated 2017-09-21 08:16:22 UTC

Description Pranith Kumar K 2017-05-28 02:46:07 UTC
Description of problem:
[root@localhost tcmu-runner]# 2017-05-28 07:58:12.948 1343 [ERROR] tcmu_create_glfs_object:405 : glfs_init failed: Success
=================================================================
==1343==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000dc30 at pc 0x7fd8ab4fb93f bp 0x7fff4a7eddf0 sp 0x7fff4a7edde0
READ of size 8 at 0x60300000dc30 thread T0
2017-05-28 07:58:13.930 1343 [ERROR] glfs_check_config:453 : tcmu_create_glfs_object failed
    #0 0x7fd8ab4fb93e in gluster_free_server /root/tcmu-runner/glfs.c:270
    #1 0x7fd8ab4fcc50 in glfs_check_config /root/tcmu-runner/glfs.c:480
    #2 0x7fd8b15330a4 in add_device /root/tcmu-runner/libtcmu.c:243
    #3 0x7fd8b1534500 in open_devices /root/tcmu-runner/libtcmu.c:436
    #4 0x7fd8b1534c5f in tcmulib_initialize /root/tcmu-runner/libtcmu.c:477
    #5 0x418720 in main /root/tcmu-runner/main.c:871
    #6 0x7fd8afe21400 in __libc_start_main (/lib64/libc.so.6+0x20400)
    #7 0x407dd9 in _start (/root/tcmu-runner/tcmu-runner+0x407dd9)

0x60300000dc30 is located 0 bytes inside of 24-byte region [0x60300000dc30,0x60300000dc48)
freed by thread T0 here:
    #0 0x7fd8b181cb00 in free (/lib64/libasan.so.3+0xc6b00)
    #1 0x7fd8ab4fbaa8 in gluster_free_server /root/tcmu-runner/glfs.c:276
    #2 0x7fd8ab4fc878 in tcmu_create_glfs_object /root/tcmu-runner/glfs.c:415
    #3 0x7fd8ab4fca89 in glfs_check_config /root/tcmu-runner/glfs.c:451
    #4 0x7fd8b15330a4 in add_device /root/tcmu-runner/libtcmu.c:243
    #5 0x7fd8b1534500 in open_devices /root/tcmu-runner/libtcmu.c:436
    #6 0x7fd8b1534c5f in tcmulib_initialize /root/tcmu-runner/libtcmu.c:477
    #7 0x418720 in main /root/tcmu-runner/main.c:871
    #8 0x7fd8afe21400 in __libc_start_main (/lib64/libc.so.6+0x20400)

previously allocated by thread T0 here:
    #0 0x7fd8b181d020 in calloc (/lib64/libasan.so.3+0xc7020)
    #1 0x7fd8ab4fbbe5 in parse_imagepath /root/tcmu-runner/glfs.c:299
    #2 0x7fd8ab4fc47c in tcmu_create_glfs_object /root/tcmu-runner/glfs.c:360
    #3 0x7fd8ab4fca89 in glfs_check_config /root/tcmu-runner/glfs.c:451
    #4 0x7fd8b15330a4 in add_device /root/tcmu-runner/libtcmu.c:243
    #5 0x7fd8b1534500 in open_devices /root/tcmu-runner/libtcmu.c:436
    #6 0x7fd8b1534c5f in tcmulib_initialize /root/tcmu-runner/libtcmu.c:477
    #7 0x418720 in main /root/tcmu-runner/main.c:871
    #8 0x7fd8afe21400 in __libc_start_main (/lib64/libc.so.6+0x20400)

SUMMARY: AddressSanitizer: heap-use-after-free /root/tcmu-runner/glfs.c:270 in gluster_free_server
==1343==ABORTING


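The two ASan stacks above describe an ownership bug: the 24-byte object calloc'd in parse_imagepath is freed by gluster_free_server when tcmu_create_glfs_object hits the glfs_init failure path (glfs.c:415), and glfs_check_config then calls gluster_free_server on the same pointer again (glfs.c:480), whose first member read (glfs.c:270) is the flagged use-after-free. The C sketch below is an added illustration of that control flow with a defensive fix; it is not tcmu-runner's code, and the struct, field names, "host@volume/path" format and function bodies are constructed stand-ins.

```c
#define _POSIX_C_SOURCE 200809L   /* declares strndup()/strdup() */
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the 24-byte object parse_imagepath() allocates. */
struct server_cfg { char *host; char *volume; char *path; };

/* Release helper that takes the owner's pointer by address and clears it, so a
 * second call on an error path is a no-op rather than a double free. */
static void free_server(struct server_cfg **cfgp)
{
    struct server_cfg *cfg = *cfgp;
    if (!cfg) return;
    free(cfg->host);   /* on a dangling cfg this is the 8-byte read ASan flagged */
    free(cfg->volume);
    free(cfg->path);
    free(cfg);
    *cfgp = NULL;
}

/* Constructed parser for "host@volume/path"; returns NULL when malformed. */
static struct server_cfg *parse_imagepath(const char *image)
{
    const char *at = strchr(image, '@');
    const char *slash = at ? strchr(at, '/') : NULL;
    if (!at || !slash) return NULL;
    struct server_cfg *cfg = calloc(1, sizeof(*cfg));
    if (!cfg) return NULL;
    cfg->host = strndup(image, (size_t)(at - image));
    cfg->volume = strndup(at + 1, (size_t)(slash - at - 1));
    cfg->path = strdup(slash + 1);
    return cfg;
}

/* Callee cleanup on a failed backend init, as at glfs.c:415 in the trace. */
static int create_object(struct server_cfg **cfgp, int init_fails)
{
    if (!init_fails) return 0;
    free_server(cfgp);
    return -1;
}

/* Caller cleanup, as at glfs.c:480: a second free, now harmless. */
int check_config(const char *image, int init_fails)
{
    struct server_cfg *cfg = parse_imagepath(image);
    if (!cfg) return -1;
    int rc = create_object(&cfg, init_fails);
    free_server(&cfg);
    return rc;
}
```

Building this with -fsanitize=address and running check_config with init_fails set to 1 stays clean; changing free_server back to taking a plain pointer and not clearing it reproduces the reported double free.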

Comment 2 Pranith Kumar K 2017-05-28 02:46:58 UTC
Created attachment 1282958 [details]
Patch to fix the crash

Comment 3 Pranith Kumar K 2017-05-28 11:37:00 UTC
https://github.com/open-iscsi/tcmu-runner/pull/165

Comment 6 Pranith Kumar K 2017-05-30 11:30:05 UTC
https://github.com/open-iscsi/tcmu-runner/pull/166 also solves one more problem; this also needs to be ported.

Comment 10 Sweta Anandpara 2017-07-14 06:13:16 UTC
Rahul, please refer to comment 9 for this bug. Also, bz 1452919 is on similar lines. What is the guidance/process for such bugs?

Comment 12 Sweta Anandpara 2017-07-17 10:56:48 UTC
A round of testing has taken place on glusterfs-3.8.4-33 and gluster-block-0.2.1-6. I do not see any crashes or anything unexpected in the gluster-block logs.

Based on comments 9 and 11 (the developer's inputs as well as the release leads'), moving this bug to (conditionally) verified.

Comment 15 errata-xmlrpc 2017-09-21 04:19:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2773

