Bug 1456227 - Use after free when doing targetcli clearconfig confirm=True
Summary: Use after free when doing targetcli clearconfig confirm=True
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: tcmu-runner
Version: rhgs-3.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: RHGS 3.3.0
Assignee: Pranith Kumar K
QA Contact: Sweta Anandpara
URL:
Whiteboard:
Depends On:
Blocks: 1417151
 
Reported: 2017-05-28 03:11 UTC by Pranith Kumar K
Modified: 2023-09-14 03:58 UTC

Fixed In Version: tcmu-runner-1.2.0-4.el7rhgs
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-09-21 04:19:33 UTC
Embargoed:


Attachments
Fixes crash in clearconfig (793 bytes, patch), 2017-05-28 03:12 UTC, Pranith Kumar K


Links
Red Hat Product Errata RHEA-2017:2773 (priority normal, status SHIPPED_LIVE): new packages: gluster-block, last updated 2017-09-21 08:16:22 UTC

Description Pranith Kumar K 2017-05-28 03:11:56 UTC
Description of problem:

[root@localhost tcmu-runner]# targetcli clearconfig confirm=True
=================================================================
==5644==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500000e1b0 at pc 0x7f92228cf987 bp 0x7ffffbb6f980 sp 0x7ffffbb6f128
READ of size 5 at 0x61500000e1b0 thread T0
All configuration cleared
    #0 0x7f92228cf986 in strnlen (/lib64/libasan.so.3+0x47986)
    #1 0x7f9222665bb8 in remove_device /root/tcmu-runner/libtcmu.c:338
    #2 0x7f9222664808 in handle_netlink /root/tcmu-runner/libtcmu.c:72
    #3 0x7f92212fc634  (/lib64/libnl-genl-3.so.200+0x3634)
    #4 0x7f9221510a7b in nl_recvmsgs_report (/lib64/libnl-3.so.200+0x11a7b)
    #5 0x7f9221510ea8 in nl_recvmsgs (/lib64/libnl-3.so.200+0x11ea8)
    #6 0x7f9222666f05 in tcmulib_master_fd_ready /root/tcmu-runner/libtcmu.c:509
    #7 0x415e6b in tcmulib_callback /root/tcmu-runner/main.c:181
    #8 0x7f9221da1e51 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x49e51)
    #9 0x7f9221da21cf  (/lib64/libglib-2.0.so.0+0x4a1cf)
    #10 0x7f9221da24f1 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x4a4f1)
    #11 0x418846 in main /root/tcmu-runner/main.c:899
    #12 0x7f9220f53400 in __libc_start_main (/lib64/libc.so.6+0x20400)
    #13 0x407dd9 in _start (/root/tcmu-runner/tcmu-runner+0x407dd9)

0x61500000e1b0 is located 48 bytes inside of 496-byte region [0x61500000e180,0x61500000e370)
freed by thread T0 here:
    #0 0x7f922294eb00 in free (/lib64/libasan.so.3+0xc6b00)
    #1 0x7f9222665978 in add_device /root/tcmu-runner/libtcmu.c:311
    #2 0x7f9222666500 in open_devices /root/tcmu-runner/libtcmu.c:436
    #3 0x7f9222666c5f in tcmulib_initialize /root/tcmu-runner/libtcmu.c:477
    #4 0x418720 in main /root/tcmu-runner/main.c:871
    #5 0x7f9220f53400 in __libc_start_main (/lib64/libc.so.6+0x20400)

previously allocated by thread T0 here:
    #0 0x7f922294f020 in calloc (/lib64/libasan.so.3+0xc7020)
    #1 0x7f9222664c7f in add_device /root/tcmu-runner/libtcmu.c:191
    #2 0x7f9222666500 in open_devices /root/tcmu-runner/libtcmu.c:436
    #3 0x7f9222666c5f in tcmulib_initialize /root/tcmu-runner/libtcmu.c:477
    #4 0x418720 in main /root/tcmu-runner/main.c:871
    #5 0x7f9220f53400 in __libc_start_main (/lib64/libc.so.6+0x20400)

SUMMARY: AddressSanitizer: heap-use-after-free (/lib64/libasan.so.3+0x47986) in strnlen
Shadow bytes around the buggy address:
  0x0c2a7fff9be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2a7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2a7fff9c30: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a7fff9c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c2a7fff9c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a7fff9c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5644==ABORTING

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Create some gluster-blocks
2. Gluster volume stop the volume and delete it
3. targetcli clearconfig confirm=True

Actual results:


Expected results:


Additional info:

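The trace above shows the shape of the bug: the device struct is freed inside add_device() (libtcmu.c:311, during tcmulib_initialize → open_devices, i.e. while tcmu-runner scans devices at startup), yet remove_device() (libtcmu.c:338) later reads 48 bytes into that same freed region with strnlen when the clearconfig-triggered netlink remove event is handled. That only happens if the freed device is still reachable from the handler's device list, so the error path in add_device() freed the object without unlinking it first. The following is an added example, not tcmu-runner's code and not the attached patch: a minimal device registry in C that reproduces that ordering (add_device_buggy, shown for reading only) beside the safe ordering (add_device_fixed), where a device is published to the list only after every setup step has succeeded. Names, sizes, the "bad-" failure rule and the fd placeholder are assumptions for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not tcmu-runner's code. Names/sizes are assumptions. */
#define DEV_NAME_LEN 64
#define MAX_DEVS 8

struct device {
    char name[DEV_NAME_LEN];
    int fd;   /* placeholder for per-device state set up after allocation */
};

struct registry {
    struct device *devs[MAX_DEVS];
    int count;
};

/* Stand-in for the setup step that fails in the real bug (the backing
 * gluster volume is gone). Hypothetical rule: names starting "bad-" fail. */
int setup_device(struct device *dev)
{
    if (strncmp(dev->name, "bad-", 4) == 0)
        return -1;
    dev->fd = 42;
    return 0;
}

/* Make the device reachable from the registry (the "device list"). */
int link_device(struct registry *reg, struct device *dev)
{
    if (reg->count >= MAX_DEVS)
        return -1;
    reg->devs[reg->count++] = dev;
    return 0;
}

/* Buggy ordering, for reading only (the usage code never calls it):
 * the device is linked before setup finishes, and the error path frees
 * it without unlinking. The pointer left in reg->devs[] is what a later
 * remove event dereferences, which is the heap-use-after-free ASan flags. */
int add_device_buggy(struct registry *reg, const char *name)
{
    struct device *dev = calloc(1, sizeof(*dev));
    if (!dev)
        return -1;
    strncpy(dev->name, name, DEV_NAME_LEN - 1);
    if (link_device(reg, dev) < 0) {
        free(dev);
        return -1;
    }
    if (setup_device(dev) < 0) {
        free(dev);          /* BUG: reg->devs[] still points here */
        return -1;
    }
    return 0;
}

/* Fixed ordering: fully initialise first, publish last. An object that
 * was never linked cannot be found by remove_device(), so freeing it on
 * the error path leaves nothing dangling. */
int add_device_fixed(struct registry *reg, const char *name)
{
    struct device *dev = calloc(1, sizeof(*dev));
    if (!dev)
        return -1;
    strncpy(dev->name, name, DEV_NAME_LEN - 1);
    if (setup_device(dev) < 0 || link_device(reg, dev) < 0) {
        free(dev);          /* never linked, so nothing references it */
        return -1;
    }
    return 0;
}

/* Modelled on the netlink remove handler: match by name, unlink, then
 * free. Returns 0 on success, -1 if no live device has that name. */
int remove_device(struct registry *reg, const char *name)
{
    for (int i = 0; i < reg->count; i++) {
        struct device *dev = reg->devs[i];
        if (strncmp(dev->name, name, DEV_NAME_LEN) != 0)
            continue;
        reg->devs[i] = reg->devs[--reg->count];   /* unlink before free */
        free(dev);
        return 0;
    }
    return -1;
}

/* 1 if a live device with this name is registered, else 0. */
int device_present(const struct registry *reg, const char *name)
{
    for (int i = 0; i < reg->count; i++)
        if (strncmp(reg->devs[i]->name, name, DEV_NAME_LEN) == 0)
            return 1;
    return 0;
}

int main(void)
{
    struct registry reg = { .count = 0 };
    /* Startup scan: one device whose backing store is gone, one healthy. */
    add_device_fixed(&reg, "bad-block0");   /* fails, never published */
    add_device_fixed(&reg, "block1");
    printf("block1 present: %d, bad-block0 present: %d\n",
           device_present(&reg, "block1"), device_present(&reg, "bad-block0"));
    /* clearconfig-style teardown: a remove event for every configured name.
     * The failed device is simply not found; no freed memory is touched. */
    printf("remove bad-block0: %d, remove block1: %d\n",
           remove_device(&reg, "bad-block0"), remove_device(&reg, "block1"));
    return 0;
}
```

Build with `-fsanitize=address` to confirm the fixed path is clean; if you swap the usage code to add_device_buggy, ASan reports the same heap-use-after-free in the strncmp inside remove_device() that the report above shows in strnlen. The general rule the fix enforces is publish-last: an object must not be reachable from any shared structure until it can no longer fail initialisation, and any teardown must unlink before it frees.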
Comment 2 Pranith Kumar K 2017-05-28 03:12:32 UTC
Created attachment 1282959
Fixes crash in clearconfig

Comment 3 Pranith Kumar K 2017-05-28 11:37:19 UTC
https://github.com/open-iscsi/tcmu-runner/pull/165

Comment 8 Sweta Anandpara 2017-07-24 09:40:23 UTC
Hit tcmu-runner functionality issue while verifying this bug. Have raised BZ 1474273 for the same. 

Moving this bug to (conditionally) verified as followed with other bugs of gluster-block that were found with address sanitizer.

Comment 11 errata-xmlrpc 2017-09-21 04:19:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2773

Comment 12 Red Hat Bugzilla 2023-09-14 03:58:16 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

