Bug 1530910
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Use after free in cli_cmd_volume_create_cbk | | |
| Product: | [Community] GlusterFS | Reporter: | Nithya Balachandran <nbalacha> |
| Component: | cli | Assignee: | Nithya Balachandran <nbalacha> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | mainline | CC: | amukherj, bugs |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | glusterfs-4.0.0 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| Clones: | 1531041 1531371 1531372 | Environment: | |
| Last Closed: | 2018-03-15 11:24:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1531041, 1531371, 1531372 | | |
REVIEW: https://review.gluster.org/19136 (cli: Fixed a use_after_free) posted (#1) for review on master by N Balachandran

COMMIT: https://review.gluster.org/19136 committed in master by "N Balachandran" <nbalacha> with a commit message:

    cli: Fixed a use_after_free

    gf_event in cli_cmd_volume_create_cbk was accessing memory that had already been freed.

    Change-Id: I447c939fa9b31e18819a62c3b356c14cca390787
    BUG: 1530910
    Signed-off-by: N Balachandran <nbalacha>

This bug is getting closed because a release has been made available that should address the reported issue. In case the problem is still not fixed with glusterfs-4.0.0, please open a new bug report.

glusterfs-4.0.0 has been announced on the Gluster mailing lists [1], packages for several distributions should become available in the near future. Keep an eye on the Gluster Users mailing list [2] and the update infrastructure for your distribution.

[1] http://lists.gluster.org/pipermail/announce/2018-March/000092.html
[2] https://www.gluster.org/pipermail/gluster-users/
Description of problem:

Nigel (nbabu) reported that his ASAN builds were reporting a use_after_free in the create volume operation:

```text
==19964==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000020010 at pc 0x7faaf981dd75 bp 0x7faaeb171f80 sp 0x7faaeb1716f8
READ of size 1 at 0x612000020010 thread T3
    #0 0x7faaf981dd74 (/lib64/libasan.so.4+0x73d74)
    #1 0x7faaf989325f (/lib64/libasan.so.4+0xe925f)
    #2 0x7faaf981deed (/lib64/libasan.so.4+0x73eed)
    #3 0x7faaf984ac4d in __interceptor_vsnprintf (/lib64/libasan.so.4+0xa0c4d)
    #4 0x7faaf937c677 in gf_vasprintf /home/nigelb/code/glusterfs/libglusterfs/src/mem-pool.c:238
    #5 0x7faaf948122c in _gf_event /home/nigelb/code/glusterfs/libglusterfs/src/events.c:91
    #6 0x41602b in cli_cmd_volume_create_cbk /home/nigelb/code/glusterfs/cli/src/cli-cmd-volume.c:258
    #7 0x410d06 in cli_cmd_process /home/nigelb/code/glusterfs/cli/src/cli-cmd.c:135
    #8 0x410331 in cli_batch /home/nigelb/code/glusterfs/cli/src/input.c:29
    #9 0x7faaf7427608 in start_thread (/lib64/libpthread.so.0+0x7608)
    #10 0x7faaf6cf6e6e in __clone (/lib64/libc.so.6+0x119e6e)

0x612000020010 is located 80 bytes inside of 306-byte region [0x61200001ffc0,0x6120000200f2)
freed by thread T3 here:
    #0 0x7faaf98884b8 in __interceptor_free (/lib64/libasan.so.4+0xde4b8)
    #1 0x7faaf937d5a1 in __gf_free /home/nigelb/code/glusterfs/libglusterfs/src/mem-pool.c:360
    #2 0x7faaf92d62e7 in data_destroy /home/nigelb/code/glusterfs/libglusterfs/src/dict.c:227
    #3 0x7faaf92d843e in data_unref /home/nigelb/code/glusterfs/libglusterfs/src/dict.c:674
    #4 0x7faaf92d7f81 in dict_destroy /home/nigelb/code/glusterfs/libglusterfs/src/dict.c:589
    #5 0x7faaf92d82f9 in dict_unref /home/nigelb/code/glusterfs/libglusterfs/src/dict.c:643
    #6 0x40eaf6 in cli_local_wipe /home/nigelb/code/glusterfs/cli/src/cli.c:711
    #7 0x415f47 in cli_cmd_volume_create_cbk /home/nigelb/code/glusterfs/cli/src/cli-cmd-volume.c:256
    #8 0x410d06 in cli_cmd_process /home/nigelb/code/glusterfs/cli/src/cli-cmd.c:135
    #9 0x410331 in cli_batch /home/nigelb/code/glusterfs/cli/src/input.c:29
    #10 0x7faaf7427608 in start_thread (/lib64/libpthread.so.0+0x7608)

previously allocated by thread T3 here:
    #0 0x7faaf9888850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x7faaf937c03c in __gf_malloc /home/nigelb/code/glusterfs/libglusterfs/src/mem-pool.c:140
    #2 0x47ef20 in cli_cmd_bricks_parse /home/nigelb/code/glusterfs/cli/src/cli-cmd-parser.c:177
    #3 0x4814ff in cli_cmd_volume_create_parse /home/nigelb/code/glusterfs/cli/src/cli-cmd-parser.c:702
    #4 0x415aba in cli_cmd_volume_create_cbk /home/nigelb/code/glusterfs/cli/src/cli-cmd-volume.c:219
    #5 0x410d06 in cli_cmd_process /home/nigelb/code/glusterfs/cli/src/cli-cmd.c:135
    #6 0x410331 in cli_batch /home/nigelb/code/glusterfs/cli/src/input.c:29
    #7 0x7faaf7427608 in start_thread (/lib64/libpthread.so.0+0x7608)

Thread T3 created by T0 here:
    #0 0x7faaf97e1a2f in pthread_create (/lib64/libasan.so.4+0x37a2f)
    #1 0x41068c in cli_input_init /home/nigelb/code/glusterfs/cli/src/input.c:75
    #2 0x40eecd in main /home/nigelb/code/glusterfs/cli/src/cli.c:785
    #3 0x7faaf6bfe039 in __libc_start_main (/lib64/libc.so.6+0x21039)
```

RCA:
==========

In cli_cmd_volume_create_cbk:

```c
...
ret = cli_cmd_volume_create_parse (state, words, wordcount, &options, &bricks);
/* ** This sets bricks in options:
 *      ret = dict_set_dynstr (dict, "bricks", bricks);
 * ** */
...
CLI_LOCAL_INIT (local, words, frame, options);
/* ** sets local->dict = options ** */
...
CLI_STACK_DESTROY (frame);
/* ** Frees local->dict. As bricks was a dynstr, it is freed in data_destroy ** */

if (ret == 0) {
        gf_event (EVENT_VOLUME_CREATE, "name=%s;bricks=%s", (char *)words[2], bricks);
        /* ** Tries to use bricks which has been freed ** */
}
return ret;
```

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
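The RCA above is an ownership hand-off problem: once `bricks` is stored in the dict as a dynstr, the dict owns it and frees it on its last unref, so any pointer the caller kept becomes dangling the moment the frame is destroyed. The following is an added example, not GlusterFS code and not the patch in review 19136; it models that hand-off with toy `dict_t`, `dict_set_dynstr`, `dict_unref`, `gf_strdup` and `gf_event` stand-ins named after the identifiers in the trace. The live-pointer list is an assumption standing in for ASAN's allocator bookkeeping, so the buggy ordering is reported as a return value instead of actually reading freed memory (which is undefined behaviour and what the real `gf_event` -> `gf_vasprintf` path did). Two fixed orderings are shown: emit the event before destroying the frame, or hand the dict its own copy so the caller's pointer stays valid.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_VALUES 8
#define MAX_LIVE   64

/* Toy allocator bookkeeping (assumed, stands in for ASAN's shadow state):
 * gf_strdup() records a block, gf_free() forgets it, and gf_event()
 * checks the list instead of dereferencing a possibly stale pointer. */
static const char *live_ptrs[MAX_LIVE];
static int live_n;

static int is_live(const char *p) {
    for (int i = 0; i < live_n; i++)
        if (live_ptrs[i] == p) return 1;
    return 0;
}

static char *gf_strdup(const char *s) {
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (!p) return NULL;
    memcpy(p, s, len);
    if (live_n < MAX_LIVE) live_ptrs[live_n++] = p;
    return p;
}

static void gf_free(char *p) {
    for (int i = 0; i < live_n; i++)
        if (live_ptrs[i] == p) { live_ptrs[i] = live_ptrs[--live_n]; break; }
    free(p);
}

/* A dict that owns its "dynstr" values: dict_unref() on the last reference
 * frees them, as data_destroy() does for values set via dict_set_dynstr(). */
typedef struct { char *values[MAX_VALUES]; int n; } dict_t;

static dict_t *dict_new(void) { return calloc(1, sizeof(dict_t)); }

static int dict_set_dynstr(dict_t *d, char *s) {
    if (d->n == MAX_VALUES) return -1;
    d->values[d->n++] = s;            /* ownership of s moves to the dict */
    return 0;
}

static void dict_unref(dict_t *d) {
    for (int i = 0; i < d->n; i++) gf_free(d->values[i]);
    free(d);
}

/* Toy gf_event(): formats into last_event, or returns -1 where the real
 * one would have read freed memory. */
static char last_event[128];

static int gf_event(const char *name, const char *bricks) {
    if (!is_live(bricks)) {           /* the heap-use-after-free from the report */
        last_event[0] = '\0';
        return -1;
    }
    snprintf(last_event, sizeof last_event, "name=%s;bricks=%s", name, bricks);
    return 0;
}

const char *last_event_text(void) { return last_event; }

/* The ordering from the report: the frame (and its dict) is destroyed, then
 * the event is emitted with the dynstr the dict just freed. */
int create_cbk_buggy(const char *name) {
    char *bricks = gf_strdup("h1:/b1 h2:/b2");  /* constructed parser output */
    dict_t *options = dict_new();
    dict_set_dynstr(options, bricks);           /* dict_set_dynstr(dict, "bricks", bricks) */
    dict_unref(options);                        /* CLI_STACK_DESTROY(frame): bricks freed */
    return gf_event(name, bricks);              /* stale pointer */
}

/* Fix 1: emit the event while the dict, and therefore bricks, is still alive. */
int create_cbk_fixed_order(const char *name) {
    char *bricks = gf_strdup("h1:/b1 h2:/b2");
    dict_t *options = dict_new();
    dict_set_dynstr(options, bricks);
    int ret = gf_event(name, bricks);
    dict_unref(options);
    return ret;
}

/* Fix 2: keep a caller-owned copy whose lifetime does not depend on the dict. */
int create_cbk_fixed_copy(const char *name) {
    char *bricks = gf_strdup("h1:/b1 h2:/b2");
    char *mine = gf_strdup(bricks);
    dict_t *options = dict_new();
    dict_set_dynstr(options, bricks);
    dict_unref(options);
    int ret = gf_event(name, mine);
    gf_free(mine);
    return ret;
}

int main(void) {
    int ret = create_cbk_buggy("vol1");
    printf("destroy before event: ret=%d\n", ret);
    ret = create_cbk_fixed_order("vol1");
    printf("event before destroy: ret=%d %s\n", ret, last_event_text());
    ret = create_cbk_fixed_copy("vol1");
    printf("caller-owned copy:    ret=%d %s\n", ret, last_event_text());
    return 0;
}
```

The general rule this illustrates: a pointer passed to a `*_dynstr` setter is no longer the caller's to use after the dict's last unref, so the late `gf_event` must either run before `CLI_STACK_DESTROY` or be given a string the frame does not own. The same ordering check applies to any value read from `local->dict` after the frame is torn down.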