Bug 1531041 - Use after free in cli_cmd_volume_create_cbk
Summary: Use after free in cli_cmd_volume_create_cbk
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: cli
Version: rhgs-3.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: RHGS 3.4.0
Assignee: Nithya Balachandran
QA Contact: Sri Vignesh Selvan
Depends On: 1530910 1531371 1531372
Blocks: 1503137
TreeView+ depends on / blocked
Reported: 2018-01-04 13:09 UTC by Atin Mukherjee
Modified: 2018-09-11 09:57 UTC (History)
8 users (show)

Fixed In Version: glusterfs-3.12.2-3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1530910
Last Closed: 2018-09-04 06:40:51 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2607 0 None None None 2018-09-04 06:42:22 UTC

Description Atin Mukherjee 2018-01-04 13:09:31 UTC
+++ This bug was initially created as a clone of Bug #1530910 +++

Description of problem:

Nigel (nbabu@redhat.com reported that his ASAN builds were reporting a use_after_free in the create volume operation:

==19964==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000020010 at pc 0x7faaf981dd75 bp 0x7faaeb171f80 sp 0x7faaeb1716f8
READ of size 1 at 0x612000020010 thread T3
    #0 0x7faaf981dd74  (/lib64/libasan.so.4+0x73d74)
    #1 0x7faaf989325f  (/lib64/libasan.so.4+0xe925f)
    #2 0x7faaf981deed  (/lib64/libasan.so.4+0x73eed)
    #3 0x7faaf984ac4d in __interceptor_vsnprintf (/lib64/libasan.so.4+0xa0c4d)
    #4 0x7faaf937c677 in gf_vasprintf /home/nigelb/code/glusterfs/libglusterfs/src/mem-pool.c:238
    #5 0x7faaf948122c in _gf_event /home/nigelb/code/glusterfs/libglusterfs/src/events.c:91
    #6 0x41602b in cli_cmd_volume_create_cbk /home/nigelb/code/glusterfs/cli/src/cli-cmd-volume.c:258
    #7 0x410d06 in cli_cmd_process /home/nigelb/code/glusterfs/cli/src/cli-cmd.c:135
    #8 0x410331 in cli_batch /home/nigelb/code/glusterfs/cli/src/input.c:29
    #9 0x7faaf7427608 in start_thread (/lib64/libpthread.so.0+0x7608)
    #10 0x7faaf6cf6e6e in __clone (/lib64/libc.so.6+0x119e6e)

0x612000020010 is located 80 bytes inside of 306-byte region [0x61200001ffc0,0x6120000200f2)
freed by thread T3 here:
    #0 0x7faaf98884b8 in __interceptor_free (/lib64/libasan.so.4+0xde4b8)
    #1 0x7faaf937d5a1 in __gf_free /home/nigelb/code/glusterfs/libglusterfs/src/mem-pool.c:360
    #2 0x7faaf92d62e7 in data_destroy /home/nigelb/code/glusterfs/libglusterfs/src/dict.c:227
    #3 0x7faaf92d843e in data_unref /home/nigelb/code/glusterfs/libglusterfs/src/dict.c:674
    #4 0x7faaf92d7f81 in dict_destroy /home/nigelb/code/glusterfs/libglusterfs/src/dict.c:589
    #5 0x7faaf92d82f9 in dict_unref /home/nigelb/code/glusterfs/libglusterfs/src/dict.c:643
    #6 0x40eaf6 in cli_local_wipe /home/nigelb/code/glusterfs/cli/src/cli.c:711
    #7 0x415f47 in cli_cmd_volume_create_cbk /home/nigelb/code/glusterfs/cli/src/cli-cmd-volume.c:256
    #8 0x410d06 in cli_cmd_process /home/nigelb/code/glusterfs/cli/src/cli-cmd.c:135
    #9 0x410331 in cli_batch /home/nigelb/code/glusterfs/cli/src/input.c:29
    #10 0x7faaf7427608 in start_thread (/lib64/libpthread.so.0+0x7608)

previously allocated by thread T3 here:
    #0 0x7faaf9888850 in malloc (/lib64/libasan.so.4+0xde850)
    #1 0x7faaf937c03c in __gf_malloc /home/nigelb/code/glusterfs/libglusterfs/src/mem-pool.c:140
    #2 0x47ef20 in cli_cmd_bricks_parse /home/nigelb/code/glusterfs/cli/src/cli-cmd-parser.c:177
    #3 0x4814ff in cli_cmd_volume_create_parse /home/nigelb/code/glusterfs/cli/src/cli-cmd-parser.c:702
    #4 0x415aba in cli_cmd_volume_create_cbk /home/nigelb/code/glusterfs/cli/src/cli-cmd-volume.c:219
    #5 0x410d06 in cli_cmd_process /home/nigelb/code/glusterfs/cli/src/cli-cmd.c:135
    #6 0x410331 in cli_batch /home/nigelb/code/glusterfs/cli/src/input.c:29
    #7 0x7faaf7427608 in start_thread (/lib64/libpthread.so.0+0x7608)

Thread T3 created by T0 here:
    #0 0x7faaf97e1a2f in pthread_create (/lib64/libasan.so.4+0x37a2f)
    #1 0x41068c in cli_input_init /home/nigelb/code/glusterfs/cli/src/input.c:75
    #2 0x40eecd in main /home/nigelb/code/glusterfs/cli/src/cli.c:785
    #3 0x7faaf6bfe039 in __libc_start_main (/lib64/libc.so.6+0x21039)


In cli_cmd_volume_create_cbk:

        ret = cli_cmd_volume_create_parse (state, words, wordcount, &options,

  ** This sets bricks in options
        ret = dict_set_dynstr (dict, "bricks", bricks); 


      CLI_LOCAL_INIT (local, words, frame, options);  
      ** sets local->dict = options **

        CLI_STACK_DESTROY (frame);  
   ** Frees local->dict. As bricks was a dynstr, it is freed in data_destroy **
        if (ret == 0) {
                gf_event (EVENT_VOLUME_CREATE, "name=%s;bricks=%s",
                          (char *)words[2], bricks); 
   ** Tries to use bricks which has been freed **

        return ret;

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:

Actual results:

Expected results:

Additional info:

--- Additional comment from Worker Ant on 2018-01-04 01:57:30 EST ---

REVIEW: https://review.gluster.org/19136 (cli: Fixed a use_after_free) posted (#1) for review on master by N Balachandran

--- Additional comment from Worker Ant on 2018-01-04 08:07:27 EST ---

COMMIT: https://review.gluster.org/19136 committed in master by \"N Balachandran\" <nbalacha@redhat.com> with a commit message- cli: Fixed a use_after_free

gf_event in cli_cmd_volume_create_cbk was accessing
memory that had already been freed.

Change-Id: I447c939fa9b31e18819a62c3b356c14cca390787
BUG: 1530910
Signed-off-by: N Balachandran <nbalacha@redhat.com>

Comment 2 Atin Mukherjee 2018-01-04 13:12:08 UTC
upstream patch : https://review.gluster.org/19136

Comment 9 errata-xmlrpc 2018-09-04 06:40:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.