[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-4699?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

ASF GitHub Bot updated ZOOKEEPER-4699:
--------------------------------------
    Labels: pull-request-available  (was: )

> zh->hostname heap-use-after-free in zookeeper_interest
> ------------------------------------------------------
>
>                 Key: ZOOKEEPER-4699
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4699
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: c client
>    Affects Versions: 3.8.1
>         Environment: debian 
>            Reporter: whyer
>            Priority: Blocker
>              Labels: pull-request-available
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> We got an ASan error. The usage is: one separate thread calls zoo_set_servers 
> periodically. It uses a lock to make the (free and reset zh->hostname) 
> operation atomic: 
> {{// NOTE: guard access to {hostname, addr_cur, addrs, addrs_old, addrs_new}
> lock_reconfig(zh);}}
> Meanwhile the io thread calls the zookeeper_interest function and accesses 
> zh->hostname in a log: {{LOG_WARN(LOGCALLBACK(zh), "Delaying connection after 
> exhaustively trying all servers [%s]",zh->hostname);}} without any lock...
>  
>  
> stack:
> {{=================================================================
> ==450==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030004fcbd0 
> at pc 0x7fbc74e9a5ce bp 0x7fbc3ebf4060 sp 0x7fbc3ebf3810
> READ of size 2 at 0x6030004fcbd0 thread T98
> #0 0x7fbc74e9a5cd (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x8a5cd)
> #1 0x7fbc74e9c61d in __interceptor_vsnprintf 
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x8c61d)
> #2 0x55e1ced0cdd6 in log_message 
> (/opt/tiger/{*}{{*}}{{*}}/deploy/bin/{{*}}{{*}}{*}+0x1906dd6)
> #3 0x55e1cecfc578 in zookeeper_interest 
> (/opt/tiger/{*}{{*}}{{*}}/deploy/bin/{{*}}{{*}}{*}+0x18f6578)
> #4 0x55e1ced0f0b4 in do_io 
> (/opt/tiger/{*}{{*}}{{*}}/deploy/bin/{{*}}{{*}}{*}+0x19090b4)
> #5 0x7fbc74bfa4a3 in start_thread 
> (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
> #6 0x7fbc73656d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
> 0x6030004fcbd0 is located 0 bytes inside of 20-byte region 
> [0x6030004fcbd0,0x6030004fcbe4)
> freed by thread T100 here:
> #0 0x7fbc74ed1a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
> #1 0x55e1cecf9e14 in zoo_set_servers 
> (/opt/tiger/{*}{{*}}{{*}}/deploy/bin/{{*}}{{*}}{*}+0x18f3e14)
> #5 0x7fbc74bfa4a3 in start_thread 
> (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
> previously allocated by thread T100 here:
> #0 0x7fbc74e67f30 in strdup (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x57f30)
> #1 0x55e1cecf9e20 in zoo_set_servers 
> (/opt/tiger/{*}{{*}}{{*}}/deploy/bin/{{*}}{{*}}{*}+0x18f3e20)
> #5 0x7fbc74bfa4a3 in start_thread 
> (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
> Thread T98 created by T0 here:
> #0 0x7fbc74e40f59 in __interceptor_pthread_create 
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
> #1 0x55e1ced0ea97 in start_threads 
> (/opt/tiger/{*}{{*}}{{*}}/deploy/bin/{{*}}{{*}}{*}+0x1908a97)
> #2 0x55e1ced0ed11 in adaptor_init 
> (/opt/tiger/{*}{{*}}{{*}}/deploy/bin/{{*}}{{*}}{*}+0x1908d11)
> #3 0x55e1cecf9c9c in zookeeper_init_internal 
> (/opt/tiger/{*}{{*}}{{*}}/deploy/bin/{{*}}{{*}}{*}+0x18f3c9c)
> #4 0x55e1cecf9d38 in zookeeper_init 
> (/opt/tiger/{*}{{*}}{{*}}/deploy/bin/{{*}}{{*}}{*}+0x18f3d38)
> #12 0x55e1ce2f2097 in main 
> /tmp/{*}{{*}}{{*}}/{{*}}{*}{{*}}/{{*}}{*}*/main.cc:148
> #13 0x7fbc7358e2e0 in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
> Thread T100 created by T0 here:
> #0 0x7fbc74e40f59 in __interceptor_pthread_create 
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
> #8 0x55e1ce2f2097 in main 
> /tmp/{*}{{*}}{{*}}/{{*}}{*}{{*}}/{{*}}{*}*/main.cc:148
> #9 0x7fbc7358e2e0 in __libc_start_main 
> (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
> SUMMARY: AddressSanitizer: heap-use-after-free 
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x8a5cd)
> Shadow bytes around the buggy address:
> 0x0c0680097920: 00 00 00 07 fa fa 00 00 00 07 fa fa fd fd fd fd
> 0x0c0680097930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> 0x0c0680097940: fa fa fa fa 00 00 00 07 fa fa 00 00 00 07 fa fa
> 0x0c0680097950: 00 00 00 07 fa fa fa fa fa fa fa fa 00 00 00 07
> 0x0c0680097960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
> =>0x0c0680097970: 00 07 fa fa fa fa fa fa fa fa[fd]fd fd fa fa fa
> 0x0c0680097980: fd fd fd fa fa fa 00 00 00 07 fa fa fd fd fd fd
> 0x0c0680097990: fa fa fa fa fa fa fa fa 00 00 00 07 fa fa 00 00
> 0x0c06800979a0: 00 07 fa fa fd fd fd fd fa fa 00 00 00 07 fa fa
> 0x0c06800979b0: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
> 0x0c06800979c0: fa fa fd fd fd fd fa fa fa fa fa fa fa fa fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
> Addressable: 00
> Partially addressable: 01 02 03 04 05 06 07
> Heap left redzone: fa
> Heap right redzone: fb
> Freed heap region: fd
> Stack left redzone: f1
> Stack mid redzone: f2
> Stack right redzone: f3
> Stack partial redzone: f4
> Stack after return: f5
> Stack use after scope: f8
> Global redzone: f9
> Global init order: f6
> Poisoned by user: f7
> Container overflow: fc
> Array cookie: ac
> Intra object redzone: bb
> ASan internal: fe
> Left alloca redzone: ca
> Right alloca redzone: cb}}
>  
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)