Uploaded image for project: 'WiredTiger'
  1. WiredTiger
  2. WT-1993

NULL pointer dereference in __block_destroy after allocation failure

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: WT2.7.0
    • Component/s: None
    • Labels:

      Description

      While simulating out-of-memory conditions in __wt_calloc, I triggered a NULL pointer dereference in __block_destroy.

      Sequence of events:

      1. __wt_block_open calls __wt_calloc_one to initialize a block handle (line 200)
      2. __wt_calloc_one fails with ENOMEM and the err block is jumped to (line 267)
      3. __block_destroy is called with block == NULL, which leads to a NULL pointer dereference (line 133)

      Excerpted code:

      static int
      		 
      __block_destroy(WT_SESSION_IMPL *session, WT_BLOCK *block)
      		 
      {
      		 
      128  	WT_CONNECTION_IMPL *conn;
      		 
      129  	WT_DECL_RET;
      		 
      130  	uint64_t bucket;
      		 
      131
      		 
      132     conn = S2C(session);
      		 
      133     bucket = block->name_hash % WT_HASH_ARRAY_SIZE;
      		 
       
      		 
      [....snip....]
      		 
       
      		 
      int
      		 
      __wt_block_open(WT_SESSION_IMPL *session,
      		 
          const char *filename, const char *cfg[],
      		 
          int forced_salvage, int readonly, uint32_t allocsize, WT_BLOCK **blockp)
      		 
      {
      		 
      	WT_BLOCK *block;
      		 
      	WT_CONFIG_ITEM cval;
      		 
      	WT_CONNECTION_IMPL *conn;
      		 
      	WT_DECL_RET;
      		 
      	uint64_t bucket, hash;
      		 
       
      		 
      [....snip....]
      		 
       
      		 
      199  	/* Basic structure allocation, initialization. */
      		 
      200  	WT_ERR(__wt_calloc_one(session, &block));
      		 
       
      		 
      [....snip....]
      		 
       
      		 
      267  err:	  WT_TRET(__block_destroy(session, block));

      ASan report:

      ==31572== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000002d64834 sp 0x7fff86097be0 bp 0x7fff86097c20 T0)
      		 
      AddressSanitizer can not provide additional info.
      		 
       
      		 
      #0 0x2d64833 in __block_destroy /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/block/block_open.c:133
      		 
      #1 0x2d6585d in __wt_block_open /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/block/block_open.c:267
      		 
      #2 0x2d63aec in __wt_block_manager_open /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/block/block_mgr.c:427
      		 
      #3 0x2d9bb03 in __wt_btree_open /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/btree/bt_handle.c:70
      		 
      #4 0x2e22789 in __wt_conn_btree_open /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/conn/conn_dhandle.c:331
      		 
      #5 0x2f65a28 in __wt_session_get_btree /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/session/session_dhandle.c:456
      		 
      #6 0x2f65636 in __wt_session_get_btree /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/session/session_dhandle.c:447
      		 
      #7 0x2f33606 in __create_file /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/schema/schema_create.c:119
      		 
      #8 0x2f372ef in __wt_schema_create /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/schema/schema_create.c:631
      		 
      #9 0x2f347a9 in __create_colgroup /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/schema/schema_create.c:250
      		 
      #10 0x2f36bb5 in __create_table /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/schema/schema_create.c:556
      		 
      #11 0x2f37565 in __wt_schema_create /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/schema/schema_create.c:637
      		 
      #12 0x2f5772c in __session_create /home/s/code/mongo/mongo/src/third_party/wiredtiger/src/session/session_api.c:441
      		 
      #13 0x2054605 in mongo::WiredTigerKVEngine::createRecordStore(mongo::OperationContext*, mongo::StringData, mongo::StringData, mongo::CollectionOptions const&) /home/s/code/mongo/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_kv_engine.cpp:270
      		 
      #14 0x1f568a9 in mongo::KVStorageEngine::KVStorageEngine(mongo::KVEngine*, mongo::KVStorageEngineOptions const&) /home/s/code/mongo/mongo/src/mongo/db/storage/kv/kv_storage_engine.cpp:88
      		 
      #15 0x2051acd in mongo::(anonymous namespace)::WiredTigerFactory::create(mongo::StorageGlobalParams const&, mongo::StorageEngineLockFile const&) const /home/s/code/mongo/mongo/src/mongo/db/storage/wiredtiger/wiredtiger_init.cpp:76
      		 
      #16 0x1f01dae in mongo::ServiceContextMongoD::initializeGlobalStorageEngine() /home/s/code/mongo/mongo/src/mongo/db/service_context_d.cpp:144
      		 
      #17 0x15ae561 in mongo::_initAndListen(int) /home/s/code/mongo/mongo/src/mongo/db/db.cpp:416
      		 
      #18 0x15afb33 in mongo::initAndListen(int) /home/s/code/mongo/mongo/src/mongo/db/db.cpp:594
      		 
      #19 0x15b1304 in mongoDbMain(int, char**, char**) /home/s/code/mongo/mongo/src/mongo/db/db.cpp:823
      		 
      #20 0x15afedd in main /home/s/code/mongo/mongo/src/mongo/db/db.cpp:639
      		 
      #21 0x7fe86d94dec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287
      		 
      #22 0x15ab728 in _start (/home/s/code/mongo/mongo/mongod+0x15ab728)

      Version: 6c49d69bbae5d8807fc205dbca12eecf1a60258b

        Attachments

          Activity

            People

            Assignee:
            keith.bostic Keith Bostic
            Reporter:
            kamran.khan Kamran K.
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: