WiredTiger WT-3658

Fixed-sized strings can be stored without a trailing NUL

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 3.6.0-rc7, WT3.0.0, 3.7.1
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Sprint: Storage 2017-11-13, Storage 2017-12-04

      Seen when running Python tests with gcc -fsanitize=address (requires LD_PRELOAD=/usr/lib64/libasan.so.4 and ASAN_OPTIONS=detect_leaks=0):

      ERROR: test_pack.test_pack.test_packing (subunit.RemotedTestCase)
      =================================================================
      ==7890==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000214d9 at pc 0x7efcad2f836e bp 0x7fffca858730 sp 0x7fffca857ed8
      READ of size 10 at 0x6020000214d9 thread T0
          #0 0x7efcad2f836d  (/usr/lib64/libasan.so.4+0x5136d)
          #1 0x7efca0a28008 in __pack_write ../src/include/packing.i:345
          #2 0x7efca0a2f970 in __wt_schema_project_merge ../src/schema/schema_project.c:470
          #3 0x7efca08ff2a6 in __wt_apply_single_idx ../src/cursor/cur_table.c:120
          #4 0x7efca08ff61a in __apply_idx ../src/cursor/cur_table.c:154
          #5 0x7efca0904914 in __curtable_insert ../src/cursor/cur_table.c:533
          #6 0x7efca0dc3a5e in _wrap_Cursor_insert /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:4275
          #7 0x7efcacfe2eab in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17feab)
          #8 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
          #9 0x7efcacfe1432 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17e432)
          #10 0x7efcacfe1d98 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17ed98)
          #11 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
          #12 0x7efcacf33986  (/lib64/libpython2.7.so.1.0+0xd0986)
          #13 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
          #14 0x7efcacfdfc42 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17cc42)
          #15 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
          #16 0x7efcacf337ed  (/lib64/libpython2.7.so.1.0+0xd07ed)
          #17 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
          #18 0x7efcacf2888d  (/lib64/libpython2.7.so.1.0+0xc588d)
          #19 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
          #20 0x7efcacfb6a2a  (/lib64/libpython2.7.so.1.0+0x153a2a)
          #21 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
          #22 0x7efcacfdf453 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17c453)
          #23 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
          #24 0x7efcacfe1432 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17e432)
          #25 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
          #26 0x7efcacfe1432 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17e432)
          #27 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
          #28 0x7efcacf33986  (/lib64/libpython2.7.so.1.0+0xd0986)
          #29 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
          #30 0x7efcacfdfc42 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17cc42)
          #31 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
          #32 0x7efcacf337ed  (/lib64/libpython2.7.so.1.0+0xd07ed)
          #33 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
          #34 0x7efcacf2888d  (/lib64/libpython2.7.so.1.0+0xc588d)
          #35 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
          #36 0x7efcacfb6a2a  (/lib64/libpython2.7.so.1.0+0x153a2a)
          #37 0x7efcacefca52 in PyObject_Call (/lib64/libpython2.7.so.1.0+0x99a52)
          #38 0x7efcacfdf453 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17c453)
          #39 0x7efcacfe1d98 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17ed98)
          #40 0x7efcacfe1d98 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x17ed98)
          #41 0x7efcacfe43f7 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x1813f7)
          #42 0x7efcacfe4608 in PyEval_EvalCode (/lib64/libpython2.7.so.1.0+0x181608)
          #43 0x7efcacfbc81e  (/lib64/libpython2.7.so.1.0+0x15981e)
          #44 0x7efcacfbc8c9 in PyRun_FileExFlags (/lib64/libpython2.7.so.1.0+0x1598c9)
          #45 0x7efcacfbd8cd in PyRun_SimpleFileExFlags (/lib64/libpython2.7.so.1.0+0x15a8cd)
          #46 0x7efcacfb061d in Py_Main (/lib64/libpython2.7.so.1.0+0x14d61d)
          #47 0x7efcac176509 in __libc_start_main (/lib64/libc.so.6+0x20509)
          #48 0x55d4a4b02779 in _start (/usr/bin/python2.7+0x779)
      
      0x6020000214d9 is located 0 bytes to the right of 9-byte region [0x6020000214d0,0x6020000214d9)
      allocated by thread T0 here:
          #0 0x7efcad385c40 in realloc (/usr/lib64/libasan.so.4+0xdec40)
          #1 0x7efca09ad016 in __realloc_func ../src/os_common/os_alloc.c:130
          #2 0x7efca09ad154 in __wt_realloc_noclear ../src/os_common/os_alloc.c:171
          #3 0x7efca0a75bfe in __wt_buf_grow_worker ../src/support/scratch.c:48
          #4 0x7efca0a2671e in __wt_buf_grow ../src/include/buf.i:18
          #5 0x7efca0a2e667 in __wt_schema_project_slice ../src/schema/schema_project.c:369
          #6 0x7efca0900ab7 in __wt_curtable_set_value ../src/cursor/cur_table.c:258
          #7 0x7efca0dc6a2c in __wt_cursor__set_value /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:3480
          #8 0x7efca0dc6a2c in _wrap_Cursor__set_value /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:4747
      
      SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib64/libasan.so.4+0x5136d)
      Shadow bytes around the buggy address:
        0x0c047fffc240: fa fa 07 fa fa fa 03 fa fa fa 04 fa fa fa 00 fa
        0x0c047fffc250: fa fa fd fd fa fa 04 fa fa fa fd fa fa fa fd fa
        0x0c047fffc260: fa fa 07 fa fa fa fd fa fa fa fd fa fa fa fd fd
        0x0c047fffc270: fa fa fd fd fa fa 00 03 fa fa 00 05 fa fa 00 fa
        0x0c047fffc280: fa fa 00 00 fa fa 02 fa fa fa 00 fa fa fa 04 fa
      =>0x0c047fffc290: fa fa 01 fa fa fa 00 00 fa fa 00[01]fa fa 00 fa
        0x0c047fffc2a0: fa fa 00 fa fa fa 00 01 fa fa fa fa fa fa 00 00
        0x0c047fffc2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c047fffc2c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c047fffc2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c047fffc2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==7890==ABORTING
      

      This is surprising because that test has been around forever and nothing in that area has changed recently.
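Added example, not WiredTiger's own code: hypothetical pack/unpack helpers for a fixed-size "Ns" string field that show the bounded-copy behaviour which avoids the over-read in the trace above (a 9-byte value packed into a 10-byte field); the function names and the sample value are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Hypothetical helpers, not WiredTiger's __pack_write: a fixed-size "Ns"
 * field is exactly field_size bytes, NUL-padded, with no terminator promised.
 */

/* Returns bytes written (field_size), or 0 when dst cannot hold the field. */
size_t pack_fixed_string(uint8_t *dst, size_t dst_len,
    const char *src, size_t src_len, size_t field_size)
{
    size_t n;

    if (dst_len < field_size)
        return (0);
    /*
     * Bound the copy by the caller's length, never by field_size or
     * strlen(): a 9-byte value for a 10-byte field must not be read one
     * byte past its end, which is the heap over-read ASan reported above.
     */
    n = src_len < field_size ? src_len : field_size;
    memcpy(dst, src, n);
    memset(dst + n, 0, field_size - n); /* NUL-pad the remainder */
    return (field_size);
}

/*
 * Length of the string held in a packed field: memchr bounded by
 * field_size, not strlen(), since a full-width value has no trailing NUL.
 */
size_t unpack_fixed_string_len(const uint8_t *field, size_t field_size)
{
    const uint8_t *nul = memchr(field, 0, field_size);

    return (nul == NULL ? field_size : (size_t)(nul - field));
}

/* Constructed case from the report: 9 bytes, no NUL, packed into "10s". */
int check_nine_byte_value(void)
{
    const char src[9] = {'a','b','c','d','e','f','g','h','i'}; /* no NUL */
    uint8_t field[10];

    if (pack_fixed_string(field, sizeof(field), src, sizeof(src), 10) != 10)
        return (0);
    if (memcmp(field, "abcdefghi\0", 10) != 0)   /* 9 bytes + 1 pad byte */
        return (0);
    return (unpack_fixed_string_len(field, 10) == 9);
}
```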

            Assignee: Neha Khatri (neha.khatri)
            Reporter: Michael Cahill (michael.cahill@mongodb.com, Inactive)
            Votes: 0
            Watchers: 4
