[WT-3949] Buffer overflow in WT_CURSOR::modify for string values - MongoDB Jira

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major - P3
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 3.6.4, 3.7.3, WT3.1.0
Component/s: None
Labels:
None

Sprint:
Storage Non-NYC 2018-03-12

Description

Build with CC="gcc -fsanitize=address".

Run:

ASAN_OPTIONS=detect_leaks=0,alloc_dealloc_mismatch=0 LD_PRELOAD=/usr/lib64/libasan.so.4 LD_LIBRARY_PATH=`pwd`/.libs python ../test/suite/run.py -v 2 -j 20 cursor12

Generates this trace:

=================================================================

==11207==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001ffc1c at pc 0x7f4291209426 bp 0x7ffdfb680b80 sp 0x7ffdfb680b70

WRITE of size 1 at 0x6020001ffc1c thread T0

    #0 0x7f4291209425 in __modify_apply_one ../src/support/modify.c:116

    #1 0x7f4291208bee in __wt_modify_apply_api ../src/support/modify.c:188

    #2 0x7f4290d1ea8b in __wt_btcur_modify ../src/btree/bt_cursor.c:1360

    #3 0x7f4290f1c861 in __curfile_modify ../src/cursor/cur_file.c:333

    #4 0x7f42915f50f7 in __wt_cursor__modify /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:3574

    #5 0x7f42915f50f7 in _wrap_Cursor_modify /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:5274

    #6 0x7f429dd51c47 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x169c47)

    #7 0x7f429dd50b18 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168b18)

    #8 0x7f429dd50b18 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168b18)

    #9 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)

    #10 0x7f429dc9f036  (/lib64/libpython2.7.so.1.0+0xb7036)

    #11 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)

    #12 0x7f429dd4e97e in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x16697e)

    #13 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)

    #14 0x7f429dc9ee9d  (/lib64/libpython2.7.so.1.0+0xb6e9d)

    #15 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)

    #16 0x7f429dc91e1d  (/lib64/libpython2.7.so.1.0+0xa9e1d)

    #17 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)

    #18 0x7f429dd3618a  (/lib64/libpython2.7.so.1.0+0x14e18a)

    #19 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)

    #20 0x7f429dd4e1b1 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x1661b1)

    #21 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)

    #22 0x7f429dd50192 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168192)

    #23 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)

    #24 0x7f429dd50192 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168192)

    #25 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)

    #26 0x7f429dc9f036  (/lib64/libpython2.7.so.1.0+0xb7036)

    #27 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)

    #28 0x7f429dd4e97e in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x16697e)

    #29 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)

    #30 0x7f429dc9ee9d  (/lib64/libpython2.7.so.1.0+0xb6e9d)

    #31 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)

    #32 0x7f429dc91e1d  (/lib64/libpython2.7.so.1.0+0xa9e1d)

    #33 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)

    #34 0x7f429dd3618a  (/lib64/libpython2.7.so.1.0+0x14e18a)

    #35 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)

    #36 0x7f429dd4e1b1 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x1661b1)

    #37 0x7f429dd50b18 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168b18)

    #38 0x7f429dd50b18 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168b18)

    #39 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)

    #40 0x7f429dd533a8 in PyEval_EvalCode (/lib64/libpython2.7.so.1.0+0x16b3a8)

    #41 0x7f429dd5939e  (/lib64/libpython2.7.so.1.0+0x17139e)

    #42 0x7f429dd59349 in PyRun_FileExFlags (/lib64/libpython2.7.so.1.0+0x171349)

    #43 0x7f429dd5923d in PyRun_SimpleFileExFlags (/lib64/libpython2.7.so.1.0+0x17123d)

    #44 0x7f429dd5f518 in Py_Main (/lib64/libpython2.7.so.1.0+0x177518)

    #45 0x7f429cef7889 in __libc_start_main (/lib64/libc.so.6+0x20889)

    #46 0x564ae42c4779 in _start (/usr/bin/python2.7+0x779)

0x6020001ffc1c is located 0 bytes to the right of 12-byte region [0x6020001ffc10,0x6020001ffc1c)

allocated by thread T0 here:

    #0 0x7f429e10ac40 in realloc (/usr/lib64/libasan.so.4+0xdec40)

    #1 0x7f42910ce1dd in __realloc_func ../src/os_common/os_alloc.c:130

    #2 0x7f42910ce330 in __wt_realloc_noclear ../src/os_common/os_alloc.c:171

    #3 0x7f429121073a in __wt_buf_grow_worker ../src/support/scratch.c:49

    #4 0x7f429120a3af in __wt_buf_grow ../src/include/buf.i:18

    #5 0x7f4291208ffc in __modify_apply_one ../src/support/modify.c:84

    #6 0x7f4291208bee in __wt_modify_apply_api ../src/support/modify.c:188

    #7 0x7f4290d1ea8b in __wt_btcur_modify ../src/btree/bt_cursor.c:1360

    #8 0x7f4290f1c861 in __curfile_modify ../src/cursor/cur_file.c:333

    #9 0x7f42915f50f7 in __wt_cursor__modify /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:3574

    #10 0x7f42915f50f7 in _wrap_Cursor_modify /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:5274

    #11 0x7f429dd51c47 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x169c47)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/support/modify.c:116 in __modify_apply_one

Shadow bytes around the buggy address:

  0x0c0480037f30: fa fa fd fd fa fa 07 fa fa fa fd fa fa fa fd fa

  0x0c0480037f40: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd

  0x0c0480037f50: fa fa 00 03 fa fa 00 05 fa fa fd fd fa fa 00 00

  0x0c0480037f60: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa

  0x0c0480037f70: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 02 fa

=>0x0c0480037f80: fa fa 00[04]fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c0480037f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c0480037fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c0480037fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c0480037fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c0480037fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

==11207==ABORTING

Attachments

Activity

People

Assignee:: Michael Cahill

Reporter:: Michael Cahill

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: Mar 02 2018 06:47:56 AM UTC

Updated:: Sep 24 2018 02:32:17 PM UTC

Resolved:: Mar 02 2018 11:36:34 AM UTC