Uploaded image for project: 'WiredTiger'
  1. WiredTiger
  2. WT-3949

Buffer overflow in WT_CURSOR::modify for string values

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.6.4, 3.7.3, WT3.1.0
    • Component/s: None
    • Labels:
      None
    • Sprint:
      Storage Non-NYC 2018-03-12

      Description

      Build with CC="gcc -fsanitize=address".

      Run:

      ASAN_OPTIONS=detect_leaks=0,alloc_dealloc_mismatch=0 LD_PRELOAD=/usr/lib64/libasan.so.4 LD_LIBRARY_PATH=`pwd`/.libs python ../test/suite/run.py -v 2 -j 20 cursor12

      Generates this trace:

      =================================================================
      ==11207==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001ffc1c at pc 0x7f4291209426 bp 0x7ffdfb680b80 sp 0x7ffdfb680b70
      WRITE of size 1 at 0x6020001ffc1c thread T0
          #0 0x7f4291209425 in __modify_apply_one ../src/support/modify.c:116
          #1 0x7f4291208bee in __wt_modify_apply_api ../src/support/modify.c:188
          #2 0x7f4290d1ea8b in __wt_btcur_modify ../src/btree/bt_cursor.c:1360
          #3 0x7f4290f1c861 in __curfile_modify ../src/cursor/cur_file.c:333
          #4 0x7f42915f50f7 in __wt_cursor__modify /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:3574
          #5 0x7f42915f50f7 in _wrap_Cursor_modify /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:5274
          #6 0x7f429dd51c47 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x169c47)
          #7 0x7f429dd50b18 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168b18)
          #8 0x7f429dd50b18 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168b18)
          #9 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)
          #10 0x7f429dc9f036  (/lib64/libpython2.7.so.1.0+0xb7036)
          #11 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #12 0x7f429dd4e97e in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x16697e)
          #13 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)
          #14 0x7f429dc9ee9d  (/lib64/libpython2.7.so.1.0+0xb6e9d)
          #15 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #16 0x7f429dc91e1d  (/lib64/libpython2.7.so.1.0+0xa9e1d)
          #17 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #18 0x7f429dd3618a  (/lib64/libpython2.7.so.1.0+0x14e18a)
          #19 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #20 0x7f429dd4e1b1 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x1661b1)
          #21 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)
          #22 0x7f429dd50192 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168192)
          #23 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)
          #24 0x7f429dd50192 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168192)
          #25 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)
          #26 0x7f429dc9f036  (/lib64/libpython2.7.so.1.0+0xb7036)
          #27 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #28 0x7f429dd4e97e in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x16697e)
          #29 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)
          #30 0x7f429dc9ee9d  (/lib64/libpython2.7.so.1.0+0xb6e9d)
          #31 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #32 0x7f429dc91e1d  (/lib64/libpython2.7.so.1.0+0xa9e1d)
          #33 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #34 0x7f429dd3618a  (/lib64/libpython2.7.so.1.0+0x14e18a)
          #35 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #36 0x7f429dd4e1b1 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x1661b1)
          #37 0x7f429dd50b18 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168b18)
          #38 0x7f429dd50b18 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168b18)
          #39 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)
          #40 0x7f429dd533a8 in PyEval_EvalCode (/lib64/libpython2.7.so.1.0+0x16b3a8)
          #41 0x7f429dd5939e  (/lib64/libpython2.7.so.1.0+0x17139e)
          #42 0x7f429dd59349 in PyRun_FileExFlags (/lib64/libpython2.7.so.1.0+0x171349)
          #43 0x7f429dd5923d in PyRun_SimpleFileExFlags (/lib64/libpython2.7.so.1.0+0x17123d)
          #44 0x7f429dd5f518 in Py_Main (/lib64/libpython2.7.so.1.0+0x177518)
          #45 0x7f429cef7889 in __libc_start_main (/lib64/libc.so.6+0x20889)
          #46 0x564ae42c4779 in _start (/usr/bin/python2.7+0x779)
       
      0x6020001ffc1c is located 0 bytes to the right of 12-byte region [0x6020001ffc10,0x6020001ffc1c)
      allocated by thread T0 here:
          #0 0x7f429e10ac40 in realloc (/usr/lib64/libasan.so.4+0xdec40)
          #1 0x7f42910ce1dd in __realloc_func ../src/os_common/os_alloc.c:130
          #2 0x7f42910ce330 in __wt_realloc_noclear ../src/os_common/os_alloc.c:171
          #3 0x7f429121073a in __wt_buf_grow_worker ../src/support/scratch.c:49
          #4 0x7f429120a3af in __wt_buf_grow ../src/include/buf.i:18
          #5 0x7f4291208ffc in __modify_apply_one ../src/support/modify.c:84
          #6 0x7f4291208bee in __wt_modify_apply_api ../src/support/modify.c:188
          #7 0x7f4290d1ea8b in __wt_btcur_modify ../src/btree/bt_cursor.c:1360
          #8 0x7f4290f1c861 in __curfile_modify ../src/cursor/cur_file.c:333
          #9 0x7f42915f50f7 in __wt_cursor__modify /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:3574
          #10 0x7f42915f50f7 in _wrap_Cursor_modify /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:5274
          #11 0x7f429dd51c47 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x169c47)
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/support/modify.c:116 in __modify_apply_one
      Shadow bytes around the buggy address:
        0x0c0480037f30: fa fa fd fd fa fa 07 fa fa fa fd fa fa fa fd fa
        0x0c0480037f40: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
        0x0c0480037f50: fa fa 00 03 fa fa 00 05 fa fa fd fd fa fa 00 00
        0x0c0480037f60: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
        0x0c0480037f70: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 02 fa
      =>0x0c0480037f80: fa fa 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0480037f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0480037fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0480037fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0480037fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0480037fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==11207==ABORTING
      

        Attachments

          Activity

            People

            Assignee:
            michael.cahill Michael Cahill
            Reporter:
            michael.cahill Michael Cahill
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: