WiredTiger / WT-3949

Buffer overflow in WT_CURSOR::modify for string values

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • Fix Version/s: 3.6.4, 3.7.3, WT3.1.0
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Sprint: Storage Non-NYC 2018-03-12

      Build with CC="gcc -fsanitize=address".

      Run:

      ASAN_OPTIONS=detect_leaks=0,alloc_dealloc_mismatch=0 LD_PRELOAD=/usr/lib64/libasan.so.4 LD_LIBRARY_PATH=`pwd`/.libs python ../test/suite/run.py -v 2 -j 20 cursor12

      Generates this trace:

      =================================================================
      ==11207==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020001ffc1c at pc 0x7f4291209426 bp 0x7ffdfb680b80 sp 0x7ffdfb680b70
      WRITE of size 1 at 0x6020001ffc1c thread T0
          #0 0x7f4291209425 in __modify_apply_one ../src/support/modify.c:116
          #1 0x7f4291208bee in __wt_modify_apply_api ../src/support/modify.c:188
          #2 0x7f4290d1ea8b in __wt_btcur_modify ../src/btree/bt_cursor.c:1360
          #3 0x7f4290f1c861 in __curfile_modify ../src/cursor/cur_file.c:333
          #4 0x7f42915f50f7 in __wt_cursor__modify /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:3574
          #5 0x7f42915f50f7 in _wrap_Cursor_modify /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:5274
          #6 0x7f429dd51c47 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x169c47)
          #7 0x7f429dd50b18 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168b18)
          #8 0x7f429dd50b18 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168b18)
          #9 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)
          #10 0x7f429dc9f036  (/lib64/libpython2.7.so.1.0+0xb7036)
          #11 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #12 0x7f429dd4e97e in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x16697e)
          #13 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)
          #14 0x7f429dc9ee9d  (/lib64/libpython2.7.so.1.0+0xb6e9d)
          #15 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #16 0x7f429dc91e1d  (/lib64/libpython2.7.so.1.0+0xa9e1d)
          #17 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #18 0x7f429dd3618a  (/lib64/libpython2.7.so.1.0+0x14e18a)
          #19 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #20 0x7f429dd4e1b1 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x1661b1)
          #21 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)
          #22 0x7f429dd50192 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168192)
          #23 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)
          #24 0x7f429dd50192 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168192)
          #25 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)
          #26 0x7f429dc9f036  (/lib64/libpython2.7.so.1.0+0xb7036)
          #27 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #28 0x7f429dd4e97e in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x16697e)
          #29 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)
          #30 0x7f429dc9ee9d  (/lib64/libpython2.7.so.1.0+0xb6e9d)
          #31 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #32 0x7f429dc91e1d  (/lib64/libpython2.7.so.1.0+0xa9e1d)
          #33 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #34 0x7f429dd3618a  (/lib64/libpython2.7.so.1.0+0x14e18a)
          #35 0x7f429dc89342 in PyObject_Call (/lib64/libpython2.7.so.1.0+0xa1342)
          #36 0x7f429dd4e1b1 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x1661b1)
          #37 0x7f429dd50b18 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168b18)
          #38 0x7f429dd50b18 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x168b18)
          #39 0x7f429dd53197 in PyEval_EvalCodeEx (/lib64/libpython2.7.so.1.0+0x16b197)
          #40 0x7f429dd533a8 in PyEval_EvalCode (/lib64/libpython2.7.so.1.0+0x16b3a8)
          #41 0x7f429dd5939e  (/lib64/libpython2.7.so.1.0+0x17139e)
          #42 0x7f429dd59349 in PyRun_FileExFlags (/lib64/libpython2.7.so.1.0+0x171349)
          #43 0x7f429dd5923d in PyRun_SimpleFileExFlags (/lib64/libpython2.7.so.1.0+0x17123d)
          #44 0x7f429dd5f518 in Py_Main (/lib64/libpython2.7.so.1.0+0x177518)
          #45 0x7f429cef7889 in __libc_start_main (/lib64/libc.so.6+0x20889)
          #46 0x564ae42c4779 in _start (/usr/bin/python2.7+0x779)
      
      0x6020001ffc1c is located 0 bytes to the right of 12-byte region [0x6020001ffc10,0x6020001ffc1c)
      allocated by thread T0 here:
          #0 0x7f429e10ac40 in realloc (/usr/lib64/libasan.so.4+0xdec40)
          #1 0x7f42910ce1dd in __realloc_func ../src/os_common/os_alloc.c:130
          #2 0x7f42910ce330 in __wt_realloc_noclear ../src/os_common/os_alloc.c:171
          #3 0x7f429121073a in __wt_buf_grow_worker ../src/support/scratch.c:49
          #4 0x7f429120a3af in __wt_buf_grow ../src/include/buf.i:18
          #5 0x7f4291208ffc in __modify_apply_one ../src/support/modify.c:84
          #6 0x7f4291208bee in __wt_modify_apply_api ../src/support/modify.c:188
          #7 0x7f4290d1ea8b in __wt_btcur_modify ../src/btree/bt_cursor.c:1360
          #8 0x7f4290f1c861 in __curfile_modify ../src/cursor/cur_file.c:333
          #9 0x7f42915f50f7 in __wt_cursor__modify /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:3574
          #10 0x7f42915f50f7 in _wrap_Cursor_modify /home/mjc/wt/src/wiredtiger-git/lang/python/wiredtiger_wrap.c:5274
          #11 0x7f429dd51c47 in PyEval_EvalFrameEx (/lib64/libpython2.7.so.1.0+0x169c47)
      
      SUMMARY: AddressSanitizer: heap-buffer-overflow ../src/support/modify.c:116 in __modify_apply_one
      Shadow bytes around the buggy address:
        0x0c0480037f30: fa fa fd fd fa fa 07 fa fa fa fd fa fa fa fd fa
        0x0c0480037f40: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fd
        0x0c0480037f50: fa fa 00 03 fa fa 00 05 fa fa fd fd fa fa 00 00
        0x0c0480037f60: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fa
        0x0c0480037f70: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 02 fa
      =>0x0c0480037f80: fa fa 00[04]fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0480037f90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0480037fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0480037fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0480037fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c0480037fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==11207==ABORTING
      

            Assignee: Michael Cahill (Inactive), michael.cahill@mongodb.com
            Reporter: Michael Cahill (Inactive), michael.cahill@mongodb.com
            Votes: 0
            Watchers: 4