Uploaded image for project: 'WiredTiger'
  1. WiredTiger
  2. WT-6686

stack-buffer-overflow in test/format on 4.2 branch

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major - P3
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None

      Description

      The Jenkins job http://build.wiredtiger.com:8080/job/wiredtiger-test-format-stress-sanitizer-old-branches/2533/console failed on a row-store configuration with a stack buffer overflow.

      =================================================================
      ==7036==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f242acee200 at pc 0x00000064af16 bp 0x7f242acecdb0 sp 0x7f242acecda8
      WRITE of size 8 at 0x7f242acee200 thread T11
          #0 0x64af15 in __wt_struct_unpackv /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-old-branches/build_posix/../src/include/packing.i:706:9
          #1 0x643836 in __wt_cursor_get_keyv /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-old-branches/build_posix/../src/cursor/cur_std.c:400:19
          #2 0x641556 in __wt_cursor_get_key /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-old-branches/build_posix/../src/cursor/cur_std.c:268:11
          #3 0x4fa634 in copy_blocks /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-old-branches/build_posix/test/format/../../../test/format/backup.c:274:9
          #4 0x4f7f5c in backup /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-old-branches/build_posix/test/format/../../../test/format/backup.c:612:21
          #5 0x7f243470b6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
          #6 0x7f243383da3e in clone /build/glibc-2ORdQG/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
       
      Address 0x7f242acee200 is located in stack of thread T11 at offset 128 in frame
          #0 0x4fa04f in copy_blocks /mnt/data0/jenkins/workspace/wiredtiger-test-format-stress-sanitizer-old-branches/build_posix/test/format/../../../test/format/backup.c:243
       
        This frame has 6 object(s):
          [32, 40) 'incr_cur' (line 244)
          [64, 72) 'offset' (line 247)
          [96, 104) 'type' (line 247)
          [128, 132) 'size' (line 248) <== Memory access at offset 128 partially overflows this variable
          [144, 656) 'buf' (line 250)
          [720, 1232) 'config' (line 250)
      

      The stack from gdb looks like:

      Thread 1 (Thread 0x7f242acef700 (LWP 7064)):
      ---Type <return> to continue, or q <return> to quit---
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
      #1  0x00007f243375c8b1 in __GI_abort () at abort.c:79
      #2  0x00000000004e53d7 in __sanitizer::Abort() ()
      #3  0x00000000004e3da1 in __sanitizer::Die() ()
      #4  0x00000000004cbe59 in __asan::ScopedInErrorReport::~ScopedInErrorReport()
          ()
      #5  0x00000000004cd643 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ()
      #6  0x00000000004ce26b in __asan_report_store8 ()
      #7  0x000000000064af16 in __wt_struct_unpackv (session=0x7f2434da2cf0, 
          buffer=0x602000013f90, size=4, fmt=0xd2e740 <.str.1> "qqq", 
          ap=0x7f242acedf20) at ../src/include/packing.i:706
      #8  0x0000000000643837 in __wt_cursor_get_keyv (cursor=0x615000030500, 
          flags=12800, ap=0x7f242acedf20) at ../src/cursor/cur_std.c:400
      #9  0x0000000000641557 in __wt_cursor_get_key (cursor=0x615000030500)
          at ../src/cursor/cur_std.c:268
      #10 0x00000000004fa635 in copy_blocks (session=0x7f2434da2cf0, 
          bkup_c=0x615000030280, name=0x602000012dd0 "wt.wt")
          at ../../../test/format/backup.c:274
      #11 0x00000000004f7f5d in backup (arg=0x0) at ../../../test/format/backup.c:612
      #12 0x00007f243470b6db in start_thread (arg=0x7f242acef700)
          at pthread_create.c:463
      #13 0x00007f243383da3f in clone ()
          at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              sue.loverso Susan LoVerso
              Reporter:
              sue.loverso Susan LoVerso
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: