Couchbase Server / MB-19607

Use-after-free bug during memcached bucket


Details

    • Untriaged
    • Unknown

    Description

      As identified by ThreadSanitizer when running `make run-mats` with TSan enabled - we access a `const char*` which points to a deleted `std::string` object:

      WARNING: ThreadSanitizer: heap-use-after-free (pid=46208)
        Read of size 1 at 0x7d08001a97b8 by thread T62:
          #0 vsnprintf <null> (memcached+0x0000004743d0)
          #1 logger_log_wrapper(EXTENSION_LOG_LEVEL, void const*, char const*, ...) /home/daver/repos/couchbase/server/memcached/extensions/loggers/file_logger.cc:306 (file_logger.so+0x000000002b6b)
          #2 DestroyBucketThread::destroy() /home/daver/repos/couchbase/server/memcached/daemon/memcached.cc:2024 (memcached+0x0000004c83ca)
          #3 DestroyBucketThread::run() /home/daver/repos/couchbase/server/memcached/daemon/memcached.cc:2052 (memcached+0x0000004c8b61)
          #4 Couchbase::Thread::thread_entry() /home/daver/repos/couchbase/server/platform/src/thread.cc:46 (libplatform.so.0.1.0+0x0000000093cc)
       
        Previous write of size 8 at 0x7d08001a97b8 by thread T62:
          [failed to restore the stack]
       
        Thread T62 'mc:bucket_del' (tid=48409, running) created by thread T8 at:
          #0 pthread_create <null> (memcached+0x0000004621e1)
          #1 cb_create_named_thread /home/daver/repos/couchbase/server/platform/src/cb_pthreads.cc:104 (libplatform.so.0.1.0+0x000000004b47)
          #2 process_bin_packet(McbpConnection*) /home/daver/repos/couchbase/server/memcached/daemon/mcbp_executors.cc:4605 (memcached+0x00000050df09)
          #3 conn_nread(McbpConnection*) /home/daver/repos/couchbase/server/memcached/daemon/statemachine_mcbp.cc:310 (memcached+0x0000005184c1)
          #4 McbpStateMachine::execute(McbpConnection&) /home/daver/repos/couchbase/server/memcached/daemon/statemachine_mcbp.h:43 (memcached+0x0000004f3a74)
          #5 run_event_loop /home/daver/repos/couchbase/server/memcached/daemon/connections.cc:147 (memcached+0x0000004f4f76)
          #6 event_handler(int, short, void*) /home/daver/repos/couchbase/server/memcached/daemon/memcached.cc:841 (memcached+0x0000004c6833)
          #7 event_persist_closure /home/couchbase/serverjenkins/workspace/cbdeps-platform-build/deps/packages/build/libevent/libevent-prefix/src/libevent/event.c:1319 (libevent_core-2.0.so.5+0x00000000b6b7)
          #8 CouchbaseThread::run() /home/daver/repos/couchbase/server/platform/src/cb_pthreads.cc:54 (libplatform.so.0.1.0+0x000000004c5a)
       
      SUMMARY: ThreadSanitizer: heap-use-after-free ??:0 __interceptor_vsnprintf
      

      Given this could crash memcached, setting to critical.
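
The pattern the description names, a `const char*` that outlives the `std::string` it points into and is later handed to a printf-style logger, shown next to an owning-copy variant. This is an added example, not Couchbase code; `Bucket`, `BorrowingDestroyTask`, `OwningDestroyTask`, `log_line`, `run_owning_destroy` and the log text are hypothetical.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-in for an object that owns its name as a std::string.
struct Bucket {
    std::string name;
};

// printf-style formatting, as a file logger would do it: the bytes behind
// each %s argument are read when the call runs, not when the pointer was taken.
static std::string log_line(const char* fmt, const char* arg) {
    char buf[128];
    std::snprintf(buf, sizeof(buf), fmt, arg);
    return std::string(buf);
}

// BEFORE: the task borrows a pointer into storage owned by the Bucket.
struct BorrowingDestroyTask {
    const char* name;
    explicit BorrowingDestroyTask(const Bucket& b) : name(b.name.c_str()) {}
    std::string destroy(std::unique_ptr<Bucket> bucket) {
        bucket.reset();  // Bucket and its std::string are freed here
        return log_line("destroyed bucket %s", name);  // heap-use-after-free
    }
};

// AFTER: the task copies the name, so the log call reads memory it owns.
struct OwningDestroyTask {
    const std::string name;
    explicit OwningDestroyTask(const Bucket& b) : name(b.name) {}
    std::string destroy(std::unique_ptr<Bucket> bucket) {
        bucket.reset();
        return log_line("destroyed bucket %s", name.c_str());
    }
};

// Runs only the owning variant; the borrowing one is undefined behaviour.
std::string run_owning_destroy(const std::string& bucket_name) {
    auto bucket = std::make_unique<Bucket>();
    bucket->name = bucket_name;
    OwningDestroyTask task(*bucket);
    return task.destroy(std::move(bucket));
}

int main() {
    std::puts(run_owning_destroy("constructed-sample-bucket").c_str());
    return 0;
}
```

Because the `Bucket` itself is heap-allocated, the borrowed pointer dangles even when the name is short enough for the small-string optimisation.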


          People

            drigby Dave Rigby (Inactive)