jensdietrich / xshady

vulnerabilities found in shaded projects
Apache License 2.0

`snyk` can hang #40

Open wtwhite opened 11 months ago

wtwhite commented 11 months ago

While testing out the new `sca/Makefile` in shadedetector, I ran `make -j 4` on a fresh clone of this repo to run up to 4 tasks in parallel. However, the snyk task generating a report for CVE-2016-6802 hung:

```
wtwhite@wtwhite-vuw-vm:~$ ps auxwww -H|grep -C 999 make
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
--snip--
wtwhite   613387  0.0  0.0   9080  2948 pts/2    S+   14:30   0:00       make -k -f /home/wtwhite/code/shadedetector/sca/Makefile -j 4 --output-sync
wtwhite   613403  0.0  0.0   2888   952 pts/2    S+   14:30   0:00         /bin/sh -c cd CVE-2016-6802 && snyk test --json --json-file-output=scan-results/snyk/snyk-report.json
wtwhite   613413  0.0  0.0 1616588 39764 pts/2   Sl+  14:30   0:00           snyk test --json --json-file-output=scan-results/snyk/snyk-report.json
wtwhite   613784  0.0  0.2 11465252 143264 pts/2 Sl+  14:30   0:00             /home/wtwhite/.cache/snyk/snyk-cli/1.1228.0/snyk-linux test --json --json-file-output=scan-results/snyk/snyk-report.json
--snip--
```

strace shows it's waiting for some futex (not, e.g., for me to type something on stdin):

```
root@wtwhite-vuw-vm:/home/wtwhite/code/FRESH_xshady/CVE-2016-6802/scan-results/snyk# strace -p 613413
strace: Process 613413 attached
futex(0x6268ea8, FUTEX_WAIT_PRIVATE, 0, NULL
```

Several minutes later it had made some "progress" but was still waiting on the same futex:

```
root@wtwhite-vuw-vm:/home/wtwhite/code/FRESH_xshady/CVE-2016-6802/scan-results/snyk# strace -p 613413
strace: Process 613413 attached
futex(0x6268ea8, FUTEX_WAIT_PRIVATE, 0, NULL) = 0
futex(0x6268ea8, FUTEX_WAIT_PRIVATE, 0, NULL) = 0
futex(0x6269278, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x6268ea8, FUTEX_WAIT_PRIVATE, 0, NULL) = 0
futex(0x6269278, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0xc00057c148, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x6268ea8, FUTEX_WAIT_PRIVATE, 0, NULL) = 0
futex(0xc00007a948, FUTEX_WAKE_PRIVATE, 1) = 1
futex(0x6268ea8, FUTEX_WAIT_PRIVATE, 0, NULL    ) = 0
futex(0x6268ea8, FUTEX_WAIT_PRIVATE, 0, NULL) = 0
futex(0x6268ea8, FUTEX_WAIT_PRIVATE, 0, NULL
```

This looks like a bug in snyk. I would have guessed that it's only likely to happen when multiple instances of snyk are running, but the futex() man page shows that FUTEX_WAIT_PRIVATE indicates a futex completely local to a single process, used to coordinate between threads.

Next step: Raise a ticket with them.

wtwhite commented 11 months ago

Rerunning snyk manually (while the original process was still hung) generated a normal-looking report in 8s.

After I killed the original process, snyk wrote the following to the report file:

```
wtwhite@wtwhite-vuw-vm:~/code/FRESH_xshady$ cat CVE-2016-6802/scan-results/snyk/snyk-report.json
{
  "ok": false,
  "error": "socket hang up",
  "path": "/home/wtwhite/code/FRESH_xshady/CVE-2016-6802"
}
```
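
An added example, not part of the original issue thread or of the xshady/shadedetector code: one way a scan driver could bound each scanner run with a timeout and refuse to accept an error report, such as the `socket hang up` one above, as a scan result. The function names, the timeout and retry values, and the assumption that a completed report carries a `vulnerabilities` list are this example's own.

```python
import json
import os
import signal
import subprocess
from pathlib import Path

def classify_report(path):
    """Return 'missing', 'error', 'vulnerable' or 'clean' for one JSON report."""
    p = Path(path)
    if not p.is_file() or p.stat().st_size == 0:
        return "missing"
    try:
        data = json.loads(p.read_text())
    except ValueError:
        return "error"  # truncated or non-JSON output
    # Assumption: a report is one object, or a list of objects for multi-project scans.
    reports = data if isinstance(data, list) else [data]
    if not reports or any(not isinstance(r, dict) or "error" in r for r in reports):
        return "error"  # e.g. {"ok": false, "error": "socket hang up", ...}
    # "ok": false without an "error" key is treated as a completed scan with findings.
    if any(r.get("vulnerabilities") or r.get("ok") is False for r in reports):
        return "vulnerable"
    return "clean"

def run_scan(cmd, cwd, report, timeout_s=300, attempts=2):
    """Run cmd in cwd with a hard timeout; return the status of the report it wrote."""
    report_path = Path(cwd) / report
    status = "missing"
    for _ in range(attempts):
        report_path.unlink(missing_ok=True)  # a stale report must not stand in for this run
        # New session: the CLI wrapper and the binary it spawns share one process group.
        proc = subprocess.Popen(cmd, cwd=cwd, start_new_session=True,
                                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        try:
            proc.wait(timeout=timeout_s)
        except subprocess.TimeoutExpired:
            os.killpg(proc.pid, signal.SIGKILL)  # kill the whole group, not just the wrapper
            proc.wait()
            report_path.unlink(missing_ok=True)  # drop anything written before the kill
            status = "timeout"
            continue
        status = classify_report(report_path)
        if status in ("clean", "vulnerable"):
            break
    return status

if __name__ == "__main__":
    # Hypothetical invocation mirroring the command line in the issue.
    cmd = ["snyk", "test", "--json", "--json-file-output=scan-results/snyk/snyk-report.json"]
    print(run_scan(cmd, "CVE-2016-6802", "scan-results/snyk/snyk-report.json"))
```

A caller comparing scanners should record `timeout` and `error` as "no result" rather than as "no vulnerabilities found".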