waltligon / orangefs

Official repository for PVFS/OrangeFS

AddressSanitizer: stack-buffer-overflow in dbpf_keyval_read_op_svc #101

Open l392zhan opened 1 year ago

l392zhan commented 1 year ago

Description of problem: There is a stack-buffer-overflow write on key_entry in the function dbpf_keyval_read_op_svc(). Could you please fix the bug? The AddressSanitizer report and the system calls we used are listed below.

AddressSanitizer report:

==385==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff20beca0 at pc 0x7ffff762e57d bp 0x7ffff20bead0 sp 0x7ffff20be278
WRITE of size 266 at 0x7ffff20beca0 thread T2
    #0 0x7ffff762e57c  (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
    #1 0x55555590f6a8 in dbpf_keyval_read_op_svc (/opt/orangefs/sbin/pvfs2-server+0x3bb6a8)
    #2 0x555555937042 in dbpf_do_one_work_cycle (/opt/orangefs/sbin/pvfs2-server+0x3e3042)
    #3 0x55555593660e in dbpf_thread_function (/opt/orangefs/sbin/pvfs2-server+0x3e260e)
    #4 0x7ffff7143608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477
    #5 0x7ffff705f102 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122102)

Address 0x7ffff20beca0 is located in stack of thread T2 at offset 416 in frame
    #0 0x55555590f34e in dbpf_keyval_read_op_svc (/opt/orangefs/sbin/pvfs2-server+0x3bb34e)

  This frame has 4 object(s):
    [48, 64) 'ref' (line 192)
    [80, 96) 'key' (line 194)
    [112, 128) 'data' (line 194)
    [144, 416) 'key_entry' (line 193) <== Memory access at offset 416 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T2 created by T0 here:
    #0 0x7ffff75cd805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x555555935f80 in dbpf_thread_initialize (/opt/orangefs/sbin/pvfs2-server+0x3e1f80)
    #2 0x55555593a07e in dbpf_initialize (/opt/orangefs/sbin/pvfs2-server+0x3e607e)
    #3 0x55555588fd30 in trove_initialize (/opt/orangefs/sbin/pvfs2-server+0x33bd30)
    #4 0x5555556d07f7 in server_initialize_subsystems (/opt/orangefs/sbin/pvfs2-server+0x17c7f7)
    #5 0x5555556cfb2a in server_initialize (/opt/orangefs/sbin/pvfs2-server+0x17bb2a)
    #6 0x5555556cec75 in main (/opt/orangefs/sbin/pvfs2-server+0x17ac75)
    #7 0x7ffff6f640b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: stack-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c) 
Shadow bytes around the buggy address:
  0x10007e40fd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e40fd50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e40fd60: f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 00 f2 f2 00 00
  0x10007e40fd70: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e40fd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007e40fd90: 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x10007e40fda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e40fdb0: 00 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 00 f2 f2
  0x10007e40fdc0: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e40fdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e40fde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==385==ABORTING

System call series we used (we mounted two clients):

client 1:
open$dir(&(0x7f0000000480)='./file1\x00', 0x52942, 0x0)
lsetxattr$trusted_overlay_origin(0x0, &(0x7f0000000140), 0x0, 0x0, 0x0)
symlink(&(0x7f0000000040)='./file1\x00', &(0x7f00000000c0)='./file1\x00')
setxattr$incfs_size(&(0x7f0000000080)='./file1\x00', &(0x7f0000000100), &(0x7f0000000180)=0xc771, 0x8, 0x3)
chmod(&(0x7f0000000000)='./file1\x00', 0x14)
---
client 2:
open$dir(&(0x7f0000000480)='./file1\x00', 0x52942, 0x0)
lsetxattr$trusted_overlay_origin(0x0, &(0x7f0000000140), 0x0, 0x0, 0x0)
symlink(&(0x7f0000000040)='./file1\x00', &(0x7f0000000080)='./file1\x00')
chmod(&(0x7f0000000000)='./file1\x00', 0x14)
pwrite64(0xffffffffffffffff, &(0x7f0000000000)="<0x1000-byte random payload elided>", 0x1000, 0x8)
lsetxattr$security_selinux(&(0x7f0000001000)='./file1\x00', &(0x7f0000001040), &(0x7f0000001080)='system_u:object_r:dhcpd_exec_t:s0\x00', 0x22, 0x3)
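The frame description above says 'key_entry' occupies [144, 416) of the stack frame, i.e. 272 bytes, and that a 266-byte write crossed offset 416. The following is an added example, not OrangeFS code: a bounded copy into a fixed-size stack object of that size, with the length check written so an oversized or wrapping length is rejected before memcpy runs. KEY_ENTRY_SIZE, struct kv_value and the function names are assumptions for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for the 272-byte 'key_entry' frame object
 * ([144, 416)) in the ASan report; not OrangeFS's real type. */
#define KEY_ENTRY_SIZE 272

struct kv_value {            /* hypothetical record from the backing store */
    const unsigned char *data;
    size_t len;              /* untrusted: taken from stored metadata */
};

/* Copy rec into dst at byte offset 'off'. Returns 0 on success, -EOVERFLOW
 * when the write would leave the buffer, -EINVAL on a NULL record.
 * The test is 'len > size - off' rather than 'off + len > size' so a huge
 * len cannot wrap size_t and slip past the check. */
static int keyval_copy_bounded(unsigned char *dst, size_t dst_size,
                               size_t off, const struct kv_value *rec)
{
    if (rec == NULL || rec->data == NULL)
        return -EINVAL;
    if (off > dst_size || rec->len > dst_size - off)
        return -EOVERFLOW;
    memcpy(dst + off, rec->data, rec->len);
    return 0;
}

/* Drives the check with the sizes from the report: a 266-byte record fits
 * at offset 0 but overflows a 272-byte entry from offset 7 on.
 * Returns the result code so it can be asserted on. */
int keyval_read_demo(size_t off, size_t len)
{
    unsigned char key_entry[KEY_ENTRY_SIZE];
    unsigned char payload[4096];             /* constructed sample value */
    struct kv_value rec = { payload, len };
    if (len > sizeof payload)
        return -EINVAL;
    memset(payload, 0x41, sizeof payload);
    memset(key_entry, 0, sizeof key_entry);
    return keyval_copy_bounded(key_entry, sizeof key_entry, off, &rec);
}
```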