This repository has been archived by the owner on Jun 23, 2022. It is now read-only.

fix(asan): heap-use-after-free caused by using string_view in fail_point #446

Merged
merged 2 commits into from
Apr 23, 2020

Conversation

foreverneverer
Contributor

Problem

It will crash because of heap-use-after-free when executing dsn::fail::cfg("db_write_batch_put", "10%return()") in test_batch_writes of pegasus_server_write_test.cpp. The test_batch_writes code in pegasus_server is:

void test_batch_writes()
{
    dsn::fail::setup();

    dsn::fail::cfg("db_write_batch_put", "10%return()");
    dsn::fail::cfg("db_write_batch_remove", "10%return()");
    dsn::fail::cfg("db_write", "10%return()");
    ....
}

Reason

The calling code (line 107):

sub_match = match[3];
string_view task_type = sub_match.str();
if (task_type.compare("off") == 0) {

and it crashes at (line 353):

int compare(string_view x) const noexcept
{
    auto min_length = std::min(length_, x.length_);
    if (min_length > 0) {
        int r = memcmp(ptr_, x.ptr_, min_length);

The root cause has two aspects:

  • The string_view class has a char * member, but only supports shallow copying
  • sub_match.str() generates a temporary variable, and this temporary is used to construct the string_view

The sequence of actions is as follows:

std::string temp = sub_match.str();
string_view task_type(temp);
// then `temp` will be freed, and the `const char *ptr_` of `temp` will also be freed
memcmp(ptr_, x.ptr_, min_length); // crash here because "ptr_" was freed. line 353 of string_view.h

Solution

This usage of string_view isn't right; we can use std::string.
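The dangling-view pattern described above, as an added example that is not the project's code: it uses std::string_view and std::regex rather than the project's own string_view and fail_point.cpp, and the action grammar ("<freq>%<task>(<arg>)", e.g. "10%return()" or "off") and the regex are constructed for this example, not taken from the page. It keeps the faulty form as a comment for comparison and shows two safe forms: owning the bytes in a std::string (what the PR does) and, if a view is still wanted, pointing it into the original input buffer instead of into sub_match.str().

```cpp
#include <cstring>
#include <regex>
#include <string>
#include <string_view>

// Constructed grammar for this example (not the project's): an optional
// "<freq>%" prefix, a task type, and an optional "(<arg>)" suffix.
// Group 2 = frequency, group 3 = task type, group 5 = argument.
static const std::regex kActionRe("^(([0-9]+)%)?([a-z]+)(\\((.*)\\))?$");

struct Action {
    int frequency = 100;   // percent of calls the fail point fires on
    std::string task_type; // "off", "return", "panic", ...
    std::string arg;
};

// The form ASan flagged, kept as a comment only and never compiled into a
// call path:
//   std::csub_match sub_match = match[3];
//   std::string_view task_type = sub_match.str();  // str() returns a temporary
//   if (task_type.compare("off") == 0) ...         // reads freed heap memory
// The temporary std::string is destroyed at the end of the first full
// expression, so the view's data pointer dangles and the compare is a
// heap-use-after-free.

// Fix as in the PR: own the bytes in a std::string whose lifetime we control.
bool parse_action_owned(const std::string &spec, Action &out) {
    std::smatch match;
    if (!std::regex_match(spec, match, kActionRe)) return false;
    std::string task_type = match[3].str();  // owned copy, valid for this scope
    out.task_type = task_type;
    if (task_type.compare("off") == 0) {
        out.frequency = 0;
        return true;
    }
    out.frequency = match[2].matched ? std::stoi(match[2].str()) : 100;
    out.arg = match[5].str();
    return true;
}

// Alternative that keeps a view: build it over the caller's input buffer,
// which outlives the view, instead of over the temporary from str().
bool parse_action_view(const char *spec, Action &out) {
    std::cmatch match;
    if (!std::regex_match(spec, match, kActionRe)) return false;
    std::csub_match sub_match = match[3];
    // first/second are pointers into `spec`, so no temporary is involved.
    std::string_view task_type(sub_match.first,
                               static_cast<size_t>(sub_match.length()));
    out.task_type = std::string(task_type);
    if (task_type == "off") {
        out.frequency = 0;
        return true;
    }
    out.frequency = match[2].matched ? std::stoi(match[2].str()) : 100;
    out.arg = match[5].str();
    return true;
}
```

Building with -fsanitize=address reports the commented-out form as heap-use-after-free on the first byte comparison; both parse functions above run clean because the view, where one is used at all, never outlives the storage it points into.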

@foreverneverer foreverneverer added the type/sanitize Fixes on errors reported by sanitizers. label Apr 23, 2020
@acelyc111 acelyc111 changed the title fix(asan): heap-use-after-free caused by using string_view in fail_point.cpp fix(asan): heap-use-after-free caused by using string_view in fail_point Apr 23, 2020
@acelyc111 acelyc111 merged commit 52bf975 into XiaoMi:master Apr 23, 2020
Labels
2.0.0 type/sanitize Fixes on errors reported by sanitizers.