Skip to content
This repository has been archived by the owner on Jun 23, 2022. It is now read-only.

fix(asan): heap-buffer-overflow in meta_test_base.h #377

Merged
merged 2 commits into from
Jan 10, 2020
Merged

fix(asan): heap-buffer-overflow in meta_test_base.h #377

merged 2 commits into from
Jan 10, 2020

Conversation

foreverneverer
Copy link
Contributor

@foreverneverer foreverneverer commented Jan 10, 2020
edited
Loading

Related issue

#376

Reason

The 3th argument of utils::factory_store<server_load_balancer>::create(const char *name, ::dsn::provider_type type, T1 t1) is set to meta_test_base type in line 24 of meta_test_base.h.

rdsn/src/dist/replication/test/meta_test/unit_test/meta_test_base.h

Lines 21 to 29 in 7b37038

{
_ms = make_unique<fake_receiver_meta_service>();
_ms->_failure_detector.reset(new meta_server_failure_detector(_ms.get()));
_ms->_balancer.reset(utils::factory_store<server_load_balancer>::create(
_ms->_meta_opts._lb_opts.server_load_balancer_type.c_str(), PROVIDER_TYPE_MAIN, this));
ASSERT_EQ(_ms->remote_storage_initialize(), ERR_OK);
_ms->initialize_duplication_service();
ASSERT_TRUE(_ms->_dup_svc);
_ms->_split_svc = make_unique<meta_split_service>(_ms.get());

Therefore, It will be illegally cast to meta_service type in line 60 of server_load_balancer.h and report heap-buffer-overflow in line 235.

rdsn/src/dist/replication/meta_server/server_load_balancer.h

Lines 54 to 61 in 7b37038

class server_load_balancer
{
public:
template <typename T>
static server_load_balancer *create(meta_service *svc)
{
return new T(svc);
}

rdsn/src/dist/replication/meta_server/server_load_balancer.h

Lines 230 to 240 in 7b37038

public:
simple_load_balancer(meta_service *svc)
: server_load_balancer(svc), _ctrl_assign_delay_ms(nullptr)
{
if (svc != nullptr) {
_mutation_2pc_min_replica_count = svc->get_options().mutation_2pc_min_replica_count;
_replica_assign_delay_ms_for_dropouts =
svc->get_meta_options()._lb_opts.replica_assign_delay_ms_for_dropouts;
config_context::MAX_REPLICA_COUNT_IN_GRROUP =
svc->get_meta_options()._lb_opts.max_replicas_in_group;
} else {

The root cause is that meta_test_base object don’t malloc matching address with meta_service type, and then, it will be report heap-buffer-overflow when visiting the meta_service class member via Illegal address.

Solution

The 3th argument of utils::factory_store<server_load_balancer>::create(const char *name, ::dsn::provider_type type, T1 t1) is set to meta_service type:

_ms = make_unique<fake_receiver_meta_service>();
        _ms->_failure_detector.reset(new meta_server_failure_detector(_ms.get()));
        _ms->_balancer.reset(utils::factory_store<server_load_balancer>::create(
            _ms->_meta_opts._lb_opts.server_load_balancer_type.c_str(),
            PROVIDER_TYPE_MAIN,
            _ms.get())); // this-> _ms.get()

@neverchanje neverchanje added the type/sanitize Fixes on errors reported by sanitizers. label Jan 10, 2020
@foreverneverer foreverneverer mentioned this pull request Jan 10, 2020
Closed
@foreverneverer foreverneverer merged commit d9c2859 into XiaoMi:master Jan 10, 2020
@weekly-digest weekly-digest bot mentioned this pull request Jan 12, 2020
Closed
@neverchanje neverchanje mentioned this pull request Mar 30, 2020
Closed
neverchanje pushed a commit that referenced this pull request Mar 31, 2020
@foreverneverer
fix(asan): heap-buffer-overflow in meta_test_base.h (#377)
1bd71bf
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@levy5307 levy5307 levy5307 approved these changes

@neverchanje neverchanje neverchanje approved these changes

Assignees
No one assigned
Labels
1.12.3 type/sanitize Fixes on errors reported by sanitizers.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@foreverneverer @neverchanje @levy5307 @acelyc111