Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

dns: fix exception unsafe behavior in c-ares callbacks. #4307

Merged
merged 3 commits into from
Aug 31, 2018
Merged

dns: fix exception unsafe behavior in c-ares callbacks. #4307

merged 3 commits into from
Aug 31, 2018

Conversation

htuch
Copy link
Member

@htuch htuch commented Aug 30, 2018

Previously, we were taking an exception due to the late validation of update_merge_window duration
in ClusterManagerImpl::scheduleUpdate, which happened under a c-ares strict DNS host resolution
callback. There are several related issues here:

  1. c-ares is exception unsafe, see ares_gethostbyname() and exception safety c-ares/c-ares#219.
  2. We should be validating Durations with PGV, see
    Validate Duration fields in PGV bufbuild/protoc-gen-validate#97.
  3. We should defer the c-ares resolution callbacks to be outside the c-ares callback context for
    exception safety.

This PR addresses (3) by moving callbacks, even when they are "immediate", to a dispatcher post, so
that we never take an exception under a c-ares callback.

A workaround for (2) is provided, in lieu of bufbuild/protoc-gen-validate#97,
which is blocked on our ability to bump PGV version in Envoy, see
lyft/protoc-gen-star#28.

Fixes oss-fuzz issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9868.

Risk level: Medium (DNS clusters will have some timing changes).
Testing: Updated DNS implementation unit tests, server fuzz corpus entry added.

Signed-off-by: Harvey Tuch [email protected]

@htuch
dns: fix exception unsafe behavior in c-ares callbacks.
a8886d4 
Previously, we were taking an exception due to the late validation of update_merge_window duration
in ClusterManagerImpl::scheduleUpdate, which happened under a c-ares strict DNS host resolution
callback. There are several related issues here:

1. c-ares is exception unsafe, see c-ares/c-ares#219.
2. We should be validating Durations with PGV, see
   bufbuild/protoc-gen-validate#97.
3. We should defer the c-ares resolution callbacks to be outside the c-ares callback context for
   exception safety.

This PR addresses (3) by moving callbacks, even when they are "immediate", to a dispatcher post, so
that we never take an exception under a c-ares callback.

A workaround for (2) is provided, in lieu of bufbuild/protoc-gen-validate#97,
which is blocked on our ability to bump PGV version in Envoy, see
lyft/protoc-gen-star#28.

Fixes oss-fuzz issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=9868.

Risk level: Medium (DNS clusters will have some timing changes).
Testing: Updated DNS implementation unit tests, server fuzz corpus entry added.

Signed-off-by: Harvey Tuch <[email protected]>
@htuch htuch mentioned this pull request Aug 30, 2018
Closed
@htuch
Fix build.
e5b152d 
Signed-off-by: Harvey Tuch <[email protected]>
@ggreenway
Copy link
Contributor

With the original exception, who is supposed to catch it? What does the callstack roughly look like when this happens?

@htuch
Copy link
Member Author

htuch commented Aug 30, 2018

@ggreenway the server initialization code was supposed to catch it; here's the trace:

Direct leak of 8 byte(s) in 1 object(s) allocated from:
--
  | #0 0x4e4858 in __interceptor___strdup _asan_rtl_
  | #1 0x26fefd4 in fake_hostent /builder/home/.cache/bazel/_bazel_root/4e9824db8e7d11820cfa25090ed4ed10/external/envoy_deps_cache_b22e04bff96538ea37e715942da6315c/cares.dep.build/c-ares-cares-1_14_0/ares_gethostbyname.c:290:20
  | #2 0x26fefd4 in ares_gethostbyname /builder/home/.cache/bazel/_bazel_root/4e9824db8e7d11820cfa25090ed4ed10/external/envoy_deps_cache_b22e04bff96538ea37e715942da6315c/cares.dep.build/c-ares-cares-1_14_0/ares_gethostbyname.c:98
  | #3 0x8c0a25 in Envoy::Network::DnsResolverImpl::resolve(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, Envoy::Network::DnsLookupFamily, std::__1::function<void (std::__1::list<std::__1::shared_ptr<Envoy::Network::Address::Instance const>, std::__1::allocator<std::__1::shared_ptr<Envoy::Network::Address::Instance const> > >&&)>) /source/common/network/dns_impl.cc:196:25
  | #4 0x14d1cf4 in Envoy::Upstream::StrictDnsClusterImpl::ResolveTarget::startResolve() /source/common/upstream/upstream_impl.cc:1059:42
  | #5 0x14d18ae in Envoy::Upstream::StrictDnsClusterImpl::startPreInit() /source/common/upstream/upstream_impl.cc:1015:13
  | #6 0x14c74a2 in Envoy::Upstream::ClusterImplBase::initialize(std::__1::function<void ()>) /source/common/upstream/upstream_impl.cc:516:3
  | #7 0x922b26 in Envoy::Upstream::ClusterManagerInitHelper::addCluster(Envoy::Upstream::Cluster&) /source/common/upstream/cluster_manager_impl.cc:50:13
  | #8 0x92628e in Envoy::Upstream::ClusterManagerImpl::ClusterManagerImpl(envoy::config::bootstrap::v2::Bootstrap const&, Envoy::Upstream::ClusterManagerFactory&, Envoy::Stats::Store&, Envoy::ThreadLocal::Instance&, Envoy::Runtime::Loader&, Envoy::Runtime::RandomGenerator&, Envoy::LocalInfo::LocalInfo const&, Envoy::AccessLog::AccessLogManager&, Envoy::Event::Dispatcher&, Envoy::Server::Admin&, Envoy::SystemTimeSource&, Envoy::MonotonicTimeSource&) /source/common/upstream/cluster_manager_impl.cc:292:18
  | #9 0x93d06a in Envoy::Upstream::ProdClusterManagerFactory::clusterManagerFromProto(envoy::config::bootstrap::v2::Bootstrap const&, Envoy::Stats::Store&, Envoy::ThreadLocal::Instance&, Envoy::Runtime::Loader&, Envoy::Runtime::RandomGenerator&, Envoy::LocalInfo::LocalInfo const&, Envoy::AccessLog::AccessLogManager&, Envoy::Server::Admin&) /source/common/upstream/cluster_manager_impl.cc:1179:32
  | #10 0x25ec765 in Envoy::Server::Configuration::MainImpl::initialize(envoy::config::bootstrap::v2::Bootstrap const&, Envoy::Server::Instance&, Envoy::Upstream::ClusterManagerFactory&) /source/server/configuration_impl.cc:56:46
  | #11 0x724ae6 in Envoy::Server::InstanceImpl::initialize(Envoy::Server::Options&, std::__1::shared_ptr<Envoy::Network::Address::Instance const>, Envoy::Server::ComponentFactory&) /source/server/server.cc:280:16
  | #12 0x71ffeb in Envoy::Server::InstanceImpl::InstanceImpl(Envoy::Server::Options&, std::__1::shared_ptr<Envoy::Network::Address::Instance const>, Envoy::TestHooks&, Envoy::Server::HotRestart&, Envoy::Stats::StoreRoot&, Envoy::Thread::BasicLockable&, Envoy::Server::ComponentFactory&, std::__1::unique_ptr<Envoy::Runtime::RandomGenerator, std::__1::default_delete<Envoy::Runtime::RandomGenerator> >&&, Envoy::ThreadLocal::Instance&) /source/server/server.cc:75:5
  | #13 0x5d0dcc in std::__1::__unique_if<Envoy::Server::InstanceImpl>::__unique_single std::__1::make_unique<Envoy::Server::InstanceImpl, testing::NiceMock<Envoy::Server::MockOptions>&, std::__1::shared_ptr<Envoy::Network::Address::Ipv4Instance>, Envoy::DefaultTestHooks&, testing::NiceMock<Envoy::Server::MockHotRestart>&, Envoy::Stats::TestIsolatedStoreImpl&, Envoy::Thread::MutexBasicLockable&, Envoy::Server::TestComponentFactory&, std::__1::unique_ptr<Envoy::Runtime::RandomGeneratorImpl, std::__1::default_delete<Envoy::Runtime::RandomGeneratorImpl> >, Envoy::ThreadLocal::InstanceImpl&>(testing::NiceMock<Envoy::Server::MockOptions>&&&, std::__1::shared_ptr<Envoy::Network::Address::Ipv4Instance>&&, Envoy::DefaultTestHooks&&&, testing::NiceMock<Envoy::Server::MockHotRestart>&&&, Envoy::Stats::TestIsolatedStoreImpl&&&, Envoy::Thread::MutexBasicLockable&&&, Envoy::Server::TestComponentFactory&&&, std::__1::unique_ptr<Envoy::Runtime::RandomGeneratorImpl, std::__1::default_delete<Envoy::Runtime::RandomGeneratorImpl> >&&, Envoy::ThreadLocal::InstanceImpl&&&) /usr/local/include/c++/v1/memory:3114:32
  | #14 0x5cfcc7 in Envoy::Server::TestOneProtoInput(envoy::config::bootstrap::v2::Bootstrap const&) /test/server/server_fuzz_test.cc:39:19
  | #15 0x5cf694 in LLVMFuzzerTestOneInput /test/server/server_fuzz_test.cc:19:1
  | #16 0x38234e2 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:575:15
  | #17 0x380202a in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:280:6
  | #18 0x380d6f5 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:715:9
  | #19 0x37f3c3c in main /src/libfuzzer/FuzzerMain.cpp:20:10
  | #20 0x7ff42b63f82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/libc-start.c:291

@ggreenway
Copy link
Contributor

So with this fix, where does the exception get caught? If we post() it, it won't get caught by server initialization. So where does it go?

@htuch
Copy link
Member Author

htuch commented Aug 30, 2018

There are two things in this PR:

  1. We post to defer it happening under c-ares callback. This then gets picked up by the server's run() and Envoy would take an "unexpected exception, let's shutdown" resolution.
  2. I validate and check for the problem exception condition much earlier (search for the TODO). We should be checking for this condition well before we start doing DNS resolution.

@ggreenway
Copy link
Contributor

So let's say that you hadn't done (2) above so the exception could still be thrown at that time, but you moved it to be post()'d. Isn't that still an exception-unsafe context? I don't think there's any top-level try/catch. So it seems like whether you move it to be post()'d, or call it from the same place it is now, you'd need a try/catch around the call if you want to protect against future incorrect throw's. So what value is there in moving it to be post()'d?

@htuch
Copy link
Member Author

htuch commented Aug 31, 2018

@ggreenway we have top-level try-catch for this, see https://github.com/envoyproxy/envoy/blob/master/source/exe/main_common.cc#L136. The idea in this PR is that it's better to exit via this path if we take an accidental exception vs. the existing situation, where we have a who-knows-what-c-ares is doing scenario.

@ggreenway
Copy link
Contributor

Oh right, I was thinking this was on a worker thread, but this always happens on the main thread.

@htuch htuch merged commit 1d34172 into envoyproxy:master Aug 31, 2018
@htuch htuch deleted the ares-leak branch August 31, 2018 14:41
htuch added a commit to htuch/envoy that referenced this pull request Sep 5, 2018
@htuch
dns: fix callback contract bug in envoyproxy#4307.
a280ce5 
Previously, once the callback was posted to the dispatcher, the
PendingResolution was destructed. This then broke the ability to
cancel() after the post. This PR restores this capability and simplifies
some of the object ownership aspects of PendingResolution post envoyproxy#4307.

Fixes oss-fuzz issue
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10184.

Risk level: Medium (this code has scary complicated lifetime and
  ownership guarantees).
Testing: Additional unit test and corpus entry added.

Signed-off-by: Harvey Tuch <[email protected]>
@htuch htuch mentioned this pull request Sep 5, 2018
Closed
htuch added a commit to htuch/envoy that referenced this pull request Sep 6, 2018
@htuch
Revert "dns: fix exception unsafe behavior in c-ares callbacks. (envo…
19bde10 
…yproxy#4307)"

This reverts commit 1d34172.

Signed-off-by: Harvey Tuch <[email protected]>
htuch added a commit to htuch/envoy that referenced this pull request Sep 6, 2018
@htuch
Preserve non-controversial aspects of envoyproxy#4307.
cf88b8d 
Signed-off-by: Harvey Tuch <[email protected]>
@htuch htuch mentioned this pull request Sep 6, 2018
Merged
ggreenway pushed a commit that referenced this pull request Sep 7, 2018
@htuch @ggreenway
dns: switch to callback exception wrapping. (#4366)
d8ee853 
* Revert "dns: fix exception unsafe behavior in c-ares callbacks. (#4307)"
This reverts commit 1d34172.

* Preserve non-controversial aspects of #4307.
* Exception wrapper for c-ares callback.

Signed-off-by: Harvey Tuch <[email protected]>
rshriram pushed a commit to rshriram/envoy that referenced this pull request Oct 30, 2018
@PiotrSikora @istio-testing
Update Envoy SHA to latest with TCP proxy fixes. (envoyproxy#1964)
490d26f 
Pulling the following changes from github.com/envoyproxy/envoy:

f936fc6 ssl: serialize accesses to SSL socket factory contexts (envoyproxy#4345)
e34dcd6 Fix crash in tcp_proxy (envoyproxy#4323)
ae6a252 router: fix matching when all domains have wildcards (envoyproxy#4326)
aa06142 test: Stop fake_upstream methods from accidentally succeeding (envoyproxy#4232)
5d73187 rbac: update the authenticated.user to a StringMatcher. (envoyproxy#4250)
c6bfc7d time: Event::TimeSystem abstraction to make it feasible to inject time with simulated timers (envoyproxy#4257)
752483e Fixing the fix (envoyproxy#4333)
83487f6 tls: update BoringSSL to ab36a84b (3497). (envoyproxy#4338)
7bc210e test: fixing interactions between waitFor and ignore_spurious_events (envoyproxy#4309)
69474b3 admin: order stats in clusters json admin (envoyproxy#4306)
2d155f9 ppc64le build (envoyproxy#4183)
07efc6d fix static initialization fiasco problem (envoyproxy#4314)
0b7e3b5 test: Remove declared but undefined class methods (envoyproxy#4297)
1485a13 lua: make sure resetting dynamic metadata wrapper when request info is marked dead
d243cd6 test: set to zero when start_time exceeds limit (envoyproxy#4328)
0a1e92a test: fix heap use-after-free in ~IntegrationTestServer. (envoyproxy#4319)
cddc732 CONTRIBUTING: Document 'kick-ci' trick. (envoyproxy#4335)
f13ef24 docs: remove reference to deprecated value field (envoyproxy#4322)
e947a27 router: minor doc fixes in stream idle timeout (envoyproxy#4329)
0c2e998 tcp-proxy: fixing a TCP proxy bug where we attempted to readDisable a closed connection (envoyproxy#4296)
00ffe44 utility: fix strftime overflow handling. (envoyproxy#4321)
af1183c Re-enable TcpProxySslIntegrationTest and make the tests pass again. (envoyproxy#4318)
3553461 fuzz: fix H2 codec fuzzer post envoyproxy#4262. (envoyproxy#4311)
42f6048 Proto string issue fix (envoyproxy#4320)
9c492a0 Support Envoy to fetch secrets using SDS service. (envoyproxy#4256)
a857219 ratelimit: revert `revert rate limit failure mode config` and add tests (envoyproxy#4303)
1d34172 dns: fix exception unsafe behavior in c-ares callbacks. (envoyproxy#4307)
1212423 alts: add gRPC TSI socket (envoyproxy#4153)
f0363ae fuzz: detect client-side resets in H2 codec fuzzer. (envoyproxy#4300)
01aa3f8 test: hopefully deflaking echo integration test (envoyproxy#4304)
1fc0f4b ratelimit: link legacy proto when message is being used (envoyproxy#4308)
aa4481e fix rare List::remove(&target) segfault (envoyproxy#4244)
89e0f23 headers: fixing fast fail of size-validation (envoyproxy#4269)
97eba59 build: bump googletest version. (envoyproxy#4293)
0057e22 fuzz: avoid false positives in HCM fuzzer. (envoyproxy#4262)
9d094e5 Revert ac0bd74 (envoyproxy#4295)
ddb28a4 Add validation context provider (envoyproxy#4264)
3b47cba added histogram latency information to Hystrix dashboard stream (envoyproxy#3986)
cf87d50 docs: update SNI FAQ. (envoyproxy#4285)
f952033 config: fix update empty stat for eds (envoyproxy#4276)
329e591 router: Add ability of custom headers to rely on per-request data (envoyproxy#4219)
68d20b4  thrift: refactor build files and imports (envoyproxy#4271)
5fa8192 access_log: log requested_server_name in tcp proxy (envoyproxy#4144)
fa45bb4 fuzz: libc++ clocks don't like nanos. (envoyproxy#4282)
53f8944 stats: add symbol table for future stat name encoding (envoyproxy#3927)
c987b42 test infra: Remove timeSource() from the ClusterManager api (envoyproxy#4247)
cd171d9 websocket: tunneling websockets (and upgrades in general) over H2 (envoyproxy#4188)
b9dc5d9 router: disallow :path/host rewriting in request_headers_to_add. (envoyproxy#4220)
0c91011 network: skip socket options and source address for UDS client connections (envoyproxy#4252)
da1857d build: fixing a downstream compile error by noting explicit fallthrough (envoyproxy#4265)
9857cfe fuzz: cleanup per-test environment after each fuzz case. (envoyproxy#4253)
52beb06 test: Wrap proto string in std::string before comparison (envoyproxy#4238)
f5e219e extensions/thrift_proxy: Add header matching to thrift router (envoyproxy#4239)
c9ce5d2 fuzz: track read_disable_count bidirectionally in codec_impl_fuzz_test. (envoyproxy#4260)
35103b3 fuzz: use nanoseconds for SystemTime in RequestInfo. (envoyproxy#4255)
ba6ba98 fuzz: make runtime root hermetic in server_fuzz_test. (envoyproxy#4258)
b0a9014 time: Add 'format' test to ensure no one directly instantiates Prod*Time from source. (envoyproxy#4248)
8567460 access_log: support beginning of epoch in START_TIME. (envoyproxy#4254)
28d5f41 proto: unify envoy_proto_library/api_proto_library. (envoyproxy#4233)
f7d3cb6 http: fix allocation bug introduced in envoyproxy#4211. (envoyproxy#4245)

Fixes istio/istio#8310 (once pulled into istio/istio).

Signed-off-by: Piotr Sikora <[email protected]>
@chaoqin-li1123 chaoqin-li1123 mentioned this pull request Apr 16, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ggreenway ggreenway ggreenway approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@htuch @ggreenway