Menu

#3324 mds: valgrind detected an invalid read

5.22.11
fixed
None
defect
mds
lib
major
False
2022-11-04
2022-10-31
No

Valgrind has detected an invalid read from OpenSAF 5.22.06

  • Invalid read:
Object  /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so
Function    __memcpy_chk
File/Line   


Object  /usr/lib64/libopensaf_core.so.0.2.0
Function    memcpy
File/Line   /usr/include/bits/string3.h:53


Object  /usr/lib64/libopensaf_core.so.0.2.0
Function    ncs_patricia_tree_getnext
File/Line   opensaf/src/base/patricia.c:491


Object  /usr/lib64/libopensaf_core.so.0.2.0
Function    mds_subtn_res_tbl_query_next_active
File/Line   opensaf/src/mds/mds_c_db.c:2680


Object  /usr/lib64/libopensaf_core.so.0.2.0
Function    mds_mcm_svc_down
File/Line   opensaf/src/mds/mds_c_api.c:3862


Object  /usr/lib64/libopensaf_core.so.0.2.0
Function    mdtm_process_discovery_events
File/Line   opensaf/src/mds/mds_dt_tipc.c:1431


Object  /usr/lib64/libopensaf_core.so.0.2.0
Function    mdtm_process_recv_events
File/Line   opensaf/src/mds/mds_dt_tipc.c:943


Object  /lib64/libpthread-2.22.so
Function    start_thread
File/Line   


Object  /lib64/libc-2.22.so
Function    clone
File/Line   
  • Memory is freed:
Object  /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so
Function    free
File/Line   


Object  /usr/lib64/libopensaf_core.so.0.2.0
Function    mds_subtn_res_tbl_del
File/Line   opensaf/src/mds/mds_c_db.c:2051


Object  /usr/lib64/libopensaf_core.so.0.2.0
Function    mds_mcm_svc_down
File/Line   opensaf/src/mds/mds_c_api.c:3862


Object  /usr/lib64/libopensaf_core.so.0.2.0
Function    mdtm_process_discovery_events
File/Line   opensaf/src/mds/mds_dt_tipc.c:1431


Object  /usr/lib64/libopensaf_core.so.0.2.0
Function    mdtm_process_recv_events
File/Line   opensaf/src/mds/mds_dt_tipc.c:943


Object  /lib64/libpthread-2.22.so
Function    start_thread
File/Line   


Object  /lib64/libc-2.22.so
Function    clone
File/Line   

Related

Wiki: ChangeLog-5.22.11

Discussion

  • Hieu Hong Hoang

    Hieu Hong Hoang - 2022-10-31
    • Description has changed:

    Diff:

    --- old
    +++ new
    @@ -61,7 +61,7 @@
    
     Object /usr/lib64/libopensaf_core.so.0.2.0
     Function   mds_mcm_svc_down
    -File/Line  opensaf/src/mds/mds_c_api.c:3807
    +File/Line  opensaf/src/mds/mds_c_api.c:3862
    
    
     Object /usr/lib64/libopensaf_core.so.0.2.0
    
     
  • Hieu Hong Hoang

    Hieu Hong Hoang - 2022-11-01
     
  • Hieu Hong Hoang

    Hieu Hong Hoang - 2022-11-01

    Reproduced in develop branch.

    ==487== Invalid read of size 1
    ==487==    at 0x4843B60: __memcpy_chk (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==487==    by 0x4891FE3: memcpy (string_fortified.h:34)
    ==487==    by 0x4891FE3: ncs_patricia_tree_getnext (patricia.c:491)
    ==487==    by 0x48AADF8: mds_subtn_res_tbl_query_next_active (mds_c_db.c:2681)
    ==487==    by 0x48BBC7D: mds_svc_op_vdest_mxn_active_delete (mds_svc_op.c:1199)
    ==487==    by 0x48BBC7D: mds_svc_op_down (mds_svc_op.c:861)
    ==487==    by 0x48A60DB: mds_mcm_svc_down (mds_c_api.c:1305)
    ==487==    by 0x48B68EF: mds_mdtm_process_recvdata (mds_dt_trans.c:1150)
    ==487==    by 0x48B78DE: mdtm_process_poll_recv_data_tcp (mds_dt_trans.c:903)
    ==487==    by 0x48B7D0E: mdtm_process_recv_events_tcp (mds_dt_trans.c:995)
    ==487==    by 0x48FE608: start_thread (pthread_create.c:477)
    ==487==    by 0x4A38132: clone (clone.S:95)
    ==487==  Address 0x4eb04c7 is 55 bytes inside a block of size 408 free'd
    ==487==    at 0x483CA3F: free (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)==487==    by 0x48AA282: mds_subtn_res_tbl_del (mds_c_db.c:2051)
    ==487==    by 0x48B99F8: mds_svc_op_subtn_res_tbl_del (mds_svc_op.c:1667)
    ==487==    by 0x48BBA3A: mds_svc_op_vdest_mxn_active_delete (mds_svc_op.c:1169)
    ==487==    by 0x48BBA3A: mds_svc_op_down (mds_svc_op.c:861)
    ==487==    by 0x48A60DB: mds_mcm_svc_down (mds_c_api.c:1305)
    ==487==    by 0x48B68EF: mds_mdtm_process_recvdata (mds_dt_trans.c:1150)
    ==487==    by 0x48B78DE: mdtm_process_poll_recv_data_tcp (mds_dt_trans.c:903)
    ==487==    by 0x48B7D0E: mdtm_process_recv_events_tcp (mds_dt_trans.c:995)
    ==487==    by 0x48FE608: start_thread (pthread_create.c:477)
    ==487==    by 0x4A38132: clone (clone.S:95)
    ==487==  Block was alloc'd at
    ==487==    at 0x483DD99: calloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
    ==487==    by 0x48A9F76: mds_subtn_res_tbl_add (mds_c_db.c:1857)
    ==487==    by 0x48B9980: mds_svc_op_subtn_res_tbl_add (mds_svc_op.c:1660)
    ==487==    by 0x48BB401: mds_svc_op_vdest_mxn_active_add (mds_svc_op.c:906)
    ==487==    by 0x48BB401: mds_svc_op_up (mds_svc_op.c:726)
    ==487==    by 0x48A604B: mds_mcm_svc_up (mds_c_api.c:1266)
    ==487==    by 0x48B678F: mds_mdtm_process_recvdata (mds_dt_trans.c:1137)
    ==487==    by 0x48B78DE: mdtm_process_poll_recv_data_tcp (mds_dt_trans.c:903)
    ==487==    by 0x48B7D0E: mdtm_process_recv_events_tcp (mds_dt_trans.c:995)
    ==487==    by 0x48FE608: start_thread (pthread_create.c:477)
    ==487==    by 0x4A38132: clone (clone.S:95)
    

    Reproduce steps:
    1. Apply the test case patch
    2. Build and deploy OpenSAF.
    3. Run the following command inside a node:
    valgrind --error-exitcode=1 --leak-check=no mdstest 4 13

     

    Last edit: Hieu Hong Hoang 2022-11-01
  • Hieu Hong Hoang

    Hieu Hong Hoang - 2022-11-01
    • status: assigned --> accepted
     
  • Hieu Hong Hoang

    Hieu Hong Hoang - 2022-11-02
    • status: accepted --> review
     
  • Hieu Hong Hoang

    Hieu Hong Hoang - 2022-11-04

    commit 02037580ba403cb0afc66afb1e70c46c7210e21b (HEAD -> develop, ticket-3324)
    Author: hieu.h.hoang hieu.h.hoang@dektech.com.au
    Date: Thu Nov 3 10:07:09 2022 +0700

    mds: Test cases for conflicted vdests [#3324]
    
    Verify the service events before and after conflict.
    

    commit f5b653c6a77b0d43b647ef8930403645ff147bcd
    Author: hieu.h.hoang hieu.h.hoang@dektech.com.au
    Date: Thu Nov 3 09:56:53 2022 +0700

    mds: Add a test function to wait for vdest events [#3324]
    
    If vdest is installed with ownership enabled, a select object is provided
    to notify incoming events. Before retrieving a event, polling the select
    object to make sure the event arrived.
    

    commit 81e23dd92464fbb8e880e48e38c033f5b02084d9
    Author: hieu.h.hoang hieu.h.hoang@dektech.com.au
    Date: Mon Oct 31 14:23:17 2022 +0700

    mds: Fix invalid read [#3324]
    
    After removing the active subscription result, mds finds
    the next active subscription result by using the deleted
    result. It led an invalid read. Solution is to get the
    first active subscription result rather than the next
    active result.
    
     
  • Hieu Hong Hoang

    Hieu Hong Hoang - 2022-11-04
    • status: review --> fixed
     

Log in to post a comment.