【标题描述】
我们在使用异常注入与模糊测试结合的方式测试iSulad,期望发现错误处理代码中的内存破坏缺陷。
这个issue可能是一个潜在的use-after-free的bug:img在错误处理路径中被free之后,全局map里仍保留指向它的指针,后续按image id查找时会访问已释放的内存。
我们的异常注入会强制触发在特定上下文的错误处理代码。例如malloc返回NULL(内存不足),open返回-1(文件突然被移动),fork返回-1(全局系统进程数达上限)等等情况,观察在这样情况下程序能否正确处理。所以没有我们的异常注入环境,比较难复现,这里我分析相关的代码如下(如果需要进一步信息请沟通)
// in src/daemon/modules/image/oci/registry/registry.c:671
671 static int create_image(pull_descriptor *desc, char *image_id, bool *reuse)
672 {
// 在storage_img_create()中的变量img,加入全局map后,因异常可能被free,但是没有从map取出
699 ret = storage_img_create(image_id, top_layer_id, NULL, &opts);
700 if (ret != 0) {
//在storage_get_img_top_layer()中从全局map中search出该变量img,use after free
701 pre_top_layer = storage_get_img_top_layer(image_id);
735 return ret;
736 }
// storage_img_create() -> image_store_create()
// in src/daemon/modules/image/oci/storage/image_store/image_store.c:781
781 char *image_store_create(...)
783 {
832 img = new_image(im, g_image_store->dir);
// image_store_append_image()执行失败,如下分析
840 if (image_store_append_image(dst_id, searchable_digest, img) != 0) {
842 ret = -1;
843 goto out;
844 }
857 out:
858 if (ret != 0) {
//在这里被free
863 free_image_t(img);
864 img = NULL;
865 }
868 return dst_id;
869 }
733 static int image_store_append_image(...)
734 {
739 item = util_smart_calloc_s(sizeof(struct linked_list), 1);
744 linked_list_add_elem(item, img);
745 linked_list_add_tail(&g_image_store->images_list, item);
746 g_image_store->images_list_len++;
// 成功加入map
748 if (!map_insert(g_image_store->byid, (void *)id, (void *)img)) {
752 }
// append_image_according_to_digest()失败,goto out.
754 if (append_image_according_to_digest(g_image_store->bydigest, searchable_digest, img) != 0) {
756 ret = -1;
757 goto out;
758 }
773 out:
774 if (ret != 0) {
// 释放item并从list中unlink,但是没有从byid map中移除img,map中因此留下一个悬空指针
775 linked_list_del(item);
776 free(item);
777 }
778 return ret;
779 }
// storage_get_img_top_layer() -> image_store_top_layer()
// in src/daemon/modules/image/oci/storage/image_store/image_store.c:1875
1875 char *image_store_top_layer(const char *id)
1876 {
// lookup a freed img, use after free
1895 img = lookup(id);
1901 top_layer = util_strdup_s(img->simage->layer);
1903 out:
1904 image_ref_dec(img);
1905 image_store_unlock();
1906 return top_layer;
1907 }
【环境信息】
硬件信息:
1) Intel,x86_64
软件信息:
Ubuntu 20.04
iSulad v2.0.14
如果有特殊组网,请提供网络拓扑图
【预期结果】
不应出现内存破坏BUG
【附件信息】
==89896==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000438950 at pc 0x55920149676b bp 0x7effc4d0b620 sp 0x7effc4d0b618
READ of size 8 at 0x603000438950 thread T13 (grpcpp_sync_ser)
#0 0x55920149676a in atomic_int_inc /home/r1/isulad/iSulad/src/utils/cutils/util_atomic.h:82:13
#1 0x55920149666d in image_ref_inc /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_type.c:123:5
#2 0x55920145de91 in lookup /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_store.c:470:5
#3 0x55920146e3fe in image_store_top_layer /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_store.c:1895:11
#4 0x5592014454ac in storage_get_img_top_layer /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/storage.c:898:12
#5 0x5592015f8b0e in create_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/registry/registry.c:701:25
#6 0x5592015d7475 in register_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/registry/registry.c:875:11
0x603000438950 is located 16 bytes inside of 24-byte region [0x603000438940,0x603000438958)
freed by thread T13 (grpcpp_sync_ser) here:
#0 0x559200352322 in free (/home/r1/isulad/iSulad/build/src/isulad+0x77c322)
#1 0x559201496d50 in free_image_t /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_type.c:152:5
#2 0x5592014598ae in image_store_create /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_store.c:863:9
#3 0x55920143f622 in storage_img_create /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/storage.c:350:16
#4 0x5592015f8aad in create_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/registry/registry.c:699:11
#5 0x5592015d7475 in register_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/registry/registry.c:875:11
previously allocated by thread T13 (grpcpp_sync_ser) here:
#0 0x559200352702 in calloc (/home/r1/isulad/iSulad/build/src/isulad+0x77c702)
#1 0x7effd2bafd5f in util_smart_calloc_s /home/r1/isulad/iSulad/src/utils/cutils/utils.c:269:12
#2 0x559201497676 in create_empty_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_type.c:33:25
#3 0x5592014963e5 in new_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_type.c:105:11
#4 0x559201459338 in image_store_create /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_store.c:832:11
#5 0x55920143f622 in storage_img_create /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/storage.c:350:16
#6 0x5592015f8aad in create_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/registry/registry.c:699:11
#7 0x5592015d7475 in register_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/registry/registry.c:875:11
#8 0x5592015d2ecb in registry_pull /home/r1/isulad/iSulad/src/daemon/modules/image/oci/registry/registry.c:2047:15
#9 0x5592015a8be9 in pull_image
If you have any questions, please contact the SIG: iSulad, and any of the maintainers: @haomintsai , @lifeng_isula , @haozi007 , @jingxiaolu , @JingWoo
感谢,我们会尽快修复。或者您这边也可以提PR修复一下。