[jira] [Commented] (KUDU-3274) Buffer overflow in SASL
[ https://issues.apache.org/jira/browse/KUDU-3274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17326361#comment-17326361 ] Attila Bukor commented on KUDU-3274: This might be the cause: https://github.com/cyrusimap/cyrus-sasl/issues/587 According to a comment, CVE-2019-19906 was assigned to that issue, which unfortunately [won't be fixed in RHEL7|https://access.redhat.com/security/cve/cve-2019-19906], so this suppression would need to stay until we can upgrade our test infra to RHEL8. > Buffer overflow in SASL > --- > > Key: KUDU-3274 > URL: https://issues.apache.org/jira/browse/KUDU-3274 > Project: Kudu > Issue Type: Bug >Reporter: Attila Bukor >Priority: Major > > There seems to be a buffer overflow in SASL under certain conditions ("Server > not found in Kerberos database" error): > {code} > ==9298==ERROR: AddressSanitizer: heap-buffer-overflow on address > 0x60e3e2d6 at pc 0x00530bf4 bp 0x7f8eb50ad0f0 sp 0x7f8eb50ac8a0 > READ of size 151 at 0x60e3e2d6 thread T88 (client-negotiat) > #0 0x530bf3 in __interceptor_strlen.part.35 > sanitizer_common/sanitizer_common_interceptors.inc:365:5 > #1 0x7f8ee6ad9ee8 in std::basic_ostream >& > std::operator<< >(std::basic_ostream std::char_traits >&, char const*) > (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x113ee8) > #2 0x7f8eeb7c9c9b in kudu::rpc::SaslLogCallback(void*, int, char const*) > ../src/kudu/rpc/sasl_common.cc:102:29 > #3 0x7f8eeb30241c in sasl_seterror > (/tmp/dist-test-taskexUtyr/build/dist-test-system-libs/libsasl2.so.3+0x1441c) > #4 0x7f8edd8f143d in _init > (/tmp/dist-test-taskexUtyr/build/dist-test-system-libs/sasl2/libgssapiv2.so+0x243d) > #5 0x7f8edd8f2452 in _init > (/tmp/dist-test-taskexUtyr/build/dist-test-system-libs/sasl2/libgssapiv2.so+0x3452) > #6 0x7f8eeb2f7844 in sasl_client_step > (/tmp/dist-test-taskexUtyr/build/dist-test-system-libs/libsasl2.so.3+0x9844) > #7 0x7f8eeb2f7bc5 in sasl_client_start > (/tmp/dist-test-taskexUtyr/build/dist-test-system-libs/libsasl2.so.3+0x9bc5) > #8 0x7f8eeb678679 in > kudu::rpc::ClientNegotiation::SendSaslInitiate()::$_1::operator()() const > ../src/kudu/rpc/client_negotiation.cc:594:14 > #9 0x7f8eeb67831c in std::_Function_handler kudu::rpc::ClientNegotiation::SendSaslInitiate()::$_1>::_M_invoke(std::_Any_data > const&) ../../../include/c++/8/bits/std_function.h:282:9 > #10 0x7f8ef3b28220 in std::function::operator()() const > ../../../include/c++/8/bits/std_function.h:687:14 > #11 0x7f8eeb7c5840 in kudu::rpc::WrapSaslCall(sasl_conn*, > std::function const&, char const*) > ../src/kudu/rpc/sasl_common.cc:341:12 > #12 0x7f8eeb67363b in kudu::rpc::ClientNegotiation::SendSaslInitiate() > ../src/kudu/rpc/client_negotiation.cc:593:20 > #13 0x7f8eeb66e0c7 in > kudu::rpc::ClientNegotiation::AuthenticateBySasl(kudu::faststring*, > std::unique_ptr std::default_delete >*) > ../src/kudu/rpc/client_negotiation.cc:523:14 > #14 0x7f8eeb667b99 in > kudu::rpc::ClientNegotiation::Negotiate(std::unique_ptr std::default_delete >*) > ../src/kudu/rpc/client_negotiation.cc:220:7 > #15 0x7f8eeb715027 in > kudu::rpc::DoClientNegotiation(kudu::rpc::Connection*, kudu::TriStateFlag, > kudu::TriStateFlag, kudu::MonoTime, std::unique_ptr std::default_delete >*) > ../src/kudu/rpc/negotiation.cc:218:3 > #16 0x7f8eeb712095 in > kudu::rpc::Negotiation::RunNegotiation(scoped_refptr > const&, kudu::TriStateFlag, kudu::TriStateFlag, kudu::MonoTime) > ../src/kudu/rpc/negotiation.cc:295:9 > #17 0x7f8eeb74d4ad in > kudu::rpc::ReactorThread::StartConnectionNegotiation(scoped_refptr > const&)::$_1::operator()() const ../src/kudu/rpc/reactor.cc:614:3 > #18 0x7f8eeb74d06c in std::_Function_handler kudu::rpc::ReactorThread::StartConnectionNegotiation(scoped_refptr > const&)::$_1>::_M_invoke(std::_Any_data const&) > ../../../include/c++/8/bits/std_function.h:297:2 > #19 0x71b760 in std::function::operator()() const > ../../../include/c++/8/bits/std_function.h:687:14 > #20 0x7f8ee917d03d in kudu::ThreadPool::DispatchThread() > ../src/kudu/util/threadpool.cc:669:7 > #21 0x7f8ee91817dc in kudu::ThreadPool::CreateThread()::$_1::operator()() > const ../src/kudu/util/threadpool.cc:742:48 > #22 0x7f8ee918162c in std::_Function_handler kudu::ThreadPool::CreateThread()::$_1>::_M_invoke(std::_Any_data const&) > ../../../include/c++/8/bits/std_function.h:297:2 > #23 0x71b760 in std::function::operator()() const > ../../../include/c++/8/bits/std_function.h:687:14 > #24 0x7f8ee915660a in kudu::Thread::SuperviseThread(void*) > ../src/kudu/util/thread.cc:674:3 > #25 0x7f8eec6106da in start_thread > (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da) > #26 0x7f8ee64de71e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12171e) > 0x60e3e2d6 is
[jira] [Commented] (KUDU-3274) Buffer overflow in SASL
[ https://issues.apache.org/jira/browse/KUDU-3274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17322189#comment-17322189 ] ASF subversion and git services commented on KUDU-3274: --- Commit 5cd8d574c020925e8257dc6d11af4ee516f329b7 in kudu's branch refs/heads/master from Attila Bukor [ https://gitbox.apache.org/repos/asf?p=kudu.git;h=5cd8d57 ] KUDU-3274 Ignore buffer overflow in libsasl We recently added a few test cases where the client negotiation fails with this error (which is what we expect): GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server kudu/127.6.40@krbtest.com not found in Kerberos database) Apparently SASL doesn't allocate enough memory for this error message in some cases which causes these tests to be flaky with a ~20% error rate with AddressSanitizer enabled: ==9298==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60e3e2d6 at pc 0x00530bf4 bp 0x7f8eb50ad0f0 sp 0x7f8eb50ac8a0 READ of size 151 at 0x60e3e2d6 thread T88 (client-negotiat) #0 0x530bf3 in __interceptor_strlen.part.35 sanitizer_common/sanitizer_common_interceptors.inc:365:5 #1 0x7f8ee6ad9ee8 in std::basic_ostream >& std::operator<< >(std::basic_ostream >&, char const*) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x113ee8) #2 0x7f8eeb7c9c9b in kudu::rpc::SaslLogCallback(void*, int, char const*) ../src/kudu/rpc/sasl_common.cc:102:29 #3 0x7f8eeb30241c in sasl_seterror (/tmp/dist-test-taskexUtyr/build/dist-test-system-libs/libsasl2.so.3+0x1441c) #4 0x7f8edd8f143d in _init (/tmp/dist-test-taskexUtyr/build/dist-test-system-libs/sasl2/libgssapiv2.so+0x243d) #5 0x7f8edd8f2452 in _init (/tmp/dist-test-taskexUtyr/build/dist-test-system-libs/sasl2/libgssapiv2.so+0x3452) #6 0x7f8eeb2f7844 in sasl_client_step (/tmp/dist-test-taskexUtyr/build/dist-test-system-libs/libsasl2.so.3+0x9844) #7 0x7f8eeb2f7bc5 in sasl_client_start (/tmp/dist-test-taskexUtyr/build/dist-test-system-libs/libsasl2.so.3+0x9bc5) #8 0x7f8eeb678679 in kudu::rpc::ClientNegotiation::SendSaslInitiate()::$_1::operator()() const ../src/kudu/rpc/client_negotiation.cc:594:14 #9 0x7f8eeb67831c in std::_Function_handler::_M_invoke(std::_Any_data const&) ../../../include/c++/8/bits/std_function.h:282:9 #10 0x7f8ef3b28220 in std::function::operator()() const ../../../include/c++/8/bits/std_function.h:687:14 #11 0x7f8eeb7c5840 in kudu::rpc::WrapSaslCall(sasl_conn*, std::function const&, char const*) ../src/kudu/rpc/sasl_common.cc:341:12 #12 0x7f8eeb67363b in kudu::rpc::ClientNegotiation::SendSaslInitiate() ../src/kudu/rpc/client_negotiation.cc:593:20 #13 0x7f8eeb66e0c7 in kudu::rpc::ClientNegotiation::AuthenticateBySasl(kudu::faststring*, std::unique_ptr >*) ../src/kudu/rpc/client_negotiation.cc:523:14 #14 0x7f8eeb667b99 in kudu::rpc::ClientNegotiation::Negotiate(std::unique_ptr >*) ../src/kudu/rpc/client_negotiation.cc:220:7 #15 0x7f8eeb715027 in kudu::rpc::DoClientNegotiation(kudu::rpc::Connection*, kudu::TriStateFlag, kudu::TriStateFlag, kudu::MonoTime, std::unique_ptr >*) ../src/kudu/rpc/negotiation.cc:218:3 #16 0x7f8eeb712095 in kudu::rpc::Negotiation::RunNegotiation(scoped_refptr const&, kudu::TriStateFlag, kudu::TriStateFlag, kudu::MonoTime) ../src/kudu/rpc/negotiation.cc:295:9 #17 0x7f8eeb74d4ad in kudu::rpc::ReactorThread::StartConnectionNegotiation(scoped_refptr const&)::$_1::operator()() const ../src/kudu/rpc/reactor.cc:614:3 #18 0x7f8eeb74d06c in std::_Function_handler const&)::$_1>::_M_invoke(std::_Any_data const&) ../../../include/c++/8/bits/std_function.h:297:2 #19 0x71b760 in std::function::operator()() const ../../../include/c++/8/bits/std_function.h:687:14 #20 0x7f8ee917d03d in kudu::ThreadPool::DispatchThread() ../src/kudu/util/threadpool.cc:669:7 #21 0x7f8ee91817dc in kudu::ThreadPool::CreateThread()::$_1::operator()() const ../src/kudu/util/threadpool.cc:742:48 #22 0x7f8ee918162c in std::_Function_handler::_M_invoke(std::_Any_data const&) ../../../include/c++/8/bits/std_function.h:297:2 #23 0x71b760 in std::function::operator()() const ../../../include/c++/8/bits/std_function.h:687:14 #24 0x7f8ee915660a in kudu::Thread::SuperviseThread(void*) ../src/kudu/util/thread.cc:674:3 #25 0x7f8eec6106da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da) #26 0x7f8ee64de71e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12171e) 0x60e3e2d6 is located 0 bytes to the right of 150-byte region [0x60e3e240,0x60e3e2d6) allocated by thread T88 (client-negotiat) here: #0 0x5a4bb8 in malloc /home/abukor/src/kudu/thirdparty/src/llvm-9.0.0.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3 #1 0x7f8eeb2fa1df in _buf_alloc (/tmp/dist-test-taskexUtyr/build/dist-test-system-libs/libsasl2.so.3+0xc1df) This patch suppresses address sanitizer errors in