Giters

ovis-hpc / ovis

OVIS/LDMS High Performance Computing monitoring, analysis, and visualization project.

Home Page:https://github.com/ovis-hpc/ovis-wiki/wiki

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

use-after-free in xprt/stream

baallan opened this issue · comments

commented

For the teardown script prdcr_del step in:

updtr_stop name=allhosts
updtr_prdcr_del name=allhosts regex=.*
updtr_del name=allhosts

prdcr_stop name=localhost1
prdcr_unsubscribe regex=.* stream=slurm
prdcr_del name=localhost1

I get the following use after free trace:

==29762== Invalid read of size 1
==29762==    at 0x4C2E2B1: __strcmp_sse42 (vg_replace_strmem.c:852)
==29762==    by 0x5267456: p_cmp (ldmsd_stream.c:56)
==29762==    by 0x610363C: rbt_find (rbt.c:383)
==29762==    by 0x5267A47: __find_publisher (ldmsd_stream.c:135)
==29762==    by 0x5267A47: ldmsd_stream_publisher_remove (ldmsd_stream.c:243)
==29762==    by 0x41FCFF: ldmsd_prdcr_del (ldmsd_prdcr.c:894)
==29762==    by 0x41A7A8: prdcr_del_handler (ldmsd_request.c:1631)
==29762==    by 0x41B5DF: ldmsd_handle_request (ldmsd_request.c:942)
==29762==    by 0x41B9F4: ldmsd_process_config_request (ldmsd_request.c:1260)
==29762==    by 0x41053B: ldmsd_recv_msg (ldmsd_config.c:989)
==29762==    by 0x41057E: __listen_connect_cb (ldmsd_config.c:1011)
==29762==    by 0x4E4E609: process_send_request (ldms_xprt.c:934)
==29762==    by 0x4E4E609: ldms_xprt_recv_request (ldms_xprt.c:1622)
==29762==    by 0x4E4E609: recv_cb (ldms_xprt.c:2082)
==29762==    by 0x4E4E609: ldms_zap_cb (ldms_xprt.c:2816)
==29762==    by 0x4E4F9BC: ldms_zap_auto_cb (ldms_xprt.c:2960)
==29762==  Address 0x91eab80 is 0 bytes inside a block of size 11 free'd
==29762==    at 0x4C2B06D: free (vg_replace_malloc.c:540)
==29762==    by 0x41F0C1: __ldmsd_xprt_ctxt_free (ldmsd_prdcr.c:576)
==29762==    by 0x4E4A166: ldms_xprt_put (ldms_xprt.c:658)
==29762==    by 0x4E4F818: ldms_zap_cb (ldms_xprt.c:2911)
==29762==    by 0xACB1363: sock_event (zap_sock.c:1614)
==29762==    by 0xACB1363: sock_ev_cb (zap_sock.c:1155)
==29762==    by 0xACB190E: io_thread_proc (zap_sock.c:1412)
==29762==    by 0x714CEA4: start_thread (in /usr/lib64/libpthread-2.17.so)
==29762==    by 0x6A6EB0C: clone (in /usr/lib64/libc-2.17.so)
==29762==  Block was alloc'd at
==29762==    at 0x4C29F73: malloc (vg_replace_malloc.c:309)
==29762==    by 0x69FCB89: strdup (in /usr/lib64/libc-2.17.so)
==29762==    by 0x4207B1: prdcr_connect_cb (ldmsd_prdcr.c:612)
==29762==    by 0x4E4FDB5: ldms_xprt_auth_end (ldms_xprt_auth.c:147)
==29762==    by 0xB0CB9B4: __auth_xprt_begin (ldms_auth_none.c:118)
==29762==    by 0x4E4FD1F: ldms_xprt_auth_begin (ldms_xprt_auth.c:128)
==29762==    by 0x4E4F583: ldms_zap_cb (ldms_xprt.c:2856)
==29762==    by 0xACB0210: process_sep_msg_accepted (zap_sock.c:518)
==29762==    by 0xACB10DB: sock_read (zap_sock.c:1361)
==29762==    by 0xACB10DB: sock_ev_cb (zap_sock.c:1141)
==29762==    by 0xACB190E: io_thread_proc (zap_sock.c:1412)
==29762==    by 0x714CEA4: start_thread (in /usr/lib64/libpthread-2.17.so)
==29762==    by 0x6A6EB0C: clone (in /usr/lib64/libc-2.17.so)

the top of tree sha for this build is:
29518af (from 4/18/23)

commented

I'll look into this.