Unexpected crash #6633

Closed
ChijinZ opened this issue Dec 1, 2019 · 6 comments
Labels
state:to-be-closed requesting the core team to close the issue

@ChijinZ

ChijinZ commented Dec 1, 2019

=== REDIS BUG REPORT START: Cut & paste starting from here ===
9215:M 30 Nov 2019 22:36:12.632 # Redis 999.999.999 crashed by signal: 11
9215:M 30 Nov 2019 22:36:12.632 # Crashed running the instruction at: 0x55d4daa531e9
9215:M 30 Nov 2019 22:36:12.632 # Accessing address: (nil)
9215:M 30 Nov 2019 22:36:12.632 # Failed assertion: (:0)

------ STACK TRACE ------
EIP:
./src/redis-server *:6379(je_large_dalloc+0x29)[0x55d4daa531e9]

Backtrace:
./src/redis-server *:6379(logStackTrace+0x5a)[0x55d4da99967a]
./src/redis-server *:6379(sigsegvHandler+0xb1)[0x55d4da999e31]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x12890)[0x7fc41e0f0890]
./src/redis-server *:6379(je_large_dalloc+0x29)[0x55d4daa531e9]
./src/redis-server *:6379(clientAcceptHandler+0x13f)[0x55d4da961c6f]
./src/redis-server *:6379(+0xd30c6)[0x55d4da9e50c6]
./src/redis-server *:6379(+0x4fd3a)[0x55d4da961d3a]
./src/redis-server *:6379(acceptTcpHandler+0x6b)[0x55d4da961e4b]
./src/redis-server *:6379(aeProcessEvents+0x149)[0x55d4da94d519]
./src/redis-server *:6379(aeMain+0x2b)[0x55d4da94d98b]
./src/redis-server *:6379(main+0x520)[0x55d4da94a4b0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x7fc41dd0eb97]
./src/redis-server *:6379(_start+0x2a)[0x55d4da94a6ea]

------ INFO OUTPUT ------

Server

redis_version:999.999.999
redis_git_sha1:a1b65481
redis_git_dirty:0
redis_build_id:443dd9add5fcae7
redis_mode:standalone
os:Linux 4.15.0-66-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:atomic-builtin
gcc_version:7.4.0
process_id:9215
run_id:ca5672780ea5b71a41080ff3f8133e50b987c30b
tcp_port:6379
uptime_in_seconds:30082
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:14843484
executable:/home/jin/Documents/cve/redis/./src/redis-server
config_file:

Clients

connected_clients:0
client_recent_max_input_buffer:4
client_recent_max_output_buffer:0
blocked_clients:0
tracking_clients:0

Memory

used_memory:461304
used_memory_human:450.49K
used_memory_rss:5599232
used_memory_rss_human:5.34M
used_memory_peak:585656
used_memory_peak_human:571.93K
used_memory_peak_perc:78.77%
used_memory_overhead:523680
used_memory_startup:523608
used_memory_dataset:18446744073709489240
used_memory_dataset_perc:1844674407370955161600.00%
allocator_allocated:535856
allocator_active:770048
allocator_resident:3883008
total_system_memory:16766013440
total_system_memory_human:15.61G
used_memory_lua:37888
used_memory_lua_human:37.00K
used_memory_scripts:0
used_memory_scripts_human:0B
number_of_cached_scripts:0
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.44
allocator_frag_bytes:234192
allocator_rss_ratio:5.04
allocator_rss_bytes:3112960
rss_overhead_ratio:1.44
rss_overhead_bytes:1716224
mem_fragmentation_ratio:12.14
mem_fragmentation_bytes:5137992
mem_not_counted_for_evict:0
mem_replication_backlog:0
mem_clients_slaves:0
mem_clients_normal:0
mem_aof_buffer:0
mem_allocator:jemalloc-5.1.0
active_defrag_running:0
lazyfree_pending_objects:0

Persistence

loading:0
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:0
rdb_last_save_time:1575098091
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:0
rdb_current_bgsave_time_sec:-1
rdb_last_cow_size:159744
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0
module_fork_in_progress:0
module_fork_last_cow_size:0

Stats

total_connections_received:626
total_commands_processed:624
instantaneous_ops_per_sec:0
total_net_input_bytes:660487
total_net_output_bytes:28460
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:4
sync_full:0
sync_partial_ok:0
sync_partial_err:0
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
expire_cycle_cpu_milliseconds:450
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:376
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0
tracking_used_slots:0

Replication

role:master
connected_slaves:0
master_replid:26e74a5684e9555d93bc50febfe4d14ebd440c5a
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:0
repl_backlog_size:1048576
repl_backlog_first_byte_offset:0
repl_backlog_histlen:0

CPU

used_cpu_sys:18.329356
used_cpu_user:21.013227
used_cpu_sys_children:0.002555
used_cpu_user_children:0.000000

Modules

Commandstats

cmdstat_restore:calls=624,usec=659,usec_per_call=1.06

Cluster

cluster_enabled:0

Keyspace

db0:keys=1,expires=0,avg_ttl=0

------ CLIENT LIST OUTPUT ------

------ REGISTERS ------
9215:M 30 Nov 2019 22:36:12.635 #
RAX:0000000000000000 RBX:00007fc41d815140
RCX:000055d4daaa47c0 RDX:000055d4dacfdb40
RDI:00007fc41eca6730 RSI:0000000000000000
RBP:00007fc41eca6730 RSP:00007fff5c0d1c50
R8 :0000000000000000 R9 :0000000000000004
R10:00000000000000eb R11:00000000000000eb
R12:0000000000000000 R13:000055d4dacfa860
R14:00007fff5c0d1dac R15:0000000000000007
RIP:000055d4daa531e9 EFL:0000000000010246
CSGSFS:002b000000000033
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c5f) -> 72c9219fde312600
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c5e) -> 7902000000000000
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c5d) -> 0000000000000000
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c5c) -> 0000000000000000
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c5b) -> 0000000000000000
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c5a) -> 0000000000000000
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c59) -> 00003130322e3936
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c58) -> 2e3930312e303531
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c57) -> 000055d4da961c6f
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c56) -> 00007fff5c0d1dac
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c55) -> 000055d4dacfa860
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c54) -> 00007fff5c0d1c90
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c53) -> 00007fc41d829c40
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c52) -> 00007fc41d815140
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c51) -> 72c9219fde312600
9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c50) -> 000055d4dacfa860

------ MODULES INFO OUTPUT ------

------ FAST MEMORY TEST ------
9215:M 30 Nov 2019 22:36:12.636 # Bio thread for job type #0 terminated
9215:M 30 Nov 2019 22:36:12.636 # Bio thread for job type #1 terminated
9215:M 30 Nov 2019 22:36:12.636 # Bio thread for job type #2 terminated
*** Preparing to test memory region 55d4dace5000 (2260992 bytes)
*** Preparing to test memory region 55d4db8e0000 (135168 bytes)
*** Preparing to test memory region 7fc41aa2c000 (8388608 bytes)
*** Preparing to test memory region 7fc41b22d000 (8388608 bytes)
*** Preparing to test memory region 7fc41ba2e000 (8388608 bytes)
*** Preparing to test memory region 7fc41c22f000 (8388608 bytes)
*** Preparing to test memory region 7fc41d400000 (8388608 bytes)
*** Preparing to test memory region 7fc41e0da000 (16384 bytes)
*** Preparing to test memory region 7fc41e2f9000 (16384 bytes)
*** Preparing to test memory region 7fc41eca6000 (32768 bytes)
*** Preparing to test memory region 7fc41ecd0000 (4096 bytes)
.O.O.O.O.O.O.O.O.O.O.O
Fast memory test PASSED, however your memory can still be broken. Please run a memory test for several hours if possible.

------ DUMPING CODE AROUND EIP ------
Symbol: je_large_dalloc (base: 0x55d4daa531c0)
Module: ./src/redis-server *:6379 (base 0x55d4da912000)
$ xxd -r -p /tmp/dump.hex /tmp/dump.bin
$ objdump --adjust-vma=0x55d4daa531c0 -D -b binary -m i386:x86-64 /tmp/dump.bin

9215:M 30 Nov 2019 22:36:12.726 # dump of function (hexdump of 169 bytes):
41564155488d1575a92a004154554989f4534889fd4883ec1064488b042528000000488944240831c0488b0625ff0f0000488b1cc28b0d85a82a00488bb310680000390e0f8396000000803db6302900000f850a0100004c89e24889de4889efe8cb50fcff4889e24c89e14889de4889ef48c7042400000000e8e24cfcff4885ed743c488b8db80100004c8ba3106800004885c9418b34240f84120100003b75040f830901000089f2
Function at 0x55d4daa182f0 is je_arena_extent_dalloc_large_prep
Function at 0x55d4daa17f20 is je_arena_extents_dirty_dalloc

=== REDIS BUG REPORT END. Make sure to include from START to END. ===

version information

commit a1b654819cc0031ba30910afa1d68174d4f926ae (HEAD -> unstable, origin/unstable, origin/HEAD)
Merge: a4066989 ed226976
Author: Salvatore Sanfilippo <antirez@gmail.com>
Date:   Mon Nov 25 17:54:21 2019 +0100

    Merge pull request #6598 from oranagra/module-hook-test
    
    try to fix an unstable test (module hook for loading progress)

@oranagra
Member

what i see is a server with one key, that processed only RESTORE commands (unless CONFIG RESETSTAT was used).
and i see it crashed in the allocator while trying to accept a new connection.
very odd..

@ChijinZ did you figure this out eventually?
i see this is an old copy of unstable, and i never saw anything similar to this, so i tend to assume this was just some flop.
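
The reading of the report described in the comment above (signal, crashing frame, which commands ran), as an added example that is not part of the original thread or of Redis: a small parser run over lines copied from the report. The function names are hypothetical, and the check that `used_memory_dataset` equals `used_memory - used_memory_overhead` wrapped to 64 bits is arithmetic on the reported numbers, not a diagnosis of the crash.

```python
import re

# Lines copied from the crash report posted in this issue (excerpt).
REPORT = """\
9215:M 30 Nov 2019 22:36:12.632 # Redis 999.999.999 crashed by signal: 11
./src/redis-server *:6379(logStackTrace+0x5a)[0x55d4da99967a]
./src/redis-server *:6379(sigsegvHandler+0xb1)[0x55d4da999e31]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x12890)[0x7fc41e0f0890]
./src/redis-server *:6379(je_large_dalloc+0x29)[0x55d4daa531e9]
./src/redis-server *:6379(clientAcceptHandler+0x13f)[0x55d4da961c6f]
uptime_in_seconds:30082
used_memory:461304
used_memory_overhead:523680
used_memory_dataset:18446744073709489240
cmdstat_restore:calls=624,usec=659,usec_per_call=1.06
"""

FRAME = re.compile(r"\((\w*)\+0x[0-9a-f]+\)\[0x[0-9a-f]+\]$")

def parse_report(text):
    """Split a crash report into signal, backtrace symbols, INFO integers and cmdstats."""
    out = {"signal": None, "frames": [], "info": {}, "cmdstats": {}}
    for line in text.splitlines():
        if m := re.search(r"crashed by signal: (\d+)", line):
            out["signal"] = int(m.group(1))
        elif m := FRAME.search(line):
            out["frames"].append(m.group(1))  # "" when the frame has no symbol
        elif m := re.fullmatch(r"cmdstat_(\w+):calls=(\d+),.*", line):
            out["cmdstats"][m.group(1)] = int(m.group(2))
        elif m := re.fullmatch(r"(\w+):(-?\d+)", line):
            out["info"][m.group(1)] = int(m.group(2))
    return out

def triage(rep):
    """Reduce a parsed report to the facts checked first when reading it."""
    info = rep["info"]
    # Frames up to and including the signal handler are crash-reporting code.
    start = rep["frames"].index("sigsegvHandler") + 1
    stack = [f for f in rep["frames"][start:] if f]
    # An unsigned 64-bit used_memory - used_memory_overhead wraps if overhead is larger.
    wrapped = (info["used_memory"] - info["used_memory_overhead"]) % 2**64
    return {
        "signal": rep["signal"],
        "faulting_frame": stack[0],
        "caller": stack[1],
        "commands_seen": sorted(rep["cmdstats"]),
        "uptime_s": info["uptime_in_seconds"],
        "dataset_wrapped": wrapped == info["used_memory_dataset"],
    }
```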

@oranagra oranagra added the state:to-be-closed requesting the core team to close the issue label Aug 22, 2021
@carnil

carnil commented Sep 20, 2021

It appears that CVE-2020-21468 was assigned for this issue.

@oranagra
Member

Assigned by who?
What's the point of a CVE if no one knows how it happened and how to reproduce it?

I suspect it was a bad build crashing right at startup (no commands, no clients, uptime of 0).
Also the crash report here is about a build from the unstable branch, not 5.0.7

@carnil

carnil commented Sep 21, 2021

> Assigned by who?
> What's the point of a CVE if no one knows how it happened and how to reproduce it?
>
> I suspect it was a bad build crashing right at startup (no commands, no clients, uptime of 0).
> Also the crash report here is about a build from the unstable branch, not 5.0.7

Assigned through MITRE.

I do not know, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21468 contains the references to this issue, but MITRE will not share the requestor. @ChijinZ might want to provide more information on how to reproduce, or otherwise the CVE should be disputed if it's not a valid issue.

@oranagra
Member

If this turns out to be a real security issue, please share the info with redis@redis.io

@oranagra
Member

no response...
i'm closing this as an invalid report. seems like a bad build of unstable or something like that.
