Redis server crashes with illegal msgpack string (bug in lua-cmsgpack) #2210

Closed
dubek opened this Issue Dec 12, 2014 · 6 comments


dubek commented Dec 12, 2014

The following command crashes the Redis server (on unstable but I guess any version that contains lua-cmsgpack):

EVAL "return cmsgpack.unpack('\\219\\255\\255\\255\\255Z')" 0

The bug is in lua-cmsgpack and its handling of 32-bit length fields which contain big values. Here's a description and fix for lua-cmsgpack: antirez/lua-cmsgpack#36

Redis server output:

=== REDIS BUG REPORT START: Cut & paste starting from here ===
26108:M 12 Dec 15:23:53.734 #     Redis 2.9.999 crashed by signal: 11
26108:M 12 Dec 15:23:53.734 #     Failed assertion: <no assertion failed> (<no file>:0)
26108:M 12 Dec 15:23:53.734 # --- STACK TRACE
./redis-server *:6379(logStackTrace+0x43)[0x44f623]
./redis-server *:6379[0x4788a8]
/lib64/libpthread.so.0[0x3156a0f710]
./redis-server *:6379[0x4788a8]
./redis-server *:6379(lua_pushlstring+0x42)[0x46f892]
./redis-server *:6379(mp_decode_to_lua_type+0x21c)[0x48707c]
./redis-server *:6379[0x487596]
./redis-server *:6379[0x472859]
./redis-server *:6379[0x47bcd4]
./redis-server *:6379[0x472d3d]
./redis-server *:6379[0x4723e7]
./redis-server *:6379[0x472462]
./redis-server *:6379(lua_pcall+0x4f)[0x46fb8f]
./redis-server *:6379(evalGenericCommand+0x42a)[0x45b2ea]
./redis-server *:6379(call+0x72)[0x41f6c2]
./redis-server *:6379(processCommand+0x44d)[0x41fd4d]
./redis-server *:6379(processInputBuffer+0x4f)[0x42bc8f]
./redis-server *:6379(readQueryFromClient+0xc2)[0x42bdd2]
./redis-server *:6379(aeProcessEvents+0x13c)[0x419a9c]
./redis-server *:6379(aeMain+0x2b)[0x419d5b]
./redis-server *:6379(main+0x2e3)[0x4233e3]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x315621ed5d]
./redis-server *:6379[0x4190b9]

Let me know if more info is needed in order to solve this.

Note: the bug in lua-cmsgpack was found using a scan with american fuzzy lop.
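To make the failure mode concrete, here is a small defensive decoder for the msgpack str family, written as an added example; it is neither lua-cmsgpack's code nor the fix from antirez/lua-cmsgpack#36, and the type and function names are the example's own. It reads the 32-bit length field of the issue's payload and rejects it because the declared length, compared as an unsigned size_t, exceeds the bytes actually remaining after the header.

```c
#include <stddef.h>
#include <stdint.h>

/* Result of decoding one msgpack str object (example's own type). */
typedef struct {
    const unsigned char *data; /* start of the string bytes inside the input, or NULL */
    size_t len;                /* declared length, only meaningful when ok == 1 */
    int ok;                    /* 1 = decoded, 0 = malformed or truncated input */
} mp_str_result;

/* Read a big-endian 32-bit length byte by byte: no alignment or host-endian assumptions. */
static uint32_t mp_load_u32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Decode a single msgpack string (fixstr, str 8, str 16, str 32) from buf[0..avail).
 * The declared length is compared, as an unsigned size_t, against the bytes that are
 * actually left after the header; that comparison is what keeps a hostile length such
 * as 0xffffffff from ever reaching a copy or a call like lua_pushlstring. */
mp_str_result mp_decode_str(const unsigned char *buf, size_t avail) {
    mp_str_result r = { NULL, 0, 0 };
    size_t hdr, len;
    unsigned char b;
    if (avail < 1) return r;
    b = buf[0];
    if ((b & 0xe0) == 0xa0) {             /* fixstr: length in the low 5 bits */
        hdr = 1; len = b & 0x1f;
    } else if (b == 0xd9 && avail >= 2) { /* str 8 */
        hdr = 2; len = buf[1];
    } else if (b == 0xda && avail >= 3) { /* str 16 */
        hdr = 3; len = ((size_t)buf[1] << 8) | buf[2];
    } else if (b == 0xdb && avail >= 5) { /* str 32 */
        hdr = 5; len = mp_load_u32(buf + 1);
    } else {
        return r;                         /* not a str type, or header truncated */
    }
    if (len > avail - hdr) return r;      /* body would run past the buffer: reject */
    r.data = buf + hdr; r.len = len; r.ok = 1;
    return r;
}

/* The issue's payload, Lua "\219\255\255\255\255Z", as raw bytes (constructed here). */
static const unsigned char crash_input[] = { 0xdb, 0xff, 0xff, 0xff, 0xff, 'Z' };

/* Returns 1 when the decoder refuses the payload instead of over-reading. */
int crash_input_is_rejected(void) {
    mp_str_result r = mp_decode_str(crash_input, sizeof crash_input);
    return r.ok == 0;
}
```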

dubek commented Dec 12, 2014

BTW - sorry for posting about this to Redis-Dev mailing list - I didn't read the instructions correctly.

mattsta (Contributor) commented Dec 12, 2014

Wow, that is an inconvenient error. Thanks for tracking it down!

antirez (Owner) commented Dec 12, 2014

Thank you a lot @dubek

antirez closed this Dec 12, 2014

antirez added a commit that referenced this issue Dec 12, 2014

Lua cmsgpack lib updated to latest version.
It fixes a bad bug that crashes the server in certain conditions
as shown in issue #2210.


antirez (Owner) commented Dec 12, 2014

Lua-cmsgpack updated in all the branches.

mattsta referenced this issue in antirez/lua-cmsgpack Dec 18, 2014

Merged

Remove static function declarations #37

TheBeeMan commented Jan 18, 2016

Could you provide the testcases?

dubek commented Jan 18, 2016

@TheBeeMan look at the EVAL command in the original post.
