Redis server crashes with illegal msgpack string (bug in lua-cmsgpack) #2210

Closed
dubek opened this issue Dec 12, 2014 · 6 comments
@dubek dubek commented Dec 12, 2014

The following command crashes the Redis server (on unstable but I guess any version that contains lua-cmsgpack):

EVAL "return cmsgpack.unpack('\\219\\255\\255\\255\\255Z')" 0

The bug is in lua-cmsgpack and its handling of 32-bit length fields which contain big values. Here's a description and fix for lua-cmsgpack: antirez/lua-cmsgpack#36

Redis server output:

=== REDIS BUG REPORT START: Cut & paste starting from here ===
26108:M 12 Dec 15:23:53.734 #     Redis 2.9.999 crashed by signal: 11
26108:M 12 Dec 15:23:53.734 #     Failed assertion: <no assertion failed> (<no file>:0)
26108:M 12 Dec 15:23:53.734 # --- STACK TRACE
./redis-server *:6379(logStackTrace+0x43)[0x44f623]
./redis-server *:6379[0x4788a8]
/lib64/libpthread.so.0[0x3156a0f710]
./redis-server *:6379[0x4788a8]
./redis-server *:6379(lua_pushlstring+0x42)[0x46f892]
./redis-server *:6379(mp_decode_to_lua_type+0x21c)[0x48707c]
./redis-server *:6379[0x487596]
./redis-server *:6379[0x472859]
./redis-server *:6379[0x47bcd4]
./redis-server *:6379[0x472d3d]
./redis-server *:6379[0x4723e7]
./redis-server *:6379[0x472462]
./redis-server *:6379(lua_pcall+0x4f)[0x46fb8f]
./redis-server *:6379(evalGenericCommand+0x42a)[0x45b2ea]
./redis-server *:6379(call+0x72)[0x41f6c2]
./redis-server *:6379(processCommand+0x44d)[0x41fd4d]
./redis-server *:6379(processInputBuffer+0x4f)[0x42bc8f]
./redis-server *:6379(readQueryFromClient+0xc2)[0x42bdd2]
./redis-server *:6379(aeProcessEvents+0x13c)[0x419a9c]
./redis-server *:6379(aeMain+0x2b)[0x419d5b]
./redis-server *:6379(main+0x2e3)[0x4233e3]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x315621ed5d]
./redis-server *:6379[0x4190b9]

Let me know if more info is needed in order to solve this.

Note: the bug in lua-cmsgpack was found using a scan of american fuzzy lop.
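The length-field problem described in the report above, as an added example that is not code from lua-cmsgpack or Redis. The function names are hypothetical, and the wrapping check is an assumed illustration of how a bounds check on a 32-bit length can be defeated by a large value, not the library's actual source.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes of the string passed to cmsgpack.unpack in the report:
 * 0xdb (msgpack str32 tag), declared length 0xffffffff, then one byte 'Z'. */
static const uint8_t issue_input[] = {0xdb, 0xff, 0xff, 0xff, 0xff, 'Z'};
/* Constructed well-formed counterpart: declared length 1, payload 'Z'. */
static const uint8_t valid_input[] = {0xdb, 0x00, 0x00, 0x00, 0x01, 'Z'};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Illustrative weak check (an assumption, not the library's code): header
 * size plus declared length is summed in 32 bits, so 5 + 0xffffffff wraps
 * to 4 and the "enough bytes left" test passes. */
static int str32_check_wrapping(const uint8_t *p, size_t left) {
    if (left < 5 || p[0] != 0xdb) return 0;
    uint32_t need = 5 + be32(p + 1);
    return left >= need;
}

/* Hardened check: compare the declared length with the bytes that remain
 * after the 5-byte header. No addition, so nothing can wrap. */
static int str32_check_safe(const uint8_t *p, size_t left, size_t *len) {
    if (left < 5 || p[0] != 0xdb) return 0;
    uint32_t declared = be32(p + 1);
    if (declared > left - 5) return 0;
    *len = declared;
    return 1;
}

int main(void) {
    size_t len = 0;
    printf("wrapping check, issue input: %d\n",
           str32_check_wrapping(issue_input, sizeof issue_input));
    printf("safe check, issue input:     %d\n",
           str32_check_safe(issue_input, sizeof issue_input, &len));
    int ok = str32_check_safe(valid_input, sizeof valid_input, &len);
    printf("safe check, valid input:     %d (len=%zu)\n", ok, len);
    return 0;
}
```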

Author

@dubek dubek commented Dec 12, 2014

BTW - sorry for posting about this to Redis-Dev mailing list - I didn't read the instructions correctly.

Contributor

@mattsta mattsta commented Dec 12, 2014

Wow, that is an inconvenient error. Thanks for tracking it down!

Contributor

@antirez antirez commented Dec 12, 2014

Thank you a lot @dubek

@antirez antirez closed this Dec 12, 2014
antirez added a commit that referenced this issue Dec 12, 2014
It fixes a bad bug that crashes the server in certain conditions
as shown in issue #2210.
Contributor

@antirez antirez commented Dec 12, 2014

Lua-cmsgpack updated in all the branches.


@soh0ro0t soh0ro0t commented Jan 18, 2016

Could you provide the testcases?

Author

@dubek dubek commented Jan 18, 2016

@TheBeeMan look at the EVAL command in the original post.
