
[BUG] server accessing uninitialized memory when SCRIPT, INTERSTORE and UNIONSTORE commands are processed #578

Open
hoyhoy opened this issue May 30, 2024 · 3 comments

Comments

@hoyhoy

hoyhoy commented May 30, 2024

The valkey server appears to be reading from uninitialized memory in several places. Sometimes, random bits are XOR'd together for "entropy" and it doesn't matter -- which is possibly the case with lz4, but the sinterGenericCommand() and sunionDiffGenericCommand() look bad and possibly exploitable.

SUMMARY: MemorySanitizer: use-of-uninitialized-value /p/b/redis2e2c76e50e46b/b/src/lzf_c.c:164 in lzf_compress
==redis-server==1707645==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55e7c37ac0d7 in lzf_compress /p/b/redis2e2c76e50e46b/b/src/lzf_c.c:164
    #1 0x55e7c3871379 in rdbSaveRawString /p/b/redis2e2c76e50e46b/b/src/rdb.c:378
    #2 0x55e7c387c0d8 in rdbSaveObject /p/b/redis2e2c76e50e46b/b/src/rdb.c:951
    #3 0x55e7c39c73c0 in createDumpPayload /p/b/redis2e2c76e50e46b/b/src/cluster.c:6528
    #4 0x55e7c39c79e6 in dumpCommand /p/b/redis2e2c76e50e46b/b/src/cluster.c:6593
    #5 0x55e7c37706c6 in call /p/b/redis2e2c76e50e46b/b/src/server.c:3519
    #6 0x55e7c3b9975b in scriptCall /p/b/redis2e2c76e50e46b/b/src/script.c:566
    #7 0x55e7c3b94739 in luaRedisGenericCommand /p/b/redis2e2c76e50e46b/b/src/script_lua.c:933
    #8 0x55e7c3c08cf9 in luaD_precall :?
    #9 0x55e7c3c5b319 in luaV_execute :?
    #10 0x55e7c3c0e3a6 in luaD_call :?
    #11 0x55e7c3c06b10 in luaD_rawrunprotected :?
    #12 0x55e7c3c0f622 in luaD_pcall :?
    #13 0x55e7c3bf92d6 in lua_pcall ??:?
    #14 0x55e7c3b9220f in luaCallFunction /p/b/redis2e2c76e50e46b/b/src/script_lua.c:?
    #15 0x55e7c39dcd8c in evalGenericCommand /p/b/redis2e2c76e50e46b/b/src/eval.c:536
    #16 0x55e7c37706c6 in call /p/b/redis2e2c76e50e46b/b/src/server.c:3519
    #17 0x55e7c37783dc in processCommand /p/b/redis2e2c76e50e46b/b/src/server.c:4160
    #18 0x55e7c37fe6f6 in processInputBuffer /p/b/redis2e2c76e50e46b/b/src/networking.c:2466
    #19 0x55e7c37d9951 in readQueryFromClient /p/b/redis2e2c76e50e46b/b/src/networking.c:2713
    #20 0x55e7c3b79301 in connSocketEventHandler /p/b/redis2e2c76e50e46b/b/src/./connhelpers.h:79
    #21 0x55e7c373b4c2 in aeProcessEvents /p/b/redis2e2c76e50e46b/b/src/ae.c:436
    #22 0x55e7c373ce81 in aeMain /p/b/redis2e2c76e50e46b/b/src/ae.c:496
    #23 0x55e7c3797088 in main /p/b/redis2e2c76e50e46b/b/src/server.c:7360
    #24 0x7ff623561d84 in __libc_start_main ??:?
    #25 0x55e7c36900bd in _start ??:?

  raw origin id: -2147480726
  Uninitialized value was created by an allocation of 'htab' in the stack frame
    #0 0x55e7c37ab5a9 in lzf_compress /p/b/redis2e2c76e50e46b/b/src/lzf_c.c:117
SUMMARY: MemorySanitizer: use-of-uninitialized-value /p/b/redis2e2c76e50e46b/b/src/t_set.c:1557 in sunionDiffGenericCommand
==redis-server==1707645==WARNING: MemorySanitizer: use-of-uninitialized-value
 #0 0x55e7c38c812d in sinterGenericCommand /p/b/redis2e2c76e50e46b/b/src/t_set.c:1366
 #1 0x55e7c37706c6 in call /p/b/redis2e2c76e50e46b/b/src/server.c:3519
 #2 0x55e7c37783dc in processCommand /p/b/redis2e2c76e50e46b/b/src/server.c:4160
 #3 0x55e7c37fe6f6 in processInputBuffer /p/b/redis2e2c76e50e46b/b/src/networking.c:2466
 #4 0x55e7c37d9951 in readQueryFromClient /p/b/redis2e2c76e50e46b/b/src/networking.c:2713
 #5 0x55e7c3b79301 in connSocketEventHandler /p/b/redis2e2c76e50e46b/b/src/./connhelpers.h:79
 #6 0x55e7c373b4c2 in aeProcessEvents /p/b/redis2e2c76e50e46b/b/src/ae.c:436
 #7 0x55e7c373ce81 in aeMain /p/b/redis2e2c76e50e46b/b/src/ae.c:496
 #8 0x55e7c3797088 in main /p/b/redis2e2c76e50e46b/b/src/server.c:7360
 #9 0x7ff623561d84 in __libc_start_main ??:?
 #10 0x55e7c36900bd in _start ??:?
SUMMARY: MemorySanitizer: use-of-uninitialized-value /p/b/redis2e2c76e50e46b/b/src/t_set.c:1557:32 in sunionDiffGenericCommand
==redis-server==3048125==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x55a5c93b959e in sunionDiffGenericCommand /p/b/redis2e2c76e50e46b/b/src/t_set.c:1557:32
    #1 0x55a5c92676c6 in call /p/b/redis2e2c76e50e46b/b/src/server.c:3519:5
    #2 0x55a5c926f3dc in processCommand /p/b/redis2e2c76e50e46b/b/src/server.c:4160:9
    #3 0x55a5c92f56f6 in processCommandAndResetClient /p/b/redis2e2c76e50e46b/b/src/networking.c:2466:9
    #4 0x55a5c92f56f6 in processInputBuffer /p/b/redis2e2c76e50e46b/b/src/networking.c:2574:17
    #5 0x55a5c92d0951 in readQueryFromClient /p/b/redis2e2c76e50e46b/b/src/networking.c:2713:9
    #6 0x55a5c9670301 in callHandler /p/b/redis2e2c76e50e46b/b/src/./connhelpers.h:79:18
    #7 0x55a5c9670301 in connSocketEventHandler /p/b/redis2e2c76e50e46b/b/src/socket.c:298:14
    #8 0x55a5c92324c2 in aeProcessEvents /p/b/redis2e2c76e50e46b/b/src/ae.c:436:17
    #9 0x55a5c9233e81 in aeMain /p/b/redis2e2c76e50e46b/b/src/ae.c:496:9
    #10 0x55a5c928e088 in main /p/b/redis2e2c76e50e46b/b/src/server.c:7360:5
    #11 0x7fde96abed84 in __libc_start_main ../csu/libc-start.c:302:16
    #12 0x55a5c91870bd in _start (build/debug/bin/redis-server+0x1730bd)

  raw origin id: -1879047711
  Uninitialized value was stored to memory at
    #0 0x55a5c93b9597 in sunionDiffGenericCommand /p/b/redis2e2c76e50e46b/b/src/t_set.c:1557:64
    #1 0x55a5c92676c6 in call /p/b/redis2e2c76e50e46b/b/src/server.c:3519:5
    #2 0x55a5c926f3dc in processCommand /p/b/redis2e2c76e50e46b/b/src/server.c:4160:9
    #3 0x55a5c92f56f6 in processCommandAndResetClient /p/b/redis2e2c76e50e46b/b/src/networking.c:2466:9
    #4 0x55a5c92f56f6 in processInputBuffer /p/b/redis2e2c76e50e46b/b/src/networking.c:2574:17
    #5 0x55a5c92d0951 in readQueryFromClient /p/b/redis2e2c76e50e46b/b/src/networking.c:2713:9
    #6 0x55a5c9670301 in callHandler /p/b/redis2e2c76e50e46b/b/src/./connhelpers.h:79:18
    #7 0x55a5c9670301 in connSocketEventHandler /p/b/redis2e2c76e50e46b/b/src/socket.c:298:14
    #8 0x55a5c92324c2 in aeProcessEvents /p/b/redis2e2c76e50e46b/b/src/ae.c:436:17
    #9 0x55a5c9233e81 in aeMain /p/b/redis2e2c76e50e46b/b/src/ae.c:496:9
    #10 0x55a5c928e088 in main /p/b/redis2e2c76e50e46b/b/src/server.c:7360:5
    #11 0x7fde96abed84 in __libc_start_main ../csu/libc-start.c:302:16
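The lzf_compress report above traces the uninitialized value to a stack-allocated 'htab'. As an added illustration, not code from valkey, redis or liblzf, here is a simplified LZ-style candidate table of that general shape, showing why an uninitialized table is only "harmless" when every slot is bounds-checked and byte-compared before use, and that zeroing the table is the change that makes MSAN quiet and the result deterministic. The table size, hash and sample input are this example's own; whether lzf validates its candidates the same way is not something the report states.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define HSIZE 32768u   /* 15-bit slot index, see hash3() */
#define MIN_MATCH 3

/* Slot index for the three bytes at in[pos]. The sample input is restricted to
 * lowercase letters and spaces, which each map to 0..31, so this is injective
 * and the example has no collisions to reason about; real compressors hash more
 * aggressively and rely on validation to tolerate collisions. */
static uint32_t hash3(const unsigned char *in, size_t pos) {
    return ((uint32_t)(in[pos] & 31) << 10) | ((uint32_t)(in[pos + 1] & 31) << 5)
         | (uint32_t)(in[pos + 2] & 31);
}

/* Length of the match between in[pos..] and the earlier position stored in
 * htab, or 0. A slot is only a hint: it is trusted after a bounds check (it
 * must point strictly backwards) and a byte-for-byte compare. Those checks are
 * what make a stale slot harmless; a table read without them turns whatever
 * the memory held into an out-of-bounds index. */
static size_t find_match(const unsigned char *in, size_t len, size_t pos, uint32_t *htab) {
    if (pos + MIN_MATCH > len) return 0;
    uint32_t h = hash3(in, pos);
    uint32_t cand = htab[h];     /* were htab uninitialized, MSAN would report the first use of cand */
    htab[h] = (uint32_t)pos;     /* remember the current position for later lookups */
    if (cand >= pos) return 0;   /* bounds check */
    size_t n = 0;
    while (pos + n < len && in[cand + n] == in[pos + n]) n++;
    return n < MIN_MATCH ? 0 : n;
}

/* Scan the input and return the number of bytes covered by validated matches.
 * The table is zeroed first: that is the fix that silences the MSAN report and
 * makes the result independent of stale stack contents. */
size_t matched_bytes(const unsigned char *in, size_t len) {
    uint32_t htab[HSIZE];
    memset(htab, 0, sizeof htab);
    size_t pos = 0, covered = 0;
    while (pos < len) {
        size_t n = find_match(in, len, pos, htab);
        if (n) { covered += n; pos += n; } else pos++;
    }
    return covered;
}

/* Constructed sample: the phrase repeats, so the second copy matches the first. */
size_t demo(void) {
    static const unsigned char in[] = "uninitialized htab uninitialized htab";
    return matched_bytes(in, sizeof in - 1);   /* 18 bytes covered */
}
```

Building this with clang -fsanitize=memory and deleting the memset reproduces the kind of report shown above, which is the quickest way to confirm a sanitizer build is actually active.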
@hoyhoy hoyhoy changed the title [BUG] server reading from uninitialized memory when SCRIPT, INTERSTORE and UNIONSTORE commands are processed [BUG] server accessing from uninitialized memory when SCRIPT, INTERSTORE and UNIONSTORE commands are processed May 30, 2024
@hoyhoy hoyhoy changed the title [BUG] server accessing from uninitialized memory when SCRIPT, INTERSTORE and UNIONSTORE commands are processed [BUG] server accessing uninitialized memory when SCRIPT, INTERSTORE and UNIONSTORE commands are processed May 30, 2024
@madolson
Member

@hoyhoy Can you paste the commands you ran to cause this use? I wasn't able to naively reproduce it.

@hoyhoy
Author

hoyhoy commented Jun 11, 2024

@madolson Do you have an MSAN build? It's clang on Linux only. Seems to happen immediately. We have a very simple test that does a minimum union and intersection, and clang -fsanitize=memory flags it. Redis is reading and writing uninitialized memory.

@madolson
Member

Will take a look.
