knotd crash when a transfer is in progress and reload is issued
Steps to reproduce:
- Configure knotd as a slave; the master will be ::1@53001
- Launch nc -k -l ::1 530001
- Launch knot
- Once a bootstrap attempt is made, issue knotc reload
- Wait until the transfer connection times out.
ASAN report:
=================================================================
==31308==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00000d3c0 at pc 0x0000004ec518 bp 0x7faa32fe6e90 sp 0x7faa32fe6e88
READ of size 4 at 0x61d00000d3c0 thread T1
#0 0x4ec517 in conf_str /tmp/knot/src/knot/conf/conf.c:473:2
#1 0x56b8b4 in zone_master_try /tmp/knot/src/knot/zone/zone.c:293:4
#2 0x55cf25 in event_xfer /tmp/knot/src/knot/zone/events/handlers.c:489:12
#3 0x55a3de in event_wrap /tmp/knot/src/knot/zone/events/events.c:188:15
#4 0x550c73 in worker_main /tmp/knot/src/knot/worker/pool.c:78:3
#5 0x52ddff in thread_ep /tmp/knot/src/knot/server/dthreads.c:161:4
#6 0x7faa5776e609 in start_thread (/lib64/libpthread.so.0+0x7609)
#7 0x7faa56d87a4c in __clone (/lib64/libc.so.6+0x102a4c)
0x61d00000d3c0 is located 320 bytes inside of 2184-byte region [0x61d00000d280,0x61d00000db08)
freed by thread T0 here:
#0 0x4b66bb in __interceptor_free /home/nikola/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30:3
#1 0x57efda in unset_item /tmp/knot/src/libknot/yparser/ypscheme.c:130:3
#2 0x57ef2f in yp_scheme_free /tmp/knot/src/libknot/yparser/ypscheme.c:182:3
#3 0x4e2ec3 in conf_free /tmp/knot/src/knot/conf/base.c:320:2
#4 0x4e2e5a in conf_update /tmp/knot/src/knot/conf/base.c:309:3
#5 0x533c8a in server_reload /tmp/knot/src/knot/server/server.c:519:3
#6 0x58e2b3 in ctl_reload /tmp/knot/src/knot/ctl/commands.c:272:9
#7 0x502b20 in remote_answer /tmp/knot/src/knot/ctl/remote.c:282:10
#8 0x503f57 in remote_process /tmp/knot/src/knot/ctl/remote.c:331:9
#9 0x4dfcda in event_loop /tmp/knot/src/utils/knotd/main.c:220:10
#10 0x4de8f5 in main /tmp/knot/src/utils/knotd/main.c:500:2
#11 0x7faa56ca557f in __libc_start_main (/lib64/libc.so.6+0x2057f)
previously allocated by thread T0 here:
#0 0x4b699b in __interceptor_malloc /home/nikola/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40:3
#1 0x5809d7 in set_grp_item /tmp/knot/src/libknot/yparser/ypscheme.c:60:19
#2 0x57eeb4 in set_item /tmp/knot/src/libknot/yparser/ypscheme.c:120:10
#3 0x57ecd9 in yp_scheme_copy /tmp/knot/src/libknot/yparser/ypscheme.c:164:13
#4 0x4e1579 in conf_clone /tmp/knot/src/knot/conf/base.c:238:12
#5 0x533ae0 in server_reload /tmp/knot/src/knot/server/server.c:493:13
#6 0x58e2b3 in ctl_reload /tmp/knot/src/knot/ctl/commands.c:272:9
#7 0x502b20 in remote_answer /tmp/knot/src/knot/ctl/remote.c:282:10
#8 0x503f57 in remote_process /tmp/knot/src/knot/ctl/remote.c:331:9
#9 0x4dfcda in event_loop /tmp/knot/src/utils/knotd/main.c:220:10
#10 0x4de8f5 in main /tmp/knot/src/utils/knotd/main.c:500:2
#11 0x7faa56ca557f in __libc_start_main (/lib64/libc.so.6+0x2057f)
Thread T1 created by T0 here:
#0 0x49e5f9 in __interceptor_pthread_create /home/nikola/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:232:3
#1 0x52c9bc in dt_start_id /tmp/knot/src/knot/server/dthreads.c:461:12
#2 0x52c6d8 in dt_start /tmp/knot/src/knot/server/dthreads.c:484:13
#3 0x550ddc in worker_pool_start /tmp/knot/src/knot/worker/pool.c:145:2
#4 0x533501 in server_start /tmp/knot/src/knot/server/server.c:437:2
#5 0x4de802 in main /tmp/knot/src/utils/knotd/main.c:480:8
#6 0x7faa56ca557f in __libc_start_main (/lib64/libc.so.6+0x2057f)
SUMMARY: AddressSanitizer: heap-use-after-free /tmp/knot/src/knot/conf/conf.c:473:2 in conf_str
Shadow bytes around the buggy address:
0x0c3a7fff9a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff9a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff9a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fff9a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fff9a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3a7fff9a70: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x0c3a7fff9a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fff9a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fff9aa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fff9ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fff9ac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==31308==ABORTING
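The trace above shows worker thread T1 still dereferencing, from zone_master_try via conf_str, a configuration object that T0 freed in conf_update while handling the reload. The following is an added example, not Knot's code and not its fix: a hypothetical conf_t carrying a reference count, so that a reload publishes the new configuration but drops only the global's own reference, and an in-flight transfer keeps the old object alive until the event finishes. The conf_t struct, the g_conf global, the spinlock, the helper names and the port values are assumptions; the report's interleaving is replayed deterministically in one thread.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for knotd's conf_t: a reference count plus the one
 * value the worker in the report reads (the master address). */
typedef struct {
    atomic_int refs;
    char *master;
} conf_t;

static int g_freed;                               /* conf_t objects freed so far */
static conf_t *g_conf;                            /* the active configuration */
static atomic_flag g_lock = ATOMIC_FLAG_INIT;     /* guards the pointer swap */

static void swap_lock(void)   { while (atomic_flag_test_and_set(&g_lock)) { } }
static void swap_unlock(void) { atomic_flag_clear(&g_lock); }

static conf_t *conf_new(const char *master) {
    conf_t *c = calloc(1, sizeof(*c));
    if (c == NULL) abort();
    atomic_init(&c->refs, 1);                     /* the reference held by g_conf */
    c->master = strdup(master);
    return c;
}

/* Drop one reference; the object is freed only when the last holder lets go. */
static void conf_release(conf_t *c) {
    if (c != NULL && atomic_fetch_sub(&c->refs, 1) == 1) {
        free(c->master);
        free(c);
        g_freed++;
    }
}

/* Worker side (T1 in the report): pin the config for the whole event.
 * The unsafe pattern is keeping a raw pointer to g_conf across a blocking
 * step; a reload on T0 can then free it, which is what conf_str hit. */
static conf_t *conf_acquire(void) {
    swap_lock();
    conf_t *c = g_conf;
    atomic_fetch_add(&c->refs, 1);
    swap_unlock();
    return c;
}

/* Reload side (T0): publish the new config and drop only the global's own
 * reference, so an in-flight transfer keeps the old object alive. */
static void conf_update(conf_t *fresh) {
    swap_lock();
    conf_t *old = g_conf;
    g_conf = fresh;
    swap_unlock();
    conf_release(old);
}

/* Replay the report's interleaving: the worker starts a transfer, a reload
 * lands while it is blocked, and the worker reads the config only after the
 * connection times out. Returns 1 when the late read still sees the snapshot
 * it started with and the old config is freed exactly once, after the worker
 * released it. */
int simulate_reload_during_transfer(void) {
    g_freed = 0;
    g_conf = conf_new("::1@53001");               /* constructed: master from the report */

    conf_t *snap = conf_acquire();                /* T1: bootstrap attempt begins */
    conf_update(conf_new("::1@53002"));           /* T0: knotc reload (constructed new master) */
    int freed_early = g_freed;                    /* old conf must still be alive */

    int same = strcmp(snap->master, "::1@53001") == 0;  /* T1: zone_master_try reads master */
    conf_release(snap);                           /* T1: transfer timed out, event done */
    int freed_late = g_freed;                     /* now the old conf may go */

    conf_release(g_conf);                         /* tear down the live config */
    g_conf = NULL;
    return freed_early == 0 && same && freed_late == 1 && g_freed == 2;
}

int main(void) {
    printf("reload during transfer handled safely: %s\n",
           simulate_reload_during_transfer() ? "yes" : "no");
    return 0;
}
```

Build with a C11 compiler (cc -std=c11 example.c) and run under ASAN to confirm the old object is released rather than freed early. The point to carry over to a real daemon is that conf_acquire and conf_release must bracket the entire event, including the blocking wait on the transfer socket, because that wait is the window in which the reload landed in the report; a daemon would use a proper mutex or an RCU-style scheme instead of the spinlock used here.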