MAAT ipport_plugin double-free causes SAPP to restart abnormally
| ID | Creation Date | Assignee | Status |
|---|---|---|---|
| OMPUB-1133 | 2024-01-31T14:31:03.000+0800 | 刘文坛 | Resolved |
- MAAT ipport_plugin double-free causes SAPP to restart abnormally
** Version: libmaatframe-4.1.27.3f95cb2-1.el8.x86_64
*** !image-2024-01-31-14-33-21-896.png!
** ASAN error report
{code:java}
==160==ERROR: AddressSanitizer: attempting double-free on 0x604002df9190 in thread T10 (SD_DYNAMIC_MAAT):
    #0 0x7ffff6eef7f0 in __interceptor_free (/lib64/libasan.so.5+0xef7f0)
    #1 0x7ffe6924689c in ipport_item_free /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_ipport_plugin.c:358
    #2 0x7ffe69246e19 in ipport_plugin_runtime_update /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_ipport_plugin.c:435
    #3 0x7ffe691dc527 in table_manager_update_runtime /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_table.c:1287
    #4 0x7ffe691b3787 in maat_update_cb /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_rule.c:161
    #5 0x7ffe691d728f in redis_monitor_traverse /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_redis_monitor.c:1431
    #6 0x7ffe691b562c in rule_monitor_loop /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_rule.c:429
    #7 0x7ffff58141c9 in start_thread (/lib64/libpthread.so.0+0x81c9)
    #8 0x7ffff4702e72 in __clone (/lib64/libc.so.6+0x39e72)

0x604002df9190 is located 0 bytes inside of 48-byte region [0x604002df9190,0x604002df91c0)
freed by thread T10 (SD_DYNAMIC_MAAT) here:
    #0 0x7ffff6eef7f0 in __interceptor_free (/lib64/libasan.so.5+0xef7f0)
    #1 0x7ffe691c532c in ex_container_free /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_ex_data.c:181
    #2 0x7ffe692469ad in ipport_plugin_runtime_update_row /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_ipport_plugin.c:384
    #3 0x7ffe69246ded in ipport_plugin_runtime_update /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_ipport_plugin.c:431
    #4 0x7ffe691dc527 in table_manager_update_runtime /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_table.c:1287
    #5 0x7ffe691b3787 in maat_update_cb /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_rule.c:161
    #6 0x7ffe691d728f in redis_monitor_traverse /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_redis_monitor.c:1431
    #7 0x7ffe691b562c in rule_monitor_loop /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_rule.c:429
    #8 0x7ffff58141c9 in start_thread (/lib64/libpthread.so.0+0x81c9)

previously allocated by thread T10 (SD_DYNAMIC_MAAT) here:
    #0 0x7ffff6eefdc0 in calloc (/lib64/libasan.so.5+0xefdc0)
    #1 0x7ffe69245d12 in ipport_item_new /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_ipport_plugin.c:263
    #2 0x7ffe69246cf1 in ipport_plugin_runtime_update /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_ipport_plugin.c:421
    #3 0x7ffe691dc527 in table_manager_update_runtime /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_table.c:1287
    #4 0x7ffe691b3787 in maat_update_cb /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_rule.c:161
    #5 0x7ffe691d728f in redis_monitor_traverse /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_redis_monitor.c:1431
    #6 0x7ffe691b562c in rule_monitor_loop /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_rule.c:429
    #7 0x7ffff58141c9 in start_thread (/lib64/libpthread.so.0+0x81c9)

Thread T10 (SD_DYNAMIC_MAAT) created by T0 here:
    #0 0x7ffff6e52eb3 in __interceptor_pthread_create (/lib64/libasan.so.5+0x52eb3)
    #1 0x7ffe69191729 in maat_new /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_api.c:429
    #2 0x7ffe6a18c43e in maat_feather_init(char const*, char*, char*) /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/firewall/src/policy_match.cpp:2350
    #3 0x7ffe6a18c8b2 in firewall_maat_init(char const*, int, int) /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/firewall/src/policy_match.cpp:2394
    #4 0x7ffe6a1bfa87 in firewall_stellar_runtime_init /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/firewall/src/firewall_session.cpp:3828
    #5 0x7ffe6aad08f0 (plug/stellar_on_sapp/stellar_on_sapp.so+0x28f0)

SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.5+0xef7f0) in __interceptor_free
==160==ABORTING

Thread 11 "SD_DYNAMIC_MAAT" received signal SIGABRT, Aborted.
[Switching to Thread 0x7ffe5a7b2700 (LWP 173)]
0x00007ffff4717acf in raise () from /lib64/libc.so.6
(gdb) bt
#0 0x00007ffff4717acf in raise () from /lib64/libc.so.6
#1 0x00007ffff46eaea5 in abort () from /lib64/libc.so.6
#2 0x00007ffff6f0fc12 in __sanitizer::Abort() () from /lib64/libasan.so.5
#3 0x00007ffff6f1853c in __sanitizer::Die() () from /lib64/libasan.so.5
#4 0x00007ffff6ef7dee in __asan::ReportDoubleFree(unsigned long, __sanitizer::BufferedStackTrace*) () from /lib64/libasan.so.5
#5 0x00007ffff6e2cb85 in __asan::Allocator::Deallocate(void*, unsigned long, __sanitizer::BufferedStackTrace*, __asan::AllocType) () from /lib64/libasan.so.5
#6 0x00007ffff6eef7be in free () from /lib64/libasan.so.5
#7 0x00007ffe6924689d in ipport_item_free (item=0x604002df9190) at /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_ipport_plugin.c:358
#8 0x00007ffe69246e1a in ipport_plugin_runtime_update (ipport_plugin_runtime=0x606008db1200, ipport_plugin_schema=0x60b000054ec0, table_name=0x7ffe5910d958 "TSG_DYN_IPPORT_SUBSCRIBER_MAPPING", line=0x60f002954860 "1611181778\t4\t154.198.114.96\t47744\t47807\t923041254449\t{"imsi":"410010184696090","phone_number":"923041254449"}\t1\t1706682367373\tf28b45f3-69b0-49be-9b77-890fd9f11a22", valid_column=8) at /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_ipport_plugin.c:435
#9 0x00007ffe691dc528 in table_manager_update_runtime (tbl_mgr=0x625001e0f100, table_name=0x7ffe5910d958 "TSG_DYN_IPPORT_SUBSCRIBER_MAPPING", table_id=0, line=0x60f002954860 "1611181778\t4\t154.198.114.96\t47744\t47807\t923041254449\t{"imsi":"410010184696090","phone_number":"923041254449"}\t1\t1706682367373\tf28b45f3-69b0-49be-9b77-890fd9f11a22", update_type=2) at /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_table.c:1287
#10 0x00007ffe691b3788 in maat_update_cb (table_name=0x7ffe5910d958 "TSG_DYN_IPPORT_SUBSCRIBER_MAPPING", line=0x60f002954860 "1611181778\t4\t154.198.114.96\t47744\t47807\t923041254449\t{"imsi":"410010184696090","phone_number":"923041254449"}\t1\t1706682367373\tf28b45f3-69b0-49be-9b77-890fd9f11a22", u_param=0x624000376100) at /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_rule.c:161
#11 0x00007ffe691d7290 in redis_monitor_traverse (version=13448566, mr_ctx=0x624000377b70, start_fn=0x7ffe691b30be <maat_start_cb>, update_fn=0x7ffe691b337a <maat_update_cb>, finish_fn=0x7ffe691b3c0f <maat_finish_cb>, u_param=0x624000376100) at /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_redis_monitor.c:1431
#12 0x00007ffe691b562d in rule_monitor_loop (arg=0x624000376100) at /data1/liuxueli/code/06786edd-7c90-4805-b356-ec8a6176ec8b-dca93cb1-5179-405f-8871-08741e2fb135/stellar/maat/src/maat_rule.c:429
#13 0x00007ffff58141ca in start_thread () from /lib64/libpthread.so.0
#14 0x00007ffff4702e73 in clone () from /lib64/libc.so.6
(gdb)
{code}
liuwentan commented on 2024-01-31T16:49:07.645+0800:
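h2. Root cause
ipport_plugin stores the pointer to a valid rule in ex_data_container. If an invalid configuration is parsed, ex_data_container is freed (which also frees the rule), and the outer layer then checks rule != NULL again, which leads to a double free of the rule.
h2. Solution
Hand ownership of the rule to ex_data_container; the outer layer no longer manages the rule.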
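The ownership bug described in the root-cause comment above, reduced to a minimal C model. This is an added example, not the maat source: `item`, `container`, `update_row`, `update_buggy`, `update_fixed` and `run_case` are hypothetical names, and a small pool replaces the heap so the repeated free is counted rather than executed.

```c
#include <stddef.h>
#include <stdio.h>

/* A pool stands in for calloc/free so a repeated release is counted, not executed. */
struct item { int in_use; int id; };
struct container { struct item *owned; };  /* plays the ex_data_container role */
static struct item pool[4];
static int double_frees;

static struct item *item_new(int id) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; pool[i].id = id; return &pool[i]; }
    return NULL;
}
static void item_free(struct item *it) {
    if (it == NULL) return;
    if (!it->in_use) { double_frees++; return; }  /* already released */
    it->in_use = 0;
}
static void container_free(struct container *c) { item_free(c->owned); c->owned = NULL; }

/* The container takes the item; a bad row makes it release everything it holds. */
static int update_row(struct container *c, struct item *it, int row_ok) {
    c->owned = it;
    if (!row_ok) { container_free(c); return -1; }
    return 0;
}
/* Before: the caller still frees `it` on failure although the container already did. */
static int update_buggy(struct container *c, int row_ok) {
    struct item *it = item_new(1);
    int ret = update_row(c, it, row_ok);
    if (ret < 0 && it != NULL) item_free(it);
    return ret;
}
/* After: ownership has moved to the container, so the caller never frees. */
static int update_fixed(struct container *c, int row_ok) {
    return update_row(c, item_new(1), row_ok);
}
/* Runs one update plus teardown; returns how many repeated frees occurred. */
static int run_case(int (*update)(struct container *, int), int row_ok) {
    struct container c = { NULL };
    double_frees = 0;
    update(&c, row_ok);
    container_free(&c);
    return double_frees;
}
int main(void) {
    printf("invalid row: buggy=%d fixed=%d\n", run_case(update_buggy, 0), run_case(update_fixed, 0));
    return 0;
}
```

The `it != NULL` check in `update_buggy` cannot catch the problem because the caller's local pointer is never cleared when the container releases the item.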
liuwentan commented on 2024-01-31T17:37:52.647+0800:
The above issue has been fixed in maat v4.1.28.
Attachments
51289/image-2024-01-31-14-33-21-896.png