Hi Sage,

Sage Weil <sage@xxxxxxxxxxxx> wrote (on Tue, Aug 7, 2018, 15:03):
>
> Hi Reka,
>
> On Tue, 7 Aug 2018, Réka Nikolett Kovács wrote:
> > Hi,
> >
> > I am working on a bug finding tool that looks for a special kind of a
> > use-after-free problem in C++ code (a "checker" module in the Clang
> > Static Analyzer [1]), and I've been running it on a few projects to
> > see if it finds anything interesting.
> >
> > I've found the following on line 131 in ceph/src/kv/RocksDBStore.cc
> > [2], where I suspect we are returning a pointer to a deallocated
> > memory region:
> >
> > > return mop->name().c_str();
> >
> > Here, mop is a std::shared_ptr<KeyValueDB::MergeOperator>, and name()
> > seems to return a string by value [3], a temporary object, on which
> > c_str() is called to obtain a const char * pointing to its inner
> > buffer. But the temporary string object is destroyed at the end of the
> > return statement, and the caller receives a pointer that references a
> > deallocated buffer.
> >
> > I hope you find this report useful.
>
> Thanks for the report! I'm generating a fix now. See
>
> http://tracker.ceph.com/issues/26875
> https://github.com/ceph/ceph/pull/23477
>

Glad to help!

> > Best,
> > Réka
> >
> > P.S. I tried to open an issue for this in the Bug Tracker, but it
> > seems that I don't have the necessary permissions.
>
> Sorry about that--we got some tracker spam and had to disable things
> temporarily.

No problem at all. I just wanted you to know that I made an effort in
case that would've been the way to go.

Reka

> sage
>
> > -----
> > [1] https://clang-analyzer.llvm.org/
> > [2] Link to v14.0.0 for stability, the issue is only one line off on
> > the master branch:
> > https://github.com/ceph/ceph/blob/v14.0.0/src/kv/RocksDBStore.cc#L130
> > [3] https://github.com/ceph/ceph/blob/v14.0.0/src/kv/KeyValueDB.h#L390
> > --
> > To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
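
The lifetime problem reported in this thread, reduced to a stand-alone sketch. This is an added example, not Ceph's code and not the fix from the linked pull request. TracedName (a counting stand-in for std::string), the simplified MergeOperator, both adapter structs and the helper functions are hypothetical names.

```cpp
#include <memory>
#include <string>
#include <utility>

static int live_names = 0;  // number of TracedName objects currently alive

// Constructed stand-in for std::string that counts live instances, so the
// temporary's lifetime can be observed without dereferencing a dead pointer.
struct TracedName {
    std::string s;
    explicit TracedName(std::string v) : s(std::move(v)) { ++live_names; }
    TracedName(const TracedName &o) : s(o.s) { ++live_names; }
    ~TracedName() { --live_names; }
    const char *c_str() const { return s.c_str(); }
};

// Simplified stand-in for the merge operator: name() returns by value.
struct MergeOperator {
    TracedName name() const { return TracedName("example_merge_operator"); }
};

// Reported pattern: the temporary returned by name() dies at the end of the
// return statement, so the caller receives a pointer into a freed buffer.
struct DanglingAdapter {
    std::shared_ptr<MergeOperator> mop = std::make_shared<MergeOperator>();
    const char *Name() const { return mop->name().c_str(); }
};

// One possible fix: copy the name once and let the adapter own the storage,
// so the pointer stays valid for as long as the adapter does.
struct OwningAdapter {
    std::shared_ptr<MergeOperator> mop = std::make_shared<MergeOperator>();
    TracedName cached = mop->name();
    const char *Name() const { return cached.c_str(); }
};

// Count of live buffer owners at the moment the caller holds the pointer.
int owners_after_dangling_name() {
    DanglingAdapter a;
    const char *p = a.Name();  // deliberately never dereferenced
    (void)p;
    return live_names;         // no object owns the buffer any more
}

int owners_after_owning_name() {
    OwningAdapter a;
    const char *p = a.Name();  // safe to read: 'cached' is still alive
    bool ok = p == a.Name() && std::string(p) == "example_merge_operator";
    return ok ? live_names : -1;
}
```

With a real std::string the dangling version may appear to work, because the freed buffer often still holds the old bytes until the allocator reuses it.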