  1. ZABBIX BUGS AND ISSUES
  2. ZBX-15611

Possible crash when all preprocessing steps are removed from item

    Details

    • Team:
      Team A
    • Sprint:
      Sprint 49 (Feb 2019)
    • Story Points:
      0.5

      Description

      Steps to reproduce:

      1. Create an item with 3 preprocessing steps and reload the cache
      2. Remove all preprocessing steps and reload the cache

      Use the following patch to set a specific garbage value and confirm that a crash is possible:

      Index: src/libs/zbxdbcache/dbconfig.c
      ===================================================================
      --- src/libs/zbxdbcache/dbconfig.c    (revision 89538)
      +++ src/libs/zbxdbcache/dbconfig.c    (working copy)
      @@ -4359,6 +4359,7 @@
                       if (0 == preprocitem->preproc_ops.values_num)
                       {
                           zbx_vector_ptr_destroy(&preprocitem->preproc_ops);
      +                    preprocitem->preproc_ops = 2; /* set freed memory to garbage */
                           zbx_hashset_remove_direct(&config->preprocitems, preprocitem);
                       }
                       else
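
      Review bot: the added line "preprocitem->preproc_ops = 2;" assigns an integer to an object that the surrounding context treats as a vector struct (its address is passed to zbx_vector_ptr_destroy() and its values_num member is read two lines above), so it will not compile as written. If the intent is to simulate stale contents after the destroy call, set the specific member instead, for example "preprocitem->preproc_ops.values_num = 2;", and say in the comment which field is being poisoned. Since this line exists only to make the crash reproducible, keep it out of any committed change or guard it behind a debug-only build option.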

      Result:

      vector.c:28:1: runtime error: null pointer passed as argument 1, which is declared to never be null
      dbconfig.c:4264:23: runtime error: load of null pointer of type 'struct zbx_dc_preproc_op_t *'
      ==163110== Invalid read of size 8
      ==163110==    at 0x5AA48A: dc_compare_preprocops_by_step (dbconfig.c:4264)
      ==163110==    by 0x63ADF84: msort_with_tmp.part.0 (in /usr/lib64/libc-2.28.so)
      ==163110==    by 0x63AE1E5: qsort_r (in /usr/lib64/libc-2.28.so)
      ==163110==    by 0x65FE8B: zbx_vector_ptr_sort (vector.c:28)
      ==163110==    by 0x5AB2A1: DCsync_item_preproc (dbconfig.c:4382)
      ==163110==    by 0x5AD9A3: DCsync_configuration (dbconfig.c:4861)
      ==163110==    by 0x432C43: dbconfig_thread (dbconfig.c:93)
      ==163110==    by 0x66898C: zbx_thread_start (threads.c:132)
      ==163110==    by 0x41F1BF: MAIN_ZABBIX_ENTRY (server.c:1113)
      ==163110==    by 0x637F41: daemon_start (daemon.c:392)
      ==163110==    by 0x41E5BD: main (server.c:867)
      ==163110==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
      ==163110== 
      163110:20190207:093344.452 Got signal [signal:11(SIGSEGV),reason:1,refaddr:(nil)]. Crashing ...
      163110:20190207:093344.453 ====== Fatal information: ======
      163110:20190207:093344.454 Program counter: 0x5aa48a
      163110:20190207:093344.456 === Registers: ===
      163110:20190207:093344.458 r8      =                1 =                    1 =                    1
      163110:20190207:093344.461 r9      =       1ffeffc900 =         137422162176 =         137422162176
      163110:20190207:093344.461 r10     =                0 =                    0 =                    0
      163110:20190207:093344.461 r11     =                2 =                    2 =                    2
      163110:20190207:093344.462 r12     =                1 =                    1 =                    1
      163110:20190207:093344.462 r13     =                0 =                    0 =                    0
      163110:20190207:093344.462 r14     =                8 =                    8 =                    8
      163110:20190207:093344.462 r15     =       1ffeffcfd0 =         137422163920 =         137422163920
      163110:20190207:093344.462 rdi     =       1ffeffcce1 =         137422163169 =         137422163169
      163110:20190207:093344.463 rsi     =       1ffeffcf10 =         137422163728 =         137422163728
      163110:20190207:093344.463 rbp     =       1ffeffcf50 =         137422163792 =         137422163792
      163110:20190207:093344.463 rbx     =                8 =                    8 =                    8
      163110:20190207:093344.463 rdx     =               6d =                  109 =                  109
      163110:20190207:093344.464 rax     =                0 =                    0 =                    0
      163110:20190207:093344.464 rcx     =          5869b4b =             92707659 =             92707659
      163110:20190207:093344.464 rsp     =       1ffeffcf20 =         137422163744 =         137422163744
      163110:20190207:093344.464 rip     =           5aa48a =              5940362 =              5940362
      163110:20190207:093344.465 efl     =                4 =                    4 =                    4
      163110:20190207:093344.465 csgsfs  =                0 =                    0 =                    0
      163110:20190207:093344.465 err     =                4 =                    4 =                    4
      163110:20190207:093344.465 trapno  =                e =                   14 =                   14
      163110:20190207:093344.466 oldmask =                0 =                    0 =                    0
      163110:20190207:093344.466 cr2     =                0 =                    0 =                    0
      163110:20190207:093344.466 === Backtrace: ===
      163110:20190207:093344.501 16: ./sbin/zabbix_server: configuration syncer [synced configuration in 1549524824.240268 sec, syncing configuration](zbx_backtrace+0x53) [0x6388ed]
      163110:20190207:093344.501 15: ./sbin/zabbix_server: configuration syncer [synced configuration in 1549524824.240268 sec, syncing configuration](zbx_log_fatal_info+0x367) [0x638fc2]
      163110:20190207:093344.501 14: ./sbin/zabbix_server: configuration syncer [synced configuration in 1549524824.240268 sec, syncing configuration]() [0x639480]
      163110:20190207:093344.502 13: /lib64/libpthread.so.0(+0x13030) [0x4ca0030]
      163110:20190207:093344.502 12: ./sbin/zabbix_server: configuration syncer [synced configuration in 1549524824.240268 sec, syncing configuration]() [0x5aa48a]
      163110:20190207:093344.502 11: /lib64/libc.so.6(+0x39f85) [0x63adf85]
      163110:20190207:093344.503 10: /lib64/libc.so.6(qsort_r+0x246) [0x63ae1e6]
      163110:20190207:093344.503 9: ./sbin/zabbix_server: configuration syncer [synced configuration in 1549524824.240268 sec, syncing configuration](zbx_vector_ptr_sort+0x123) [0x65fe8c]
      163110:20190207:093344.503 8: ./sbin/zabbix_server: configuration syncer [synced configuration in 1549524824.240268 sec, syncing configuration]() [0x5ab2a2]
      163110:20190207:093344.504 7: ./sbin/zabbix_server: configuration syncer [synced configuration in 1549524824.240268 sec, syncing configuration](DCsync_configuration+0xa69) [0x5ad9a4]
      163110:20190207:093344.504 6: ./sbin/zabbix_server: configuration syncer [synced configuration in 1549524824.240268 sec, syncing configuration](dbconfig_thread+0x203) [0x432c44]
      163110:20190207:093344.504 5: ./sbin/zabbix_server: configuration syncer [synced configuration in 1549524824.240268 sec, syncing configuration](zbx_thread_start+0x6c) [0x66898d]
      163110:20190207:093344.505 4: ./sbin/zabbix_server: configuration syncer [synced configuration in 1549524824.240268 sec, syncing configuration](MAIN_ZABBIX_ENTRY+0xbe7) [0x41f1c0]
      163110:20190207:093344.505 3: ./sbin/zabbix_server: configuration syncer [synced configuration in 1549524824.240268 sec, syncing configuration](daemon_start+0x531) [0x637f42]
      163110:20190207:093344.505 2: ./sbin/zabbix_server: configuration syncer [synced configuration in 1549524824.240268 sec, syncing configuration](main+0x3d2) [0x41e5be]
      163110:20190207:093344.505 1: /lib64/libc.so.6(__libc_start_main+0xf3) [0x6398413]
      163110:20190207:093344.505 0: ./sbin/zabbix_server: configuration syncer [synced configuration in 1549524824.240268 sec, syncing configuration](_start+0x2e) [0x41c97e]
      

              People

              • Assignee:
                vso Vladislavs Sokurenko
                Reporter:
                vso Vladislavs Sokurenko