Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-18654

5.2.1: DB upgrade write behind malloc()ed area:-(

    XMLWordPrintable

    Details

    • Type: Problem report
    • Status: Closed
    • Priority: Trivial
    • Resolution: Duplicate
    • Affects Version/s: 5.2.1
    • Fix Version/s: None
    • Component/s: Proxy (P), Server (S)
    • Labels:
    • Environment:
      ARM 32 Ubuntu 14.04 (Odroid X2) - Zabbix compiled from source

      Description

      Steps to reproduce:

      • I tried to upgrade my little home zabbix server from 5.0.4 to 5.2.1
      • The DB upgrade progressed through DBpatch_5010043
      • DBpatch_5010044 never completed.
      • So I started to add debug prints and eventually, I found, that a malloc() did not succeed
      • So I tried to do a valgrind run and found two behind-by-1 writes. The lines will be a bit offset because of my added logging lines.
      ==14329== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 3)
      ==14330== Invalid write of size 1
      ==14330==    at 0x11AD14: DBpatch_convert_screen (dbupgrade_5010.c:1336)
      ==14330==    by 0x11B7F9: DBpatch_5010044 (dbupgrade_5010.c:1431)
      ==14330==    by 0x106C3F: DBcheck_version (dbupgrade.c:959)
      ==14330==    by 0x2CDD9: MAIN_ZABBIX_ENTRY (server.c:1183)
      ==14330==    by 0xE80ED: daemon_start (daemon.c:398)
      ==14330==    by 0x2C2BF: main (server.c:975)
      ==14330==  Address 0x56532ec is 0 bytes after a block of size 100 alloc'd
      ==14330==    at 0x482E358: malloc (vg_replace_malloc.c:296)
      ==14330==    by 0x4830D3F: realloc (vg_replace_malloc.c:692)
      ==14330==    by 0xF31C5: zbx_realloc2 (misc.c:660)
      ==14330==    by 0x11A261: zbx_vector_char_reserve (dbupgrade_5010.c:496)
      ==14330==    by 0x11A261: zbx_vector_char_append_array (dbupgrade_5010.c:496)
      ==14330==    by 0x11A2BF: lw_array_create (dbupgrade_5010.c:678)
      ==14330==    by 0x11ACB3: DBpatch_convert_screen (dbupgrade_5010.c:1326)
      ==14330==    by 0x11B7F9: DBpatch_5010044 (dbupgrade_5010.c:1431)
      ==14330==    by 0x106C3F: DBcheck_version (dbupgrade.c:959)
      ==14330==    by 0x2CDD9: MAIN_ZABBIX_ENTRY (server.c:1183)
      ==14330==    by 0xE80ED: daemon_start (daemon.c:398)
      ==14330==    by 0x2C2BF: main (server.c:975)
      ==14330== 
      ==14330== Invalid write of size 1
      ==14330==    at 0x11AD26: DBpatch_convert_screen (dbupgrade_5010.c:1338)
      ==14330==    by 0x11B7F9: DBpatch_5010044 (dbupgrade_5010.c:1431)
      ==14330==    by 0x106C3F: DBcheck_version (dbupgrade.c:959)
      ==14330==    by 0x2CDD9: MAIN_ZABBIX_ENTRY (server.c:1183)
      ==14330==    by 0xE80ED: daemon_start (daemon.c:398)
      ==14330==    by 0x2C2BF: main (server.c:975)
      ==14330==  Address 0x56533cc is 0 bytes after a block of size 100 alloc'd
      ==14330==    at 0x482E358: malloc (vg_replace_malloc.c:296)
      ==14330==    by 0x4830D3F: realloc (vg_replace_malloc.c:692)
      ==14330==    by 0xF31C5: zbx_realloc2 (misc.c:660)
      ==14330==    by 0x11A261: zbx_vector_char_reserve (dbupgrade_5010.c:496)
      ==14330==    by 0x11A261: zbx_vector_char_append_array (dbupgrade_5010.c:496)
      ==14330==    by 0x11A2BF: lw_array_create (dbupgrade_5010.c:678)
      ==14330==    by 0x11ACBF: DBpatch_convert_screen (dbupgrade_5010.c:1328)
      ==14330==    by 0x11B7F9: DBpatch_5010044 (dbupgrade_5010.c:1431)
      ==14330==    by 0x106C3F: DBcheck_version (dbupgrade.c:959)
      ==14330==    by 0x2CDD9: MAIN_ZABBIX_ENTRY (server.c:1183)
      ==14330==    by 0xE80ED: daemon_start (daemon.c:398)
      ==14330==    by 0x2C2BF: main (server.c:975)
      
      • The problematic loop:
                        for (i = 0; i < dim_x->values_num; i++)
                        {
                                if (POS_EMPTY != dim_x->values[i])
                                        offsets_x->values[i + 1] = i == 0 ? dim_x->values[i] : offsets_x->values[i] + dim_x->values[i];
                                if (POS_EMPTY != dim_y->values[i])
                                        offsets_y->values[i + 1] = i == 0 ? dim_y->values[i] : offsets_y->values[i] + dim_y->values[i];
                        }
        
      • My quick-hack to avoid the problem (including one of the added prints):
        --- zabbix-5.2.1/src/libs/zbxdbupgrade/dbupgrade_5010.c 2020-10-26 08:44:34.000000000 -0700
        +++ ../zabbix-5.2.1/src/libs/zbxdbupgrade/dbupgrade_5010.c      2020-11-13 22:23:54.446499634 -0800
        @@ -661,21 +661,22 @@
         
         static void    lw_array_debug(char *pfx, zbx_vector_char_t *v)
         {
        -       zabbix_log(LOG_LEVEL_TRACE, "%s: %s", pfx, lw_array_to_str(v));
        +       // zabbix_log(LOG_LEVEL_TRACE, "%s: %s", pfx, lw_array_to_str(v));
        +       zabbix_log(LOG_LEVEL_WARNING, "%s: %s", pfx, lw_array_to_str(v));
         }
         
         static zbx_vector_char_t       *lw_array_create(void)
         {
                zbx_vector_char_t       *v;
        -       static char             fill[SCREEN_MAX_ROWS];
        +       static char             fill[SCREEN_MAX_ROWS + 1];
         
                if (0 == fill[0])
        -               memset(fill, POS_EMPTY, SCREEN_MAX_ROWS);
        +               memset(fill, POS_EMPTY, SCREEN_MAX_ROWS + 1);
         
                v = (zbx_vector_char_t *)malloc(sizeof(zbx_vector_char_t));
         
                zbx_vector_char_create(v);
        -       zbx_vector_char_append_array(v, fill, SCREEN_MAX_ROWS);
        +       zbx_vector_char_append_array(v, fill, SCREEN_MAX_ROWS + 1);
         
                return v;
         }
        

      I hope, this can be checked and potentially fixed?!

      Thanks,
      – Marco

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              zabbix.dev Zabbix Development Team
              Reporter:
              mw46d Marco Walther
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: