ZABBIX BUGS AND ISSUES: ZBX-18654

5.2.1: DB upgrade write behind malloc()ed area:-(


    • Type: Problem report
    • Resolution: Duplicate
    • Priority: Trivial
    • Fix version: None
    • Affects version: 5.2.1
    • Component: Proxy (P), Server (S)
    • Environment: ARM 32 Ubuntu 14.04 (Odroid X2) - Zabbix compiled from source

      Steps to reproduce:

      • I tried to upgrade my little home Zabbix server from 5.0.4 to 5.2.1
      • The DB upgrade progressed through DBpatch_5010043
      • DBpatch_5010044 never completed.
      • So I started to add debug prints and eventually I found that a malloc() did not succeed
      • So I tried to do a valgrind run and found two behind-by-1 writes. The lines will be a bit offset because of my added logging lines.
      ==14329== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 6 from 3)
      ==14330== Invalid write of size 1
      ==14330==    at 0x11AD14: DBpatch_convert_screen (dbupgrade_5010.c:1336)
      ==14330==    by 0x11B7F9: DBpatch_5010044 (dbupgrade_5010.c:1431)
      ==14330==    by 0x106C3F: DBcheck_version (dbupgrade.c:959)
      ==14330==    by 0x2CDD9: MAIN_ZABBIX_ENTRY (server.c:1183)
      ==14330==    by 0xE80ED: daemon_start (daemon.c:398)
      ==14330==    by 0x2C2BF: main (server.c:975)
      ==14330==  Address 0x56532ec is 0 bytes after a block of size 100 alloc'd
      ==14330==    at 0x482E358: malloc (vg_replace_malloc.c:296)
      ==14330==    by 0x4830D3F: realloc (vg_replace_malloc.c:692)
      ==14330==    by 0xF31C5: zbx_realloc2 (misc.c:660)
      ==14330==    by 0x11A261: zbx_vector_char_reserve (dbupgrade_5010.c:496)
      ==14330==    by 0x11A261: zbx_vector_char_append_array (dbupgrade_5010.c:496)
      ==14330==    by 0x11A2BF: lw_array_create (dbupgrade_5010.c:678)
      ==14330==    by 0x11ACB3: DBpatch_convert_screen (dbupgrade_5010.c:1326)
      ==14330==    by 0x11B7F9: DBpatch_5010044 (dbupgrade_5010.c:1431)
      ==14330==    by 0x106C3F: DBcheck_version (dbupgrade.c:959)
      ==14330==    by 0x2CDD9: MAIN_ZABBIX_ENTRY (server.c:1183)
      ==14330==    by 0xE80ED: daemon_start (daemon.c:398)
      ==14330==    by 0x2C2BF: main (server.c:975)
      ==14330== 
      ==14330== Invalid write of size 1
      ==14330==    at 0x11AD26: DBpatch_convert_screen (dbupgrade_5010.c:1338)
      ==14330==    by 0x11B7F9: DBpatch_5010044 (dbupgrade_5010.c:1431)
      ==14330==    by 0x106C3F: DBcheck_version (dbupgrade.c:959)
      ==14330==    by 0x2CDD9: MAIN_ZABBIX_ENTRY (server.c:1183)
      ==14330==    by 0xE80ED: daemon_start (daemon.c:398)
      ==14330==    by 0x2C2BF: main (server.c:975)
      ==14330==  Address 0x56533cc is 0 bytes after a block of size 100 alloc'd
      ==14330==    at 0x482E358: malloc (vg_replace_malloc.c:296)
      ==14330==    by 0x4830D3F: realloc (vg_replace_malloc.c:692)
      ==14330==    by 0xF31C5: zbx_realloc2 (misc.c:660)
      ==14330==    by 0x11A261: zbx_vector_char_reserve (dbupgrade_5010.c:496)
      ==14330==    by 0x11A261: zbx_vector_char_append_array (dbupgrade_5010.c:496)
      ==14330==    by 0x11A2BF: lw_array_create (dbupgrade_5010.c:678)
      ==14330==    by 0x11ACBF: DBpatch_convert_screen (dbupgrade_5010.c:1328)
      ==14330==    by 0x11B7F9: DBpatch_5010044 (dbupgrade_5010.c:1431)
      ==14330==    by 0x106C3F: DBcheck_version (dbupgrade.c:959)
      ==14330==    by 0x2CDD9: MAIN_ZABBIX_ENTRY (server.c:1183)
      ==14330==    by 0xE80ED: daemon_start (daemon.c:398)
      ==14330==    by 0x2C2BF: main (server.c:975)
      
      • The problematic loop:
            /* offsets_x and offsets_y come from lw_array_create() and hold values_num cells
             * (the 100-byte blocks in the valgrind output above). On the last iteration,
             * i == values_num - 1, the store to values[i + 1] lands one byte past the block
             * whenever the last dim cell is not POS_EMPTY. */
            for (i = 0; i < dim_x->values_num; i++)
            {
                    if (POS_EMPTY != dim_x->values[i])
                            offsets_x->values[i + 1] = i == 0 ? dim_x->values[i] : offsets_x->values[i] + dim_x->values[i];
                    if (POS_EMPTY != dim_y->values[i])
                            offsets_y->values[i + 1] = i == 0 ? dim_y->values[i] : offsets_y->values[i] + dim_y->values[i];
            }
        
      • My quick-hack to avoid the problem (including one of the added prints):
        --- zabbix-5.2.1/src/libs/zbxdbupgrade/dbupgrade_5010.c 2020-10-26 08:44:34.000000000 -0700
        +++ ../zabbix-5.2.1/src/libs/zbxdbupgrade/dbupgrade_5010.c      2020-11-13 22:23:54.446499634 -0800
        @@ -661,21 +661,22 @@
         
         static void    lw_array_debug(char *pfx, zbx_vector_char_t *v)
         {
        -       zabbix_log(LOG_LEVEL_TRACE, "%s: %s", pfx, lw_array_to_str(v));
        +       // zabbix_log(LOG_LEVEL_TRACE, "%s: %s", pfx, lw_array_to_str(v));
        +       zabbix_log(LOG_LEVEL_WARNING, "%s: %s", pfx, lw_array_to_str(v));
         }
         
         static zbx_vector_char_t       *lw_array_create(void)
         {
                zbx_vector_char_t       *v;
        -       static char             fill[SCREEN_MAX_ROWS];
        +       static char             fill[SCREEN_MAX_ROWS + 1];
         
                if (0 == fill[0])
        -               memset(fill, POS_EMPTY, SCREEN_MAX_ROWS);
        +               memset(fill, POS_EMPTY, SCREEN_MAX_ROWS + 1);
         
                v = (zbx_vector_char_t *)malloc(sizeof(zbx_vector_char_t));
         
                zbx_vector_char_create(v);
        -       zbx_vector_char_append_array(v, fill, SCREEN_MAX_ROWS);
        +       zbx_vector_char_append_array(v, fill, SCREEN_MAX_ROWS + 1);
         
                return v;
         }
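Review bot: Padding every array from lw_array_create() to SCREEN_MAX_ROWS + 1 cells hides the overrun rather than fixing it. The loop in DBpatch_convert_screen still stores to offsets_x->values[i + 1] on its last iteration; the hack only holds because the extra cell is filled with POS_EMPTY, so the "POS_EMPTY != dim_x->values[i]" test skips the store at i == SCREEN_MAX_ROWS. It also raises values_num to 101 for every vector created here, which every consumer of these arrays (lw_array_to_str among them) now sees. A narrower fix is to bound the index at the loop instead, e.g. "for (i = 0; i < dim_x->values_num && i + 1 < offsets_x->values_num; i++)", and leave lw_array_create() as it was. The switch of lw_array_debug() to LOG_LEVEL_WARNING, together with the commented-out TRACE line, is debugging residue that should not be part of a submitted patch. Unrelated to the bug but visible in this hunk: the malloc() of v is never checked for NULL, which is exactly the failure the report started from.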
        

      I hope this can be checked and potentially fixed?!

      Thanks,
      – Marco

            Assignee: Zabbix Development Team (zabbix.dev)
            Reporter: Marco Walther (mw46d)
            Votes: 0
            Watchers: 3
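The off-by-one in the loop quoted in the report, as an added example that is not Zabbix's code: a stand-in for zbx_vector_char_t with one canary byte placed directly behind its last cell, so the out-of-bounds store of the original loop can be observed in well-defined C (the byte belongs to the allocation) instead of only under valgrind, beside a bounds-checked form of the same loop. SCREEN_MAX_ROWS is taken from the 100-byte blocks in the valgrind output; the value of POS_EMPTY, the DEMO_CANARY marker, the constructed row heights and everything prefixed demo_ are assumptions made for this example.

```c
/* Added example, not Zabbix code: a stand-in for zbx_vector_char_t with a
 * canary byte behind the live cells, so the off-by-one store from
 * DBpatch_convert_screen can be observed without undefined behaviour.
 * Everything prefixed demo_ is assumed for this example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SCREEN_MAX_ROWS 100          /* the 100-byte blocks in the valgrind report */
#define POS_EMPTY       ((char)-1)   /* assumption: a sentinel that is not a real row size */
#define DEMO_CANARY     0x5A         /* marker kept in the hidden byte after the last cell */

typedef struct
{
	char	*values;
	int	values_num;
}
demo_vector_char_t;

/* Like lw_array_create(): exactly SCREEN_MAX_ROWS live cells filled with POS_EMPTY.
 * The allocation carries one extra byte holding DEMO_CANARY, so a store to
 * values[values_num] lands on memory we own and can be inspected afterwards. */
static demo_vector_char_t	*demo_array_create(void)
{
	demo_vector_char_t	*v = malloc(sizeof(*v));

	if (NULL == v || NULL == (v->values = malloc(SCREEN_MAX_ROWS + 1)))
	{
		perror("malloc");
		exit(EXIT_FAILURE);
	}
	memset(v->values, POS_EMPTY, SCREEN_MAX_ROWS);
	v->values[SCREEN_MAX_ROWS] = DEMO_CANARY;
	v->values_num = SCREEN_MAX_ROWS;

	return v;
}

static void	demo_array_free(demo_vector_char_t *v)
{
	free(v->values);
	free(v);
}

/* The loop from the report, for one dimension. When i == values_num - 1 and the
 * dim cell is not POS_EMPTY it stores to offsets->values[values_num]: one past the end. */
static void	demo_offsets_original(const demo_vector_char_t *dim, demo_vector_char_t *offsets)
{
	int	i;

	for (i = 0; i < dim->values_num; i++)
	{
		if (POS_EMPTY != dim->values[i])
			offsets->values[i + 1] = i == 0 ? dim->values[i] : offsets->values[i] + dim->values[i];
	}
}

/* One possible fix (not the project's): offsets[i + 1] is the start of row i + 1,
 * and there is no row values_num, so the loop stops one row early. */
static void	demo_offsets_fixed(const demo_vector_char_t *dim, demo_vector_char_t *offsets)
{
	int	i;

	for (i = 0; i < dim->values_num && i + 1 < offsets->values_num; i++)
	{
		if (POS_EMPTY != dim->values[i])
			offsets->values[i + 1] = i == 0 ? dim->values[i] : offsets->values[i] + dim->values[i];
	}
}

/* Run one variant on a constructed screen whose first rows_used rows have height 1
 * and whose remaining rows are POS_EMPTY. Returns 1 if the canary survived the loop
 * and, if probe_value is given, stores offsets[probe] there (probe < SCREEN_MAX_ROWS). */
static int	demo_scenario(int rows_used, int use_fixed, int probe, int *probe_value)
{
	demo_vector_char_t	*dim = demo_array_create(), *offsets = demo_array_create();
	int			i, intact;

	for (i = 0; i < rows_used && i < SCREEN_MAX_ROWS; i++)
		dim->values[i] = 1;

	if (use_fixed)
		demo_offsets_fixed(dim, offsets);
	else
		demo_offsets_original(dim, offsets);

	intact = (DEMO_CANARY == (unsigned char)offsets->values[SCREEN_MAX_ROWS]);
	if (NULL != probe_value)
		*probe_value = offsets->values[probe];

	demo_array_free(dim);
	demo_array_free(offsets);

	return intact;
}

/* Convenience: the computed offsets[probe] for one scenario. */
static int	demo_offset_at(int rows_used, int use_fixed, int probe)
{
	int	v;

	(void)demo_scenario(rows_used, use_fixed, probe, &v);
	return v;
}

int	main(void)
{
	printf("original,  99 rows used: canary %s\n", demo_scenario(99, 0, 0, NULL) ? "intact" : "CLOBBERED");
	printf("original, 100 rows used: canary %s\n", demo_scenario(100, 0, 0, NULL) ? "intact" : "CLOBBERED");
	printf("fixed,    100 rows used: canary %s, offsets[99] = %d\n",
			demo_scenario(100, 1, 0, NULL) ? "intact" : "CLOBBERED", demo_offset_at(100, 1, 99));
	return 0;
}
```

demo_scenario() returns 1 when the canary byte is still in place after the loop ran: with 99 rows in use both variants leave it intact, because the last dim cell is POS_EMPTY and the final store is skipped; with all 100 rows in use the original loop overwrites it (it stores offsets[99] + 1 = 100 there) while the bounds-checked loop does not, and both still produce offsets[99] == 99. An owned guard byte like this is also a cheap way to pin the bug in a unit test on a target where valgrind is not available.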