Commit 7cfe6c4
fix BigValueRoute sscanf over-read on non-NUL-terminated reply
Summary:
Root cause: BigValueRoute<RouterInfo>::ChunksInfo(folly::StringPiece replyValue) parsed the chunks-info header by calling sscanf(replyValue.data(), "%u-%u-%lu%n", ...). The StringPiece is a (ptr, len) view over a coalesced IOBuf reply payload and is NOT NUL-terminated. glibc sscanf computes the input C-string length up front by scanning for a NUL with rawmemchr (via _IO_str_init_static_internal called with size=-1), BEFORE any parsing happens. When the byte after the payload is not a NUL, that scan reads past the buffer; if the payload abuts an unmapped page the read SIGSEGVs. The existing charsRead == replyValue.size() guard cannot prevent it because it runs only after the faulting sscanf call returns.
Evidence: confirmed in two production CachiusServer coredumps on mcrpxy-web* threads. In the non-marker core the rawmemchr fault register was rdi=0x7f8744dfffe0, exactly 0x20 below the page boundary 0x7f8744e00000, with rsi=0 (scanning for NUL) - i.e. a length-scan running off the end of a mapped page. Both cores had a valid v1 ChunksInfo input ("1-2-7419256", "1-2-3745222203") followed by adjacent garbage, so the crash requires no malformed or attacker-controlled data. This accounts for ~480 SIGSEGV/week (~19% of CachiusServer crashes); it is steady and version-independent. (It is distinct from the larger CachiusCPUPool SIGABRT population, which is unrelated to mcrouter.)
Fix: parse strictly within the StringPiece bounds. Extracted a bounded detail::parseChunksInfo() helper using folly::split('-', ...) (exact 3 fields) + folly::tryTo<uint32_t/uint32_t/uint64_t>, which never reads past replyValue. Semantics are preserved (and slightly stricter on malformed input: leading '+', overflow, and negative fields are now rejected - none reachable from the toStringType() producer, which emits pure "{}-{}-{}" digits). numChunks_/suffix_ are now zero-initialized.
Bumps ClientVersion 182 -> 183.
Reviewed By: disylh
Differential Revision: D107896217
fbshipit-source-id: 77e80ddc660d66e46b0f0bbc66ec2028aec261cc
1 parent dbb0ad7 commit 7cfe6c4
2 files changed
Lines changed: 57 additions & 14 deletions
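To make the failure mode and the bounded replacement concrete, here is an added, self-contained C++ example written for this page; it is not mcrouter's code and is not taken from the diff above. It swaps folly::StringPiece, folly::split and folly::tryTo for std::string_view and std::from_chars, and the ChunksInfo struct, the function names sscanfChunksInfo / parseChunksInfo / sscanfFaultsAtPageEnd and the sample input are assumptions. sscanfChunksInfo reproduces the removed pattern (sscanf on a non-NUL-terminated view with an after-the-fact charsRead check); parseChunksInfo is the bounded parse (exactly three fields, no '+', no sign, no overflow, no trailing bytes); sscanfFaultsAtPageEnd lays the payload in the last bytes of a page followed by a PROT_NONE guard page and runs the sscanf version in a forked child, reproducing the length-scan fault the cores show.

```cpp
// Added example for this page (not mcrouter's code): the sscanf pattern the
// commit removes, a bounded parser in the spirit of detail::parseChunksInfo(),
// and a guard-page reproduction of the over-read. Uses std::string_view and
// std::from_chars in place of folly::StringPiece/folly::split/folly::tryTo;
// the ChunksInfo layout and all function names here are assumptions.
#include <cassert>
#include <charconv>
#include <csignal>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>
#include <string>
#include <string_view>
#include <system_error>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

struct ChunksInfo {
  uint32_t numChunks = 0;  // zero-initialized, as the fix does for numChunks_/suffix_
  uint32_t suffix = 0;
  uint64_t valueSize = 0;
};

// BEFORE: sscanf needs a NUL-terminated string, but a (ptr,len) view is not one.
// glibc locates the terminating NUL before parsing, so the charsRead guard can
// only reject trailing bytes after the over-read has already happened.
bool sscanfChunksInfo(std::string_view reply, ChunksInfo& ci) {
  int charsRead = 0;
  unsigned long valueSize = 0;
  int n = sscanf(reply.data(), "%u-%u-%lu%n", &ci.numChunks, &ci.suffix,
                 &valueSize, &charsRead);
  ci.valueSize = valueSize;
  return n == 3 && static_cast<size_t>(charsRead) == reply.size();
}

// One decimal field, strictly inside [data, data+size): digits only, whole
// field consumed, no overflow. from_chars never accepts '+', and never '-' for
// unsigned targets, so signed input is rejected as the commit describes.
template <typename T>
bool parseField(std::string_view field, T& out) {
  if (field.empty()) return false;
  auto r = std::from_chars(field.data(), field.data() + field.size(), out, 10);
  return r.ec == std::errc{} && r.ptr == field.data() + field.size();
}

// AFTER: exactly three '-'-separated fields, never reading outside the view.
std::optional<ChunksInfo> parseChunksInfo(std::string_view reply) {
  size_t d1 = reply.find('-');
  if (d1 == std::string_view::npos) return std::nullopt;
  size_t d2 = reply.find('-', d1 + 1);
  if (d2 == std::string_view::npos) return std::nullopt;
  if (reply.find('-', d2 + 1) != std::string_view::npos) return std::nullopt;
  ChunksInfo ci;
  if (!parseField(reply.substr(0, d1), ci.numChunks) ||
      !parseField(reply.substr(d1 + 1, d2 - d1 - 1), ci.suffix) ||
      !parseField(reply.substr(d2 + 1), ci.valueSize)) {
    return std::nullopt;
  }
  return ci;
}

// Reproduction: put the payload in the last bytes of a page followed by a
// PROT_NONE guard page, so the byte after the view is unmapped, as in the
// cores. Runs the sscanf parser in a forked child and reports SIGSEGV.
bool sscanfFaultsAtPageEnd(std::string_view payload) {
  size_t page = static_cast<size_t>(sysconf(_SC_PAGESIZE));
  char* base = static_cast<char*>(mmap(nullptr, 2 * page, PROT_READ | PROT_WRITE,
                                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0));
  if (base == MAP_FAILED) return false;
  mprotect(base + page, page, PROT_NONE);  // guard page: any touch faults
  char* p = base + page - payload.size();
  memcpy(p, payload.data(), payload.size());  // no NUL anywhere after it
  pid_t pid = fork();
  if (pid == 0) {
    ChunksInfo ci;
    _exit(sscanfChunksInfo(std::string_view(p, payload.size()), ci) ? 0 : 1);
  }
  int status = 0;
  bool faulted = pid > 0 && waitpid(pid, &status, 0) == pid &&
                 WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV;
  munmap(base, 2 * page);
  return faulted;
}

int main() {
  std::string_view payload = "1-2-7419256";  // a valid v1 header from the cores
  auto ci = parseChunksInfo(payload);
  printf("bounded parse: %s (%u chunks, suffix %u, %llu bytes)\n",
         ci ? "ok" : "rejected", ci ? ci->numChunks : 0u, ci ? ci->suffix : 0u,
         ci ? (unsigned long long)ci->valueSize : 0ull);
  printf("sscanf at page end: %s\n",
         sscanfFaultsAtPageEnd(payload) ? "SIGSEGV (over-read)" : "no fault");
  return 0;
}
```

Build on Linux with a C++17 compiler (for example g++ -std=c++17). The guard-page reproduction relies on the C library scanning for the NUL before it parses: with glibc the child dies with SIGSEGV on the same bytes from which parseChunksInfo returns 1-2-7419256, which is exactly why the charsRead == size check in the old code could never fire in time. The bounded parser also rejects the inputs the commit calls out as now stricter (leading '+', negative fields, overflow) and anything with a fourth field or trailing bytes.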
[Diff, file 1 of 2: the rendered hunk text did not survive extraction; only the line-number columns remain. Recoverable hunks: 2 lines added (new lines 15 and 17) near the top of the file; 24 lines added (new lines 57-80) after old line 54; old lines 386-399 removed and replaced by new lines 412-414 (14 deletions, 3 additions).]
[Diff, file 2 of 2: hunk text not extracted. Recoverable hunk: 28 lines added (new lines 29-56) after old line 28. Together with file 1 this accounts for the 57 additions and 14 deletions stated above.]