[asterisk-bugs] [JIRA] (ASTERISK-29378) res_prometheus: Crash when scraping bridges and creating a bridge at the same time
Sébastien Duthil (JIRA)
noreply at issues.asterisk.org
Wed Mar 31 14:43:15 CDT 2021
Sébastien Duthil created ASTERISK-29378:
-------------------------------------------
Summary: res_prometheus: Crash when scraping bridges and creating a bridge at the same time
Key: ASTERISK-29378
URL: https://issues.asterisk.org/jira/browse/ASTERISK-29378
Project: Asterisk
Issue Type: Bug
Security Level: None
Components: Resources/General
Affects Versions: 18.3.0, 18.2.2
Reporter: Sébastien Duthil
Attachments: bridge_metrics.txt, core.19981.1614676357-brief.txt, core.19981.1614676357-full.txt, core.19981.1614676357-info.txt, core.19981.1614676357-locks.txt, core.19981.1614676357-thread1.txt
Given there are two bridges already created in Asterisk
Given a Prometheus server is scraping /metrics on Asterisk
When a third bridge is created at the wrong time
When the wrong memory location is allocated and overwritten
Then Asterisk crashes
"The wrong time" occurs between counting the bridges and iterating on the bridges in {{res/prometheus/bridges.c:bridges_scrape_cb}}.
"The wrong memory location" is the third element of the array {{bridge_metrics}} in {{res/prometheus/bridges.c:bridges_scrape_cb}}, which is written and read by {{bridges_scrape_cb}} without being properly allocated.
I'm attaching the output of ast_coredumper. Here are the interesting values of variables I extracted from gdb:
{noformat}
Frame #9 0x00007f349db6f38d in bridges_scrape_cb (response=0x7f349c3cbcc8) at prometheus/bridges.c:145
bridge_metrics = 0x7f34cc004800
bridge_metrics + 1 = 0x7f34cc004ec8
bridge_metrics + 2 = 0x7f34cc005590 (the unallocated element)
*bridge_metrics at 3 = (first 3 elements shown in bridge_metrics.txt)
i = 3
num_bridges = optimized out
bridge_count.value = "2"
{noformat}
I interpret those values as the bridge_metrics array was allocated for two bridges, but a third bridge was created just after the allocation and made the bridge loop to overflow the allocated memory.
AFAIU, this bug is an array overflow and can cause memory corruption since it writes in a memory location that wasn't properly allocated.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
More information about the asterisk-bugs
mailing list