[asterisk-bugs] [JIRA] (ASTERISK-29378) res_prometheus: Crash when scraping bridges and creating a bridge at the same time

Sébastien Duthil (JIRA) noreply at issues.asterisk.org
Wed Mar 31 14:43:15 CDT 2021


Sébastien Duthil created ASTERISK-29378:
-------------------------------------------

             Summary: res_prometheus: Crash when scraping bridges and creating a bridge at the same time
                 Key: ASTERISK-29378
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29378
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Resources/General
    Affects Versions: 18.3.0, 18.2.2
            Reporter: Sébastien Duthil
         Attachments: bridge_metrics.txt, core.19981.1614676357-brief.txt, core.19981.1614676357-full.txt, core.19981.1614676357-info.txt, core.19981.1614676357-locks.txt, core.19981.1614676357-thread1.txt

Given there are two bridges already created in Asterisk
Given a Prometheus server is scraping /metrics on Asterisk
When a third bridge is created at the wrong time
When the wrong memory location is allocated and overwritten
Then Asterisk crashes

"The wrong time" occurs between counting the bridges and iterating on the bridges in {{res/prometheus/bridges.c:bridges_scrape_cb}}.

"The wrong memory location" is the third element of the array {{bridge_metrics}} in {{res/prometheus/bridges.c:bridges_scrape_cb}}, which is written and read by {{bridges_scrape_cb}} without being properly allocated.

I'm attaching the output of ast_coredumper. Here are the interesting values of variables I extracted from gdb:
{noformat}
Frame #9  0x00007f349db6f38d in bridges_scrape_cb (response=0x7f349c3cbcc8) at prometheus/bridges.c:145

bridge_metrics = 0x7f34cc004800
bridge_metrics + 1 = 0x7f34cc004ec8
bridge_metrics + 2 = 0x7f34cc005590 (the unallocated element)
*bridge_metrics at 3 = (first 3 elements shown in bridge_metrics.txt)
i = 3
num_bridges = optimized out
bridge_count.value = "2"
{noformat}

I interpret those values as: the bridge_metrics array was allocated for two bridges, but a third bridge was created just after the allocation and made the bridge loop overflow the allocated memory.

AFAIU, this bug is an array overflow and can cause memory corruption since it writes in a memory location that wasn't properly allocated.
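To make the race described above concrete for anyone triaging a similar report, here is an added, constructed example: it models the count-then-allocate-then-iterate pattern with a bridge created in the window, and shows two defensive remedies. This is not Asterisk's res_prometheus source or its eventual fix; `struct registry`, `race_hook`, `scrape_bounded`, `scrape_snapshot` and `create_extra_bridge` are stand-ins assumed here, and the "lock" in the real container is replaced by single-threaded control flow.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BRIDGES 16

/* Constructed stand-in for Asterisk's bridge container; not the real ao2 API. */
struct bridge {
	char id[32];
	int channels;
};

struct registry {
	struct bridge bridges[MAX_BRIDGES];
	size_t count;
};

/* One exported row, standing in for an element of bridge_metrics[]. */
struct metric {
	char bridge_id[32];
	int channels;
};

/* Models another thread creating a bridge while the scrape is in progress. */
typedef void (*race_hook)(struct registry *r);

int registry_add(struct registry *r, const char *id, int channels)
{
	if (r->count >= MAX_BRIDGES) {
		return -1;
	}
	snprintf(r->bridges[r->count].id, sizeof r->bridges[r->count].id, "%s", id);
	r->bridges[r->count].channels = channels;
	r->count++;
	return 0;
}

static void copy_row(struct metric *dst, const struct bridge *src)
{
	snprintf(dst->bridge_id, sizeof dst->bridge_id, "%s", src->id);
	dst->channels = src->channels;
}

/* Remedy 1: keep the count-then-iterate shape, but bound the loop by the size
 * that was actually allocated, never by the live container. Returns the rows
 * written; *skipped receives the number of bridges that appeared after the
 * count, which a scraper can log or export as a metric of its own. */
size_t scrape_bounded(struct registry *r, race_hook hook,
		      struct metric **out, size_t *skipped)
{
	size_t num = r->count;                    /* 1. count the bridges */
	if (hook) {
		hook(r);                          /* the race window: a bridge is created here */
	}
	struct metric *m = calloc(num ? num : 1, sizeof *m);   /* 2. allocate for num */
	if (!m) {
		*out = NULL;
		*skipped = 0;
		return 0;
	}
	size_t i;
	for (i = 0; i < num && i < r->count; i++) {   /* 3. iterate, never past num */
		copy_row(&m[i], &r->bridges[i]);
	}
	*skipped = r->count - i;
	*out = m;
	return i;
}

/* Remedy 2: close the window by counting, allocating and copying as one step
 * (in real code, under the container lock), so a concurrent creation lands
 * wholly before or wholly after the scrape. The hook runs before that step
 * to model the "wholly before" case. */
size_t scrape_snapshot(struct registry *r, race_hook hook,
		       struct metric **out, size_t *skipped)
{
	if (hook) {
		hook(r);
	}
	size_t num = r->count;
	struct metric *m = calloc(num ? num : 1, sizeof *m);
	if (!m) {
		*out = NULL;
		*skipped = 0;
		return 0;
	}
	for (size_t i = 0; i < num; i++) {
		copy_row(&m[i], &r->bridges[i]);
	}
	*skipped = 0;
	*out = m;
	return num;
}

/* Constructed hook: the "third bridge created at the wrong time". */
void create_extra_bridge(struct registry *r)
{
	registry_add(r, "bridge-new", 2);
}

int main(void)
{
	struct registry r = {0};
	struct metric *m;
	size_t skipped;

	registry_add(&r, "bridge-1", 2);
	registry_add(&r, "bridge-2", 3);
	size_t n = scrape_bounded(&r, create_extra_bridge, &m, &skipped);
	printf("bounded: wrote %zu rows, %zu bridge(s) skipped\n", n, skipped);
	free(m);
	n = scrape_snapshot(&r, create_extra_bridge, &m, &skipped);
	printf("snapshot: wrote %zu rows, %zu skipped\n", n, skipped);
	free(m);
	return 0;
}
```

With two bridges registered and one created in the window, the bounded scrape writes two rows and reports one skipped bridge instead of writing a third row past the allocation; the snapshot scrape reports every bridge present when the count was taken. A useful check when reviewing any exporter that walks a shared container is that the loop's upper bound is derived from the allocation (`num`) and not re-read from the container on each iteration.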
