[asterisk-bugs] [JIRA] (ASTERISK-29378) res_prometheus: Crash when scraping bridges and creating a bridge at the same time

Asterisk Team (JIRA) noreply at issues.asterisk.org
Wed Mar 31 14:43:15 CDT 2021


    [ https://issues.asterisk.org/jira/browse/ASTERISK-29378?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=254407#comment-254407 ] 

Asterisk Team commented on ASTERISK-29378:
------------------------------------------

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur.

Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/].

> res_prometheus: Crash when scraping bridges and creating a bridge at the same time
> ----------------------------------------------------------------------------------
>
>                 Key: ASTERISK-29378
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29378
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/General
>    Affects Versions: 18.2.2, 18.3.0
>            Reporter: Sébastien Duthil
>         Attachments: bridge_metrics.txt, core.19981.1614676357-brief.txt, core.19981.1614676357-full.txt, core.19981.1614676357-info.txt, core.19981.1614676357-locks.txt, core.19981.1614676357-thread1.txt
>
>
> Given there are two bridges already created in Asterisk
> Given a Prometheus server is scraping /metrics on Asterisk
> When a third bridge is created at the wrong time
> When the wrong memory location is allocated and overwritten
> Then Asterisk crashes
> "The wrong time" occurs between counting the bridges and iterating on the bridges in {{res/prometheus/bridges.c:bridges_scrape_cb}}.
> "The wrong memory location" is the third element of the array {{bridge_metrics}} in {{res/prometheus/bridges.c:bridges_scrape_cb}}, which is written and read by {{bridges_scrape_cb}} without being properly allocated.
> I'm attaching the output of ast_coredumper. Here are the interesting values of variables I extracted from gdb:
> {noformat}
> Frame #9  0x00007f349db6f38d in bridges_scrape_cb (response=0x7f349c3cbcc8) at prometheus/bridges.c:145
> bridge_metrics = 0x7f34cc004800
> bridge_metrics + 1 = 0x7f34cc004ec8
> bridge_metrics + 2 = 0x7f34cc005590 (the unallocated element)
> *bridge_metrics at 3 = (first 3 elements shown in bridge_metrics.txt)
> i = 3
> num_bridges = optimized out
> bridge_count.value = "2"
> {noformat}
> I interpret those values as follows: the bridge_metrics array was allocated for two bridges, but a third bridge was created just after the allocation and made the bridge loop overflow the allocated memory.
> AFAIU, this bug is an array overflow and can cause memory corruption since it writes in a memory location that wasn't properly allocated.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
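
The count-then-iterate race described in the report, reproduced as an added example that is not part of the original message and is not Asterisk code. It sizes an array from a snapshot of the bridge count, lets a third bridge appear before the loop, and bounds the loop by the allocated size. `bridge_list`, `create_bridge` and `scrape_bounded` are hypothetical names, and the "concurrent" creation is simulated in a single thread.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_BRIDGES 8

/* Constructed stand-ins for the live bridge container and the metrics array. */
struct bridge_list { int ids[MAX_BRIDGES]; size_t count; };
struct metric { int bridge_id; };
struct scrape_result { struct metric *metrics; size_t filled, skipped; };

/* Simulates another thread creating a bridge in the middle of a scrape. */
static void create_bridge(struct bridge_list *l, int id)
{
    if (l->count < MAX_BRIDGES)
        l->ids[l->count++] = id;
}

/* Sizes the array from a snapshot of the count, then bounds the loop by
 * that snapshot instead of by the container's length at iteration time. */
static struct scrape_result scrape_bounded(struct bridge_list *l, int racing_id)
{
    struct scrape_result r = { NULL, 0, 0 };
    size_t allocated = l->count;              /* "counting the bridges" */

    r.metrics = calloc(allocated ? allocated : 1, sizeof(*r.metrics));
    if (!r.metrics)
        return r;

    create_bridge(l, racing_id);              /* "the wrong time" */

    for (size_t i = 0; i < l->count; i++) {   /* "iterating on the bridges" */
        if (i >= allocated) {                 /* bound by what was allocated */
            r.skipped++;                      /* picked up by the next scrape */
            continue;
        }
        r.metrics[i].bridge_id = l->ids[i];
        r.filled++;
    }
    return r;
}

int main(void)
{
    struct bridge_list l = { { 101, 102 }, 2 };   /* two bridges, constructed ids */
    struct scrape_result r = scrape_bounded(&l, 103);
    printf("filled=%zu skipped=%zu\n", r.filled, r.skipped);
    free(r.metrics);
    return 0;
}
```

Without the `i >= allocated` check, the third iteration would write one element past the two-slot allocation. Holding the container's lock across both the count and the iteration is the other way to close the window.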


