[asterisk-bugs] [JIRA] (ASTERISK-29378) res_prometheus: Crash when scraping bridges and creating a bridge at the same time

Sébastien Duthil (JIRA) noreply at issues.asterisk.org
Wed Mar 31 14:43:15 CDT 2021


     [ https://issues.asterisk.org/jira/browse/ASTERISK-29378?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sébastien Duthil updated ASTERISK-29378:
----------------------------------------

    Attachment: core.19981.1614676357-thread1.txt
                core.19981.1614676357-locks.txt
                core.19981.1614676357-info.txt
                core.19981.1614676357-full.txt
                core.19981.1614676357-brief.txt
                bridge_metrics.txt

Core dump info.

> res_prometheus: Crash when scraping bridges and creating a bridge at the same time
> ----------------------------------------------------------------------------------
>
>                 Key: ASTERISK-29378
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-29378
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Resources/General
>    Affects Versions: 18.2.2, 18.3.0
>            Reporter: Sébastien Duthil
>         Attachments: bridge_metrics.txt, core.19981.1614676357-brief.txt, core.19981.1614676357-full.txt, core.19981.1614676357-info.txt, core.19981.1614676357-locks.txt, core.19981.1614676357-thread1.txt
>
>
> Given there are two bridges already created in Asterisk
> Given a Prometheus server is scraping /metrics on Asterisk
> When a third bridge is created at the wrong time
> When the wrong memory location is allocated and overwritten
> Then Asterisk crashes
> "The wrong time" occurs between counting the bridges and iterating on the bridges in {{res/prometheus/bridges.c:bridges_scrape_cb}}.
> "The wrong memory location" is the third element of the array {{bridge_metrics}} in {{res/prometheus/bridges.c:bridges_scrape_cb}}, which is written and read by {{bridges_scrape_cb}} without being properly allocated.
> I'm attaching the output of ast_coredumper. Here are the interesting values of variables I extracted from gdb:
> {noformat}
> Frame #9  0x00007f349db6f38d in bridges_scrape_cb (response=0x7f349c3cbcc8) at prometheus/bridges.c:145
> bridge_metrics = 0x7f34cc004800
> bridge_metrics + 1 = 0x7f34cc004ec8
> bridge_metrics + 2 = 0x7f34cc005590 (the unallocated element)
> *bridge_metrics at 3 = (first 3 elements shown in bridge_metrics.txt)
> i = 3
> num_bridges = optimized out
> bridge_count.value = "2"
> {noformat}
> I interpret those values as the bridge_metrics array was allocated for two bridges, but a third bridge was created just after the allocation and made the bridge loop overflow the allocated memory.
> AFAIU, this bug is an array overflow and can cause memory corruption since it writes in a memory location that wasn't properly allocated.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
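The race the report describes (count the bridges, allocate bridge_metrics from that count, then iterate a container that may have grown in between) in a small, deterministic C model. This is an added example, not code from the Asterisk project or from res/prometheus/bridges.c; the container, race_hook, scrape_bridges, unbounded_overrun and the sample bridge names are constructed stand-ins. The hook fires inside the count-to-iterate window, so the third bridge appears exactly where the report places it; the hardened loop is bounded by the allocation and records the extra bridge as skipped, while unbounded_overrun reports how far an unchecked loop would write past the array without actually performing the write.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a bridge container (assumption: a stand-in, not
 * Asterisk's ao2 container API). */
#define MAX_BRIDGES 16

struct bridge {
	char name[32];
	int channels;
};

struct container {
	struct bridge items[MAX_BRIDGES];
	int count;
	/* Invoked between counting and iterating, to model another thread
	 * creating a bridge inside that window. */
	void (*race_hook)(struct container *);
};

struct scrape_result {
	struct bridge *bridge_metrics; /* heap array sized from the count */
	int allocated;                 /* entries the array can hold */
	int written;                   /* entries actually filled */
	int skipped;                   /* bridges seen after the array was full */
};

static void add_bridge(struct container *c, const char *name, int channels)
{
	if (c->count >= MAX_BRIDGES) {
		return;
	}
	snprintf(c->items[c->count].name, sizeof c->items[c->count].name, "%s", name);
	c->items[c->count].channels = channels;
	c->count++;
}

/* Models "the wrong time": a third bridge appears after the count was taken. */
static void race_hook_add_third(struct container *c)
{
	add_bridge(c, "third", 2);
}

/* Hardened scrape: the array is sized from a count taken before iteration,
 * so the loop is bounded by the allocation, not by the live container. */
static int scrape_bridges(struct container *c, struct scrape_result *out)
{
	int num_bridges = c->count;
	int i;

	out->bridge_metrics = calloc(num_bridges > 0 ? num_bridges : 1,
				     sizeof *out->bridge_metrics);
	if (!out->bridge_metrics) {
		return -1;
	}
	out->allocated = num_bridges;
	out->written = 0;
	out->skipped = 0;

	if (c->race_hook) {
		c->race_hook(c); /* the window between count and iterate */
	}

	for (i = 0; i < c->count; i++) {
		if (out->written >= out->allocated) {
			/* Without this check the loop writes past the allocation. */
			out->skipped++;
			continue;
		}
		out->bridge_metrics[out->written] = c->items[i];
		out->written++;
	}
	return 0;
}

/* How many elements an unchecked count-allocate-iterate loop would write
 * beyond its allocation; computed rather than performed, so nothing is
 * corrupted. */
static int unbounded_overrun(struct container *c)
{
	int num_bridges = c->count;

	if (c->race_hook) {
		c->race_hook(c);
	}
	return c->count - num_bridges;
}

int main(void)
{
	struct container c;
	struct scrape_result r;

	memset(&c, 0, sizeof c);
	c.race_hook = race_hook_add_third;
	add_bridge(&c, "first", 2);
	add_bridge(&c, "second", 3);
	if (scrape_bridges(&c, &r) != 0) {
		return 1;
	}
	printf("allocated=%d written=%d skipped=%d live_bridges=%d\n",
	       r.allocated, r.written, r.skipped, c.count);
	free(r.bridge_metrics);
	return 0;
}
```

Bounding the loop by the allocation turns a heap overflow into a metric that is stale by one bridge for one scrape. The other general approach is to hold the container's lock across both the count and the iteration so the count cannot change in between, at the cost of blocking bridge creation for the duration of the scrape. Both are general patterns for this class of race; the report does not say which fix Asterisk adopted.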


