Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mask body of runOps to avoid a heap corruption #89

Merged
merged 1 commit into from
Aug 29, 2019
Merged

Mask body of runOps to avoid a heap corruption #89

merged 1 commit into from
Aug 29, 2019

Conversation

cocreature
Copy link
Collaborator

No description provided.

Gabriella439
Gabriella439 reviewed Aug 28, 2019
View reviewed changes
core/src/Network/GRPC/LowLevel/Op.hs
-- 1. We allocate an OpContext, e.g., OpRecvMessageContext and the corresponding ByteBuffer.
-- 2. We pass the buffer to gRPC in startBatch.
-- 3. If we now get an exception we will free the ByteBuffer.
-- 4. gRPC can now end up writing to the freed ByteBuffer and we get a heap corruption.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Where would gRPC write to the freed ByteBuffer? The reason I ask is that I don't see opArray used outside of startBatch

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

startBatch is asynchronous. The actual write happens somewhere in the gRPC internals. I haven’t tracked it down to the exact location.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I took a brief look and it looks like at least call->receiving_buffer retains a reference to the buffer https://github.com/grpc/grpc/blob/master/src/core/lib/surface/call.cc#L1804

Probably also worth pointing out that this fix is based on an actual issue that we encountered in our tests.

@neongreen
Copy link

I can confirm that this patch fixes a segfault that we started to get on an internal project after upgrading to grpc-1.22.

@Gabriella439 Gabriella439 merged commit be70fc4 into awakesecurity:master Aug 29, 2019
@Gabriella439
Copy link
Contributor

@cocreature: Thank you!

@neongreen
Copy link

neongreen commented Aug 29, 2019
edited
Loading

Update: this branch works for our project but the master of gRPC-haskell doesn't 🤔 #90 seems to be the only difference. @cocreature do your tests pass with the current gRPC-haskell master?

@cocreature
Copy link
Collaborator Author

@neongreen I’m confused, this branch is identical to the current master now that the PR is merged.

@neongreen
Copy link

I believe it's not.

$ git diff cocreature/fix-heap-corruption origin/master

diff --git a/core/src/Network/GRPC/LowLevel/Op.hs b/core/src/Network/GRPC/LowLevel/Op.hs
index ed8cd8e..bde3997 100644
--- a/core/src/Network/GRPC/LowLevel/Op.hs
+++ b/core/src/Network/GRPC/LowLevel/Op.hs
@@ -108,8 +108,8 @@ freeOpContext (OpSendInitialMetadataContext m _) = C.metadataFree m
 freeOpContext (OpSendMessageContext (bb, s)) =
   C.grpcByteBufferDestroy bb >> C.freeSlice s
 freeOpContext OpSendCloseFromClientContext = return ()
-freeOpContext (OpSendStatusFromServerContext metadata _ _ _) =
-  C.metadataFree metadata
+freeOpContext (OpSendStatusFromServerContext metadata _ _ s) =
+  C.metadataFree metadata >> C.freeSlice s
 freeOpContext (OpRecvInitialMetadataContext metadata) =
   C.metadataArrayDestroy metadata
 freeOpContext (OpRecvMessageContext pbb) =

@neongreen
Copy link

Latest commits in this branch:

Mask body of runOps to avoid a heap corruption
Fix sdist tarballs (#88) …
Upgrade to gRPC 1.22 (#85)

Latest commits in master:

Mask body of runOps to avoid a heap corruption (#89)
Free slice in OpSendStatusFromServerContext (#90) …
Fix sdist tarballs (#88) …
Upgrade to gRPC 1.22 (#85)

@neongreen
Copy link

neongreen commented Aug 29, 2019
edited
Loading

I'm starting to suspect that this branch is a red herring and the only reason it "fixed" our segfault is that our segfault is caused by #90, which happened not to be present in this branch. I will see if I can share the code.

@neongreen neongreen mentioned this pull request Aug 29, 2019
Closed
@cocreature cocreature mentioned this pull request Feb 1, 2021
Open
RichardWarfield pushed a commit to litxio/gRPC-haskell that referenced this pull request Apr 25, 2023
@j6carey @Gabriella439
Relax dhall upper bound. (awakesecurity#89)
47a55e6
RichardWarfield pushed a commit to litxio/gRPC-haskell that referenced this pull request Apr 25, 2023
@riz0id
Tests reuse encoding buffer (awakesecurity#89)
d310747 
* change: expose `Proto3.Wire.Reverse.Internal`
* change: export `smallChunkSize`, `metaDataAlign`, and `metaDataSize`
* change: export sealBuffer
* change: export BuildRState
* change: export `readTotal`, `readState`, `writeState`, `readSpace`, and `writeSpace`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Gabriella439 Gabriella439 Gabriella439 left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@cocreature @neongreen @Gabriella439