=== REDIS BUG REPORT START: Cut & paste starting from here ===
9215:M 30 Nov 2019 22:36:12.632 # Redis 999.999.999 crashed by signal: 11
9215:M 30 Nov 2019 22:36:12.632 # Crashed running the instruction at: 0x55d4daa531e9
9215:M 30 Nov 2019 22:36:12.632 # Accessing address: (nil)
9215:M 30 Nov 2019 22:36:12.632 # Failed assertion:
------ STACK TRACE ------
EIP:
./src/redis-server *:6379(je_large_dalloc+0x29)[0x55d4daa531e9]

Backtrace:
./src/redis-server *:6379(logStackTrace+0x5a)[0x55d4da99967a]
./src/redis-server *:6379(sigsegvHandler+0xb1)[0x55d4da999e31]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x12890)[0x7fc41e0f0890]
./src/redis-server *:6379(je_large_dalloc+0x29)[0x55d4daa531e9]
./src/redis-server *:6379(clientAcceptHandler+0x13f)[0x55d4da961c6f]
./src/redis-server *:6379(+0xd30c6)[0x55d4da9e50c6]
./src/redis-server *:6379(+0x4fd3a)[0x55d4da961d3a]
./src/redis-server *:6379(acceptTcpHandler+0x6b)[0x55d4da961e4b]
./src/redis-server *:6379(aeProcessEvents+0x149)[0x55d4da94d519]
./src/redis-server *:6379(aeMain+0x2b)[0x55d4da94d98b]
./src/redis-server *:6379(main+0x520)[0x55d4da94a4b0]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x7fc41dd0eb97]
./src/redis-server *:6379(_start+0x2a)[0x55d4da94a6ea]
------ INFO OUTPUT ------
Server
redis_version:999.999.999 redis_git_sha1:a1b65481 redis_git_dirty:0 redis_build_id:443dd9add5fcae7 redis_mode:standalone os:Linux 4.15.0-66-generic x86_64 arch_bits:64 multiplexing_api:epoll atomicvar_api:atomic-builtin gcc_version:7.4.0 process_id:9215 run_id:ca5672780ea5b71a41080ff3f8133e50b987c30b tcp_port:6379 uptime_in_seconds:30082 uptime_in_days:0 hz:10 configured_hz:10 lru_clock:14843484 executable:/home/jin/Documents/cve/redis/./src/redis-server config_file:
Clients
connected_clients:0 client_recent_max_input_buffer:4 client_recent_max_output_buffer:0 blocked_clients:0 tracking_clients:0
Memory
used_memory:461304 used_memory_human:450.49K used_memory_rss:5599232 used_memory_rss_human:5.34M used_memory_peak:585656 used_memory_peak_human:571.93K used_memory_peak_perc:78.77% used_memory_overhead:523680 used_memory_startup:523608 used_memory_dataset:18446744073709489240 used_memory_dataset_perc:1844674407370955161600.00% allocator_allocated:535856 allocator_active:770048 allocator_resident:3883008 total_system_memory:16766013440 total_system_memory_human:15.61G used_memory_lua:37888 used_memory_lua_human:37.00K used_memory_scripts:0 used_memory_scripts_human:0B number_of_cached_scripts:0 maxmemory:0 maxmemory_human:0B maxmemory_policy:noeviction allocator_frag_ratio:1.44 allocator_frag_bytes:234192 allocator_rss_ratio:5.04 allocator_rss_bytes:3112960 rss_overhead_ratio:1.44 rss_overhead_bytes:1716224 mem_fragmentation_ratio:12.14 mem_fragmentation_bytes:5137992 mem_not_counted_for_evict:0 mem_replication_backlog:0 mem_clients_slaves:0 mem_clients_normal:0 mem_aof_buffer:0 mem_allocator:jemalloc-5.1.0 active_defrag_running:0 lazyfree_pending_objects:0
Persistence
loading:0 rdb_changes_since_last_save:0 rdb_bgsave_in_progress:0 rdb_last_save_time:1575098091 rdb_last_bgsave_status:ok rdb_last_bgsave_time_sec:0 rdb_current_bgsave_time_sec:-1 rdb_last_cow_size:159744 aof_enabled:0 aof_rewrite_in_progress:0 aof_rewrite_scheduled:0 aof_last_rewrite_time_sec:-1 aof_current_rewrite_time_sec:-1 aof_last_bgrewrite_status:ok aof_last_write_status:ok aof_last_cow_size:0 module_fork_in_progress:0 module_fork_last_cow_size:0
Stats
total_connections_received:626 total_commands_processed:624 instantaneous_ops_per_sec:0 total_net_input_bytes:660487 total_net_output_bytes:28460 instantaneous_input_kbps:0.00 instantaneous_output_kbps:0.00 rejected_connections:4 sync_full:0 sync_partial_ok:0 sync_partial_err:0 expired_keys:0 expired_stale_perc:0.00 expired_time_cap_reached_count:0 expire_cycle_cpu_milliseconds:450 evicted_keys:0 keyspace_hits:0 keyspace_misses:0 pubsub_channels:0 pubsub_patterns:0 latest_fork_usec:376 migrate_cached_sockets:0 slave_expires_tracked_keys:0 active_defrag_hits:0 active_defrag_misses:0 active_defrag_key_hits:0 active_defrag_key_misses:0 tracking_used_slots:0
Replication
role:master connected_slaves:0 master_replid:26e74a5684e9555d93bc50febfe4d14ebd440c5a master_replid2:0000000000000000000000000000000000000000 master_repl_offset:0 second_repl_offset:-1 repl_backlog_active:0 repl_backlog_size:1048576 repl_backlog_first_byte_offset:0 repl_backlog_histlen:0
CPU
used_cpu_sys:18.329356 used_cpu_user:21.013227 used_cpu_sys_children:0.002555 used_cpu_user_children:0.000000
Modules
Commandstats
cmdstat_restore:calls=624,usec=659,usec_per_call=1.06
Cluster
cluster_enabled:0
Keyspace
db0:keys=1,expires=0,avg_ttl=0
------ CLIENT LIST OUTPUT ------
------ REGISTERS ------ 9215:M 30 Nov 2019 22:36:12.635 # RAX:0000000000000000 RBX:00007fc41d815140 RCX:000055d4daaa47c0 RDX:000055d4dacfdb40 RDI:00007fc41eca6730 RSI:0000000000000000 RBP:00007fc41eca6730 RSP:00007fff5c0d1c50 R8 :0000000000000000 R9 :0000000000000004 R10:00000000000000eb R11:00000000000000eb R12:0000000000000000 R13:000055d4dacfa860 R14:00007fff5c0d1dac R15:0000000000000007 RIP:000055d4daa531e9 EFL:0000000000010246 CSGSFS:002b000000000033 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c5f) -> 72c9219fde312600 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c5e) -> 7902000000000000 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c5d) -> 0000000000000000 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c5c) -> 0000000000000000 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c5b) -> 0000000000000000 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c5a) -> 0000000000000000 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c59) -> 00003130322e3936 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c58) -> 2e3930312e303531 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c57) -> 000055d4da961c6f 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c56) -> 00007fff5c0d1dac 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c55) -> 000055d4dacfa860 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c54) -> 00007fff5c0d1c90 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c53) -> 00007fc41d829c40 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c52) -> 00007fc41d815140 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c51) -> 72c9219fde312600 9215:M 30 Nov 2019 22:36:12.635 # (00007fff5c0d1c50) -> 000055d4dacfa860
------ MODULES INFO OUTPUT ------
------ FAST MEMORY TEST ------ 9215:M 30 Nov 2019 22:36:12.636 # Bio thread for job type #0 terminated 9215:M 30 Nov 2019 22:36:12.636 # Bio thread for job type #1 terminated 9215:M 30 Nov 2019 22:36:12.636 # Bio thread for job type #2 terminated *** Preparing to test memory region 55d4dace5000 (2260992 bytes) *** Preparing to test memory region 55d4db8e0000 (135168 bytes) *** Preparing to test memory region 7fc41aa2c000 (8388608 bytes) *** Preparing to test memory region 7fc41b22d000 (8388608 bytes) *** Preparing to test memory region 7fc41ba2e000 (8388608 bytes) *** Preparing to test memory region 7fc41c22f000 (8388608 bytes) *** Preparing to test memory region 7fc41d400000 (8388608 bytes) *** Preparing to test memory region 7fc41e0da000 (16384 bytes) *** Preparing to test memory region 7fc41e2f9000 (16384 bytes) *** Preparing to test memory region 7fc41eca6000 (32768 bytes) *** Preparing to test memory region 7fc41ecd0000 (4096 bytes) .O.O.O.O.O.O.O.O.O.O.O Fast memory test PASSED, however your memory can still be broken. Please run a memory test for several hours if possible.
------ DUMPING CODE AROUND EIP ------ Symbol: je_large_dalloc (base: 0x55d4daa531c0) Module: ./src/redis-server *:6379 (base 0x55d4da912000) $ xxd -r -p /tmp/dump.hex /tmp/dump.bin $ objdump --adjust-vma=0x55d4daa531c0 -D -b binary -m i386:x86-64 /tmp/dump.bin
9215:M 30 Nov 2019 22:36:12.726 # dump of function (hexdump of 169 bytes): 41564155488d1575a92a004154554989f4534889fd4883ec1064488b042528000000488944240831c0488b0625ff0f0000488b1cc28b0d85a82a00488bb310680000390e0f8396000000803db6302900000f850a0100004c89e24889de4889efe8cb50fcff4889e24c89e14889de4889ef48c7042400000000e8e24cfcff4885ed743c488b8db80100004c8ba3106800004885c9418b34240f84120100003b75040f830901000089f2 Function at 0x55d4daa182f0 is je_arena_extent_dalloc_large_prep Function at 0x55d4daa17f20 is je_arena_extents_dirty_dalloc
=== REDIS BUG REPORT END. Make sure to include from START to END. ===
version information
commit a1b654819cc0031ba30910afa1d68174d4f926ae (HEAD -> unstable, origin/unstable, origin/HEAD)
Merge: a4066989 ed226976
Author: Salvatore Sanfilippo <antirez@gmail.com>
Date: Mon Nov 25 17:54:21 2019 +0100
Merge pull request #6598 from oranagra/module-hook-test
try to fix an unstable test (module hook for loading progress)
Comment From: oranagra
what i see is a server with one key, that processed only RESTORE commands (unless CONFIG RESETSTAT was used). and i see it crashed in the allocator while trying to accept a new connection. very odd..
@ChijinZ did you figure this out eventually? i see this is an old copy of unstable, and i never saw anything similar to this, so i tend to assume this was just some flop.
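The reading in the comment above (one key, only RESTORE calls, a fault in the allocator under the accept path) can be pulled from the report mechanically. This is an added example, not part of the original thread or of Redis; the `triage` function and its field names are assumptions, and the input is an excerpt of the report on this page.

```python
import re

# Excerpt of the crash report on this page (unsymbolized frames and
# most INFO fields trimmed).
REPORT = """\
9215:M 30 Nov 2019 22:36:12.632 # Redis 999.999.999 crashed by signal: 11
9215:M 30 Nov 2019 22:36:12.632 # Accessing address: (nil)
------ STACK TRACE ------
EIP:
./src/redis-server *:6379(je_large_dalloc+0x29)[0x55d4daa531e9]
Backtrace:
./src/redis-server *:6379(logStackTrace+0x5a)[0x55d4da99967a]
./src/redis-server *:6379(sigsegvHandler+0xb1)[0x55d4da999e31]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x12890)[0x7fc41e0f0890]
./src/redis-server *:6379(je_large_dalloc+0x29)[0x55d4daa531e9]
./src/redis-server *:6379(clientAcceptHandler+0x13f)[0x55d4da961c6f]
./src/redis-server *:6379(acceptTcpHandler+0x6b)[0x55d4da961e4b]
------ INFO OUTPUT ------
cmdstat_restore:calls=624,usec=659,usec_per_call=1.06
db0:keys=1,expires=0,avg_ttl=0
"""

# A backtrace frame looks like "(symbol+0xoff)[0xaddr]"; symbol may be empty.
FRAME = re.compile(r"\((\w*)\+0x[0-9a-f]+\)\[(0x[0-9a-f]+)\]")

def triage(report):
    """Pull the fields a maintainer reads first out of a Redis crash report."""
    signal = int(re.search(r"crashed by signal: (\d+)", report).group(1))
    address = re.search(r"Accessing address: (\S+)", report).group(1)
    # The EIP section names the faulting instruction. The backtrace begins with
    # the crash handler's own frames, so skip ahead to the frame at that address.
    eip = FRAME.search(report, report.index("EIP:")).group(2)
    frames = [m.groups() for m in FRAME.finditer(report, report.index("Backtrace:"))]
    start = next(i for i, (_, addr) in enumerate(frames) if addr == eip)
    chain = [sym or "?" for sym, _ in frames[start:]]
    commands = {n: int(c) for n, c in re.findall(r"cmdstat_(\w+):calls=(\d+)", report)}
    keys = {int(d): int(k) for d, k in re.findall(r"\bdb(\d+):keys=(\d+)", report)}
    return {"signal": signal, "address": address, "fault": chain[0],
            "caller": chain[1], "commands": commands, "keys": keys}

if __name__ == "__main__":
    for field, value in triage(REPORT).items():
        print(f"{field}: {value}")
```

The regular expressions do not depend on line breaks, so the function also works on a report that was pasted with its lines run together.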
Comment From: carnil
It appears that CVE-2020-21468 was assigned for this issue.
Comment From: oranagra
Assigned by who? What's the point of a CVE if no one knows how it happened and how to reproduce it?
I suspect it was a bad build crashing right at startup (no commands, no clients, uptime of 0).
Also the crash report here is about a build from the unstable branch, not 5.0.7
Comment From: carnil
> Assigned by who? What's the point of a CVE if no one knows how it happened and how to reproduce it?
>
> I suspect it was a bad build crashing right at startup (no commands, no clients, uptime of 0). Also the crash report here is about a build from the unstable branch, not 5.0.7
Assigned through MITRE.
I do not know, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-21468 contains the references to this issue, but MITRE will not share the requestor. @ChijinZ might want to provide more information on how to reproduce, or otherwise the CVE should be disputed if it's not a valid issue.
Comment From: oranagra
If this turns out to be a real security issue, please share the info with redis@redis.io
Comment From: oranagra
no response... i'm closing this as an invalid report. seems like a bad build of unstable or something like that.