Open Bug 1645927 Opened 4 years ago Updated 4 years ago

When using LMDB, RKV crashes when attempting to read invalid database

Categories

(Toolkit :: Storage, defect, P3)

Product:
Toolkit
Component:
Storage
Type:
defect

Tracking

()

People

(Reporter: agi, Unassigned)

References

(Blocks 1 open bug)

Details

Probably not super high priority, but while writing a test I noticed that rkv crashes when trying to read from an invalid database (I wrote the string "this is garbage" in the data.mdb file):

https://treeherder.mozilla.org/#/jobs?repo=try&revision=c6197e05c2531bbf6bf895a2de71f9a8b161cc24&selectedTaskRun=eCrzd_PUT2Ol-ThP-UvrWA.0

Crash dump filename: /tmp/xpc-other-hZYDch/5df61728-b423-b09e-2073-6b1a59f4196e.dmp
Operating system: Linux
                  0.0.0 Linux 4.4.0-1014-aws #14taskcluster1-Ubuntu SMP Tue Apr 3 10:27:00 UTC 2018 x86_64
CPU: amd64
     family 6 model 85 stepping 4
     2 CPUs
GPU: UNKNOWN
Crash reason:  SIGBUS / BUS_ADRERR
Crash address: 0x7f904d001090
Process uptime: not available
Thread 18 (crashed)
 0  libxul.so!mdb_env_stat [mdb.c:c6197e05c2531bbf6bf895a2de71f9a8b161cc24 : 9676 + 0x11]
    rax = 0x0000000000000000   rdx = 0x0000000000000000  
    rcx = 0x00007f904d001010   rbx = 0x00007f904d8c9100  
    rsi = 0x00007f904d2b9300   rdi = 0x00007f904d895300  
    rbp = 0x00007f904d2b9530   rsp = 0x00007f904d2b9298  
     r8 = 0x0000000000000000    r9 = 0x00007f904d8ef4f0   
    r10 = 0x0000000000000027   r11 = 0x0000000000000000  
    r12 = 0x00007f904d2b93e0   r13 = 0x00007f904d2ba980  
    r14 = 0x00007f904d14e8e0   r15 = 0x00007f9066686370  
    rip = 0x00007f9063f629f0
    Found by: given as instruction pointer in context    
 1  libxul.so!<kvstore::task::GetOrCreateTask as moz_task::Task>::run [task.rs:c6197e05c2531bbf6bf895a2de71f9a8b161cc24 : 191 + 0x30]
    rbx = 0x00007f904d8c9100   rbp = 0x00007f904d2b9530  
    rsp = 0x00007f904d2b92a0   r12 = 0x00007f904d2b93e0  
    r13 = 0x00007f904d2ba980   r14 = 0x00007f904d14e8e0  
    r15 = 0x00007f9066686370   rip = 0x00007f906356d18f  
    Found by: call frame info
 2  libxul.so!moz_task::TaskRunnable::allocate::Run [lib.rs:c6197e05c2531bbf6bf895a2de71f9a8b161cc24 : 163 + 0x3c]
    rbx = 0x00007f904d8c9b00   rbp = 0x00007f904d2b9560  
    rsp = 0x00007f904d2b9540   r12 = 0x0000000000000000  
    r13 = 0x00007f9053578280   r14 = 0x0000000000000001  
    r15 = 0x00007f904d8c9b00   rip = 0x00007f90635b7dfc  
    Found by: call frame info
Blocks: rkv-fuzzing

Thanks for filing this! Indeed the LMDB backend (which should not be used) does not graciously handle malformed or corrupted databases. This isn't the case for the SafeMode backend (which every new product using RKV should be using), which gracefully returns a Result with an Error.

A while back, Symas has confirmed that they're not interested in dealing with garbage in database files in any meaningful way, so crashing is what we're stuck with so far (again: don't use LDMB, use SafeMode, which doesn't suffer from this).

Severity: -- → S3
Priority: -- → P3
Blocks: rkv-perf-mode
No longer blocks: rkv-fuzzing
Summary: rkv crashes when attempting to read invalid database → When using LMDB, RKV crashes when attempting to read invalid database
You need to log in before you can comment on or make changes to this bug.