
[BUG] Panic out of memory in backupds

Open AdamKorcz opened this issue 4 years ago • 0 comments

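Describe the bug: The process crashes with an out-of-memory error when github.com/filecoin-project/lotus/lib/backupds.RestoreInto() is called with a crafted byte array. The stack trace below reports it as a Go runtime fatal error ("fatal error: runtime: out of memory"), which, unlike an ordinary panic, a caller cannot intercept with recover(). The allocation comes from runtime.makeslice, called by cbor-gen's ReadByteArray from backupds.ReadBackup, and the requested size (0x71be82829f bytes) is far larger than the 20-byte input.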

Version (run lotus version): The bug was found yesterday on the master branch.

To Reproduce

Dockerfile:

# Reproduction image for the report: builds lotus from source, then runs poc.go
# as the last step of the image build, so the crash shows up as a failed
# `docker build` step rather than at container run time.
FROM golang:1.16.5-buster
# Packages installed before `make`; presumably the lotus build dependencies
# (confirm against the lotus build instructions).
RUN apt-get update && apt-get install -y mesa-opencl-icd ocl-icd-opencl-dev gcc \
    git bzr jq pkg-config curl clang build-essential hwloc libhwloc-dev
WORKDIR /src
COPY poc.go /src/
# NOTE(review): the shallow clone takes whatever the default branch points at
# when the image is built. The report names no commit, so a later build may
# already include a fix and not reproduce the crash; to test a specific
# revision, check out a known commit (<commit-sha>, not given on this page).
# poc.go is copied into the checkout before `go run`, presumably so the
# backupds import resolves against the freshly built local module.
RUN git clone --depth 1 https://github.com/filecoin-project/lotus && \
    cd lotus && \
    make && \
    cp /src/poc.go . && \
    go run poc.go

poc.go:

package main


import (
    "bytes"
    "github.com/ipfs/go-datastore"
    "github.com/filecoin-project/lotus/lib/backupds"
)

// main replays the report's 20-byte input through backupds.RestoreInto
// against an in-memory map datastore.
//
// Read as CBOR headers, the input starts:
//
//	130 (0x82)  array of 2 items
//	159 (0x9f)  indefinite-length array
//	130 (0x82)  array of 2 items
//	91  (0x5b)  byte string whose length follows as 8 bytes
//	0, 0, 0, 113, 190, 130, 130, 159  -> declared length 0x71be82829f
//
// That declared length (roughly 455 GiB) is the size passed to
// runtime.makeslice in the reported stack trace, while only 8 bytes of input
// remain after the length field. In the trace, the word following
// ReadByteArray's reader argument is 0x10000000000 (1<<40), presumably its
// maximum-length argument (confirm against lib/backupds/read.go); the declared
// length is below that value, so a limit of that size would not reject it.
// The defensive takeaway is that a decoder should bound a declared length by
// what the input can realistically supply before allocating for it.
func main() {
    input := bytes.NewReader([]byte{
        130, 159, 130, 91, 0, 0, 0, 113, 190, 130,
        130, 159, 130, 91, 0, 0, 0, 113, 190, 130,
    })

    // The result is discarded, as in the report: on an affected build the
    // process aborts inside this call, so the return value is never observed.
    _ = backupds.RestoreInto(input, datastore.NewMapDatastore())
}

Then:

  1. Place both files in same dir
  2. Run docker build .

Expected behavior: Not a crash. Malformed input should result in a returned error rather than termination of the process.

Stacktrace

fatal error: runtime: out of memory

runtime stack:
runtime.throw(0x60e164, 0x16)
        /usr/local/go/src/runtime/panic.go:1117 +0x72
runtime.sysMap(0xc004000000, 0x71c0000000, 0x7993f0)
        /usr/local/go/src/runtime/mem_linux.go:169 +0xc6
runtime.(*mheap).sysAlloc(0x780c40, 0x71bec00000, 0x42ce57, 0x780c48)
        /usr/local/go/src/runtime/malloc.go:729 +0x1e5
runtime.(*mheap).grow(0x780c40, 0x38df415, 0x0)
        /usr/local/go/src/runtime/mheap.go:1346 +0x85
runtime.(*mheap).allocSpan(0x780c40, 0x38df415, 0x460100, 0x20)
        /usr/local/go/src/runtime/mheap.go:1173 +0x609
runtime.(*mheap).alloc.func1()
        /usr/local/go/src/runtime/mheap.go:910 +0x59
runtime.systemstack(0x4699f4)
        /usr/local/go/src/runtime/asm_amd64.s:379 +0x66
runtime.mstart()
        /usr/local/go/src/runtime/proc.go:1246

goroutine 1 [running]:
runtime.systemstack_switch()
        /usr/local/go/src/runtime/asm_amd64.s:339 fp=0xc000113b70 sp=0xc000113b68 pc=0x469b20
runtime.(*mheap).alloc(0x780c40, 0x38df415, 0x101, 0x0)
        /usr/local/go/src/runtime/mheap.go:904 +0x85 fp=0xc000113bc0 sp=0xc000113b70 pc=0x428b05
runtime.(*mcache).allocLarge(0x7f425ec01108, 0x71be82829f, 0x101, 0x5c5ec0)
        /usr/local/go/src/runtime/mcache.go:224 +0x97 fp=0xc000113c18 sp=0xc000113bc0 pc=0x419317
runtime.mallocgc(0x71be82829f, 0x5c5ec0, 0x47f401, 0x1)
        /usr/local/go/src/runtime/malloc.go:1078 +0x925 fp=0xc000113ca0 sp=0xc000113c18 pc=0x40f285
runtime.makeslice(0x5c5ec0, 0x71be82829f, 0x71be82829f, 0x71be82829f)
        /usr/local/go/src/runtime/slice.go:98 +0x6c fp=0xc000113cd0 sp=0xc000113ca0 pc=0x44e94c
github.com/whyrusleeping/cbor-gen.ReadByteArray(0x649160, 0xc00005e200, 0x10000000000, 0x9, 0x1, 0x0, 0x0, 0x0)
        /go/pkg/mod/github.com/whyrusleeping/[email protected]/utils.go:477 +0x99 fp=0xc000113d48 sp=0xc000113cd0 pc=0x5604f9
github.com/filecoin-project/lotus/lib/backupds.ReadBackup(0x648ec0, 0xc00007f170, 0xc000113f00, 0x0, 0x0, 0x40f418)
        /src/lotus/lib/backupds/read.go:53 +0x395 fp=0xc000113ea8 sp=0xc000113d48 pc=0x5aa295
github.com/filecoin-project/lotus/lib/backupds.RestoreInto(0x648ec0, 0xc00007f170, 0x64c4b8, 0xc000010060, 0x200, 0x0)
        /src/lotus/lib/backupds/read.go:125 +0x129 fp=0xc000113f28 sp=0xc000113ea8 pc=0x5ab289
main.main()
        /src/lotus/poc.go:19 +0x146 fp=0xc000113f88 sp=0xc000113f28 pc=0x5ab726
runtime.main()
        /usr/local/go/src/runtime/proc.go:225 +0x256 fp=0xc000113fe0 sp=0xc000113f88 pc=0x4399f6
runtime.goexit()
        /usr/local/go/src/runtime/asm_amd64.s:1371 +0x1 fp=0xc000113fe8 sp=0xc000113fe0 pc=0x46b961
exit status 2

AdamKorcz avatar Jun 09 '21 17:06 AdamKorcz