Input found by gofuzz can crash the alpha server #2900

Closed
gitlw opened this issue Jan 16, 2019 · 3 comments · Fixed by #2914
Labels: kind/bug (Something is broken.)

Comments

gitlw commented Jan 16, 2019

If you suspect this could be a bug, follow the template.

  • What version of Dgraph are you using?
    v1.0.12-rc3-4-g4e2895d9

  • Have you tried reproducing the issue with latest release?
    Yes

  • What is the hardware spec (RAM, OS)?

  • Steps to reproduce the issue (command/config used to run Dgraph).
    Run the alpha server through run-single.sh inside dgraph/dgraph
    Run the query
    curl http://localhost:8180/query -d @query.txt

where query.txt has the following data:
{e(orderasc:#

Then the alpha server will crash with the following stack trace:

bank-dg1  | I0116 00:08:54.658719       1 server.go:445] Got a query: query:"{e(orderasc:#" 
bank-dg1  | 2019/01/16 00:08:54 http: panic serving 172.18.0.1:58232: runtime error: index out of range
bank-dg1  | goroutine 448 [running]:
bank-dg1  | net/http.(*conn).serve.func1(0xc00ac5b040)
bank-dg1  | 	/usr/local/go/src/net/http/server.go:1746 +0xd0
bank-dg1  | panic(0x1336f00, 0x1ed21e0)
bank-dg1  | 	/usr/local/go/src/runtime/panic.go:513 +0x1b9
bank-dg1  | github.com/dgraph-io/dgraph/gql.getRoot(0xc00ad258d0, 0xc000073a50, 0xc00ad25828, 0x1107bb6)
bank-dg1  | 	/home/lucas/go/src/github.com/dgraph-io/dgraph/gql/parser.go:2318 +0x258d
bank-dg1  | github.com/dgraph-io/dgraph/gql.getQuery(0xc00ad258d0, 0x14b60d0, 0xc00af74fc0, 0xc00af7b9e0)
bank-dg1  | 	/home/lucas/go/src/github.com/dgraph-io/dgraph/gql/parser.go:762 +0x58
bank-dg1  | github.com/dgraph-io/dgraph/gql.Parse(0xc00af17270, 0xd, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
bank-dg1  | 	/home/lucas/go/src/github.com/dgraph-io/dgraph/gql/parser.go:508 +0x1c1
bank-dg1  | github.com/dgraph-io/dgraph/edgraph.(*Server).Query(0xc00ac4fc40, 0x159f980, 0xc00af7b980, 0xc00ac9caa0, 0xc00af74f00, 0x0, 0x0)
bank-dg1  | 	/home/lucas/go/src/github.com/dgraph-io/dgraph/edgraph/server.go:471 +0x2fc
bank-dg1  | github.com/dgraph-io/dgraph/dgraph/cmd/alpha.queryHandler(0x159e980, 0xc00042a380, 0xc0000c1500)
bank-dg1  | 	/home/lucas/go/src/github.com/dgraph-io/dgraph/dgraph/cmd/alpha/http.go:168 +0x2cf
bank-dg1  | net/http.HandlerFunc.ServeHTTP(0x14b5e28, 0x159e980, 0xc00042a380, 0xc0000c1500)
bank-dg1  | 	/usr/local/go/src/net/http/server.go:1964 +0x44
bank-dg1  | net/http.(*ServeMux).ServeHTTP(0x1f91320, 0x159e980, 0xc00042a380, 0xc0000c1500)
bank-dg1  | 	/usr/local/go/src/net/http/server.go:2361 +0x127
bank-dg1  | net/http.serverHandler.ServeHTTP(0xc0004a8000, 0x159e980, 0xc00042a380, 0xc0000c1500)
bank-dg1  | 	/usr/local/go/src/net/http/server.go:2741 +0xab
bank-dg1  | net/http.(*conn).serve(0xc00ac5b040, 0x159f8c0, 0xc00acdda80)
bank-dg1  | 	/usr/local/go/src/net/http/server.go:1847 +0x646
bank-dg1  | created by net/http.(*Server).Serve
bank-dg1  | 	/usr/local/go/src/net/http/server.go:2851 +0x2f5
  • Expected behaviour and actual result.
    The alpha server should return an error saying the input is invalid.
srfrog commented Jan 16, 2019

Adding a len() might fix this crash, but the bug isn't really there, most likely.

gitlw commented Jan 16, 2019

@srfrog It is indeed a bug.

@gitlw gitlw self-assigned this Jan 16, 2019
manishrjain (Contributor) commented

Great find. As discussed, we should be iterating over the lexer output to check for any errors upfront, before we start to use it to generate the query tree.
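One way to implement the upfront check manishrjain describes, as an added example that is not Dgraph's own code: a toy lexer emits an "error" item when it hits the unexpected `#`, and the parser walks the whole item stream for such items before it indexes into it by position, so the input from this issue produces an error instead of an index-out-of-range panic. The item struct and the lex, checkLexErrors and ParseRoot functions are hypothetical names chosen for this example.

```go
package main
import ("errors"; "fmt"; "strings"; "unicode")

// Toy lexer output; an "error" item is how the lexer reports malformed input.
type item struct{ typ, val string } // typ: "punct", "name", "error", "eof"

// lex tokenizes s and stops at the first unexpected rune with an error item.
func lex(s string) []item {
	var items []item
	rs := []rune(s)
	for i := 0; i < len(rs); i++ {
		switch r := rs[i]; {
		case strings.ContainsRune("{}():", r):
			items = append(items, item{"punct", string(r)})
		case unicode.IsLetter(r):
			j := i
			for j < len(rs) && unicode.IsLetter(rs[j]) { j++ }
			items = append(items, item{"name", string(rs[i:j])})
			i = j - 1 // the loop's i++ then moves past the name
		default:
			return append(items, item{"error", fmt.Sprintf("unexpected %q at offset %d", r, i)})
		}
	}
	return append(items, item{"eof", ""})
}

// checkLexErrors is the upfront pass manishrjain describes: walk the whole
// item stream and reject the input before any parser code indexes into it.
func checkLexErrors(items []item) error {
	for _, it := range items {
		if it.typ == "error" {
			return errors.New("lex error: " + it.val)
		}
	}
	return nil
}

// ParseRoot returns the root function name ("e" for "{e(orderasc:name)}");
// positional access is bounds-checked and happens only after the error pass.
func ParseRoot(query string) (string, error) {
	items := lex(query)
	if err := checkLexErrors(items); err != nil {
		return "", err
	}
	if len(items) < 3 || items[0].val != "{" || items[1].typ != "name" || items[2].val != "(" {
		return "", errors.New("expected '{name(' at start of query")
	}
	return items[1].val, nil
}
func main() { fmt.Println(ParseRoot("{e(orderasc:#")) }
```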
