Sanitize dump payload: ziplist, listpack, zipmap, intset, stream

When loading an encoded payload we will at least do a shallow validation to check that the size that's encoded in the payload matches the size of the allocation. This let's us later use this encoded size to make sure the various offsets inside encoded payload don't reach outside the allocation, if they do, we'll assert/panic, but at least we won't segfault or smear memory. We can also do 'deep' validation which runs on all the records of the encoded payload and validates that they don't contain invalid offsets. This lets us detect corruptions early and reject a RESTORE command rather than accepting it and asserting (crashing) later when accessing that payload via some command. configuration: - adding ACL flag skip-sanitize-payload - adding config sanitize-dump-payload [yes/no/clients] For now, we don't have a good way to ensure MIGRATE in cluster resharding isn't being slowed down by these sanitation, so i'm setting the default value to `no`, but later on it should be set to `clients` by default. changes: - changing rdbReportError not to `exit` in RESTORE command - adding a new stat to be able to later check if cluster MIGRATE isn't being slowed down by sanitation.
author: Oran Agra <oran@redislabs.com> 2020-08-13 16:41:05 +0300
committer: Oran Agra <oran@redislabs.com> 2020-12-06 14:54:34 +0200
commit: ca1c182567add4092e9cb6ea829e9c5193e8fd55 (patch)
tree: c4ccd1e235d797066dda7e24bccec9b5473d7981 /tests/integration/corrupt-dump.tcl
parent: c4fdf09c0584a3cee32b92f01b7958c72776aedc (diff)
download: redis-ca1c182567add4092e9cb6ea829e9c5193e8fd55.tar.gz
1 files changed, 178 insertions, 0 deletions
diff --git a/tests/integration/corrupt-dump.tcl b/tests/integration/corrupt-dump.tcl
new file mode 100644
index 000000000..9864036d2
--- /dev/null
+++ b/tests/integration/corrupt-dump.tcl
@@ -0,0 +1,178 @@
+# tests of corrupt ziplist payload with valid CRC
+
+tags {"dump" "corruption"} {
+
+set corrupt_payload_7445 "\x0E\x01\x1D\x1D\x00\x00\x00\x16\x00\x00\x00\x03\x00\x00\x04\x43\x43\x43\x43\x06\x04\x42\x42\x42\x42\x06\x3F\x41\x41\x41\x41\xFF\x09\x00\x88\xA5\xCA\xA8\xC5\x41\xF4\x35"
+
+test {corrupt payload: #7445 - with sanitize} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        r config set sanitize-dump-payload yes
+        catch {
+            r restore key 0 $corrupt_payload_7445
+        } err
+        assert_match "*Bad data format*" $err
+        verify_log_message 0 "*Ziplist integrity check failed*" 0
+    }
+}
+
+test {corrupt payload: #7445 - without sanitize - 1} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        r config set sanitize-dump-payload no
+        r config set crash-memcheck-enabled no ;# avoid valgrind issues
+        r restore key 0 $corrupt_payload_7445
+        catch {r lindex key 2}
+        verify_log_message 0 "*ASSERTION FAILED*" 0
+    }
+}
+
+test {corrupt payload: #7445 - without sanitize - 2} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        r config set sanitize-dump-payload no
+        r config set crash-memcheck-enabled no ;# avoid valgrind issues
+        r restore key 0 $corrupt_payload_7445
+        catch {r lset key 2 "BEEF"}
+        verify_log_message 0 "*ASSERTION FAILED*" 0
+    }
+}
+
+test {corrupt payload: hash with valid zip list header, invalid entry len} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        r restore key 0 "\x0D\x1B\x1B\x00\x00\x00\x16\x00\x00\x00\x04\x00\x00\x02\x61\x00\x04\x02\x62\x00\x04\x14\x63\x00\x04\x02\x64\x00\xFF\x09\x00\xD9\x10\x54\x92\x15\xF5\x5F\x52"
+        r config set crash-memcheck-enabled no ;# avoid valgrind issues
+        r config set hash-max-ziplist-entries 1
+        catch {r hset key b b}
+        verify_log_message 0 "*zipEntrySafe*" 0
+    }
+}
+
+test {corrupt payload: invalid zlbytes header} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        catch {
+            r restore key 0 "\x0D\x1B\x25\x00\x00\x00\x16\x00\x00\x00\x04\x00\x00\x02\x61\x00\x04\x02\x62\x00\x04\x02\x63\x00\x04\x02\x64\x00\xFF\x09\x00\xB7\xF7\x6E\x9F\x43\x43\x14\xC6"
+        } err
+        assert_match "*Bad data format*" $err
+    }
+}
+
+test {corrupt payload: valid zipped hash header, dup records} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        r restore key 0 "\x0D\x1B\x1B\x00\x00\x00\x16\x00\x00\x00\x04\x00\x00\x02\x61\x00\x04\x02\x62\x00\x04\x02\x61\x00\x04\x02\x64\x00\xFF\x09\x00\xA1\x98\x36\x78\xCC\x8E\x93\x2E"
+        r config set crash-memcheck-enabled no ;# avoid valgrind issues
+        r config set hash-max-ziplist-entries 1
+        # cause an assertion when converting to hash table
+        catch {r hset key b b}
+        verify_log_message 0 "*ziplist with dup elements dump*" 0
+    }
+}
+
+test {corrupt payload: quicklist big ziplist prev len} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        r restore key 0 "\x0E\x01\x13\x13\x00\x00\x00\x0E\x00\x00\x00\x02\x00\x00\x02\x61\x00\x0E\x02\x62\x00\xFF\x09\x00\x49\x97\x30\xB2\x0D\xA1\xED\xAA"
+        r config set crash-memcheck-enabled no ;# avoid valgrind issues
+        catch {r lindex key -2}
+        verify_log_message 0 "*ASSERTION FAILED*" 0
+    }
+}
+
+test {corrupt payload: quicklist small ziplist prev len} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        r config set sanitize-dump-payload yes
+        catch {
+            r restore key 0 "\x0E\x01\x13\x13\x00\x00\x00\x0E\x00\x00\x00\x02\x00\x00\x02\x61\x00\x02\x02\x62\x00\xFF\x09\x00\xC7\x71\x03\x97\x07\x75\xB0\x63"
+        } err
+        assert_match "*Bad data format*" $err
+        verify_log_message 0 "*Ziplist integrity check failed*" 0
+    }
+}
+
+test {corrupt payload: quicklist ziplist wrong count} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        r restore key 0 "\x0E\x01\x13\x13\x00\x00\x00\x0E\x00\x00\x00\x03\x00\x00\x02\x61\x00\x04\x02\x62\x00\xFF\x09\x00\x4D\xE2\x0A\x2F\x08\x25\xDF\x91"
+        r lpush key a
+        # check that the server didn't crash
+        r ping
+    }
+}
+
+test {corrupt payload: #3080 - quicklist} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        catch {
+            r RESTORE key 0 "\x0E\x01\x80\x00\x00\x00\x10\x41\x41\x41\x41\x41\x41\x41\x41\x02\x00\x00\x80\x41\x41\x41\x41\x07\x00\x03\xC7\x1D\xEF\x54\x68\xCC\xF3"
+            r DUMP key
+        }
+        assert_match "*Bad data format*" $err
+        verify_log_message 0 "*Ziplist integrity check failed*" 0
+    }
+}
+
+test {corrupt payload: #3080 - ziplist} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        catch {
+            r RESTORE key 0 "\x0A\x80\x00\x00\x00\x10\x41\x41\x41\x41\x41\x41\x41\x41\x02\x00\x00\x80\x41\x41\x41\x41\x07\x00\x39\x5B\x49\xE0\xC1\xC6\xDD\x76"
+        }
+        assert_match "*Bad data format*" $err
+        verify_log_message 0 "*Ziplist integrity check failed*" 0
+    }
+}
+
+test {corrupt payload: load corrupted rdb with no CRC - #3505} {
+    set server_path [tmpdir "server.rdb-corruption-test"]
+    exec cp tests/assets/corrupt_ziplist.rdb $server_path
+    set srv [start_server [list overrides [list "dir" $server_path "dbfilename" "corrupt_ziplist.rdb" loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no]]]
+
+    # wait for termination
+    wait_for_condition 100 50 {
+        ! [is_alive $srv]
+    } else {
+        fail "rdb loading didn't fail"
+    }
+
+    set stdout [dict get $srv stdout]
+    assert_equal [count_message_lines $stdout "Terminating server after rdb file reading failure."]  1
+    assert_lessthan 1 [count_message_lines $stdout "Ziplist integrity check failed"]
+    kill_server $srv ;# let valgrind look for issues
+}
+
+test {corrupt payload: listpack invalid size header} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        catch {
+            r restore key 0 "\x0F\x01\x10\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x40\x55\x5F\x00\x00\x00\x0F\x00\x01\x01\x00\x01\x02\x01\x88\x31\x00\x00\x00\x00\x00\x00\x00\x09\x88\x32\x00\x00\x00\x00\x00\x00\x00\x09\x00\x01\x00\x01\x00\x01\x00\x01\x02\x02\x88\x31\x00\x00\x00\x00\x00\x00\x00\x09\x88\x61\x00\x00\x00\x00\x00\x00\x00\x09\x88\x32\x00\x00\x00\x00\x00\x00\x00\x09\x88\x62\x00\x00\x00\x00\x00\x00\x00\x09\x08\x01\xFF\x0A\x01\x00\x00\x09\x00\x45\x91\x0A\x87\x2F\xA5\xF9\x2E"
+        } err
+        assert_match "*Bad data format*" $err
+        verify_log_message 0 "*Stream listpack integrity check failed*" 0
+    }
+}
+
+test {corrupt payload: listpack too long entry len} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        r restore key 0 "\x0F\x01\x10\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x40\x55\x55\x00\x00\x00\x0F\x00\x01\x01\x00\x01\x02\x01\x88\x31\x00\x00\x00\x00\x00\x00\x00\x09\x88\x32\x00\x00\x00\x00\x00\x00\x00\x09\x00\x01\x00\x01\x00\x01\x00\x01\x02\x02\x89\x31\x00\x00\x00\x00\x00\x00\x00\x09\x88\x61\x00\x00\x00\x00\x00\x00\x00\x09\x88\x32\x00\x00\x00\x00\x00\x00\x00\x09\x88\x62\x00\x00\x00\x00\x00\x00\x00\x09\x08\x01\xFF\x0A\x01\x00\x00\x09\x00\x40\x63\xC9\x37\x03\xA2\xE5\x68"
+        catch {
+            r xinfo stream key full
+        } err
+        verify_log_message 0 "*ASSERTION FAILED*" 0
+    }
+}
+
+test {corrupt payload: listpack very long entry len} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        r restore key 0 "\x0F\x01\x10\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x40\x55\x55\x00\x00\x00\x0F\x00\x01\x01\x00\x01\x02\x01\x88\x31\x00\x00\x00\x00\x00\x00\x00\x09\x88\x32\x00\x00\x00\x00\x00\x00\x00\x09\x00\x01\x00\x01\x00\x01\x00\x01\x02\x02\x88\x31\x00\x00\x00\x00\x00\x00\x00\x09\x88\x61\x00\x00\x00\x00\x00\x00\x00\x09\x88\x32\x00\x00\x00\x00\x00\x00\x00\x09\x9C\x62\x00\x00\x00\x00\x00\x00\x00\x09\x08\x01\xFF\x0A\x01\x00\x00\x09\x00\x63\x6F\x42\x8E\x7C\xB5\xA2\x9D"
+        catch {
+            r xinfo stream key full
+        } err
+        verify_log_message 0 "*ASSERTION FAILED*" 0
+    }
+}
+
+test {corrupt payload: listpack too long entry prev len} {
+    start_server [list overrides [list loglevel verbose use-exit-on-panic yes crash-memcheck-enabled no] ] {
+        r config set sanitize-dump-payload yes
+        catch {
+            r restore key 0 "\x0F\x01\x10\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00\x02\x40\x55\x55\x00\x00\x00\x0F\x00\x01\x01\x00\x15\x02\x01\x88\x31\x00\x00\x00\x00\x00\x00\x00\x09\x88\x32\x00\x00\x00\x00\x00\x00\x00\x09\x00\x01\x00\x01\x00\x01\x00\x01\x02\x02\x88\x31\x00\x00\x00\x00\x00\x00\x00\x09\x88\x61\x00\x00\x00\x00\x00\x00\x00\x09\x88\x32\x00\x00\x00\x00\x00\x00\x00\x09\x88\x62\x00\x00\x00\x00\x00\x00\x00\x09\x08\x01\xFF\x0A\x01\x00\x00\x09\x00\x06\xFB\x44\x24\x0A\x8E\x75\xEA"
+        } err
+        assert_match "*Bad data format*" $err
+        verify_log_message 0 "*Stream listpack integrity check failed*" 0
+    }
+}
+
+} ;# tags
+
author	Oran Agra <oran@redislabs.com>	2020-08-13 16:41:05 +0300
committer	Oran Agra <oran@redislabs.com>	2020-12-06 14:54:34 +0200
commit	ca1c182567add4092e9cb6ea829e9c5193e8fd55 (patch)
tree	c4ccd1e235d797066dda7e24bccec9b5473d7981 /tests/integration/corrupt-dump.tcl
parent	c4fdf09c0584a3cee32b92f01b7958c72776aedc (diff)
download	redis-ca1c182567add4092e9cb6ea829e9c5193e8fd55.tar.gz