Details
- Bug
- Status: Resolved
- Normal
- Resolution: Fixed
- None
The check-only-after-doing-the-decompress logic appears to be in all current releases.
Here are some samples at different evolution points:
3.11.2:
- https://github.com/apache/cassandra/blob/cassandra-3.11.2/src/java/org/apache/cassandra/io/util/CompressedChunkReader.java#L146
- https://github.com/apache/cassandra/blob/cassandra-3.11.2/src/java/org/apache/cassandra/io/util/CompressedChunkReader.java#L207
3.5:
- https://github.com/apache/cassandra/blob/cassandra-3.5/src/java/org/apache/cassandra/io/compress/CompressedRandomAccessReader.java#L135
- https://github.com/apache/cassandra/blob/cassandra-3.5/src/java/org/apache/cassandra/io/compress/CompressedRandomAccessReader.java#L196
2.1.17:
- https://github.com/apache/cassandra/blob/cassandra-2.1.17/src/java/org/apache/cassandra/io/compress/CompressedRandomAccessReader.java#L122
Description
While checksums are (generally) performed on compressed data, the checksum test when reading is currently (in all variants of C* 2.x, 3.x I've looked at) done [on the compressed data] only after the uncompress operation has completed.
The issue here is that LZ4_decompress_fast (as documented in e.g. https://github.com/lz4/lz4/blob/dev/lib/lz4.h#L214) can result in memory overruns when provided with malformed source data. This in turn can (and does, e.g. in CASSANDRA-13757) lead to JVM crashes during the uncompress of corrupted chunks. The checksum operation would obviously detect the issue, but we'd never get to it if the JVM crashes first.
Moving the checksum test of the compressed data to before the uncompress operation (in cases where the checksum is done on compressed data) will resolve this issue.
Issue Links
- duplicates
  - CASSANDRA-13757 Cassandra 3.5.0 JVM Segfault Problem While Repair Job is Running (Resolved)
- is duplicated by
  - CASSANDRA-14283 Crash with SIGBUS (0x7), problematic frame LZ4_decompress_fast (Resolved)
  - CASSANDRA-13757 Cassandra 3.5.0 JVM Segfault Problem While Repair Job is Running (Resolved)