Skip to content

Crash when using google_grpc and cannot read secret_data from file #8941

Closed
Closed
Crash when using google_grpc and cannot read secret_data from file#8941
Labels
bughelp wantedNeeds help!
@howardjohn

Description

@howardjohn
howardjohn
opened on Nov 7, 2019

Issue Template

Title: Crash when using google_grpc and cannot read secret_data from file

Description:
We have some SDS config using google_grpc with call_credentials like so:

            "tls_certificate_sds_secret_configs":[
              {
                "name":"default",
                "sds_config":{
                  "api_config_source":{
                    "api_type":"GRPC",
                    "grpc_services":[
                      {
                        "google_grpc":{
                          "target_uri": "/path/to/uds",
                          "channel_credentials":{
                            "local_credentials":{
                            }
                          },
                          "call_credentials":[
                            {
                              "from_plugin":{
                                "name":"envoy.grpc_credentials.file_based_metadata",
                                "config":{
                                  "secret_data":{
                                    "filename": "/path/to/file"
                                  },
                                  "header_key":"istio_sds_credentials_header-bin"
                                }
                              }
                            }
                          ],
                          "credentials_factory_name":"envoy.grpc_credentials.file_based_metadata",
                          "stat_prefix":"sdsstat"
                        }
                      }
                    ]
                  }
                }
              }
            ],

When the filename reference in secret_data cannot be read, Envoy is crashing. In my case, this was due to file permissions, but apparently the same issue occurs from the file not being there at all.

Repro steps:
Sorry I don't have a minimal reproduction, but basically configure SDS like above and have the file not exist.

Call Stack:

If the Envoy binary is crashing, a call stack is required.

backtrace.h:75] #2: std::__terminate() [0x555b3618aa73]
backtrace.h:75] #3: Envoy::Config::DataSource::read() [0x555b35a1e900]
backtrace.h:75] #4: Envoy::Extensions::GrpcCredentials::FileBasedMetadata::FileBasedMetadataAuthenticator::GetMetadata() [0x555b34b422a0]
backtrace.h:75] #5: grpc::MetadataCredentialsPluginWrapper::InvokePlugin() [0x555b35a222e8]
backtrace.h:75] #6: std::__1::__function::__func<>::operator()() [0x555b35a23173]
backtrace.h:75] #7: grpc::DynamicThreadPool::ThreadFunc() [0x555b35a28a91]
backtrace.h:75] #8: grpc::DynamicThreadPool::DynamicThread::ThreadFunc() [0x555b35a287e5]
backtrace.h:75] #9: grpc_core::(anonymous namespace)::ThreadInternalsPosix::ThreadInternalsPosix()::{lambda()#1}::__invoke() [0x555b35aeda83]
backtrace.h:75] #10: start_thread [0x7f3edeb326db]

so its failing here https://github.com/envoyproxy/envoy/blob/master/source/extensions/grpc_credentials/file_based_metadata/config.cc#L65 then https://github.com/envoyproxy/envoy/blob/master/source/common/config/datasource.cc#L12. Looks like there isn't really any error handling here.

Metadata

Metadata

Assignees

No one assigned

    Labels

    bughelp wantedNeeds help!

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions