[CRASH] ASSERTION FAILED and stack-buffer-overflow in networking.c:1026

[zyingp]

Crash report

13886:C 08 Jan 2022 07:29:07.000 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
13886:C 08 Jan 2022 07:29:07.000 # Redis version=255.255.255, bits=64, commit=00000000, modified=0, pid=13886, just started
13886:C 08 Jan 2022 07:29:07.001 # Warning: no config file specified, using the default config. In order to specify a config file use ./redis-server-2022-1-2-ASAN /path/to/redis.conf
13886:M 08 Jan 2022 07:29:07.002 * Increased maximum number of open files to 10032 (it was originally set to 1024).
13886:M 08 Jan 2022 07:29:07.003 * monotonic clock: POSIX clock_gettime
                _._
           _.-``__ ''-._
      _.-``    `.  `_.  ''-._           Redis 255.255.255 (00000000/0) 64 bit
  .-`` .-```.  ```\/    _.,_ ''-._
 (    '      ,       .-`  | `,    )     Running in standalone mode
 |`-._`-...-` __...-.``-._|'` _.-'|     Port: 6379
 |    `-._   `._    /     _.-'    |     PID: 13886
  `-._    `-._  `-./  _.-'    _.-'
 |`-._`-._    `-.__.-'    _.-'_.-'|
 |    `-._`-._        _.-'_.-'    |           https://redis.io
  `-._    `-._`-.__.-'_.-'    _.-'
 |`-._`-._    `-.__.-'    _.-'_.-'|
 |    `-._`-._        _.-'_.-'    |
  `-._    `-._`-.__.-'_.-'    _.-'
      `-._    `-.__.-'    _.-'
          `-._        _.-'
              `-.__.-'

13886:M 08 Jan 2022 07:29:07.009 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
13886:M 08 Jan 2022 07:29:07.009 # Server initialized
13886:M 08 Jan 2022 07:29:07.010 # WARNING overcommit_memory is set to 0! Background save may fail under low memory condition. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
13886:M 08 Jan 2022 07:29:07.013 * Loading RDB produced by version 255.255.255
13886:M 08 Jan 2022 07:29:07.013 * RDB age 224269 seconds
13886:M 08 Jan 2022 07:29:07.014 * RDB memory usage when created 0.82 Mb
13886:M 08 Jan 2022 07:29:07.014 * Done loading RDB, keys loaded: 60, keys expired: 0.
13886:M 08 Jan 2022 07:29:07.014 * DB loaded from disk: 0.002 seconds
13886:M 08 Jan 2022 07:29:07.014 * Ready to accept connections
13886:M 08 Jan 2022 07:30:11.606 * Replica 127.0.0.1:<unknown-replica-port> asks for synchronization
13886:M 08 Jan 2022 07:30:11.607 * Partial resynchronization not accepted: Replication ID mismatch (Replica asked for 'replicationid', my replication IDs are 'ba3f222f42df34fbf727ff0424d362fddbac19c4' and '304487fdad84b21fb9cded15b081113116e71d4a')
13886:M 08 Jan 2022 07:30:11.608 * Starting BGSAVE for SYNC with target: disk
13886:M 08 Jan 2022 07:30:12.124 * Background saving started by pid 13898


=== REDIS BUG REPORT START: Cut & paste starting from here ===
13886:M 08 Jan 2022 07:30:12.126 # === ASSERTION FAILED ===
13886:M 08 Jan 2022 07:30:12.127 # ==> networking.c:1026 'c->bufpos == 0 && listLength(c->reply) == 0' is not true

------ STACK TRACE ------

Backtrace:
./redis-server-2022-1-2-ASAN *:6379(_serverAssert+0x83)[0x7fb36b62c1b3]
./redis-server-2022-1-2-ASAN *:6379(clientHasPendingReplies+0x1ed)[0x7fb36b56cf5d]
./redis-server-2022-1-2-ASAN *:6379(prepareClientToWrite+0x6a)[0x7fb36b56d01a]
./redis-server-2022-1-2-ASAN *:6379(addReply+0x93)[0x7fb36b575613]
./redis-server-2022-1-2-ASAN *:6379(addReplyLongLongWithPrefix+0x1a7)[0x7fb36b57a967]
./redis-server-2022-1-2-ASAN *:6379(slowlogCommand+0x41e)[0x7fb36b65f10e]
./redis-server-2022-1-2-ASAN *:6379(call+0x11b)[0x7fb36b52cedb]
./redis-server-2022-1-2-ASAN *:6379(processCommand+0xb4f)[0x7fb36b530c1f]
./redis-server-2022-1-2-ASAN *:6379(processCommandAndResetClient+0x3e)[0x7fb36b57196e]
./redis-server-2022-1-2-ASAN *:6379(processInputBuffer+0x24e)[0x7fb36b579d7e]
./redis-server-2022-1-2-ASAN *:6379(readQueryFromClient+0x9b8)[0x7fb36b581888]
./redis-server-2022-1-2-ASAN *:6379(+0x330597)[0x7fb36b730597]
./redis-server-2022-1-2-ASAN *:6379(aeProcessEvents+0x4ec)[0x7fb36b51a44c]
./redis-server-2022-1-2-ASAN *:6379(aeMain+0x4d)[0x7fb36b51b30d]
./redis-server-2022-1-2-ASAN *:6379(main+0x442)[0x7fb36b50e3d2]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x7fb369491b97]
./redis-server-2022-1-2-ASAN *:6379(_start+0x2a)[0x7fb36b50fe3a]

------ INFO OUTPUT ------
13898:C 08 Jan 2022 07:30:12.142 * DB saved on disk
# Server
redis_version:255.255.255
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:41175f004c38f34d
redis_mode:standalone
os:Linux 4.4.0-19041-Microsoft x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:c11-builtin
gcc_version:7.5.0
process_id:13886
process_supervised:no
run_id:93e5ce2ba2afb2adb037d8b22ba1a98c7b056cdd
tcp_port:6379
server_time_usec:1641598212124840
uptime_in_seconds:65
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:14208259
executable:/mnt/d/zyp/fuzzer/memdbFuzz/visualstudio/afl-vs-raw/afl-vs-raw/bin/x64/Debug/./redis-server-2022-1-2-ASAN
config_file:
io_threads_active:0

# Clients
connected_clients:0
cluster_connections:0
maxclients:10000
client_recent_max_input_buffer:0
client_recent_max_output_buffer:0
blocked_clients:0
tracking_clients:0
clients_in_timeout_table:0

# Memory
used_memory:902984
used_memory_human:881.82K
used_memory_rss:17035264
used_memory_rss_human:16.25M
used_memory_peak:902984
used_memory_peak_human:881.82K
used_memory_peak_perc:100.20%
used_memory_overhead:851076
used_memory_startup:847960
used_memory_dataset:51908
used_memory_dataset_perc:94.34%
allocator_allocated:1013328
allocator_active:1212416
allocator_resident:4624384
total_system_memory:8359202816
total_system_memory_human:7.79G
used_memory_lua:37888
used_memory_vm_eval:37888
used_memory_lua_human:37.00K
used_memory_scripts_eval:0
number_of_cached_scripts:0
number_of_functions:0
used_memory_vm_functions:35840
used_memory_vm_total:73728
used_memory_vm_total_human:72.00K
used_memory_functions:168
used_memory_scripts:168
used_memory_scripts_human:168B
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.20
allocator_frag_bytes:199088
allocator_rss_ratio:3.81
allocator_rss_bytes:3411968
rss_overhead_ratio:3.68
rss_overhead_bytes:12410880
mem_fragmentation_ratio:19.82
mem_fragmentation_bytes:16175864
mem_not_counted_for_evict:0
mem_replication_backlog:4
mem_total_replication_buffers:0
mem_clients_slaves:0
mem_clients_normal:0
mem_cluster_links:0
mem_aof_buffer:0
mem_allocator:jemalloc-5.2.1
active_defrag_running:0
lazyfree_pending_objects:0
lazyfreed_objects:0

# Persistence
loading:0
async_loading:0
current_cow_peak:0
current_cow_size:0
current_cow_size_age:0
current_fork_perc:0.00
current_save_keys_processed:0
current_save_keys_total:60
rdb_changes_since_last_save:0
rdb_bgsave_in_progress:1
rdb_last_save_time:1641598147
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:0
rdb_last_cow_size:0
rdb_last_load_keys_expired:0
rdb_last_load_keys_loaded:60
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0
module_fork_in_progress:0
module_fork_last_cow_size:0

# Stats
total_connections_received:1
total_commands_processed:1
instantaneous_ops_per_sec:0
total_net_input_bytes:58
total_net_output_bytes:0
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:1
sync_partial_ok:0
sync_partial_err:1
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
expire_cycle_cpu_milliseconds:2
evicted_keys:0
evicted_clients:0
total_eviction_exceeded_time:0
current_eviction_exceeded_time:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:514741
total_forks:1
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0
total_active_defrag_time:0
current_active_defrag_time:0
tracking_total_keys:0
tracking_total_items:0
tracking_total_prefixes:0
unexpected_error_replies:0
total_error_replies:0
dump_payload_sanitizations:0
total_reads_processed:1
total_writes_processed:0
io_threaded_reads_processed:0
io_threaded_writes_processed:0

# Replication
role:master
connected_slaves:1
slave0:ip=127.0.013898:C 08 Jan 2022 07:30:12.149 * Fork CoW for RDB: current 0 MB, peak 0 MB, average 0 MB
.1,port=0,state=wait_bgsave,offset=0,lag=0
master_failover_state:no-failover
master_replid:ba3f222f42df34fbf727ff0424d362fddbac19c4
master_replid2:304487fdad84b21fb9cded15b081113116e71d4a
master_repl_offset:28
second_repl_offset:29
repl_backlog_active:1
repl_backlog_size:1048576
repl_backlog_first_byte_offset:29
repl_backlog_histlen:0

# CPU
used_cpu_sys:0.031250
used_cpu_user:0.015625
used_cpu_sys_children:0.000000
used_cpu_user_children:0.000000
used_cpu_sys_main_thread:0.031250
used_cpu_user_main_thread:0.015625

# Modules

# Commandstats
cmdstat_psync:calls=1,usec=519279,usec_per_call=519279.00,rejected_calls=0,failed_calls=0

# Errorstats

# Cluster
cluster_enabled:0

# Keyspace
db0:keys=60,expires=0,avg_ttl=0

------ CLIENT LIST OUTPUT ------
id=4 addr=127.0.0.1:11428 laddr=127.0.0.1:6379 fd=8 name= age=1 idle=1 flags=S db=0 sub=0 psub=0 multi=-1 qbuf=58 qbuf-free=20416 argv-mem=11 multi-mem=0 obl=0 oll=1 omem=0 tot-mem=40995 events=r cmd=slowlog|get user=default redir=-1 resp=2

------ CURRENT CLIENT INFO ------
id=4 addr=127.0.0.1:11428 laddr=127.0.0.1:6379 fd=8 name= age=1 idle=1 flags=S db=0 sub=0 psub=0 multi=-1 qbuf=58 qbuf-free=20416 argv-mem=11 multi-mem=0 obl=0 oll=1 omem=0 tot-mem=40995 events=r cmd=slowlog|get user=default redir=-1 resp=2
argv[0]: 'SLOWLOG'
argv[1]: 'GET'
argv[2]: '3'

------ MODULES INFO OUTPUT ------

------ CONFIG DEBUG OUTPUT ------
io-threads-do-reads no
lazyfree-lazy-eviction no
lazyfree-lazy-expire no
lazyfree-lazy-server-del no
lazyfree-lazy-user-del no
lazyfree-lazy-user-flush no
repl-diskless-sync no
replica-read-only yes
activedefrag no
repl-diskless-load disabled
sanitize-dump-payload no
io-threads 1
list-compress-depth 0
proto-max-bulk-len 512mb
client-query-buffer-limit 1gb

------ FAST MEMORY TEST ------
13886:M 08 Jan 2022 07:30:12.176 # Bio thread for job type #0 terminated
13886:M 08 Jan 2022 07:30:12.176 # Bio thread for job type #1 terminated
13886:M 08 Jan 2022 07:30:12.176 # Bio thread for job type #2 terminated
*** Preparing to test memory region 7fff7000 (268435456 bytes)
*** Preparing to test memory region 2008fff7000 (15392894357504 bytes)
*** Preparing to test memory region 602000000000 (65536 bytes)
*** Preparing to test memory region 602e00000000 (65536 bytes)
*** Preparing to test memory region 603000000000 (65536 bytes)
*** Preparing to test memory region 603e00000000 (65536 bytes)
*** Preparing to test memory region 604000000000 (65536 bytes)
*** Preparing to test memory region 604e00000000 (65536 bytes)
*** Preparing to test memory region 606000000000 (65536 bytes)
*** Preparing to test memory region 606e00000000 (65536 bytes)
*** Preparing to test memory region 607000000000 (65536 bytes)
*** Preparing to test memory region 607e00000000 (65536 bytes)
*** Preparing to test memory region 608000000000 (65536 bytes)
*** Preparing to test memory region 608e00000000 (65536 bytes)
*** Preparing to test memory region 60b000000000 (65536 bytes)
*** Preparing to test memory region 60be00000000 (65536 bytes)
*** Preparing to test memory region 60c000000000 (65536 bytes)
*** Preparing to test memory region 60ce00000000 (65536 bytes)
*** Preparing to test memory region 60d000000000 (65536 bytes)
*** Preparing to test memory region 60de00000000 (65536 bytes)
*** Preparing to test memory region 60e000000000 (65536 bytes)
*** Preparing to test memory region 60ee00000000 (65536 bytes)
*** Preparing to test memory region 60f000000000 (65536 bytes)
*** Preparing to test memory region 60fe00000000 (65536 bytes)
*** Preparing to test memory region 610000000000 (65536 bytes)
*** Preparing to test memory region 610e00000000 (65536 bytes)
*** Preparing to test memory region 611000000000 (65536 bytes)
*** Preparing to test memory region 611e00000000 (65536 bytes)
*** Preparing to test memory region 612000000000 (65536 bytes)
*** Preparing to test memory region 612e00000000 (65536 bytes)
*** Preparing to test memory region 613000000000 (65536 bytes)
*** Preparing to test memory region 613e00000000 (65536 bytes)
*** Preparing to test memory region 615000000000 (65536 bytes)
*** Preparing to test memory region 615e00000000 (65536 bytes)
*** Preparing to test memory region 616000000000 (65536 bytes)
*** Preparing to test memory region 616e00000000 (65536 bytes)
*** Preparing to test memory region 617000000000 (65536 bytes)
*** Preparing to test memory region 617e00000000 (65536 bytes)
*** Preparing to test memory region 619000000000 (65536 bytes)
*** Preparing to test memory region 619e00000000 (65536 bytes)
*** Preparing to test memory region 61a000000000 (65536 bytes)
*** Preparing to test memory region 61ae00000000 (65536 bytes)
*** Preparing to test memory region 61b000000000 (65536 bytes)
*** Preparing to test memory region 61be00000000 (65536 bytes)
*** Preparing to test memory region 61d000000000 (65536 bytes)
*** Preparing to test memory region 61de00000000 (65536 bytes)
*** Preparing to test memory region 61e000000000 (65536 bytes)
*** Preparing to test memory region 61ee00000000 (65536 bytes)
*** Preparing to test memory region 621000000000 (65536 bytes)
*** Preparing to test memory region 621e00000000 (65536 bytes)
*** Preparing to test memory region 624000000000 (327680 bytes)
*** Preparing to test memory region 624e00000000 (65536 bytes)
*** Preparing to test memory region 640000000000 (12288 bytes)
*** Preparing to test memory region 7fb3638c1000 (8388608 bytes)
*** Preparing to test memory region 7fb3640d1000 (8388608 bytes)
*** Preparing to test memory region 7fb3648e1000 (8388608 bytes)
*** Preparing to test memory region 7fb3650f1000 (8388608 bytes)
*** Preparing to test memory region 7fb365c00000 (8388608 bytes)
*** Preparing to test memory region 7fb366500000 (1048576 bytes)
*** Preparing to test memory region 7fb366700000 (1048576 bytes)
*** Preparing to test memory region 7fb366890000 (32768 bytes)
*** Preparing to test memory region 7fb3668a0000 (57344 bytes)
*** Preparing to test memory region 7fb366900000 (1048576 bytes)
*** Preparing to test memory region 7fb366a10000 (69632 bytes)
*** Preparing to test memory region 7fb366a30000 (4096 bytes)
*** Preparing to test memory region 7fb366a40000 (4096 bytes)
*** Preparing to test memory region 7fb366a50000 (4096 bytes)
*** Preparing to test memory region 7fb366a60000 (4096 bytes)
*** Preparing to test memory region 7fb366a70000 (4096 bytes)
*** Preparing to test memory region 7fb366a80000 (4096 bytes)
*** Preparing to test memory region 7fb366a90000 (4096 bytes)
*** Preparing to test memory region 7fb366aa0000 (4096 bytes)
*** Preparing to test memory region 7fb366ab0000 (4096 bytes)
*** Preparing to test memory region 7fb366ac0000 (4096 bytes)
*** Preparing to test memory region 7fb366ad0000 (4096 bytes)
*** Preparing to test memory region 7fb366ae0000 (4096 bytes)
*** Preparing to test memory region 7fb366af0000 (4096 bytes)
*** Preparing to test memory region 7fb366b00000 (1052672 bytes)
*** Preparing to test memory region 7fb366c10000 (4096 bytes)
*** Preparing to test memory region 7fb366c20000 (4096 bytes)
*** Preparing to test memory region 7fb366c30000 (4096 bytes)
*** Preparing to test memory region 7fb366c40000 (4096 bytes)
*** Preparing to test memory region 7fb366c50000 (4096 bytes)
*** Preparing to test memory region 7fb366c60000 (4096 bytes)
*** Preparing to test memory region 7fb366c70000 (4096 bytes)
*** Preparing to test memory region 7fb366c80000 (4096 bytes)
*** Preparing to test memory region 7fb366c90000 (4096 bytes)
*** Preparing to test memory region 7fb366ca0000 (4096 bytes)
*** Preparing to test memory region 7fb366cb0000 (4096 bytes)
*** Preparing to test memory region 7fb366cc0000 (4096 bytes)
*** Preparing to test memory region 7fb366cd0000 (4096 bytes)
*** Preparing to test memory region 7fb366ce0000 (37036032 bytes)
*** Preparing to test memory region 7fb369257000 (4096 bytes)
*** Preparing to test memory region 7fb369467000 (4096 bytes)
*** Preparing to test memory region 7fb36985b000 (8192 bytes)
*** Preparing to test memory region 7fb36985d000 (16384 bytes)
*** Preparing to test memory region 7fb369a8a000 (4096 bytes)
*** Preparing to test memory region 7fb369a8b000 (16384 bytes)
*** Preparing to test memory region 7fb369c93000 (4096 bytes)
*** Preparing to test memory region 7fb36a03d000 (4096 bytes)
*** Preparing to test memory region 7fb36a393000 (12288 bytes)
*** Preparing to test memory region 7fb36a396000 (12996608 bytes)
*** Preparing to test memory region 7fb36b030000 (4096 bytes)
*** Preparing to test memory region 7fb36b040000 (659456 bytes)
*** Preparing to test memory region 7fb36b0f0000 (4096 bytes)
*** Preparing to test memory region 7fb36b100000 (4096 bytes)
*** Preparing to test memory region 7fb36b110000 (4096 bytes)
*** Preparing to test memory region 7fb36b120000 (4096 bytes)
*** Preparing to test memory region 7fb36b130000 (4096 bytes)
*** Preparing to test memory region 7fb36b140000 (4096 bytes)
*** Preparing to test memory region 7fb36b150000 (73728 bytes)
*** Preparing to test memory region 7fb36b170000 (4096 bytes)
*** Preparing to test memory region 7fb36b180000 (4096 bytes)
*** Preparing to test memory region 7fb36b190000 (4096 bytes)
*** Preparing to test memory region 7fb36b1a0000 (16384 bytes)
*** Preparing to test memory region 7fb36b1b0000 (4096 bytes)
*** Preparing to test memory region 7fb36b1c0000 (4096 bytes)
*** Preparing to test memory region 7fb36b1d0000 (57344 bytes)
*** Preparing to test memory region 7fb36b1e0000 (4096 bytes)
*** Preparing to test memory region 7fb36b1f0000 (32768 bytes)
*** Preparing to test memory region 7fb36b200000 (4096 bytes)
*** Preparing to test memory region 7fb36b210000 (8192 bytes)
*** Preparing to test memory region 7fb36b220000 (4096 bytes)
*** Preparing to test memory region 7fb36b228000 (4096 bytes)
*** Preparing to test memory region 7fb36b229000 (4096 bytes)
*** Preparing to test memory region 7fb36b230000 (8192 bytes)
*** Preparing to test memory region 7fb36b240000 (16384 bytes)
*** Preparing to test memory region 7fb36b250000 (8192 bytes)
=================================================================
==13886==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffff2710b10 at pc 0x7fb36b62b960 bp 0x7ffff27106a0 sp 0x7ffff2710690
WRITE of size 8 at 0x7ffff2710b10 thread T0
    #0 0x7fb36b62b95f in memtest_test_linux_anonymous_maps /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/debug.c:1787
    #1 0x7fb36b62ba14 in doFastMemoryTest /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/debug.c:1841
    #2 0x7fb36b62c1b7 in _serverAssert /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/debug.c:976
    #3 0x7fb36b56cf5c in clientHasPendingReplies /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/networking.c:1026
    #4 0x7fb36b56d019 in prepareClientToWrite /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/networking.c:288
    #5 0x7fb36b575612 in addReply /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/networking.c:382
    #6 0x7fb36b57a966 in addReplyLongLongWithPrefix /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/networking.c:773
    #7 0x7fb36b65f10d in slowlogCommand /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/slowlog.c:190
    #8 0x7fb36b52ceda in call /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/server.c:3029
    #9 0x7fb36b530c1e in processCommand /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/server.c:3606
    #10 0x7fb36b57196d in processCommandAndResetClient /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/networking.c:2171
    #11 0x7fb36b579d7d in processInputBuffer /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/networking.c:2266
    #12 0x7fb36b581887 in readQueryFromClient /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/networking.c:2378
    #13 0x7fb36b730596 in callHandler /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/connhelpers.h:79
    #14 0x7fb36b730596 in connSocketEventHandler /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/connection.c:295
    #15 0x7fb36b51a44b in aeProcessEvents /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/ae.c:428
    #16 0x7fb36b51b30c in aeMain /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/ae.c:488
    #17 0x7fb36b50e3d1 in main /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/server.c:6541
    #18 0x7fb369491b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #19 0x7fb36b50fe39 in _start (/mnt/d/zyp/fuzzer/memdbFuzz/visualstudio/afl-vs-raw/afl-vs-raw/bin/x64/Debug/redis-server-2022-1-2-ASAN+0x10fe39)

Address 0x7ffff2710b10 is located in stack of thread T0 at offset 1056 in frame
    #0 0x7fb36b62b3cf in memtest_test_linux_anonymous_maps /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/debug.c:1752

  This frame has 4 object(s):
    [32, 1056) 'start_vect' <== Memory access at offset 1056 overflows this variable
    [1088, 2112) 'size_vect'
    [2144, 3168) 'line'
    [3200, 4224) 'logbuf'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /mnt/d/zyp/fuzzer/fuzzed_projects/redis/redis-latest/redis-unstable/src/debug.c:1787 in memtest_test_linux_anonymous_maps
Shadow bytes around the buggy address:
  0x10007e4da110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e4da120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e4da130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e4da140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e4da150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007e4da160: 00 00[f2]f2 f2 f2 00 00 00 00 00 00 00 00 00 00
  0x10007e4da170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e4da180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e4da190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e4da1a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007e4da1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13886==ABORTING

Additional information

1. OS distribution and version
   OS: Window WSL v1.
   Redis version: the unstable branch, commit #5460c10 (2022-1-3)

2. Steps to reproduce (if any)
   (a) Build redis code with ASAN
   CFLAGS="-g -fsanitize=address -fno-omit-frame-pointer " LDFLAGS="-g -O0 -fsanitize=address " make
   (b) Download the PoC input file from https://raw.githubusercontent.com/zyingp/temp/master/redis/crash_StackOverFlow_prepareClientToWrite
   (c) Start the redis server in one console.
   ./redis-server
   (d) Open another console and run nc with the input file like:
   nc 127.0.0.1 6379 < "./crash_StackOverFlow_prepareClientToWrite"
   (e) The server crashes.

   I found the crash by fuzzing.

[enjoy-binbin]

Thanks for report, verified.

[root@binblog redis]# cat crash2
PSYNC replicationid -5
slowlog get
set a b
[root@binblog redis]# nc 127.0.0.1 6379 < crash2
+FULLRESYNC 373848c87acc903165d2e6ef691ecc2d867d5c9d 14

crash in (look like `slowlog get` will add a reply, but the client not able to read it)
int clientHasPendingReplies(client *c) {
    if (getClientType(c) == CLIENT_TYPE_SLAVE) {
        /* Replicas use global shared replication buffer instead of
         * private output buffer. */
        serverAssert(c->bufpos == 0 && listLength(c->reply) == 0);         ->>>>>>>>>  execute (set a b), now len(c->reply): 1 buf: *0
        if (c->ref_repl_buf_node == NULL) return 0;

        /* If the last replication buffer block content is totally sent,
         * we have nothing to send. */
        listNode *ln = listLast(server.repl_buffer_blocks);
        replBufBlock *tail = listNodeValue(ln);
        if (ln == c->ref_repl_buf_node &&
            c->ref_block_pos == tail->used) return 0;

        return 1;
    } else {
        return c->bufpos || listLength(c->reply);
    }
}

the assert introduced in #9166 (not the main reason)

btw, if i am not wrong,PSYNC is an internal command, and should not be called like this.
and a replica client sholud not write anythings in the reply buffer normally
looks like it's been fixed in #10020 in normal way, maybe we should do the same in addReplyDeferredLen(or other missing)

--- a/src/networking.c
+++ b/src/networking.c
@@ -603,6 +603,18 @@ void *addReplyDeferredLen(client *c) {
      * ready to be sent, since we are sure that before returning to the
      * event loop setDeferredAggregateLen() will be called. */
     if (prepareClientToWrite(c) != C_OK) return NULL;
+
+    /* Replicas should normally not cause any writes to the reply buffer. In case a rogue replica sent a command on the
+     * replication link that caused a reply to be generated we'll simply disconnect it.
+     * Note this is the simplest way to check a command added a response. Replication links are used to write data but
+     * not for responses, so we should normally never get here on a replica client. */
+    if (getClientType(c) == CLIENT_TYPE_SLAVE) {
+        serverLog(LL_WARNING, "Replica generated a reply to command %s, disconnecting it",
+                  c->lastcmd ? c->lastcmd->name : "<unknown>");
+        freeClientAsync(c);
+        return NULL;
+    }
+
     trimReplyUnusedTailSpace(c);
     listAddNodeTail(c->reply,NULL); /* NULL is our placeholder. */
     return listLast(c->reply);

and the serverlog (ps: the subcommand name is error (should be slowlog get, but currently not able to do it with lastcmd->name)):

24219:M 08 Jan 2022 13:08:55.412 # Replica generated a reply to command get, disconnecting it

needed @oranagra @yoav-steinberg check it again.

if we do so, i like to changed the output info a litter bit:

1. cmd with a full name by using `getFullCommandName`, now it will print the right subcommand name like slowlog|get
2. print the full client info by using `catClientInfoString`, i think the info is valuable

32590:M 08 Jan 2022 16:48:24.453 # Replica generated a reply to command slowlog|get, disconnecting it: id=5 addr=127.0.0.1:41104 laddr=127.0.0.1:6379 fd=8 name= age=0 idle=0 flags=S db=0 sub=0 psub=0 multi=-1 qbuf=52 qbuf-free=20422 argv-mem=10 multi-mem=0 obl=0 oll=0 omem=0 tot-mem=40986 events=r cmd=slowlog|get user=default redir=-1 resp=2
32590:M 08 Jan 2022 16:48:24.453 # Connection with replica 127.0.0.1:<unknown-replica-port> lost.

[oranagra]

@enjoy-binbin i agree with everything you wrote. please make a PR.