Closed
Hello. When I fuzzed the Redis server, I found that these commands crash Redis:
psync ldecl1 k
failover
set key value
In fact, set key value can be replaced with any command.
Save these commands to a file named input. When executing nc 127.0.0.1 6379 < ./input, Redis crashes.
I compiled Redis with AddressSanitizer (ASan). Here is the error output:
83901:M 27 Mar 2021 23:57:56.593 * Ready to accept connections
83901:M 27 Mar 2021 23:57:57.978 * Replica 127.0.0.1:<unknown-replica-port> asks for synchronization
83901:M 27 Mar 2021 23:57:57.978 * Replication backlog created, my new replication IDs are 'a3435f53876523650d68711898cb1d4429abd0fa' and '0000000000000000000000000000000000000000'
83901:M 27 Mar 2021 23:57:57.978 * Starting BGSAVE for SYNC with target: disk
83901:M 27 Mar 2021 23:57:57.979 * Background saving started by pid 83907
83901:M 27 Mar 2021 23:57:57.979 * FAILOVER requested to any replica.
=== REDIS BUG REPORT START: Cut & paste starting from here ===
83901:M 27 Mar 2021 23:57:57.980 # === ASSERTION FAILED ===
83901:M 27 Mar 2021 23:57:57.980 # ==> server.c:3570 '!(areClientsPaused() && !server.client_pause_in_transaction)' is not true
------ STACK TRACE ------
Backtrace:
./../src/redis-server *:6379(_serverAssert+0xb2)[0x5610c22ebb8d]
./../src/redis-server *:6379(propagate+0x87)[0x5610c220f431]
./../src/redis-server *:6379(call+0x7b8)[0x5610c220fe2d]
./../src/redis-server *:6379(processCommand+0x1109)[0x5610c2211d4a]
./../src/redis-server *:6379(processCommandAndResetClient+0x32)[0x5610c2247f54]
./../src/redis-server *:6379(processInputBuffer+0xb0)[0x5610c2251066]
./../src/redis-server *:6379(readQueryFromClient+0xb11)[0x5610c2258589]
./../src/redis-server *:6379(+0x28e1c7)[0x5610c23cd1c7]
./../src/redis-server *:6379(aeProcessEvents+0xfbc)[0x5610c21ffb4f]
./../src/redis-server *:6379(aeMain+0x51)[0x5610c21fff22]
./../src/redis-server *:6379(main+0xc9c)[0x5610c221b71d]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xe7)[0x7f591654fbf7]
./../src/redis-server *:6379(_start+0x2a)[0x5610c21f62fa]
------ INFO OUTPUT ------
# Server
redis_version:6.2.1
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:a467c84480d77006
redis_mode:standalone
os:Linux 5.4.0-42-generic x86_64
arch_bits:64
multiplexing_api:epoll
atomicvar_api:c11-builtin
gcc_version:7.5.0
process_id:83901
process_supervised:no
run_id:51a23597d1e785ebcf6394ecc3f7075f5981cc16
tcp_port:6379
server_time_usec:1616914677980015
uptime_in_seconds:1
uptime_in_days:0
hz:10
configured_hz:10
lru_clock:6301941
executable:/home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/tmp/./../src/redis-server
config_file:
io_threads_active:0
# Clients
connected_clients:0
cluster_connections:0
maxclients:4064
client_recent_max_input_buffer:0
client_recent_max_output_buffer:0
blocked_clients:0
tracking_clients:0
clients_in_timeout_table:0
# Memory
used_memory:1643896
used_memory_human:1.57M
used_memory_rss:17989632
used_memory_rss_human:17.16M
used_memory_peak:1643896
used_memory_peak_human:1.57M
used_memory_peak_perc:100.11%
used_memory_overhead:1580024
used_memory_startup:531376
used_memory_dataset:63872
used_memory_dataset_perc:5.74%
allocator_allocated:760032
allocator_active:929792
allocator_resident:3293184
total_system_memory:2055110656
total_system_memory_human:1.91G
used_memory_lua:37888
used_memory_lua_human:37.00K
used_memory_scripts:0
used_memory_scripts_human:0B
number_of_cached_scripts:0
maxmemory:0
maxmemory_human:0B
maxmemory_policy:noeviction
allocator_frag_ratio:1.22
allocator_frag_bytes:169760
allocator_rss_ratio:3.54
allocator_rss_bytes:2363392
rss_overhead_ratio:5.46
rss_overhead_bytes:14696448
mem_fragmentation_ratio:33.85
mem_fragmentation_bytes:17458256
mem_not_counted_for_evict:0
mem_replication_backlog:1048576
mem_clients_slaves:0
mem_clients_normal:0
mem_aof_buffer:0
mem_allocator:jemalloc-5.1.0
active_defrag_running:0
lazyfree_pending_objects:0
lazyfreed_objects:0
# Persistence
loading:0
current_cow_size:0
current_fork_perc:0.00%
current_save_keys_processed:0
current_save_keys_total:0
rdb_changes_since_last_save:1
rdb_bgsave_in_progress:1
rdb_last_save_time:1616914676
rdb_last_bgsave_status:ok
rdb_last_bgsave_time_sec:-1
rdb_current_bgsave_time_sec:0
rdb_last_cow_size:0
aof_enabled:0
aof_rewrite_in_progress:0
aof_rewrite_scheduled:0
aof_last_rewrite_time_sec:-1
aof_current_rewrite_time_sec:-1
aof_last_bgrewrite_status:ok
aof_last_write_status:ok
aof_last_cow_size:0
module_fork_in_progress:0
module_fork_last_cow_size:0
# Stats
total_connections_received:1
total_commands_processed:2
instantaneous_ops_per_sec:0
total_net_input_bytes:38
total_net_output_bytes:0
instantaneous_input_kbps:0.00
instantaneous_output_kbps:0.00
rejected_connections:0
sync_full:1
sync_partial_ok:0
sync_partial_err:1
expired_keys:0
expired_stale_perc:0.00
expired_time_cap_reached_count:0
expire_cycle_cpu_milliseconds:0
evicted_keys:0
keyspace_hits:0
keyspace_misses:0
pubsub_channels:0
pubsub_patterns:0
latest_fork_usec:1099
total_forks:1
migrate_cached_sockets:0
slave_expires_tracked_keys:0
active_defrag_hits:0
active_defrag_misses:0
active_defrag_key_hits:0
active_defrag_key_misses:0
tracking_total_keys:0
tracking_total_items:0
tracking_total_prefixes:0
unexpected_error_replies:0
total_error_replies:1
dump_payload_sanitizations:0
total_reads_processed:1
total_writes_processed:0
io_threaded_reads_processed:0
io_threaded_writes_processed:0
# Replication
role:master
connected_slaves:1
slave0:ip=127.0.0.1,port=0,state=wait_bgsave,offset=0,lag=0
master_failover_state:waiting-for-sync
master_replid:a3435f53876523650d68711898cb1d4429abd0fa
master_replid2:0000000000000000000000000000000000000000
master_repl_offset:0
second_repl_offset:-1
repl_backlog_active:1
repl_backlog_size:1048576
repl_backlog_first_byte_offset:1
repl_backlog_histlen:0
# CPU
used_cpu_sys:0.013550
used_cpu_user:0.011074
used_cpu_sys_children:0.000000
used_cpu_user_children:0.000000
used_cpu_sys_main_thread:0.014362
used_cpu_user_main_thread:0.009574
# Modules
# Commandstats
cmdstat_failover:calls=1,usec=29,usec_per_call=29.00,rejected_calls=0,failed_calls=0
cmdstat_psync:calls=1,usec=1368,usec_per_call=1368.00,rejected_calls=0,failed_calls=1
cmdstat_set:calls=1,usec=18,usec_per_call=18.00,rejected_calls=0,failed_calls=0
# Errorstats
errorstat_ERR:count=1
# Cluster
cluster_enabled:0
# Keyspace
db0:keys=1,expires=0,avg_ttl=0
------ CLIENT LIST OUTPUT ------
id=3 addr=127.0.0.1:48978 laddr=127.0.0.1:6379 fd=8 name= age=0 idle=0 flags=S db=0 sub=0 psub=0 multi=-1 qbuf=38 qbuf-free=40916 argv-mem=11 obl=56 oll=0 omem=0 tot-mem=61475 events=r cmd=set user=default redir=-1
------ CURRENT CLIENT INFO ------
id=3 addr=127.0.0.1:48978 laddr=127.0.0.1:6379 fd=8 name= age=0 idle=0 flags=S db=0 sub=0 psub=0 multi=-1 qbuf=38 qbuf-free=40916 argv-mem=11 obl=56 oll=0 omem=0 tot-mem=61475 events=r cmd=set user=default redir=-1
argv[0]: 'set'
argv[1]: 'key'
argv[2]: 'value'
83901:M 27 Mar 2021 23:57:57.981 # key 'key' found in DB containing the following object:
83901:M 27 Mar 2021 23:57:57.981 # Object type: 0
83901:M 27 Mar 2021 23:57:57.981 # Object encoding: 8
83901:M 27 Mar 2021 23:57:57.981 # Object refcount: 2
------ MODULES INFO OUTPUT ------
------ FAST MEMORY TEST ------
83901:M 27 Mar 2021 23:57:57.981 # Bio thread for job type #0 terminated
83901:M 27 Mar 2021 23:57:57.981 # Bio thread for job type #1 terminated
83907:C 27 Mar 2021 23:57:57.981 * DB saved on disk
83901:M 27 Mar 2021 23:57:57.981 # Bio thread for job type #2 terminated
*** Preparing to test memory region 7fff7000 (268435456 bytes)
*** Preparing to test memory region 2008fff7000 (15392894357504 bytes)
*** Preparing to test memory region 5610c284f000 (2289664 bytes)
*** Preparing to test memory region 602000000000 (65536 bytes)
*** Preparing to test memory region 602e00000000 (65536 bytes)
*** Preparing to test memory region 603000000000 (65536 bytes)
*** Preparing to test memory region 603e00000000 (65536 bytes)
*** Preparing to test memory region 604000000000 (65536 bytes)
*** Preparing to test memory region 604e00000000 (65536 bytes)
*** Preparing to test memory region 606000000000 (65536 bytes)
*** Preparing to test memory region 606e00000000 (65536 bytes)
*** Preparing to test memory region 607000000000 (65536 bytes)
*** Preparing to test memory region 607e00000000 (65536 bytes)
*** Preparing to test memory region 608000000000 (65536 bytes)
*** Preparing to test memory region 608e00000000 (65536 bytes)
*** Preparing to test memory region 60b000000000 (65536 bytes)
*** Preparing to test memory region 60be00000000 (65536 bytes)
*** Preparing to test memory region 60c000000000 (65536 bytes)
*** Preparing to test memory region 60ce00000000 (65536 bytes)
*** Preparing to test memory region 60d000000000 (65536 bytes)
*** Preparing to test memory region 60de00000000 (65536 bytes)
*** Preparing to test memory region 60e000000000 (65536 bytes)
*** Preparing to test memory region 60ee00000000 (65536 bytes)
*** Preparing to test memory region 60f000000000 (65536 bytes)
*** Preparing to test memory region 60fe00000000 (65536 bytes)
*** Preparing to test memory region 610000000000 (65536 bytes)
*** Preparing to test memory region 610e00000000 (65536 bytes)
*** Preparing to test memory region 611000000000 (65536 bytes)
*** Preparing to test memory region 611e00000000 (65536 bytes)
*** Preparing to test memory region 612000000000 (65536 bytes)
*** Preparing to test memory region 612e00000000 (65536 bytes)
*** Preparing to test memory region 613000000000 (65536 bytes)
*** Preparing to test memory region 613e00000000 (65536 bytes)
*** Preparing to test memory region 614000000000 (65536 bytes)
*** Preparing to test memory region 614e00000000 (65536 bytes)
*** Preparing to test memory region 615000000000 (65536 bytes)
*** Preparing to test memory region 615e00000000 (65536 bytes)
*** Preparing to test memory region 616000000000 (65536 bytes)
*** Preparing to test memory region 616e00000000 (65536 bytes)
*** Preparing to test memory region 617000000000 (65536 bytes)
*** Preparing to test memory region 617e00000000 (65536 bytes)
*** Preparing to test memory region 618000000000 (65536 bytes)
*** Preparing to test memory region 618e00000000 (65536 bytes)
*** Preparing to test memory region 619000000000 (65536 bytes)
*** Preparing to test memory region 619e00000000 (65536 bytes)
*** Preparing to test memory region 61a000000000 (65536 bytes)
*** Preparing to test memory region 61ae00000000 (65536 bytes)
*** Preparing to test memory region 61b000000000 (65536 bytes)
*** Preparing to test memory region 61be00000000 (65536 bytes)
*** Preparing to test memory region 61c000000000 (65536 bytes)
*** Preparing to test memory region 61ce00000000 (65536 bytes)
*** Preparing to test memory region 61d000000000 (65536 bytes)
*** Preparing to test memory region 61de00000000 (65536 bytes)
*** Preparing to test memory region 61e000000000 (65536 bytes)
*** Preparing to test memory region 61ee00000000 (65536 bytes)
*** Preparing to test memory region 621000000000 (65536 bytes)
*** Preparing to test memory region 621e00000000 (65536 bytes)
*** Preparing to test memory region 624000000000 (327680 bytes)
*** Preparing to test memory region 624e00000000 (65536 bytes)
*** Preparing to test memory region 640000000000 (12288 bytes)
*** Preparing to test memory region 7f591089e000 (2621440 bytes)
*** Preparing to test memory region 7f5910b1f000 (8388608 bytes)
*** Preparing to test memory region 7f5911320000 (8388608 bytes)
*** Preparing to test memory region 7f5911b21000 (8388608 bytes)
*** Preparing to test memory region 7f5912322000 (8388608 bytes)
*** Preparing to test memory region 7f5912e00000 (8388608 bytes)
*** Preparing to test memory region 7f5913600000 (1048576 bytes)
*** Preparing to test memory region 7f5913800000 (1048576 bytes)
*** Preparing to test memory region 7f5913a00000 (1048576 bytes)
*** Preparing to test memory region 7f5913c00000 (1048576 bytes)
*** Preparing to test memory region 7f5913dbc000 (37036032 bytes)
*** Preparing to test memory region 7f591691b000 (16384 bytes)
*** Preparing to test memory region 7f5916b3a000 (16384 bytes)
*** Preparing to test memory region 7f5917436000 (12996608 bytes)
*** Preparing to test memory region 7f591815f000 (90112 bytes)
*** Preparing to test memory region 7f59181b7000 (1019904 bytes)
*** Preparing to test memory region 7f59182b0000 (81920 bytes)
*** Preparing to test memory region 7f59182c6000 (4096 bytes)
.ASAN:DEADLYSIGNAL
=================================================================
==83901==ERROR: AddressSanitizer: SEGV on unknown address 0x000090016dff (pc 0x5610c23273d0 bp 0x7fffb89d4450 sp 0x7fffb88d4390 T0)
==83901==The signal is caused by a READ memory access.
83907:C 27 Mar 2021 23:57:57.983 * RDB: 0 MB of memory used by copy-on-write
#0 0x5610c23273cf in memcpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
#1 0x5610c23273cf in memtest_preserving_test /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/memtest.c:305
#2 0x5610c22eb2bb in memtest_test_linux_anonymous_maps /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/debug.c:1693
#3 0x5610c22eb477 in doFastMemoryTest /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/debug.c:1734
#4 0x5610c22eb824 in printCrashReport /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/debug.c:1850
#5 0x5610c22ebb91 in _serverAssert /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/debug.c:905
#6 0x5610c220f430 in propagate /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/server.c:3570
#7 0x5610c220fe2c in call /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/server.c:3788
#8 0x5610c2211d49 in processCommand /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/server.c:4178
#9 0x5610c2247f53 in processCommandAndResetClient /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/networking.c:1994
#10 0x5610c2251065 in processInputBuffer /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/networking.c:2088
#11 0x5610c2258588 in readQueryFromClient /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/networking.c:2174
#12 0x5610c23cd1c6 in callHandler /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/connhelpers.h:79
#13 0x5610c23cd1c6 in connSocketEventHandler /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/connection.c:295
#14 0x5610c21ffb4e in aeProcessEvents /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/ae.c:428
#15 0x5610c21fff21 in aeMain /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/ae.c:488
#16 0x5610c221b71c in main /home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/server.c:6277
#17 0x7f591654fbf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
#18 0x5610c21f62f9 in _start (/home/zer0e/redis/asan_redis-6.2.1/redis-6.2.1/src/redis-server+0xb72f9)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34 in memcpy
==83901==ABORTING
My OS platform is Ubuntu 18.04.
Thanks.
FYI: we found this crash by fuzzing (AFL).