fix BigValueRoute sscanf over-read on non-NUL-terminated reply
Summary: Root cause: BigValueRoute::ChunksInfo(folly::StringPiece replyValue) parsed the chunks-info header by calling sscanf(replyValue.data(), "%u-%u-%lu%n", …). The StringPiece is a (ptr, len) view over a coalesced IOBuf reply payload and is NOT NUL-terminated. glibc sscanf computes the input C-string length up front by scanning for a NUL with rawmemchr (via _IO_str_init_static_internal called with size=-1), BEFORE any parsing happens. When the byte after the payload is not a NUL, that scan reads past the buffer; if the payload abuts an unmapped page the read SIGSEGVs. The existing charsRead == replyValue.size() guard cannot prevent it because it runs only after the faulting sscanf call returns.
Evidence: confirmed in two production CachiusServer coredumps on mcrpxy-web* threads. In the non-marker core the rawmemchr fault register was rdi=0x7f8744dfffe0, exactly 0x20 below the page boundary 0x7f8744e00000, with rsi=0 (scanning for NUL) - i.e. a length-scan running off the end of a mapped page. Both cores had a valid v1 ChunksInfo input (“1-2-7419256”, “1-2-3745222203”) followed by adjacent garbage, so the crash requires no malformed or attacker-controlled data. This accounts for 480 SIGSEGV/week (19% of CachiusServer crashes); it is steady and version-independent. (It is distinct from the larger CachiusCPUPool SIGABRT population, which is unrelated to mcrouter.)
Fix: parse strictly within the StringPiece bounds. Extracted a bounded detail::parseChunksInfo() helper using folly::split('-', …) (exact 3 fields) + folly::tryTo<uint32_t/uint32_t/uint64_t>, which never reads past replyValue. Semantics are preserved (and slightly stricter on malformed input: leading '+', overflow, and negative fields are now rejected - none reachable from the toStringType() producer, which emits pure "{}-{}-{}" digits). numChunks_/suffix_ are now zero-initialized.
Bumps ClientVersion 182 -> 183.
Reviewed By: disylh
Differential Revision: D107896217
fbshipit-source-id: 77e80ddc660d66e46b0f0bbc66ec2028aec261cc
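The bounded parse described in the commit message above, as an added example in standard C++ (not the mcrouter change itself, and not using folly): hand-rolled digit parsing stands in for folly::split + folly::tryTo, and the field names version, numChunks and suffix are assumptions. The sample buffer is constructed: a valid header followed by non-NUL bytes and no terminator.

```cpp
// Added example, not mcrouter code: parse "<u32>-<u32>-<u64>" within (ptr, len).
#include <cstddef>
#include <cstdint>
#include <limits>

struct ChunksInfo {  // field names are assumptions for this example
  uint32_t version = 0;
  uint32_t numChunks = 0;
  uint64_t suffix = 0;
};

// Consume decimal digits from [p, end) up to the next '-' or end.
// Rejects empty fields, signs, non-digits and overflow; never reads *end.
template <typename T>
static bool parseField(const char*& p, const char* end, T& out) {
  const T max = std::numeric_limits<T>::max();
  const char* start = p;
  T v = 0;
  for (; p != end && *p != '-'; ++p) {
    if (*p < '0' || *p > '9') return false;
    const T d = static_cast<T>(*p - '0');
    if (v > (max - d) / 10) return false;  // v * 10 + d would overflow
    v = static_cast<T>(v * 10 + d);
  }
  out = v;
  return p != start;
}

// Returns true and fills `out` only if the whole view is exactly three fields.
bool parseChunksInfo(const char* data, size_t len, ChunksInfo& out) {
  const char* p = data;
  const char* end = data + len;
  ChunksInfo tmp;
  if (!parseField(p, end, tmp.version) || p == end) return false;
  ++p;  // skip '-'
  if (!parseField(p, end, tmp.numChunks) || p == end) return false;
  ++p;  // skip '-'
  if (!parseField(p, end, tmp.suffix) || p != end) return false;
  out = tmp;
  return true;
}

int main() {
  // Constructed input: 11 header bytes, then garbage, no NUL terminator.
  const char buf[] = {'1','-','2','-','7','4','1','9','2','5','6','\xff','9'};
  ChunksInfo ci;
  return parseChunksInfo(buf, 11, ci) && ci.suffix == 7419256ULL ? 0 : 1;
}
```

Unlike sscanf, the parser takes the length as an argument and compares against end before every dereference, so the bytes after the payload are never inspected.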
Mcrouter

Mcrouter (pronounced mc router) is a memcached protocol router for scaling memcached deployments. It's a core component of cache infrastructure at Facebook and Instagram where mcrouter handles almost 5 billion requests per second at peak.
Mcrouter is developed and maintained by Facebook.
See https://github.com/facebook/mcrouter/wiki to get started.

Quick start guide

New! Ubuntu package available

Currently, we support Ubuntu Bionic (18.04) amd64. Here is how to install it:

Add the repo key:
$ wget -O - https://facebook.github.io/mcrouter/debrepo/bionic/PUBLIC.KEY | sudo apt-key add

Add the following line to apt sources file /etc/apt/sources.list
deb https://facebook.github.io/mcrouter/debrepo/bionic bionic contrib

Update the local repo cache:
$ sudo apt-get update

Install mcrouter:
$ sudo apt-get install mcrouter

Installing From Source

See https://github.com/facebook/mcrouter/wiki/mcrouter-installation for more detailed installation instructions.
Mcrouter depends on folly, wangle, fizz, and fbthrift.

The installation is a standard autotools flow:
$ autoreconf --install
$ ./configure
$ make
$ sudo make install
$ mcrouter --help

Assuming you have a memcached instance on the local host running on port 5001, the simplest mcrouter setup is:
$ mcrouter \
    --config-str='{"pools":{"A":{"servers":["127.0.0.1:5001"]}}, "route":"PoolRoute|A"}' \
    -p 5000
$ echo -ne "get key\r\n" | nc 0 5000

(nc is the GNU Netcat, http://netcat.sourceforge.net/)

Features

Links

Documentation: https://github.com/facebook/mcrouter/wiki
Engineering discussions and support: https://www.facebook.com/groups/mcrouter

License

Copyright (c) Facebook, Inc. and its affiliates.
Licensed under the MIT license: https://github.com/facebook/mcrouter/blob/master/LICENSE