Ceph-Fuse Perms heap-buffer-overflow 问题

	void set_gid_list(int count, const gid_t *gids) {
		gid_list.reserve(count);
		for (int i = 0; i < count; ++i) {
→           gid_list.push_back(gids[i]);
		}
	}

MClientRequest::ref Client::build_client_request(MetaRequest *request)
{
	...
	const gid_t *_gids;
	int gid_count = request->perms.get_gids(&_gids);
	req->set_gid_list(gid_count, _gids);
...

int get_gids(const gid_t **_gids) const { *_gids = gids; return gid_count; }

struct MetaRequest
{
	...
	void set_caller_perms(const UserPerm& _perms) {
		perms.shallow_copy(_perms);
		head.caller_uid = perms.uid();
		head.caller_gid = perms.gid();
	}
...

static void fuse_ll_getattr(fuse_req_t req, fuse_ino_t ino,
			    struct fuse_file_info *fi)
{
	  UserPerm perms(ctx->uid, ctx->gid);
...

=================================================================
==39169==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200056aa70 at pc 0x7fd0c67c82b8 bp 0x7fd0a45ce410 sp 0x7fd0a45ce400
READ of size 4 at 0x60200056aa70 thread T32 (ms_dispatch)
    #0 0x7fd0c67c82b7 in MClientRequest::set_gid_list(int, unsigned int const*) /usr/src/debug/ceph-14.2.5.mh218/src/messages/MClientRequest.h:151
    #1 0x7fd0c67c82b7 in Client::build_client_request(MetaRequest*) /usr/src/debug/ceph-14.2.5.mh218/src/client/Client.cc:2654
    #2 0x7fd0c67c8b62 in Client::send_request(MetaRequest*, MetaSession*, bool) /usr/src/debug/ceph-14.2.5.mh218/src/client/Client.cc:2578
    #3 0x7fd0c685b971 in Client::resend_unsafe_requests(MetaSession*, bool) /usr/src/debug/ceph-14.2.5.mh218/src/client/Client.cc:3301
    #4 0x7fd0c6910afd in Client::send_reconnect(MetaSession*) /usr/src/debug/ceph-14.2.5.mh218/src/client/Client.cc:3172
    #5 0x7fd0c6932d75 in Client::handle_mds_map(boost::intrusive_ptr<MMDSMap const> const&) /usr/src/debug/ceph-14.2.5.mh218/src/client/Client.cc:3125
    #6 0x7fd0c69366c7 in Client::ms_dispatch2(boost::intrusive_ptr<Message> const&) /usr/src/debug/ceph-14.2.5.mh218/src/client/Client.cc:2945
    #7 0x7fd0bb7c5e0b in Messenger::ms_deliver_dispatch(boost::intrusive_ptr<Message> const&) /usr/src/debug/ceph-14.2.5.mh218/src/msg/Messenger.h:694
    #8 0x7fd0bb7c5e0b in DispatchQueue::entry() /usr/src/debug/ceph-14.2.5.mh218/src/msg/DispatchQueue.cc:199
    #9 0x7fd0bbad5d90 in DispatchQueue::DispatchThread::entry() /usr/src/debug/ceph-14.2.5.mh218/src/msg/DispatchQueue.h:102
    #10 0x7fd0b8d10dc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)
    #11 0x7fd0b79d628c in clone (/lib64/libc.so.6+0xf628c)
Address 0x60200056aa70 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /usr/src/debug/ceph-14.2.5.mh218/src/messages/MClientRequest.h:151 in MClientRequest::set_gid_list(int, unsigned int const*)
Shadow bytes around the buggy address:
  0x0c04800a54f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800a5500: fa fa fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800a5510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fa
  0x0c04800a5520: fa fa fa fa fa fa fa fa fa fa fd fa fa fa fa fa
  0x0c04800a5530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c04800a5540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
  0x0c04800a5550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800a5560: fa fa fa fa fa fa fd fa fa fa fa fa fa fa fa fa
  0x0c04800a5570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800a5580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800a5590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T32 (ms_dispatch) created by T0 here:
    #0 0x7fd0c54e0e6f in pthread_create (/lib64/libasan.so.5+0x51e6f)
    #1 0x7fd0bb2d7928 in Thread::try_create(unsigned long) /usr/src/debug/ceph-14.2.5.mh218/src/common/Thread.cc:136
    #2 0x7fd0bb2d7b46 in Thread::create(char const*, unsigned long) /usr/src/debug/ceph-14.2.5.mh218/src/common/Thread.cc:151
    #3 0x7fd0bb7b1fc1 in DispatchQueue::start() /usr/src/debug/ceph-14.2.5.mh218/src/msg/DispatchQueue.cc:233
    #4 0x7fd0bbb120a2 in AsyncMessenger::ready() /usr/src/debug/ceph-14.2.5.mh218/src/msg/async/AsyncMessenger.cc:334
    #5 0x7fd0c67b4463 in Messenger::add_dispatcher_tail(Dispatcher*) /usr/src/debug/ceph-14.2.5.mh218/src/msg/Messenger.h:400
    #6 0x7fd0c67b4463 in StandaloneClient::init() /usr/src/debug/ceph-14.2.5.mh218/src/client/Client.cc:16561
    #7 0x7fd0c6739432 in main /usr/src/debug/ceph-14.2.5.mh218/src/ceph_fuse.cc:263
    #8 0x7fd0b7901b14 in __libc_start_main (/lib64/libc.so.6+0x21b14)
==39169==ABORTING