Posted to issues@trafficserver.apache.org by GitBox <gi...@apache.org> on 2021/05/27 07:31:00 UTC

[GitHub] [trafficserver] masaori335 opened a new issue #7893: ASan: heap-use-after-free on HttpSessionAccept::accept

masaori335 opened a new issue #7893:
URL: https://github.com/apache/trafficserver/issues/7893


   Another heap-use-after-free with the same condition as #7891
   ```
   ==38606==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000142928 at pc 0x000100171a3b bp 0x000108a459f0 sp 0x000108a459e8
   READ of size 8 at 0x619000142928 thread T2
       #0 0x100171a3a in HttpSessionAccept::accept(NetVConnection*, MIOBuffer*, IOBufferReader*) HttpSessionAccept.cc:61
       #1 0x10017218b in HttpSessionAccept::mainEvent(int, void*) HttpSessionAccept.cc:75
       #2 0x100009704 in Continuation::handleEvent(int, void*) I_Continuation.h:219
       #3 0x100a194db in send_plugin_event(Continuation*, int, void*) SSLNextProtocolAccept.cc:33
       #4 0x100a19189 in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) SSLNextProtocolAccept.cc:110
       #5 0x100009704 in Continuation::handleEvent(int, void*) I_Continuation.h:219
       #6 0x100aed5a2 in read_signal_and_update(int, UnixNetVConnection*) UnixNetVConnection.cc:83
       #7 0x100aed3ba in read_signal_done(int, NetHandler*, UnixNetVConnection*) UnixNetVConnection.cc:150
       #8 0x100aed332 in UnixNetVConnection::readSignalDone(int, NetHandler*) UnixNetVConnection.cc:1037
       #9 0x1009f83ba in SSLNetVConnection::net_read_io(NetHandler*, EThread*) SSLNetVConnection.cc:655
       #10 0x100abda13 in NetHandler::process_ready_list() UnixNet.cc:415
       #11 0x100abf12e in NetHandler::waitForActivity(long long) UnixNet.cc:546
       #12 0x100b7ea64 in EThread::execute_regular() UnixEThread.cc:303
       #13 0x100b7fb87 in EThread::execute() UnixEThread.cc:364
       #14 0x100b7a9b6 in spawn_thread_internal(void*) Thread.cc:92
       #15 0x7fff206108fb in _pthread_start+0xdf (libsystem_pthread.dylib:x86_64+0x68fb)
       #16 0x7fff2060c442 in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x2442)
   
   0x619000142928 is located 168 bytes inside of 1072-byte region [0x619000142880,0x619000142cb0)
   freed by thread T2 here:
       #0 0x102fa1969 in wrap_free+0xa9 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x45969)
       #1 0x10265667d in ats_memalign_free ink_memory.cc:138
       #2 0x10268ac83 in jearena::JemallocNodumpAllocator::deallocate(_InkFreeList*, void*) JeAllocator.cc:139
       #3 0x10265c8dc in malloc_free(_InkFreeList*, void*) ink_queue.cc:331
       #4 0x102658855 in ink_freelist_free ink_queue.cc:281
       #5 0x10000502c in Allocator::free_void(void*) Allocator.h:74
       #6 0x10019b6ab in Http1ClientSession::free() Http1ClientSession.cc:123
       #7 0x100968964 in ProxySession::handle_api_return(int) ProxySession.cc:169
       #8 0x100968f4a in ProxySession::do_api_callout(TSHttpHookID) ProxySession.cc:146
       #9 0x10019ac2f in Http1ClientSession::destroy() Http1ClientSession.cc:76
       #10 0x10019e2b8 in Http1ClientSession::do_io_close(int) Http1ClientSession.cc:266
       #11 0x10019f8ec in Http1ClientSession::state_keep_alive(int, void*) Http1ClientSession.cc:377
       #12 0x100009704 in Continuation::handleEvent(int, void*) I_Continuation.h:219
       #13 0x100aed5a2 in read_signal_and_update(int, UnixNetVConnection*) UnixNetVConnection.cc:83
       #14 0x100aefdea in UnixNetVConnection::mainEvent(int, Event*) UnixNetVConnection.cc:1171
       #15 0x100009704 in Continuation::handleEvent(int, void*) I_Continuation.h:219
       #16 0x100a12a42 in UnixNetVConnection::callback(int, void*) P_UnixNetVConnection.h:232
       #17 0x100ac1902 in NetHandler::_close_ne(NetEvent*, long long, int&, int&, int&, int&) UnixNet.cc:692
       #18 0x100ac25f1 in NetHandler::manage_keep_alive_queue() UnixNet.cc:648
       #19 0x100ac2fa7 in NetHandler::add_to_keep_alive_queue(NetEvent*) UnixNet.cc:720
       #20 0x100af444f in UnixNetVConnection::add_to_keep_alive_queue() UnixNetVConnection.cc:1454
       #21 0x1001a0b5a in Http1ClientSession::release(ProxyTransaction*) Http1ClientSession.cc:425
       #22 0x1001a1c6c in Http1ClientSession::start() Http1ClientSession.cc:510
       #23 0x1009688ec in ProxySession::handle_api_return(int) ProxySession.cc:165
       #24 0x100968f4a in ProxySession::do_api_callout(TSHttpHookID) ProxySession.cc:146
       #25 0x10019c9f5 in Http1ClientSession::new_connection(NetVConnection*, MIOBuffer*, IOBufferReader*) Http1ClientSession.cc:201
       #26 0x100171a01 in HttpSessionAccept::accept(NetVConnection*, MIOBuffer*, IOBufferReader*) HttpSessionAccept.cc:59
       #27 0x10017218b in HttpSessionAccept::mainEvent(int, void*) HttpSessionAccept.cc:75
       #28 0x100009704 in Continuation::handleEvent(int, void*) I_Continuation.h:219
       #29 0x100a194db in send_plugin_event(Continuation*, int, void*) SSLNextProtocolAccept.cc:33
   
   previously allocated by thread T2 here:
       #0 0x102fa1f33 in wrap_posix_memalign+0xb3 (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x45f33)
       #1 0x10265642e in ats_memalign ink_memory.cc:102
       #2 0x10268ab6d in jearena::JemallocNodumpAllocator::allocate(_InkFreeList*) JeAllocator.cc:118
       #3 0x10265c7ec in malloc_new(_InkFreeList*) ink_queue.cc:268
       #4 0x102658687 in ink_freelist_new ink_queue.cc:187
       #5 0x1001724e4 in Http1ClientSession* ClassAllocator<Http1ClientSession, true>::alloc<>() Allocator.h:142
       #6 0x100172001 in ClassAllocator<Http1ClientSession, true>::Value_type* thread_alloc<ClassAllocator<Http1ClientSession, true> >(ClassAllocator<Http1ClientSession, true>&, ProxyAllocator&) I_ProxyAllocator.h:62
       #7 0x1001718a7 in HttpSessionAccept::accept(NetVConnection*, MIOBuffer*, IOBufferReader*) HttpSessionAccept.cc:52
       #8 0x10017218b in HttpSessionAccept::mainEvent(int, void*) HttpSessionAccept.cc:75
       #9 0x100009704 in Continuation::handleEvent(int, void*) I_Continuation.h:219
       #10 0x100a194db in send_plugin_event(Continuation*, int, void*) SSLNextProtocolAccept.cc:33
       #11 0x100a19189 in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) SSLNextProtocolAccept.cc:110
       #12 0x100009704 in Continuation::handleEvent(int, void*) I_Continuation.h:219
       #13 0x100aed5a2 in read_signal_and_update(int, UnixNetVConnection*) UnixNetVConnection.cc:83
       #14 0x100aed3ba in read_signal_done(int, NetHandler*, UnixNetVConnection*) UnixNetVConnection.cc:150
       #15 0x100aed332 in UnixNetVConnection::readSignalDone(int, NetHandler*) UnixNetVConnection.cc:1037
       #16 0x1009f83ba in SSLNetVConnection::net_read_io(NetHandler*, EThread*) SSLNetVConnection.cc:655
       #17 0x100abda13 in NetHandler::process_ready_list() UnixNet.cc:415
       #18 0x100abf12e in NetHandler::waitForActivity(long long) UnixNet.cc:546
       #19 0x100b7ea64 in EThread::execute_regular() UnixEThread.cc:303
       #20 0x100b7fb87 in EThread::execute() UnixEThread.cc:364
       #21 0x100b7a9b6 in spawn_thread_internal(void*) Thread.cc:92
       #22 0x7fff206108fb in _pthread_start+0xdf (libsystem_pthread.dylib:x86_64+0x68fb)
       #23 0x7fff2060c442 in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x2442)
   
   Thread T2 created by T0 here:
       #0 0x102f9b97c in wrap_pthread_create+0x5c (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x3f97c)
       #1 0x100b7a72d in ink_thread_create(_opaque_pthread_t**, void* (*)(void*), void*, int, unsigned long, void*) ink_thread.h:159
       #2 0x100b7a4f3 in Thread::start(char const*, void*, unsigned long, std::__1::function<void ()> const&) Thread.cc:109
       #3 0x100b84264 in EventProcessor::spawn_event_threads(int, int, unsigned long) UnixEventProcessor.cc:392
       #4 0x100b853b5 in EventProcessor::start(int, unsigned long) UnixEventProcessor.cc:455
       #5 0x1000f5ee9 in main traffic_server.cc:2033
       #6 0x7fff2062bf5c in start+0x0 (libdyld.dylib:x86_64+0x15f5c)
   
   SUMMARY: AddressSanitizer: heap-use-after-free HttpSessionAccept.cc:61 in HttpSessionAccept::accept(NetVConnection*, MIOBuffer*, IOBufferReader*)
   Shadow bytes around the buggy address:
     0x1c32000284d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
     0x1c32000284e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
     0x1c32000284f0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
     0x1c3200028500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x1c3200028510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   =>0x1c3200028520: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
     0x1c3200028530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
     0x1c3200028540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
     0x1c3200028550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
     0x1c3200028560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
     0x1c3200028570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   Shadow byte legend (one shadow byte represents 8 application bytes):
     Addressable:           00
     Partially addressable: 01 02 03 04 05 06 07
     Heap left redzone:       fa
     Freed heap region:       fd
     Stack left redzone:      f1
     Stack mid redzone:       f2
     Stack right redzone:     f3
     Stack after return:      f5
     Stack use after scope:   f8
     Global redzone:          f9
     Global init order:       f6
     Poisoned by user:        f7
     Container overflow:      fc
     Array cookie:            ac
     Intra object redzone:    bb
     ASan internal:           fe
     Left alloca redzone:     ca
     Right alloca redzone:    cb
     Shadow gap:              cc
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [trafficserver] masaori335 closed issue #7893: ASan: heap-use-after-free on HttpSessionAccept::accept

Posted by GitBox <gi...@apache.org>.
masaori335 closed issue #7893:
URL: https://github.com/apache/trafficserver/issues/7893


   





[GitHub] [trafficserver] masaori335 commented on issue #7893: ASan: heap-use-after-free on HttpSessionAccept::accept

Posted by GitBox <gi...@apache.org>.
masaori335 commented on issue #7893:
URL: https://github.com/apache/trafficserver/issues/7893#issuecomment-849408233


   The order looks like it matters. It looks like `Http1ClientSession::new_connection()` frees the `new_session`.
   https://github.com/apache/trafficserver/blob/050b2dfe9a89348b4105183a2b31e7cc59fc389d/proxy/http/HttpSessionAccept.cc#L59-L61

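
The ordering problem described in the thread (a callee that can free the object synchronously, followed by a caller-side access) reduced to a minimal model. This is an added example, not part of the original thread and not Traffic Server code; `Session`, `new_connection()`, `g_frees` and the `accept_*` helpers are hypothetical names, and the free is detected with a counter so the example never dereferences freed memory.

```cpp
// Added illustration: Session, new_connection() and the accept_* helpers are
// hypothetical stand-ins, not Traffic Server code.
#include <cstdio>

struct Session {
  int options = 0;
};

static int g_frees = 0; // lets the example detect a free without touching the object

static void free_session(Session *s) {
  ++g_frees;
  delete s;
}

// Models a callee that can run the whole session lifecycle synchronously
// (start -> release -> keep-alive close -> destroy -> free) before returning.
static void new_connection(Session *s, bool closed_during_setup) {
  if (closed_during_setup) free_session(s);
}

// Ordering from the report: the caller still uses the session after the call.
// Returns true when that later access would land in freed memory.
bool accept_then_touch_is_stale(bool closed_during_setup) {
  Session *s = new Session;
  int frees_before = g_frees;
  new_connection(s, closed_during_setup);
  bool stale = (g_frees != frees_before); // reading s->options here is the UAF
  if (!stale) free_session(s);
  return stale;
}

// Safer ordering: finish every access to the session before handing it to the
// callee, and treat the pointer as dead once the call returns.
int accept_reads_first(bool closed_during_setup) {
  Session *s = new Session;
  s->options = 42;
  int opts = s->options; // copy what the caller still needs
  int frees_before = g_frees;
  new_connection(s, closed_during_setup);
  if (g_frees == frees_before) free_session(s); // cleanup only, no dereference
  return opts;
}

int main() {
  std::printf("stale after call: %d\n", accept_then_touch_is_stale(true));
  std::printf("options read before call: %d\n", accept_reads_first(true));
}
```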