Posted to issues@trafficserver.apache.org by GitBox <gi...@apache.org> on 2022/03/16 21:40:24 UTC

[GitHub] [trafficserver] moonchen opened a new issue #8735: [Healthcheck] ASAN reports use after free

moonchen opened a new issue #8735:
URL: https://github.com/apache/trafficserver/issues/8735


   ```
   Mar 15 18:13:49 redacted traffic_manager[53076]: =================================================================
   Mar 15 18:13:49 redacted traffic_manager[53076]: ==53086==ERROR: AddressSanitizer: heap-use-after-free on address 0x629000032200 at pc 0x7f478e8ebe57 bp 0x7f47c9a88a10 sp 0x7f47c9a88a08
   Mar 15 18:13:49 redacted traffic_manager[53076]: READ of size 4 at 0x629000032200 thread T6 ([ET_NET 4])
   Mar 15 18:13:51 redacted traffic_manager[53076]: #0 0x7f478e8ebe56 in hc_process_read /redacted/plugins/healthchecks/healthchecks.c:412:25
   Mar 15 18:13:51 redacted traffic_manager[53076]: #1 0x7f478e8ebe56 in hc_intercept /redacted/plugins/healthchecks/healthchecks.c:479:5
   Mar 15 18:13:51 redacted traffic_manager[53076]: #2 0x562f0a94bc14 in INKContInternal::handle_event(int, void*) /redacted/src/traffic_server/InkAPI.cc:1140:29
   Mar 15 18:13:51 redacted traffic_manager[53076]: #3 0x562f0afefcd7 in PluginVC::process_read_side(bool) /redacted/iocore/eventsystem/I_Continuation.h
   Mar 15 18:13:51 redacted traffic_manager[53076]: #4 0x562f0aff1ae1 in PluginVC::process_write_side(bool) /redacted/proxy/PluginVC.cc:568:19
   Mar 15 18:13:51 redacted traffic_manager[53076]: #5 0x562f0afecc0e in PluginVC::main_handler(int, void*) /redacted/proxy/PluginVC.cc:224:7
   Mar 15 18:13:51 redacted traffic_manager[53076]: #6 0x562f0b1a7419 in Continuation::handleEvent(int, void*) /redacted/iocore/eventsystem/./I_Continuation.h:219:12
   Mar 15 18:13:51 redacted traffic_manager[53076]: #7 0x562f0b1a7419 in EThread::process_event(Event*, int) /redacted/iocore/eventsystem/UnixEThread.cc:164:22
   Mar 15 18:13:51 redacted traffic_manager[53076]: #8 0x562f0b1a8391 in EThread::process_queue(Queue<Event, Event::Link_link>*, int*, int*) /redacted/iocore/eventsystem/UnixEThread.cc:199:7
   Mar 15 18:13:51 redacted traffic_manager[53076]: #9 0x562f0b1a94b4 in EThread::execute_regular() /redacted/iocore/eventsystem/UnixEThread.cc:259:5
   Mar 15 18:13:51 redacted traffic_manager[53076]: #10 0x562f0b1aa7cf in EThread::execute() /redacted/iocore/eventsystem/UnixEThread.cc:364:11
   Mar 15 18:13:51 redacted traffic_manager[53076]: #11 0x562f0b1a5044 in spawn_thread_internal(void*) /redacted/iocore/eventsystem/Thread.cc
   Mar 15 18:13:51 redacted traffic_manager[53076]: #12 0x7f47d228bea4 in start_thread (/lib64/libpthread.so.0+0x7ea4)
   Mar 15 18:13:51 redacted traffic_manager[53076]: #13 0x7f47d18c59fc in clone (/lib64/libc.so.6+0xfe9fc)
   Mar 15 18:13:51 redacted traffic_manager[53076]: 0x629000032200 is located 0 bytes inside of 16408-byte region [0x629000032200,0x629000036218)
   Mar 15 18:13:51 redacted traffic_manager[53076]: freed by thread T37 here:
   Mar 15 18:13:51 redacted traffic_manager[53076]: #0 0x562f0a8f0cf2 in free (/redacted/traffic_server+0x663cf2)
   Mar 15 18:13:51 redacted traffic_manager[53076]: #1 0x7f478e8ea84e in hc_thread /redacted/plugins/healthchecks/healthchecks.c:207:11
   Mar 15 18:13:51 redacted traffic_manager[53076]: #2 0x562f0a9a5320 in ink_thread_trampoline(void*) /redacted/src/traffic_server/InkIOCoreAPI.cc:128:12
   Mar 15 18:13:51 redacted traffic_manager[53076]: #3 0x7f47d228bea4 in start_thread (/lib64/libpthread.so.0+0x7ea4)
   Mar 15 18:13:51 redacted traffic_manager[53076]: previously allocated by thread T0 ([TS_MAIN]) here:
   Mar 15 18:13:51 redacted traffic_manager[53076]: #0 0x562f0a8f0f5d in malloc (/redacted/traffic_server+0x663f5d)
   Mar 15 18:13:51 redacted traffic_manager[53076]: #1 0x7f47d3af8b32 in ats_malloc /redacted/src/tscore/ink_memory.cc:64:9
   Mar 15 18:13:51 redacted traffic_manager[53076]: #2 0x7f478e8ea350 in parse_configs /redacted/plugins/healthchecks/healthchecks.c:358:23
   Mar 15 18:13:51 redacted traffic_manager[53076]: #3 0x7f478e8ea350 in TSPluginInit /redacted/plugins/healthchecks/healthchecks.c:568:27
   Mar 15 18:13:51 redacted traffic_manager[53076]: #4 0x562f0afe8f7a in single_plugin_init(int, char**, bool) /redacted/proxy/Plugin.cc:181:5
   Mar 15 18:13:51 redacted traffic_manager[53076]: #5 0x562f0afe8f7a in plugin_init(bool) /redacted/proxy/Plugin.cc:351:14
   Mar 15 18:13:51 redacted traffic_manager[53076]: #6 0x562f0a9c0e45 in main /redacted/src/traffic_server/traffic_server.cc:2103:11
   Mar 15 18:13:51 redacted traffic_manager[53076]: #7 0x7f47d17e9554 in __libc_start_main (/lib64/libc.so.6+0x22554)
   Mar 15 18:13:51 redacted traffic_manager[53076]: Thread T6 ([ET_NET 4]) created by T0 ([TS_MAIN]) here:
   Mar 15 18:13:51 redacted traffic_manager[53076]: #0 0x562f0a8db73c in pthread_create (/redacted/traffic_server+0x64e73c)
   Mar 15 18:13:51 redacted traffic_manager[53076]: #1 0x562f0b1a4deb in ink_thread_create(unsigned long*, void* (*)(void*), void*, int, unsigned long, void*) /redacted/iocore/eventsystem/../../include/tscore/ink_thread.h:159:9
   Mar 15 18:13:51 redacted traffic_manager[53076]: #2 0x562f0b1a4deb in Thread::start(char const*, void*, unsigned long, std::__1::function<void ()> const&) /redacted/iocore/eventsystem/Thread.cc:108:3
   Mar 15 18:13:51 redacted traffic_manager[53076]: #3 0x562f0b1b27d3 in EventProcessor::spawn_event_threads(int, int, unsigned long) /redacted/iocore/eventsystem/UnixEventProcessor.cc:392:21
   Mar 15 18:13:51 redacted traffic_manager[53076]: #4 0x562f0b1b3fe8 in EventProcessor::start(int, unsigned long) /redacted/iocore/eventsystem/UnixEventProcessor.cc:455:9
   Mar 15 18:13:51 redacted traffic_manager[53076]: #5 0x562f0a9c00e8 in main /redacted/src/traffic_server/traffic_server.cc:2039:18
   Mar 15 18:13:51 redacted traffic_manager[53076]: #6 0x7f47d17e9554 in __libc_start_main (/lib64/libc.so.6+0x22554)
   Mar 15 18:13:51 redacted traffic_manager[53076]: Thread T37 created by T0 ([TS_MAIN]) here:
   Mar 15 18:13:51 redacted traffic_manager[53076]: #0 0x562f0a8db73c in pthread_create (/redacted/traffic_server+0x64e73c)
   Mar 15 18:13:51 redacted traffic_manager[53076]: #1 0x562f0a9a50d5 in ink_thread_create(unsigned long*, void* (*)(void*), void*, int, unsigned long, void*) /redacted/src/../include/tscore/ink_thread.h:159:9
   Mar 15 18:13:51 redacted traffic_manager[53076]: #2 0x562f0a9a50d5 in TSThreadCreate /redacted/src/traffic_server/InkIOCoreAPI.cc:156:3
   Mar 15 18:13:51 redacted traffic_manager[53076]: #3 0x7f478e8e9d6b in TSPluginInit /redacted/plugins/healthchecks/healthchecks.c:574:8
   Mar 15 18:13:51 redacted traffic_manager[53076]: #4 0x562f0afe8f7a in single_plugin_init(int, char**, bool) /redacted/proxy/Plugin.cc:181:5
   Mar 15 18:13:51 redacted traffic_manager[53076]: #5 0x562f0afe8f7a in plugin_init(bool) /redacted/proxy/Plugin.cc:351:14
   Mar 15 18:13:51 redacted traffic_manager[53076]: #6 0x562f0a9c0e45 in main /redacted/src/traffic_server/traffic_server.cc:2103:11
   Mar 15 18:13:51 redacted traffic_manager[53076]: #7 0x7f47d17e9554 in __libc_start_main (/lib64/libc.so.6+0x22554)
   Mar 15 18:13:51 redacted traffic_manager[53076]: SUMMARY: AddressSanitizer: heap-use-after-free /redacted/plugins/healthchecks/healthchecks.c:412:25 in hc_process_read
   Mar 15 18:13:51 redacted traffic_manager[53076]: Shadow bytes around the buggy address:
   Mar 15 18:13:51 redacted traffic_manager[53076]: 0x0c527fffe3f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   Mar 15 18:13:51 redacted traffic_manager[53076]: 0x0c527fffe400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   Mar 15 18:13:51 redacted traffic_manager[53076]: 0x0c527fffe410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   Mar 15 18:13:51 redacted traffic_manager[53076]: 0x0c527fffe420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   Mar 15 18:13:51 redacted traffic_manager[53076]: 0x0c527fffe430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
   Mar 15 18:13:51 redacted traffic_manager[53076]: =>0x0c527fffe440:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   Mar 15 18:13:51 redacted traffic_manager[53076]: 0x0c527fffe450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   Mar 15 18:13:51 redacted traffic_manager[53076]: 0x0c527fffe460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   Mar 15 18:13:51 redacted traffic_manager[53076]: 0x0c527fffe470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   Mar 15 18:13:51 redacted traffic_manager[53076]: 0x0c527fffe480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   Mar 15 18:13:51 redacted traffic_manager[53076]: 0x0c527fffe490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   Mar 15 18:13:51 redacted traffic_manager[53076]: Shadow byte legend (one shadow byte represents 8 application bytes):
   Mar 15 18:13:51 redacted traffic_manager[53076]: Addressable:           00
   Mar 15 18:13:51 redacted traffic_manager[53076]: Partially addressable: 01 02 03 04 05 06 07
   Mar 15 18:13:51 redacted traffic_manager[53076]: Heap left redzone:       fa
   Mar 15 18:13:51 redacted traffic_manager[53076]: Freed heap region:       fd
   Mar 15 18:13:51 redacted traffic_manager[53076]: Stack left redzone:      f1
   Mar 15 18:13:51 redacted traffic_manager[53076]: Stack mid redzone:       f2
   Mar 15 18:13:51 redacted traffic_manager[53076]: Stack right redzone:     f3
   Mar 15 18:13:51 redacted traffic_manager[53076]: Stack after return:      f5
   Mar 15 18:13:51 redacted traffic_manager[53076]: Stack use after scope:   f8
   Mar 15 18:13:51 redacted traffic_manager[53076]: Global redzone:          f9
   Mar 15 18:13:51 redacted traffic_manager[53076]: Global init order:       f6
   Mar 15 18:13:51 redacted traffic_manager[53076]: Poisoned by user:        f7
   Mar 15 18:13:51 redacted traffic_manager[53076]: Container overflow:      fc
   Mar 15 18:13:51 redacted traffic_manager[53076]: Array cookie:            ac
   Mar 15 18:13:51 redacted traffic_manager[53076]: Intra object redzone:    bb
   Mar 15 18:13:51 redacted traffic_manager[53076]: ASan internal:           fe
   Mar 15 18:13:51 redacted traffic_manager[53076]: Left alloca redzone:     ca
   Mar 15 18:13:51 redacted traffic_manager[53076]: Right alloca redzone:    cb
   Mar 15 18:13:51 redacted traffic_manager[53076]: Shadow gap:              cc
   Mar 15 18:13:51 redacted traffic_manager[53076]: ==53086==ABORTING
   ```
   
   One possible order of operations that causes the race condition:
   
   1. hc_intercept continuation is created with g_config->data.
   2. Inotify causes g_config->data to be replaced, and the old one is put on the freelist.
   3. hc_process_read reads the old data.
   4. Old data is freed by the freelist.
   5. hc_process_read dereferences old data.
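The ordering above, replayed as an added C example that is not the plugin's code: a reference count on the config data lets the last user (here the continuation) free it, so a reload can no longer free memory an in-flight read still holds. All names (hc_data, hc_reload, hc_cont, replay_race) are hypothetical, and the freelist is modelled as an immediate release by the reloader.

```c
#include <stdatomic.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the pattern behind the report, not the plugin's code:
 * a continuation keeps a pointer to g_config->data while a reload path swaps and
 * frees it. A reference count lets the last user free the buffer instead. */
typedef struct { atomic_int refs; char body[64]; } hc_data;   /* body: constructed stand-in */

static hc_data *g_data;   /* current data, swapped on reload */
static int g_freed;       /* how many buffers have actually been freed */
static hc_data *hc_data_new(const char *body)
{
    hc_data *d = calloc(1, sizeof(*d));
    atomic_init(&d->refs, 1);                     /* this reference is the global's */
    strncpy(d->body, body, sizeof(d->body) - 1);  /* calloc keeps it NUL-terminated */
    return d;
}
static hc_data *hc_data_acquire(hc_data *d) { atomic_fetch_add(&d->refs, 1); return d; }
static void hc_data_release(hc_data *d)
{
    if (atomic_fetch_sub(&d->refs, 1) == 1) { free(d); g_freed++; }
}
/* Step 2 of the report: the reload swaps in new data; the old buffer only loses
 * the global's reference and survives while any continuation still holds one. */
static void hc_reload(const char *body)
{
    hc_data *old = g_data;
    g_data = hc_data_new(body);
    hc_data_release(old);
}

typedef struct { hc_data *data; } hc_cont;
/* Step 1: the continuation pins the data it will read for its whole lifetime. */
static hc_cont hc_intercept_create(void) { hc_cont c = { hc_data_acquire(g_data) }; return c; }
/* Steps 3 and 5: the read now targets memory that cannot have been freed. */
static size_t hc_process_read(const hc_cont *c) { return strlen(c->data->body); }
static void hc_cont_done(hc_cont *c) { hc_data_release(c->data); c->data = NULL; }
int hc_freed_count(void) { return g_freed; }
/* Replays the report's order of operations; returns what the continuation read. */
size_t replay_race(void)
{
    g_data = hc_data_new("OK v1");
    hc_cont c = hc_intercept_create();   /* 1 */
    hc_reload("OK v2, longer");          /* 2: v1 released by the reloader, not freed */
    size_t n = hc_process_read(&c);      /* 3 and 5: still reads the live "OK v1" */
    hc_cont_done(&c);                    /* 4: last reference drops, v1 freed here */
    hc_data_release(g_data); g_data = NULL;   /* tear down v2 */
    return n;
}
```

Built with ASAN, the same replay against a raw-pointer version would report the heap-use-after-free at the read in step 5; with the count, both buffers are freed exactly once and only after their last reader is done.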
   
   

