Posted to issues@trafficserver.apache.org by GitBox <gi...@apache.org> on 2022/03/07 17:43:13 UTC
[GitHub] [trafficserver] cmcfarlen commented on issue #8647: SIGSEGV on Vol::force_evacuate_head
cmcfarlen commented on issue #8647:
URL: https://github.com/apache/trafficserver/issues/8647#issuecomment-1060953565
Looking at the core file:
```
(gdb) thread 38
[Switching to thread 38 (Thread 0x7fdde0796700 (LWP 19126))]
#0 0x00007fdde76121d9 in waitpid () from /lib64/libpthread.so.0
(gdb) fr 3
#3 evacuation_block_exists (dir=0x7f9d8edaa9e6, p=0x7fdddb2fa000) at ./P_CacheVol.h:461
461 if (dir_offset(&b->dir) == dir_offset(dir))
(gdb) info locals
b = 0xea326b5d0d1ef237
(gdb) p *b
Cannot access memory at address 0xea326b5d0d1ef237
(gdb) li
456 TS_INLINE EvacuationBlock *
457 evacuation_block_exists(Dir *dir, Vol *p)
458 {
459 EvacuationBlock *b = p->evacuate[dir_evac_bucket(dir)].head;
460 for (; b; b = b->link.next)
461 if (dir_offset(&b->dir) == dir_offset(dir))
462 return b;
463 return nullptr;
464 }
465
```
The local variable b holds an invalid pointer, so this crashes when dereferencing b on line 161.
Line 459 assumes dir_evac_bucket returns a valid index into p->evacuate. This update adds a bounds check around this.
Further analysis on this scenario:
```
(gdb) p p->evacuate_size
$1 = 6442
(gdb) x/5xh dir
0x7f9d8edaa9e6: 0x0412 0x3d77 0x338f 0x0000 0x0018
```
The Dir type is an array of 5 uint16_t. Plugging these values into a unit test and calling the dir_evac_bucket macro yields 12526 which is outside of the bounds of p->evacuate_size.
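An added illustration, not code from the comment or from Traffic Server: a bounds-checked version of the lookup above, with a dir_offset bit layout and a 32768-block bucket size assumed so that the dumped Dir words land in bucket 12526, plus a constructed Vol sized like the one in the core.

```c
#include <stddef.h>
#include <stdint.h>

/* Cache directory entry: five 16-bit words, matching the gdb dump above. */
typedef struct { uint16_t w[5]; } Dir;

/* ASSUMPTION: this offset bit layout and the 32768-block (16 MB) bucket size
 * are reconstructed so the page's Dir maps to bucket 12526; they are not
 * copied from the project's headers. Offsets are in 512-byte blocks. */
static int64_t dir_offset(const Dir *e)
{
    return (int64_t)((uint64_t)e->w[0] | ((uint64_t)(e->w[1] & 0xFF) << 16) |
                     ((uint64_t)e->w[4] << 24));
}
#define EVAC_BUCKET_BLOCKS 32768
static int64_t dir_evac_bucket(const Dir *e) { return dir_offset(e) / EVAC_BUCKET_BLOCKS; }

typedef struct EvacuationBlock { Dir dir; struct EvacuationBlock *next; } EvacuationBlock;
typedef struct { EvacuationBlock *head; } DLL;
typedef struct { DLL *evacuate; int evacuate_size; } Vol; /* evacuate has evacuate_size entries */

/* Hardened lookup: an out-of-range bucket returns NULL instead of reading a
 * garbage list head past the end of p->evacuate and dereferencing it. */
EvacuationBlock *evacuation_block_exists(const Dir *dir, const Vol *p)
{
    int64_t bucket = dir_evac_bucket(dir);
    if (bucket < 0 || bucket >= p->evacuate_size)
        return NULL;
    for (EvacuationBlock *b = p->evacuate[bucket].head; b; b = b->next)
        if (dir_offset(&b->dir) == dir_offset(dir))
            return b;
    return NULL;
}

/* The Dir words from the core file; yields the out-of-bounds bucket 12526. */
int crash_dir_bucket(void)
{
    Dir d = {{0x0412, 0x3d77, 0x338f, 0x0000, 0x0018}};
    return (int)dir_evac_bucket(&d);
}

/* Constructed Vol with 6442 buckets (evacuate_size from the core) and one block
 * parked in bucket 0. Returns 1 when the lookup behaves as expected. */
int lookup_demo(int which)
{
    static DLL lists[6442];
    static EvacuationBlock blk = {{{0x0100, 0, 0, 0, 0}}, NULL};
    Dir bad = {{0x0412, 0x3d77, 0x338f, 0x0000, 0x0018}}, miss = {{0x0200, 0, 0, 0, 0}};
    Vol v = {lists, 6442};
    lists[0].head = &blk;
    if (which == 0) return evacuation_block_exists(&bad, &v) == NULL;      /* bucket 12526: rejected */
    if (which == 1) return evacuation_block_exists(&blk.dir, &v) == &blk;  /* bucket 0: hit */
    return evacuation_block_exists(&miss, &v) == NULL;                     /* bucket 0: no match */
}
```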