Posted to issues@trafficserver.apache.org by "Phil Sorber (JIRA)" <ji...@apache.org> on 2015/09/15 04:17:47 UTC

[jira] [Updated] (TS-3860) Buffer overflow in H2 on debug build

     [ https://issues.apache.org/jira/browse/TS-3860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Phil Sorber updated TS-3860:
----------------------------
    Backport to Version: 5.3.3

> Buffer overflow in H2 on debug build
> ------------------------------------
>
>                 Key: TS-3860
>                 URL: https://issues.apache.org/jira/browse/TS-3860
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: HTTP/2
>            Reporter: Leif Hedstrom
>            Assignee: Ryo Okubo
>              Labels: yahoo
>             Fix For: 6.0.0
>
>         Attachments: ts-3860-01.patch, ts-3860-02.patch
>
>
> {code}
> ==15480==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000acafe8 at pc 0x7f13fa bp 0x7ff13b8e3ee0 sp 0x7ff13b8e3ed8
> READ of size 1 at 0x000000acafe8 thread T8 ([ET_NET 7])
>     #0 0x7f13f9 in checksum_block(char const*, int) /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:530
>     #1 0x7f167f in mime_hdr_sanity_check(MIMEHdrImpl*) /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:560
>     #2 0x7f5d6d in mime_hdr_field_attach(MIMEHdrImpl*, MIMEField*, int, MIMEField*) /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:1533
>     #3 0x6fd29a in http2_write_psuedo_headers(HTTPHdr*, unsigned char*, unsigned long, Http2DynamicTable&) /usr/local/src/trafficserver/proxy/http2/HTTP2.cc:560
>     #4 0x710ecd in Http2ConnectionState::send_headers_frame(FetchSM*) /usr/local/src/trafficserver/proxy/http2/Http2ConnectionState.cc:966
>     #5 0x70f906 in Http2ConnectionState::main_event_handler(int, void*) /usr/local/src/trafficserver/proxy/http2/Http2ConnectionState.cc:768
>     #6 0x53075a in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #7 0x704fe9 in send_connection_event /usr/local/src/trafficserver/proxy/http2/Http2ClientSession.cc:60
>     #8 0x707176 in Http2ClientSession::main_event_handler(int, void*) /usr/local/src/trafficserver/proxy/http2/Http2ClientSession.cc:259
>     #9 0x53075a in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #10 0x52bd6a in FetchSM::InvokePluginExt(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:260
>     #11 0x52d6e6 in FetchSM::process_fetch_read(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:456
>     #12 0x52df4a in FetchSM::fetch_handler(int, void*) /usr/local/src/trafficserver/proxy/FetchSM.cc:518
>     #13 0x53075a in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #14 0x5abc09 in PluginVC::process_read_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:663
>     #15 0x5aa834 in PluginVC::process_write_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:555
>     #16 0x5a74dc in PluginVC::main_handler(int, void*) /usr/local/src/trafficserver/proxy/PluginVC.cc:208
>     #17 0x53075a in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #18 0xa23154 in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #19 0xa236f7 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
>     #20 0xa21662 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
>     #21 0x7ff143381df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
>     #22 0x7ff1426291ac in __clone (/lib64/libc.so.6+0xf61ac)
> 0x000000acafe8 is located 0 bytes to the right of global variable '*.LC7' from 'HPACK.cc' (0xacafe0) of size 8
>   '*.LC7' is ascii string ':status'
> SUMMARY: AddressSanitizer: global-buffer-overflow /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:530 checksum_block(char const*, int)
> Shadow bytes around the buggy address:
>   0x0000801515a0: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
>   0x0000801515b0: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
>   0x0000801515c0: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
>   0x0000801515d0: 00 00 05 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
>   0x0000801515e0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 03 f9 f9
> =>0x0000801515f0: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 00[f9]f9 f9
>   0x000080151600: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
>   0x000080151610: 00 00 00 00 00 00 00 00 00 00 00 00 00 01 f9 f9
>   0x000080151620: f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9 00 00 00 00
>   0x000080151630: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 00 00 00 00
>   0x000080151640: 00 00 03 f9 f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> Thread T8 ([ET_NET 7]) created by T0 ([ET_NET 0]) here:
>     #0 0x7ff14562786a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
>     #1 0xa2113e in ink_thread_create ../../lib/ts/ink_thread.h:150
>     #2 0xa217eb in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:101
>     #3 0xa26d03 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x5942ff in main /usr/local/src/trafficserver/proxy/Main.cc:1624
>     #5 0x7ff142554af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> ==15480==ABORTING
> {code}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
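The sanitizer report above is the whole record on this page; the ATS length bug that caused it is not shown here. As an added example, not Apache Traffic Server code, the C program below reproduces the shape of the finding: a checksum loop in the style of checksum_block() is handed a length one byte larger than the 8-byte global ":status" literal (the '*.LC7' in the report), so its last iteration is a 1-byte READ 0 bytes to the right of the global, which is exactly what ASan's global-buffer-overflow line says. The byte-sum checksum, the strlen()+2 miscount in checksum_name_buggy() and the bounded caller checksum_name_bounded() are all constructed stand-ins whose names and signatures are assumptions for this illustration. Built with -fsanitize=address, main() trips the same class of report; built without it, the bad read is silent.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for MIME.cc's checksum_block(): a plain byte sum
 * over `len` bytes starting at `p`. It trusts `len` completely, which is
 * what turns the caller's length bug into a read past the object. */
static uint32_t checksum_block(const char *p, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++)
        sum += (unsigned char)p[i];
    return sum;
}

/* The global the report names: '*.LC7' is the string literal ":status",
 * 8 bytes including the terminating NUL. Given a name here (assumption)
 * so the example can talk about its size. */
static const char STATUS_NAME[] = ":status";

/* Constructed bug: the block length is computed as strlen()+2, one byte
 * more than the object holds. Under -fsanitize=address the final
 * iteration is reported as "READ of size 1 ... 0 bytes to the right of
 * global variable", the same shape as the report in this ticket. Without
 * ASan it quietly reads whatever the linker placed after the literal. */
uint32_t checksum_name_buggy(void)
{
    return checksum_block(STATUS_NAME, strlen(STATUS_NAME) + 2);
}

/* Hardened caller: the requested length is checked against the object's
 * real size before any byte is read. Returns 0 and stores the checksum in
 * *out, or -1 when `len` would run past `name_size` bytes. */
int checksum_name_bounded(const char *name, size_t name_size, size_t len,
                          uint32_t *out)
{
    if (name == NULL || out == NULL || len > name_size)
        return -1;
    *out = checksum_block(name, len);
    return 0;
}

/* ASan detection for main(): GCC defines __SANITIZE_ADDRESS__, Clang
 * exposes __has_feature(address_sanitizer). */
#if defined(__SANITIZE_ADDRESS__)
#  define EXAMPLE_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define EXAMPLE_ASAN 1
#  endif
#endif
#ifndef EXAMPLE_ASAN
#  define EXAMPLE_ASAN 0
#endif

int main(void)
{
    uint32_t v = 0;

    /* 7 bytes (the name) fits the 8-byte object, so this is accepted. */
    checksum_name_bounded(STATUS_NAME, sizeof STATUS_NAME, strlen(STATUS_NAME), &v);
    printf("bounded: checksum(\":status\", %zu) = %u\n", strlen(STATUS_NAME), v);

    /* 9 bytes is the miscount; the bounded caller refuses it up front. */
    if (checksum_name_bounded(STATUS_NAME, sizeof STATUS_NAME,
                              sizeof STATUS_NAME + 1, &v) < 0)
        printf("bounded: rejected len %zu for a %zu-byte object\n",
               sizeof STATUS_NAME + 1, sizeof STATUS_NAME);

#if EXAMPLE_ASAN
    /* Only under ASan: this call aborts with a global-buffer-overflow report. */
    printf("buggy: %u\n", checksum_name_buggy());
#else
    printf("buggy caller skipped: rebuild with -fsanitize=address to see the report\n");
#endif
    return 0;
}
```

Build with `cc -g -O1 -fsanitize=address example.c && ./a.out` to see the abort; the shadow-byte dump in the ticket reads the same way for this program: the `00` immediately before the bracketed `[f9]` on the `=>` line is the 8 addressable bytes of the literal, and `f9` (global redzone) is the byte the bad read landed on, which is why ASan reports the address as 0 bytes to the right of the global.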