Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2016/04/08 18:47:25 UTC

[jira] [Resolved] (TS-3804) ASAN heap-use-after-free in HttpClientSession::destroy

     [ https://issues.apache.org/jira/browse/TS-3804?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom resolved TS-3804.
-------------------------------
       Resolution: Cannot Reproduce
    Fix Version/s:     (was: 6.2.0)

> ASAN heap-use-after-free in HttpClientSession::destroy
> ------------------------------------------------------
>
>                 Key: TS-3804
>                 URL: https://issues.apache.org/jira/browse/TS-3804
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: HTTP
>            Reporter: Leif Hedstrom
>            Assignee: Sudheer Vinukonda
>              Labels: crash
>
> Seeing this with current master on docs.trafficserver:
> {code}
> traffic_server: using root directory '/opt/ats'
> =================================================================
> ==20070==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250038c6328 at pc 0x60d722 bp 0x2af782a92940 sp 0x2af782a92938
> WRITE of size 8 at 0x6250038c6328 thread T4 ([ET_NET 3])
>     #0 0x60d721 in HttpClientSession::destroy() /usr/local/src/trafficserver/proxy/http/HttpClientSession.cc:98
>     #1 0x60c867 in HttpClientSession::state_wait_for_close(int, void*) /usr/local/src/trafficserver/proxy/http/HttpClientSession.cc:356
>     #2 0x592027 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:146
>     #3 0x592027 in PluginVC::process_read_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:629
>     #4 0x59eb99 in PluginVC::main_handler(int, void*) /usr/local/src/trafficserver/proxy/PluginVC.cc:204
>     #5 0xc3357e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #6 0xc3357e in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #7 0xc35259 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
>     #8 0xc32188 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
>     #9 0x2af77b75cdf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
>     #10 0x2af77cfc51ac in __clone (/lib64/libc.so.6+0xf61ac)
> 0x6250038c6328 is located 6696 bytes inside of 8032-byte region [0x6250038c4900,0x6250038c6860)
> freed by thread T4 ([ET_NET 3]) here:
>     #0 0x2af77935b1c7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
>     #1 0x67cab5 in ClassAllocator<HttpSM>::free(HttpSM*) ../../lib/ts/Allocator.h:134
>     #2 0x67cab5 in HttpSM::destroy() /usr/local/src/trafficserver/proxy/http/HttpSM.cc:316
>     #3 0x67cab5 in HttpSM::kill_this() /usr/local/src/trafficserver/proxy/http/HttpSM.cc:6647
>     #4 0x67f7d7 in HttpSM::main_handler(int, void*) /usr/local/src/trafficserver/proxy/http/HttpSM.cc:2558
>     #5 0x74711d in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146
>     #6 0x74711d in HttpTunnel::main_handler(int, void*) /usr/local/src/trafficserver/proxy/http/HttpTunnel.cc:1585
>     #7 0x594051 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:146
>     #8 0x594051 in PluginVC::process_write_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:545
>     #9 0x59e324 in PluginVC::main_handler(int, void*) /usr/local/src/trafficserver/proxy/PluginVC.cc:208
>     #10 0xc3357e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #11 0xc3357e in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #12 0xc35259 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
>     #13 0xc32188 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
>     #14 0x2af77b75cdf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> previously allocated by thread T4 ([ET_NET 3]) here:
>     #0 0x2af77935b93b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
>     #1 0x2af77a244849 in ats_memalign /usr/local/src/trafficserver/lib/ts/ink_memory.cc:100
>     #2 0x2af77a2451b0 in ink_freelist_new /usr/local/src/trafficserver/lib/ts/ink_queue.cc:239
>     #3 0x6129a5 in ClassAllocator<HttpSM>::alloc() ../../lib/ts/Allocator.h:120
>     #4 0x6129a5 in HttpSM::allocate() /usr/local/src/trafficserver/proxy/http/HttpSM.h:566
>     #5 0x6129a5 in HttpClientSession::new_transaction() /usr/local/src/trafficserver/proxy/http/HttpClientSession.cc:141
>     #6 0x6129a5 in HttpClientSession::start() /usr/local/src/trafficserver/proxy/http/HttpClientSession.h:63
>     #7 0x60dff0 in HttpClientSession::new_connection(NetVConnection*, MIOBuffer*, IOBufferReader*, bool) /usr/local/src/trafficserver/proxy/http/HttpClientSession.cc:225
>     #8 0x600328 in HttpSessionAccept::accept(NetVConnection*, MIOBuffer*, IOBufferReader*) /usr/local/src/trafficserver/proxy/http/HttpSessionAccept.cc:74
>     #9 0x5ffa14 in HttpSessionAccept::mainEvent(int, void*) /usr/local/src/trafficserver/proxy/http/HttpSessionAccept.cc:86
>     #10 0x58fc90 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:146
>     #11 0x58fc90 in PluginVCCore::state_send_accept(int, void*) /usr/local/src/trafficserver/proxy/PluginVC.cc:1121
>     #12 0x59c565 in PluginVCCore::connect() /usr/local/src/trafficserver/proxy/PluginVC.cc:1069
>     #13 0x54a58b in TSHttpConnectWithPluginId /usr/local/src/trafficserver/proxy/InkAPI.cc:6093
>     #14 0x4e4d6d in FetchSM::httpConnect() /usr/local/src/trafficserver/proxy/FetchSM.cc:67
>     #15 0x78b0a1 in spdy_fetcher_launch /usr/local/src/trafficserver/proxy/spdy/SpdyCallbacks.cc:204
>     #16 0x78b0a1 in spdy_process_syn_stream_frame /usr/local/src/trafficserver/proxy/spdy/SpdyCallbacks.cc:297
>     #17 0x78b0a1 in spdy_on_ctrl_recv_callback(spdylay_session*, spdylay_frame_type, spdylay_frame*, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyCallbacks.cc:317
>     #18 0x2af77aef703f in spdylay_session_call_on_ctrl_frame_received /admin/src/spdylay/lib/spdylay_session.c:1634
>     #19 0x2af77aef703f in spdylay_session_on_syn_stream_received /admin/src/spdylay/lib/spdylay_session.c:1782
>     #20 0x3b000003e5 (+0x3a700093e5)
> Thread T4 ([ET_NET 3]) created by T0 ([ET_NET 0]) here:
>     #0 0x2af77932a86a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
>     #1 0xc32e15 in ink_thread_create ../../lib/ts/ink_thread.h:150
>     #2 0xc32e15 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:101
>     #3 0xc3b466 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x4967bb in main /usr/local/src/trafficserver/proxy/Main.cc:1624
>     #5 0x2af77cef0af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> SUMMARY: AddressSanitizer: heap-use-after-free /usr/local/src/trafficserver/proxy/http/HttpClientSession.cc:98 HttpClientSession::destroy()
> Shadow bytes around the buggy address:
>   0x0c4a80710c10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4a80710c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4a80710c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4a80710c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4a80710c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> =>0x0c4a80710c60: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
>   0x0c4a80710c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4a80710c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4a80710c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4a80710ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4a80710cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==20070==ABORTING
> traffic_server: using root directory '/opt/ats'
> [E. Mgmt] log ==> [TrafficManager] using root directory '/opt/ats'
> [Jul 29 02:36:27.744] Manager {0x7ff670b9b8c0} WARNING: Be aware that access control checks for HTTP/2 connections are not active!
> [Jul 29 02:36:27.744] Manager {0x7ff670b9b8c0} WARNING: Be aware that access control checks for HTTP/2 connections are not active!
> traffic_server: using root directory '/opt/ats'
> {code}


