Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2015/12/16 20:09:46 UTC

[jira] [Updated] (TS-3910) SSLNetVConnection and add_to_active_queue heap-use-after-free

     [ https://issues.apache.org/jira/browse/TS-3910?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-3910:
------------------------------
    Assignee: Bryan Call

> SSLNetVConnection and add_to_active_queue heap-use-after-free
> -------------------------------------------------------------
>
>                 Key: TS-3910
>                 URL: https://issues.apache.org/jira/browse/TS-3910
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Network, SSL
>    Affects Versions: 6.0.0
>            Reporter: Bryan Call
>            Assignee: Bryan Call
>             Fix For: 6.2.0
>
>
> {code}
> ==15615==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000be6288 at pc 0x9e756d bp 0x2b14e4f317d0 sp 0x2b14e4f317c8
> WRITE of size 8 at 0x618000be6288 thread T6 ([ET_NET 5])
>     #0 0x9e756c in DLL<UnixNetVConnection, UnixNetVConnection::Link_active_queue_link>::insert(UnixNetVConnection*, UnixNetVConnection*) (/home/y/bin64/traffic_server+0x9e756c)
>     #1 0x9e6b98 in Queue<UnixNetVConnection, UnixNetVConnection::Link_active_queue_link>::insert(UnixNetVConnection*, UnixNetVConnection*) (/home/y/bin64/traffic_server+0x9e6b98)
>     #2 0x9e5fe2 in Queue<UnixNetVConnection, UnixNetVConnection::Link_active_queue_link>::enqueue(UnixNetVConnection*) (/home/y/bin64/traffic_server+0x9e5fe2)
>     #3 0x9e3cc8 in NetHandler::add_to_active_queue(UnixNetVConnection*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:733
>     #4 0x9ddbe8 in UnixNetVConnection::add_to_active_queue() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixConnection.cc:409
>     #5 0x64b34c in HttpClientSession::new_transaction() /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpClientSession.cc:124
>     #6 0x64e27d in HttpClientSession::state_keep_alive(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpClientSession.cc:415
>     #7 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #8 0x9f4040 in read_signal_and_update /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145
>     #9 0x9fa8c3 in UnixNetVConnection::readSignalAndUpdate(int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1013
>     #10 0x9be342 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:605
>     #11 0x9e1a02 in NetHandler::mainNetEvent(int, Event*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:516
>     #12 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #13 0xa405e4 in EThread::process_event(Event*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #14 0xa411fc in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:252
>     #15 0xa3ebbd in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
>     #16 0x2b14dce95df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
>     #17 0x2b14ddc261ac in __clone (/lib64/libc.so.6+0xf61ac)
> 0x618000be6288 is located 520 bytes inside of 880-byte region [0x618000be6080,0x618000be63f0)
> freed by thread T6 ([ET_NET 5]) here:
>     #0 0x2b14da1b01d7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
>     #1 0x2b14db0ab3b2 in ats_memalign_free /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_memory.cc:139
>     #2 0x2b14db0abf60 in ink_freelist_free /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_queue.cc:292
>     #3 0x9c7226 in ClassAllocator<SSLNetVConnection>::free(SSLNetVConnection*) (/home/y/bin64/traffic_server+0x9c7226)
>     #4 0x9c1a72 in SSLNetVConnection::free(EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:936
>     #5 0x9f3f81 in close_UnixNetVConnection(UnixNetVConnection*, EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:134
>     #6 0x9f42f6 in read_signal_and_update /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:164
>     #7 0x9f46f4 in read_signal_done /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:206
>     #8 0x9fa8a1 in UnixNetVConnection::readSignalDone(int, NetHandler*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1006
>     #9 0x9be784 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:647
>     #10 0x9e1a02 in NetHandler::mainNetEvent(int, Event*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:516
>     #11 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #12 0xa405e4 in EThread::process_event(Event*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #13 0xa411fc in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:252
>     #14 0xa3ebbd in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
>     #15 0x2b14dce95df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> previously allocated by thread T48 ([ACCEPT 0:444]) here:
>     #0 0x2b14da1b094b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
>     #1 0x2b14db0ab233 in ats_memalign /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_memory.cc:100
>     #2 0x2b14db0abe0d in ink_freelist_new /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_queue.cc:239
>     #3 0x9ba049 in ClassAllocator<SSLNetVConnection>::alloc() ../../lib/ts/Allocator.h:120
>     #4 0x9b9ac7 in SSLNetProcessor::allocate_vc(EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetProcessor.cc:134
>     #5 0x9e9d0c in NetAccept::do_blocking_accept(EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetAccept.cc:275
>     #6 0x9ebf4d in NetAccept::acceptLoopEvent(int, Event*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetAccept.cc:492
>     #7 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #8 0xa414ad in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:275
>     #9 0xa3ebbd in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
>     #10 0x2b14dce95df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> Thread T6 ([ET_NET 5]) created by T0 ([ET_NET 0]) here:
>     #0 0x2b14da17f87a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
>     #1 0xa3e6ea in ink_thread_create ../../lib/ts/ink_thread.h:150
>     #2 0xa3ed47 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:101
>     #3 0xa43dad in EventProcessor::start(int, unsigned long) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x59180f in main /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/Main.cc:1624
>     #5 0x2b14ddb51af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> {code}


