Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2016/02/04 19:55:48 UTC

[jira] [Closed] (TS-3654) ASAN heap-use-after-free in cache-hosting (regression)

     [ https://issues.apache.org/jira/browse/TS-3654?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom closed TS-3654.
-----------------------------

> ASAN heap-use-after-free in cache-hosting (regression)
> ------------------------------------------------------
>
>                 Key: TS-3654
>                 URL: https://issues.apache.org/jira/browse/TS-3654
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: Cache
>            Reporter: Leif Hedstrom
>            Assignee: Susan Hinrichs
>             Fix For: 6.0.0
>
>
> {code}
> RPRINT Cache_vol: 1 128 Megabyte Volumes
> RPRINT Cache_vol: Not enough space for 10 volume
> RPRINT Cache_vol: Random Volumes after clearing the disks
> RPRINT Cache_vol: volume=1 scheme=http size=128
> RPRINT Cache_vol: Random Volumes without clearing the disks
> RPRINT Cache_vol: volume=1 scheme=rtsp size=128
> =================================================================
> ==3733==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000a2960 at pc 0xa7ce83 bp 0x7f3c7f946980 sp 0x7f3c7f946970
> READ of size 8 at 0x6040000a2960 thread T3 ([ET_NET 2])
>     #0 0xa7ce82 in cplist_update ../../../../iocore/cache/Cache.cc:3230
>     #1 0xa7ce82 in cplist_reconfigure() ../../../../iocore/cache/Cache.cc:3374
>     #2 0xac619e in execute_and_verify(RegressionTest*) ../../../../iocore/cache/CacheHosting.cc:994
>     #3 0xac75f8 in RegressionTest_Cache_vol(RegressionTest*, int, int*) ../../../../iocore/cache/CacheHosting.cc:840
>     #4 0x7f3c8480b4d2 in start_test ../../../../lib/ts/Regression.cc:77
>     #5 0x7f3c8480b4d2 in RegressionTest::run_some() ../../../../lib/ts/Regression.cc:125
>     #6 0x7f3c8480b9b6 in RegressionTest::check_status() ../../../../lib/ts/Regression.cc:140
>     #7 0x57b5b4 in RegressionCont::mainEvent(int, Event*) ../../../proxy/Main.cc:1220
>     #8 0xc8b86e in Continuation::handleEvent(int, void*) ../../../../iocore/eventsystem/I_Continuation.h:145
>     #9 0xc8b86e in EThread::process_event(Event*, int) ../../../../iocore/eventsystem/UnixEThread.cc:128
>     #10 0xc8da67 in EThread::execute() ../../../../iocore/eventsystem/UnixEThread.cc:207
>     #11 0xc8a488 in spawn_thread_internal ../../../../iocore/eventsystem/Thread.cc:85
>     #12 0x7f3c84392529 in start_thread (/lib64/libpthread.so.0+0x3813e07529)
>     #13 0x381370022c in __clone (/lib64/libc.so.6+0x381370022c)
> 0x6040000a2960 is located 16 bytes inside of 40-byte region [0x6040000a2950,0x6040000a2978)
> freed by thread T3 ([ET_NET 2]) here:
>     #0 0x7f3c84aaf64f in operator delete(void*) (/lib64/libasan.so.1+0x5864f)
>     #1 0xabbd16 in CacheDisk::delete_volume(int) ../../../../iocore/cache/CacheDisk.cc:330
>     #2 0xa7bfe0 in cplist_update ../../../../iocore/cache/Cache.cc:3212
>     #3 0xa7bfe0 in cplist_reconfigure() ../../../../iocore/cache/Cache.cc:3374
>     #4 0xac619e in execute_and_verify(RegressionTest*) ../../../../iocore/cache/CacheHosting.cc:994
>     #5 0xac75f8 in RegressionTest_Cache_vol(RegressionTest*, int, int*) ../../../../iocore/cache/CacheHosting.cc:840
>     #6 0x7f3c8480b4d2 in start_test ../../../../lib/ts/Regression.cc:77
>     #7 0x7f3c8480b4d2 in RegressionTest::run_some() ../../../../lib/ts/Regression.cc:125
>     #8 0x7f3c8480b9b6 in RegressionTest::check_status() ../../../../lib/ts/Regression.cc:140
>     #9 0x57b5b4 in RegressionCont::mainEvent(int, Event*) ../../../proxy/Main.cc:1220
>     #10 0xc8b86e in Continuation::handleEvent(int, void*) ../../../../iocore/eventsystem/I_Continuation.h:145
>     #11 0xc8b86e in EThread::process_event(Event*, int) ../../../../iocore/eventsystem/UnixEThread.cc:128
>     #12 0xc8da67 in EThread::execute() ../../../../iocore/eventsystem/UnixEThread.cc:207
>     #13 0xc8a488 in spawn_thread_internal ../../../../iocore/eventsystem/Thread.cc:85
>     #14 0x7f3c84392529 in start_thread (/lib64/libpthread.so.0+0x3813e07529)
> previously allocated by thread T3 ([ET_NET 2]) here:
>     #0 0x7f3c84aaf14f in operator new(unsigned long) (/lib64/libasan.so.1+0x5814f)
>     #1 0xaba5ca in CacheDisk::create_volume(int, long, int) ../../../../iocore/cache/CacheDisk.cc:296
>     #2 0xa74f81 in create_volume ../../../../iocore/cache/Cache.cc:3551
>     #3 0xa7ca20 in cplist_reconfigure() ../../../../iocore/cache/Cache.cc:3405
>     #4 0xac619e in execute_and_verify(RegressionTest*) ../../../../iocore/cache/CacheHosting.cc:994
>     #5 0xac75f8 in RegressionTest_Cache_vol(RegressionTest*, int, int*) ../../../../iocore/cache/CacheHosting.cc:840
>     #6 0x7f3c8480b4d2 in start_test ../../../../lib/ts/Regression.cc:77
>     #7 0x7f3c8480b4d2 in RegressionTest::run_some() ../../../../lib/ts/Regression.cc:125
>     #8 0x7f3c8480b9b6 in RegressionTest::check_status() ../../../../lib/ts/Regression.cc:140
>     #9 0x57b5b4 in RegressionCont::mainEvent(int, Event*) ../../../proxy/Main.cc:1220
>     #10 0xc8b86e in Continuation::handleEvent(int, void*) ../../../../iocore/eventsystem/I_Continuation.h:145
>     #11 0xc8b86e in EThread::process_event(Event*, int) ../../../../iocore/eventsystem/UnixEThread.cc:128
>     #12 0xc8da67 in EThread::execute() ../../../../iocore/eventsystem/UnixEThread.cc:207
>     #13 0xc8a488 in spawn_thread_internal ../../../../iocore/eventsystem/Thread.cc:85
>     #14 0x7f3c84392529 in start_thread (/lib64/libpthread.so.0+0x3813e07529)
> Thread T3 ([ET_NET 2]) created by T0 ([ET_NET 0]) here:
>     #0 0x7f3c84a7adba in pthread_create (/lib64/libasan.so.1+0x23dba)
>     #1 0xc8b115 in ink_thread_create ../../../../lib/ts/ink_thread.h:150
>     #2 0xc8b115 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) ../../../../iocore/eventsystem/Thread.cc:100
>     #3 0xc93696 in EventProcessor::start(int, unsigned long) ../../../../iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x496fa3 in main ../../../proxy/Main.cc:1627
>     #5 0x381361ffdf in __libc_start_main (/lib64/libc.so.6+0x381361ffdf)
> SUMMARY: AddressSanitizer: heap-use-after-free ../../../../iocore/cache/Cache.cc:3230 cplist_update
> Shadow bytes around the buggy address:
>   0x0c088000c4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c088000c4e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c088000c4f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c088000c500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c088000c510: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c088000c520: fa fa 00 00 00 00 00 00 fa fa fd fd[fd]fd fd fa
>   0x0c088000c530: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
>   0x0c088000c540: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
>   0x0c088000c550: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
>   0x0c088000c560: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
>   0x0c088000c570: fa fa 00 00 00 00 00 05 fa fa 00 00 00 00 00 fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==3733==ABORTING
> {code}


