Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2016/02/04 19:55:52 UTC

[jira] [Closed] (TS-3802) ASAN Crash with latest master due to double free of MIOBuffer in SSLNetVConnection.

     [ https://issues.apache.org/jira/browse/TS-3802?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom closed TS-3802.
-----------------------------

> ASAN Crash with latest master due to double free of MIOBuffer in SSLNetVConnection.
> -----------------------------------------------------------------------------------
>
>                 Key: TS-3802
>                 URL: https://issues.apache.org/jira/browse/TS-3802
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SPDY
>    Affects Versions: 6.0.0
>            Reporter: Sudheer Vinukonda
>            Assignee: Sudheer Vinukonda
>            Priority: Blocker
>             Fix For: 6.0.0
>
>
> Below is the ASAN stack trace that [~zwoop] found on docs@ after installing the latest master.
> The issue is that the recent rearrangement of cleanup (TS-1007) via ProxyClientSession for SPDY/H2 etc. resulted in the *netvc* being nulled out before calling SpdyClientSession::clear() (for example, when an inactivity timeout occurs). This results in bypassing the code that sets the SSL_VC's iobuf to null (specifically to prevent double free via SSLNetVConnection::free() and via SpdyClientSession::clear (req_buffer)).
> The fix is to basically set the SSL_VC's iobuf to null before calling ProxyClientSession with SSN_CLOSE_HOOK, thus making sure the iobuf is only cleaned once.
> {code}
> [E. Mgmt] log ==> [TrafficManager] using root directory '/opt/ats'
> [Jul 28 16:32:38.748] Manager {0x7fba0fb738c0} WARNING: Be aware that access control checks for HTTP/2 connections are not active!
> [Jul 28 16:32:38.748] Manager {0x7fba0fb738c0} WARNING: Be aware that access control checks for HTTP/2 connections are not active!
> traffic_server: using root directory '/opt/ats'
> =================================================================
> ==30546==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110001cb010 at pc 0xb4ee72 bp 0x2b0ac04527e0 sp 0x2b0ac04527d8
> READ of size 8 at 0x6110001cb010 thread T6 ([ET_NET 5])
>     #0 0xb4ee71 in Ptr<IOBufferBlock>::operator=(IOBufferBlock*) ../../lib/ts/Ptr.h:354
>     #1 0xb4ee71 in free_MIOBuffer ../../iocore/eventsystem/P_IOBuffer.h:770
>     #2 0xb4ee71 in SSLNetVConnection::free(EThread*) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:907
>     #3 0xbac5f9 in close_UnixNetVConnection(UnixNetVConnection*, EThread*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:134
>     #4 0xbb62c6 in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:164
>     #5 0xbb62c6 in UnixNetVConnection::mainEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1175
>     #6 0xb8b762 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146
>     #7 0xb8b762 in InactivityCop::check_inactivity(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:102
>     #8 0xc3180e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #9 0xc3180e in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #10 0xc33a77 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207
>     #11 0xc30418 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
>     #12 0x2b0ab890edf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
>     #13 0x2b0aba1771ac in __clone (/lib64/libc.so.6+0xf61ac)
> 0x6110001cb010 is located 16 bytes inside of 240-byte region [0x6110001cb000,0x6110001cb0f0)
> freed by thread T6 ([ET_NET 5]) here:
>     #0 0x2b0ab650d1c7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
>     #1 0x782f88 in SpdyClientSession::clear() /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:162
>     #2 0x783310 in SpdyClientSession::destroy() /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:274
>     #3 0x780240 in SpdyClientSession::do_io_close(int) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:487
>     #4 0x780240 in SpdyClientSession::state_session_readwrite(int, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:263
>     #5 0xbb6410 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146
>     #6 0xbb6410 in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:145
>     #7 0xbb6410 in UnixNetVConnection::mainEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1175
>     #8 0xb8b762 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146
>     #9 0xb8b762 in InactivityCop::check_inactivity(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:102
>     #10 0xc3180e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #11 0xc3180e in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #12 0xc33a77 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207
>     #13 0xc30418 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
>     #14 0x2b0ab890edf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> previously allocated by thread T6 ([ET_NET 5]) here:
>     #0 0x2b0ab650d93b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
>     #1 0x2b0ab73f6849 in ats_memalign /usr/local/src/trafficserver/lib/ts/ink_memory.cc:100
>     #2 0x2b0ab73f71b0 in ink_freelist_new /usr/local/src/trafficserver/lib/ts/ink_queue.cc:239
>     #3 0xb617cc in ClassAllocator<MIOBuffer>::alloc() ../../lib/ts/Allocator.h:120
>     #4 0xb617cc in thread_alloc<MIOBuffer> ../../iocore/eventsystem/I_ProxyAllocator.h:63
>     #5 0xb617cc in new_MIOBuffer_internal ../../iocore/eventsystem/P_IOBuffer.h:759
>     #6 0xb617cc in MIOBuffer_tracker::operator()(long) ../../iocore/eventsystem/I_IOBuffer.h:1253
>     #7 0xb617cc in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:520
>     #8 0xb8163c in NetHandler::mainNetEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:516
>     #9 0xc346ee in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #10 0xc346ee in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #11 0xc346ee in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:252
>     #12 0xc30418 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
>     #13 0x2b0ab890edf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> Thread T6 ([ET_NET 5]) created by T0 ([ET_NET 0]) here:
>     #0 0x2b0ab64dc86a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
>     #1 0xc310a5 in ink_thread_create ../../lib/ts/ink_thread.h:150
>     #2 0xc310a5 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:101
>     #3 0xc396f6 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x49676b in main /usr/local/src/trafficserver/proxy/Main.cc:1624
>     #5 0x2b0aba0a2af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> SUMMARY: AddressSanitizer: heap-use-after-free ../../lib/ts/Ptr.h:354 Ptr<IOBufferBlock>::operator=(IOBufferBlock*)
> Shadow bytes around the buggy address:
>   0x0c22800315b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c22800315c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
>   0x0c22800315d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c22800315e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c22800315f0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
> =>0x0c2280031600: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c2280031610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
>   0x0c2280031620: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c2280031630: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c2280031640: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
>   0x0c2280031650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==30546==ABORTING
> traffic_server: using root directory '/opt/ats'
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
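
Added example (not Traffic Server code and not part of the original issue): a small C++ model of the ownership problem the report describes, where a guard inside the session's clear() is bypassed once the session's netvc pointer has been nulled, and of the fix that detaches the VC's alias before teardown. `Buffer`, `NetVC`, `Session` and all function names are hypothetical stand-ins, and releases are counted instead of performed so the second release is observable without corrupting the heap.

```cpp
#include <cstdio>

// Constructed model, not Traffic Server code: Buffer stands in for MIOBuffer,
// NetVC for SSLNetVConnection, Session for SpdyClientSession.
struct Buffer { int frees = 0; };

// Counts release attempts instead of calling free(), then clears the caller's
// pointer so that one owner cannot release twice through the same pointer.
static void release(Buffer *&b) {
  if (b) { b->frees++; b = nullptr; }
}

struct NetVC {
  Buffer *iobuf = nullptr;
  void free_vc() { release(iobuf); }   // plays the role of SSLNetVConnection::free()
};

struct Session {
  NetVC  *netvc = nullptr;
  Buffer *req_buffer = nullptr;        // assumed to alias netvc->iobuf

  // The guard lives inside clear(), so it only works while netvc is still set.
  void clear() {
    if (netvc) netvc->iobuf = nullptr;
    release(req_buffer);
  }
  // Ordering described in the report: netvc is dropped before clear() runs.
  void close_buggy() { netvc = nullptr; clear(); }
  // Ordering of the fix: detach the VC's alias first, then tear down.
  void close_fixed() {
    if (netvc) netvc->iobuf = nullptr;
    netvc = nullptr;
    clear();
  }
};

// Returns how many times the shared buffer is released on a timeout-style close.
int frees_on_timeout(bool fixed) {
  Buffer buf;
  NetVC vc;  vc.iobuf = &buf;
  Session s; s.netvc = &vc; s.req_buffer = &buf;
  if (fixed) s.close_fixed(); else s.close_buggy();
  vc.free_vc();                        // VC teardown follows the session close
  return buf.frees;
}

int main() {
  std::printf("buggy order: %d releases, fixed order: %d release\n",
              frees_on_timeout(false), frees_on_timeout(true));
  return 0;
}
```

In the real code the second release is the `SSLNetVConnection::free()` frame at the top of the ASAN trace, touching memory already released by `SpdyClientSession::clear()`.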