Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2016/01/10 23:13:39 UTC

[jira] [Updated] (TS-3920) MIMEHdr heap-use-after-free

     [ https://issues.apache.org/jira/browse/TS-3920?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-3920:
------------------------------
    Fix Version/s:     (was: 6.1.0)
                   6.2.0

> MIMEHdr heap-use-after-free
> ---------------------------
>
>                 Key: TS-3920
>                 URL: https://issues.apache.org/jira/browse/TS-3920
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: HTTP
>    Affects Versions: 6.0.0
>            Reporter: Bryan Call
>            Assignee: Bryan Call
>             Fix For: 6.2.0
>
>
> {code}
> ==24576==ERROR: AddressSanitizer: heap-use-after-free on address 0x62501880600c at pc 0x81aaea bp 0x2abfc0de7300 sp 0x2abfc0de72f8
> READ of size 10 at 0x62501880600c thread T19 ([ET_NET 18])
>     #0 0x81aae9 in HdrHeap::duplicate_str(char const*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/HdrHeap.cc:320
>     #1 0x82faf7 in mime_field_value_set(HdrHeap*, MIMEHdrImpl*, MIMEField*, char const*, int, bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/MIME.cc:2076
>     #2 0x5c2933 in MIMEField::value_set(HdrHeap*, MIMEHdrImpl*, char const*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/MIME.h:810
>     #3 0x7138b5 in MIMEHdr::field_value_set(MIMEField*, char const*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/MIME.h:1296
>     #4 0x6c74fb in HttpTransact::ModifyRequest(HttpTransact::State*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpTransact.cc:1151
>     #5 0x69e65f in HttpSM::call_transact_and_set_next_state(void (*)(HttpTransact::State*)) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpSM.cc:6881
>     #6 0x66bb6c in HttpSM::state_read_client_request_header(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpSM.cc:766
>     #7 0x679549 in HttpSM::main_handler(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpSM.cc:2542
>     #8 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #9 0x5a7f22 in PluginVC::process_read_side(bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/PluginVC.cc:663
>     #10 0x5a6d02 in PluginVC::process_write_side(bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/PluginVC.cc:555
>     #11 0x5a401d in PluginVC::main_handler(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/PluginVC.cc:208
>     #12 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #13 0xa40450 in EThread::process_event(Event*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #14 0xa40903 in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:179
>     #15 0xa3ea29 in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
>     #16 0x2abfb58f0df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
>     #17 0x2abfb66811ac in __clone (/lib64/libc.so.6+0xf61ac)
> 0x62501880600c is located 12 bytes inside of 4096-byte region [0x625018806000,0x625018807000)
> freed by thread T19 ([ET_NET 18]) here:
>     #0 0x2abfb2c0b1d7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
>     #1 0x2abfb3b063b2 in ats_memalign_free /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_memory.cc:139
>     #2 0x2abfb3b06f60 in ink_freelist_free /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_queue.cc:292
>     #3 0x4fae6e in Allocator::free_void(void*) ../../lib/ts/Allocator.h:68
>     #4 0x4fb85f in IOBufferData::dealloc() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/P_IOBuffer.h:310
>     #5 0x4fb98b in IOBufferData::free() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/P_IOBuffer.h:323
>     #6 0x742f42 in Ptr<RefCountObj>::operator=(RefCountObj*) ../../lib/ts/Ptr.h:366
>     #7 0x81b07c in HdrHeap::coalesce_str_heaps(int) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/HdrHeap.cc:384
>     #8 0x81a900 in HdrHeap::allocate_str(int) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/HdrHeap.cc:288
>     #9 0x81aa5f in HdrHeap::duplicate_str(char const*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/HdrHeap.cc:318
>     #10 0x834534 in mime_str_u16_set(HdrHeap*, char const*, int, char const**, unsigned short*, bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/MIME.cc:2808
>     #11 0x82ce4d in mime_field_name_set(HdrHeap*, MIMEHdrImpl*, MIMEField*, short, char const*, int, bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/MIME.cc:1712
>     #12 0x5c2aa3 in MIMEHdr::field_create(char const*, int) ../../proxy/hdrs/MIME.h:1083
>     #13 0x6c7491 in HttpTransact::ModifyRequest(HttpTransact::State*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpTransact.cc:1148
>     #14 0x69e65f in HttpSM::call_transact_and_set_next_state(void (*)(HttpTransact::State*)) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpSM.cc:6881
>     #15 0x66bb6c in HttpSM::state_read_client_request_header(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpSM.cc:766
>     #16 0x679549 in HttpSM::main_handler(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpSM.cc:2542
>     #17 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #18 0x5a7f22 in PluginVC::process_read_side(bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/PluginVC.cc:663
>     #19 0x5a6d02 in PluginVC::process_write_side(bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/PluginVC.cc:555
>     #20 0x5a401d in PluginVC::main_handler(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/PluginVC.cc:208
>     #21 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #22 0xa40450 in EThread::process_event(Event*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #23 0xa40903 in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:179
>     #24 0xa3ea29 in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
>     #25 0x2abfb58f0df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> previously allocated by thread T19 ([ET_NET 18]) here:
>     #0 0x2abfb2c0b94b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
>     #1 0x2abfb3b06233 in ats_memalign /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_memory.cc:100
>     #2 0x2abfb3b06e0d in ink_freelist_new /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_queue.cc:239
>     #3 0x530647 in Allocator::alloc_void() ../../lib/ts/Allocator.h:61
>     #4 0x531420 in IOBufferData::alloc(long, AllocType) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/P_IOBuffer.h:284
>     #5 0x53123c in new_IOBufferData_internal(char const*, long, AllocType) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/P_IOBuffer.h:255
>     #6 0x53162e in IOBufferBlock::alloc(long) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/P_IOBuffer.h:399
>     #7 0x531e6d in MIOBuffer::alloc(long) ../iocore/eventsystem/P_IOBuffer.h:1096
>     #8 0x531c8c in new_MIOBuffer_internal(char const*, long) ../iocore/eventsystem/P_IOBuffer.h:763
>     #9 0x530a54 in MIOBuffer_tracker::operator()(long) ../iocore/eventsystem/I_IOBuffer.h:1253
>     #10 0x532da5 in FetchSM::init_comm() FetchSM.h:62
>     #11 0x52efd3 in FetchSM::ext_init(Continuation*, char const*, char const*, char const*, sockaddr const*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/FetchSM.cc:536
>     #12 0x57c48a in TSFetchCreate /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/InkAPI.cc:7365
>     #13 0x762626 in spdy_fetcher_launch /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdyCallbacks.cc:190
>     #14 0x7631e4 in spdy_process_syn_stream_frame /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdyCallbacks.cc:297
>     #15 0x7634ac in spdy_on_ctrl_recv_callback(spdylay_session*, spdylay_frame_type, spdylay_frame*, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdyCallbacks.cc:317
>     #16 0xa463df in spdylay_session_call_on_ctrl_frame_received /home/bcall/ytrafficserver-6.0.x/spdylay-1.2.3/lib/spdylay_session.c:1634
>     #17 0xa463df in spdylay_session_on_syn_stream_received /home/bcall/ytrafficserver-6.0.x/spdylay-1.2.3/lib/spdylay_session.c:1782
>     #18 0x100002117 (+0x7000b117)
> Thread T19 ([ET_NET 18]) created by T0 ([ET_NET 0]) here:
>     #0 0x2abfb2bda87a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
>     #1 0xa3e556 in ink_thread_create ../../lib/ts/ink_thread.h:150
>     #2 0xa3ebb3 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:101
>     #3 0xa43c19 in EventProcessor::start(int, unsigned long) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x59180f in main /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/Main.cc:1624
>     #5 0x2abfb65acaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> SUMMARY: AddressSanitizer: heap-use-after-free /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/HdrHeap.cc:320 HdrHeap::duplicate_str(char const*, int)
> Shadow bytes around the buggy address:
>   0x0c4a830f8bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c4a830f8bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c4a830f8bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c4a830f8be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c4a830f8bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> =>0x0c4a830f8c00: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4a830f8c10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4a830f8c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4a830f8c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4a830f8c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c4a830f8c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==24576==ABORTING
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
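What the AddressSanitizer report above records is an ordering hazard in an arena-style string heap: HttpTransact::ModifyRequest calls field_create(), whose duplicate_str() -> allocate_str() -> coalesce_str_heaps() frees the IOBufferData the request strings lived in; ModifyRequest then calls field_value_set() with a char const* that still points into the freed block, and the memcpy inside duplicate_str() reads the 0xfd-poisoned region. The following is an added illustration, not Traffic Server code: a toy arena that coalesces on growth, a replay of the three calls from the trace, the caller-side hardening (snapshot the bytes before touching the arena again), and a debug check that flags pointers into retired blocks. Retired blocks are quarantined and filled with 0xFD rather than handed back to the allocator so the stale read is observable instead of undefined. Header names, sizes and the StrArena API are constructed for the example and are not HdrHeap's interface.

```cpp
// Added example, not Apache Traffic Server code. Models the allocate-then-copy
// hazard from TS-3920 with a toy arena; retired blocks are poisoned and kept.
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

class StrArena {
public:
    explicit StrArena(size_t cap) : block_(new char[cap]), cap_(cap) {}

    // Like HdrHeap::allocate_str: hand out bytes from the live block; when it is
    // full, coalesce into a bigger block and retire the old one.
    char *allocate(size_t len) {
        if (used_ + len > cap_) coalesce(2 * (cap_ + len));
        char *p = block_.get() + used_;
        used_ += len;
        return p;
    }

    // Like HdrHeap::duplicate_str: allocate first, copy second. If src points
    // into a block that allocate() just retired, the memcpy is a use-after-free.
    const char *duplicate(const char *src, size_t len) {
        char *d = allocate(len);
        std::memcpy(d, src, len);
        return d;
    }

    // Debug check (assumed helper, not in HdrHeap): does p point into a block
    // this arena has already retired? Cheap enough for a debug build, and it
    // turns a silent stale read into a deterministic failure at the call site.
    bool is_stale(const char *p) const {
        for (const auto &q : quarantine_)
            if (p >= q.ptr.get() && p < q.ptr.get() + q.cap) return true;
        return false;
    }

    size_t coalesce_count() const { return coalesces_; }

private:
    struct Retired { std::unique_ptr<char[]> ptr; size_t cap; };

    void coalesce(size_t new_cap) {
        std::unique_ptr<char[]> fresh(new char[new_cap]);
        std::memcpy(fresh.get(), block_.get(), used_);   // carry live bytes over
        std::memset(block_.get(), 0xFD, cap_);           // poison, like ASan's "fd"
        quarantine_.push_back(Retired{std::move(block_), cap_});
        block_ = std::move(fresh);
        cap_ = new_cap;
        ++coalesces_;
    }

    std::unique_ptr<char[]> block_;
    size_t cap_;
    size_t used_ = 0;
    size_t coalesces_ = 0;
    std::vector<Retired> quarantine_;
};

struct Replay {
    std::string value_seen;   // bytes the value-set call actually copied
    bool stale_detected;      // what is_stale() said about the captured pointer
    size_t coalesces;
};

// Replays the trace: a value is parsed into the arena, a field name is created
// (coalescing the arena), then the value is set from the earlier pointer.
// Sample bytes are constructed; the header name is illustrative.
Replay replay(bool hardened) {
    StrArena heap(24);
    const char parsed[] = "proxy.example";            // 13 bytes
    const char *value = heap.duplicate(parsed, 13);   // used: 13 of 24

    // Hardened caller: copy the bytes out before any further arena allocation.
    std::string snapshot;
    if (hardened) { snapshot.assign(value, 13); value = snapshot.data(); }

    // field_create(): 13 + 16 > 24, so this coalesces and retires the block
    // that the un-snapshotted `value` still points into.
    (void)heap.duplicate("X-Forwarded-Host", 16);

    Replay r;
    r.stale_detected = heap.is_stale(value);
    r.coalesces = heap.coalesce_count();
    const char *stored = heap.duplicate(value, 13);   // field_value_set()
    r.value_seen.assign(stored, 13);
    return r;
}

int main() {
    Replay bug = replay(false), fixed = replay(true);
    std::printf("unsafe: stale=%d first byte=0x%02x\n", bug.stale_detected,
                (unsigned char)bug.value_seen[0]);
    std::printf("hardened: stale=%d value=%s\n", fixed.stale_detected,
                fixed.value_seen.c_str());
    return 0;
}
```

The unsafe replay copies thirteen 0xFD bytes, which is exactly the "freed heap region" shadow pattern in the report; the hardened replay copies the original value because the snapshot does not live in the arena. The general rule this enforces is that a raw pointer into an arena that can coalesce is only valid until the next allocation on that arena, so any value taken from the header heap must be copied out before field_create() or any other call that may allocate on the same heap.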