You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@trafficserver.apache.org by "Bryan Call (JIRA)" <ji...@apache.org> on 2015/09/14 18:42:46 UTC

[jira] [Updated] (TS-3909) SSLNextProtocolTrampoline heap-use-after-free

     [ https://issues.apache.org/jira/browse/TS-3909?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bryan Call updated TS-3909:
---------------------------
    Fix Version/s: 6.0.0

> SSLNextProtocolTrampoline heap-use-after-free
> ---------------------------------------------
>
>                 Key: TS-3909
>                 URL: https://issues.apache.org/jira/browse/TS-3909
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>    Affects Versions: 6.0.0
>            Reporter: Bryan Call
>             Fix For: 6.0.0
>
>
> {code}
> ==6232==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000538880 at pc 0x9c851c bp 0x2ac88a2d4880 sp 0x2ac88a2d4878
> READ of size 8 at 0x606000538880 thread T24 ([ET_NET 23])
>     #0 0x9c851b in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:108
>     #1 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #2 0x9f4040 in read_signal_and_update /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145
>     #3 0x9f46f4 in read_signal_done /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:206
>     #4 0x9fa8a1 in UnixNetVConnection::readSignalDone(int, NetHandler*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1006
>     #5 0x9bdd96 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:542
>     #6 0x9e1a02 in NetHandler::mainNetEvent(int, Event*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:516
>     #7 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #8 0xa405e4 in EThread::process_event(Event*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #9 0xa411fc in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:252
>     #10 0xa3ebbd in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
>     #11 0x2ac87d9badf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
>     #12 0x2ac87e74b1ac in __clone (/lib64/libc.so.6+0xf61ac)
> 0x606000538880 is located 0 bytes inside of 56-byte region [0x606000538880,0x6060005388b8)
> freed by thread T24 ([ET_NET 23]) here:
>     #0 0x2ac87acd6127 in operator delete(void*) ../../.././libsanitizer/asan/asan_new_delete.cc:81
>     #1 0x9c8613 in SSLNextProtocolTrampoline::~SSLNextProtocolTrampoline() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:66
>     #2 0x9c83ea in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:89
>     #3 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #4 0x9f4040 in read_signal_and_update /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145
>     #5 0x9fbe75 in UnixNetVConnection::mainEvent(int, Event*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1175
>     #6 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #7 0x9e35e4 in NetHandler::_close_vc(UnixNetVConnection*, long, int&, int&, int&, int&) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:678
>     #8 0x9e2c01 in NetHandler::manage_keep_alive_queue() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:634
>     #9 0x9e3882 in NetHandler::add_to_keep_alive_queue(UnixNetVConnection*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:699
>     #10 0x9ddb48 in UnixNetVConnection::add_to_keep_alive_queue() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixConnection.cc:397
>     #11 0x759044 in SpdyClientSession::init(NetVConnection*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdyClientSession.cc:116
>     #12 0x7598da in SpdyClientSession::new_connection(NetVConnection*, MIOBuffer*, IOBufferReader*, bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdyClientSession.cc:193
>     #13 0x7582dc in SpdySessionAccept::mainEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdySessionAccept.cc:56
>     #14 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #15 0x9c78a5 in send_plugin_event /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:32
>     #16 0x9c842b in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:99
>     #17 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #18 0x9f4040 in read_signal_and_update /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145
>     #19 0x9f46f4 in read_signal_done /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:206
>     #20 0x9fa8a1 in UnixNetVConnection::readSignalDone(int, NetHandler*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1006
>     #21 0x9bdd96 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:542
>     #22 0x9e1a02 in NetHandler::mainNetEvent(int, Event*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:516
>     #23 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #24 0xa405e4 in EThread::process_event(Event*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #25 0xa411fc in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:252
>     #26 0xa3ebbd in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
>     #27 0x2ac87d9badf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> previously allocated by thread T24 ([ET_NET 23]) here:
>     #0 0x2ac87acd5caf in operator new(unsigned long) ../../.././libsanitizer/asan/asan_new_delete.cc:50
>     #1 0x9c7c2d in SSLNextProtocolAccept::mainEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:133
>     #2 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #3 0x9fb50d in UnixNetVConnection::acceptEvent(int, Event*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1100
>     #4 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #5 0xa405e4 in EThread::process_event(Event*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #6 0xa40a97 in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:179
>     #7 0xa3ebbd in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
>     #8 0x2ac87d9badf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> Thread T24 ([ET_NET 23]) created by T0 ([ET_NET 0]) here:
>     #0 0x2ac87aca487a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
>     #1 0xa3e6ea in ink_thread_create ../../lib/ts/ink_thread.h:150
>     #2 0xa3ed47 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:101
>     #3 0xa43dad in EventProcessor::start(int, unsigned long) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x59180f in main /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/Main.cc:1624
>     #5 0x2ac87e676af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)