Posted to issues@trafficserver.apache.org by "Phil Sorber (JIRA)" <ji...@apache.org> on 2015/09/03 04:20:45 UTC

[jira] [Updated] (TS-3658) ASAN triggers when using the escalate.so plugin

     [ https://issues.apache.org/jira/browse/TS-3658?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Phil Sorber updated TS-3658:
----------------------------
    Fix Version/s: 5.3.2

> ASAN triggers when using the escalate.so plugin
> -----------------------------------------------
>
>                 Key: TS-3658
>                 URL: https://issues.apache.org/jira/browse/TS-3658
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core, Plugins, TS API
>            Reporter: Leif Hedstrom
>            Assignee: Leif Hedstrom
>             Fix For: 5.3.2, 6.0.0
>
>
> {code}
> ==12883==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d0000f4480 at pc 0x7f00bd8b5e18 bp 0x7f00b8ac0a20 sp 0x7f00b8ac0a10
> READ of size 1 at 0x61d0000f4480 thread T4 ([ET_NET 3])
>     #0 0x7f00bd8b5e17 in ink_strlcpy(char*, char const*, unsigned long) ../../../../lib/ts/ink_string.cc:188
>     #1 0x6a967a in HttpSM::redirect_request(char const*, int) ../../../../proxy/http/HttpSM.cc:7474
>     #2 0x6be974 in HttpSM::do_redirect() ../../../../proxy/http/HttpSM.cc:7346
>     #3 0x6d065f in HttpSM::set_next_state() ../../../../proxy/http/HttpSM.cc:7041
>     #4 0x6c0021 in HttpSM::state_api_callout(int, void*) ../../../../proxy/http/HttpSM.cc:1415
>     #5 0x6d4c2a in HttpSM::state_api_callback(int, void*) ../../../../proxy/http/HttpSM.cc:1224
>     #6 0x564a7f in TSHttpTxnReenable ../../../proxy/InkAPI.cc:5621
>     #7 0x7f00ade09f84 in EscalateResponse ../../../../../plugins/experimental/escalate/escalate.cc:132
>     #8 0x6bfc26 in HttpSM::state_api_callout(int, void*) ../../../../proxy/http/HttpSM.cc:1333
>     #9 0x6c21df in HttpSM::state_read_server_response_header(int, void*) ../../../../proxy/http/HttpSM.cc:1817
>     #10 0x6d5050 in HttpSM::main_handler(int, void*) ../../../../proxy/http/HttpSM.cc:2524
>     #11 0xc0b6b5 in Continuation::handleEvent(int, void*) ../../../../iocore/eventsystem/I_Continuation.h:145
>     #12 0xc0b6b5 in read_signal_and_update ../../../../iocore/net/UnixNetVConnection.cc:139
>     #13 0xc0b6b5 in read_from_net ../../../../iocore/net/UnixNetVConnection.cc:352
>     #14 0xbe225c in NetHandler::mainNetEvent(int, Event*) ../../../../iocore/net/UnixNet.cc:551
>     #15 0xc8e7f9 in Continuation::handleEvent(int, void*) ../../../../iocore/eventsystem/I_Continuation.h:145
>     #16 0xc8e7f9 in EThread::process_event(Event*, int) ../../../../iocore/eventsystem/UnixEThread.cc:128
>     #17 0xc8e7f9 in EThread::execute() ../../../../iocore/eventsystem/UnixEThread.cc:252
>     #18 0xc8a588 in spawn_thread_internal ../../../../iocore/eventsystem/Thread.cc:85
>     #19 0x7f00bd41a529 in start_thread (/lib64/libpthread.so.0+0x3813e07529)
>     #20 0x381370022c in __clone (/lib64/libc.so.6+0x381370022c)
> 0x61d0000f4480 is located 0 bytes to the right of 2048-byte region [0x61d0000f3c80,0x61d0000f4480)
> allocated by thread T4 ([ET_NET 3]) here:
>     #0 0x7f00bdb367c7 in malloc (/lib64/libasan.so.1+0x577c7)
>     #1 0x7f00bd8ab695 in ats_malloc ../../../../lib/ts/ink_memory.cc:50
>     #2 0x7f00bd8ab837 in ats_memalign ../../../../lib/ts/ink_memory.cc:89
>     #3 0x7f00bd8ac090 in ink_freelist_new ../../../../lib/ts/ink_queue.cc:243
>     #4 0x8de60d in new_HdrStrHeap ../../../../proxy/hdrs/HdrHeap.cc:151
>     #5 0x8de60d in HdrHeap::allocate_str(int) ../../../../proxy/hdrs/HdrHeap.cc:267
>     #6 0x8e263d in HdrHeap::duplicate_str(char const*, int) ../../../../proxy/hdrs/HdrHeap.cc:318
>     #7 0x8fc741 in mime_str_u16_set(HdrHeap*, char const*, int, char const**, unsigned short*, bool) ../../../../proxy/hdrs/MIME.cc:2806
>     #8 0x91944f in url_scheme_set ../../../../proxy/hdrs/URL.cc:412
>     #9 0x91944f in url_parse_scheme ../../../../proxy/hdrs/URL.cc:1109
>     #10 0x91944f in url_parse(HdrHeap*, URLImpl*, char const**, char const*, bool) ../../../../proxy/hdrs/URL.cc:1139
>     #11 0x6a9e13 in URL::parse(char const**, char const*) ../../../../proxy/hdrs/URL.h:724
>     #12 0x6a9e13 in URL::parse(char const*, int) ../../../../proxy/hdrs/URL.h:738
>     #13 0x6a9e13 in HttpSM::redirect_request(char const*, int) ../../../../proxy/http/HttpSM.cc:7419
>     #14 0x6be974 in HttpSM::do_redirect() ../../../../proxy/http/HttpSM.cc:7346
>     #15 0x6d065f in HttpSM::set_next_state() ../../../../proxy/http/HttpSM.cc:7041
>     #16 0x6c0021 in HttpSM::state_api_callout(int, void*) ../../../../proxy/http/HttpSM.cc:1415
>     #17 0x6d4c2a in HttpSM::state_api_callback(int, void*) ../../../../proxy/http/HttpSM.cc:1224
>     #18 0x564a7f in TSHttpTxnReenable ../../../proxy/InkAPI.cc:5621
>     #19 0x7f00ade09f84 in EscalateResponse ../../../../../plugins/experimental/escalate/escalate.cc:132
>     #20 0x6bfc26 in HttpSM::state_api_callout(int, void*) ../../../../proxy/http/HttpSM.cc:1333
>     #21 0x6c21df in HttpSM::state_read_server_response_header(int, void*) ../../../../proxy/http/HttpSM.cc:1817
>     #22 0x6d5050 in HttpSM::main_handler(int, void*) ../../../../proxy/http/HttpSM.cc:2524
>     #23 0xc0b6b5 in Continuation::handleEvent(int, void*) ../../../../iocore/eventsystem/I_Continuation.h:145
>     #24 0xc0b6b5 in read_signal_and_update ../../../../iocore/net/UnixNetVConnection.cc:139
>     #25 0xc0b6b5 in read_from_net ../../../../iocore/net/UnixNetVConnection.cc:352
>     #26 0xbe225c in NetHandler::mainNetEvent(int, Event*) ../../../../iocore/net/UnixNet.cc:551
>     #27 0xc8e7f9 in Continuation::handleEvent(int, void*) ../../../../iocore/eventsystem/I_Continuation.h:145
>     #28 0xc8e7f9 in EThread::process_event(Event*, int) ../../../../iocore/eventsystem/UnixEThread.cc:128
>     #29 0xc8e7f9 in EThread::execute() ../../../../iocore/eventsystem/UnixEThread.cc:252
>     #30 0xc8a588 in spawn_thread_internal ../../../../iocore/eventsystem/Thread.cc:85
>     #31 0x7f00bd41a529 in start_thread (/lib64/libpthread.so.0+0x3813e07529)
> Thread T4 ([ET_NET 3]) created by T0 ([ET_NET 0]) here:
>     #0 0x7f00bdb02dba in pthread_create (/lib64/libasan.so.1+0x23dba)
>     #1 0xc8b215 in ink_thread_create ../../../../lib/ts/ink_thread.h:150
>     #2 0xc8b215 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) ../../../../iocore/eventsystem/Thread.cc:100
>     #3 0xc93796 in EventProcessor::start(int, unsigned long) ../../../../iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x496fe3 in main ../../../proxy/Main.cc:1627
>     #5 0x381361ffdf in __libc_start_main (/lib64/libc.so.6+0x381361ffdf)
> SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../lib/ts/ink_string.cc:188 ink_strlcpy(char*, char const*, unsigned long)
> Shadow bytes around the buggy address:
>   0x0c3a80016840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c3a80016850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c3a80016860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c3a80016870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c3a80016880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c3a80016890:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c3a800168a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c3a800168b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c3a800168c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c3a800168d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c3a800168e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==12883==ABORTING
> {code}
