[jira] [Commented] (TS-3860) Buffer overflow in H2 on debug build

Tue, 25 Aug 2015 00:20:07 -0700 

    [ 
https://issues.apache.org/jira/browse/TS-3860?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14710764#comment-14710764
 ] 

Ryo Okubo commented on TS-3860:
-------------------------------

[~bcall] [~zwoop] I think adding a new flag would confuse ... as an other 
approach, I post a patch that disables {{n_v_raw_printable}} flag. Can you try 
it?

> Buffer overflow in H2 on debug build
> ------------------------------------
>
>                 Key: TS-3860
>                 URL: https://issues.apache.org/jira/browse/TS-3860
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: HTTP/2
>            Reporter: Leif Hedstrom
>            Assignee: Ryo Okubo
>              Labels: yahoo
>             Fix For: 6.1.0
>
>         Attachments: ts-3860-01.patch
>
>
> {code}
> ==15480==ERROR: AddressSanitizer: global-buffer-overflow on address 
> 0x000000acafe8 at pc 0x7f13fa bp 0x7ff13b8e3ee0 sp 0x7ff13b8e3ed8
> READ of size 1 at 0x000000acafe8 thread T8 ([ET_NET 7])
>     #0 0x7f13f9 in checksum_block(char const*, int) 
> /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:530
>     #1 0x7f167f in mime_hdr_sanity_check(MIMEHdrImpl*) 
> /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:560
>     #2 0x7f5d6d in mime_hdr_field_attach(MIMEHdrImpl*, MIMEField*, int, 
> MIMEField*) /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:1533
>     #3 0x6fd29a in http2_write_psuedo_headers(HTTPHdr*, unsigned char*, 
> unsigned long, Http2DynamicTable&) 
> /usr/local/src/trafficserver/proxy/http2/HTTP2.cc:560
>     #4 0x710ecd in Http2ConnectionState::send_headers_frame(FetchSM*) 
> /usr/local/src/trafficserver/proxy/http2/Http2ConnectionState.cc:966
>     #5 0x70f906 in Http2ConnectionState::main_event_handler(int, void*) 
> /usr/local/src/trafficserver/proxy/http2/Http2ConnectionState.cc:768
>     #6 0x53075a in Continuation::handleEvent(int, void*) 
> /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #7 0x704fe9 in send_connection_event 
> /usr/local/src/trafficserver/proxy/http2/Http2ClientSession.cc:60
>     #8 0x707176 in Http2ClientSession::main_event_handler(int, void*) 
> /usr/local/src/trafficserver/proxy/http2/Http2ClientSession.cc:259
>     #9 0x53075a in Continuation::handleEvent(int, void*) 
> /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #10 0x52bd6a in FetchSM::InvokePluginExt(int) 
> /usr/local/src/trafficserver/proxy/FetchSM.cc:260
>     #11 0x52d6e6 in FetchSM::process_fetch_read(int) 
> /usr/local/src/trafficserver/proxy/FetchSM.cc:456
>     #12 0x52df4a in FetchSM::fetch_handler(int, void*) 
> /usr/local/src/trafficserver/proxy/FetchSM.cc:518
>     #13 0x53075a in Continuation::handleEvent(int, void*) 
> /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #14 0x5abc09 in PluginVC::process_read_side(bool) 
> /usr/local/src/trafficserver/proxy/PluginVC.cc:663
>     #15 0x5aa834 in PluginVC::process_write_side(bool) 
> /usr/local/src/trafficserver/proxy/PluginVC.cc:555
>     #16 0x5a74dc in PluginVC::main_handler(int, void*) 
> /usr/local/src/trafficserver/proxy/PluginVC.cc:208
>     #17 0x53075a in Continuation::handleEvent(int, void*) 
> /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #18 0xa23154 in EThread::process_event(Event*, int) 
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #19 0xa236f7 in EThread::execute() 
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:179
>     #20 0xa21662 in spawn_thread_internal 
> /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
>     #21 0x7ff143381df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
>     #22 0x7ff1426291ac in __clone (/lib64/libc.so.6+0xf61ac)
> 0x000000acafe8 is located 0 bytes to the right of global variable '*.LC7' 
> from 'HPACK.cc' (0xacafe0) of size 8
>   '*.LC7' is ascii string ':status'
> SUMMARY: AddressSanitizer: global-buffer-overflow 
> /usr/local/src/trafficserver/proxy/hdrs/MIME.cc:530 checksum_block(char 
> const*, int)
> Shadow bytes around the buggy address:
>   0x0000801515a0: 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
>   0x0000801515b0: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
>   0x0000801515c0: 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 04 f9 f9 f9 f9
>   0x0000801515d0: 00 00 05 f9 f9 f9 f9 f9 00 00 00 00 00 f9 f9 f9
>   0x0000801515e0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 03 f9 f9
> =>0x0000801515f0: f9 f9 f9 f9 06 f9 f9 f9 f9 f9 f9 f9 00[f9]f9 f9
>   0x000080151600: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
>   0x000080151610: 00 00 00 00 00 00 00 00 00 00 00 00 00 01 f9 f9
>   0x000080151620: f9 f9 f9 f9 00 00 06 f9 f9 f9 f9 f9 00 00 00 00
>   0x000080151630: 00 00 00 05 f9 f9 f9 f9 00 00 00 00 00 00 00 00
>   0x000080151640: 00 00 03 f9 f9 f9 f9 f9 00 00 00 02 f9 f9 f9 f9
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> Thread T8 ([ET_NET 7]) created by T0 ([ET_NET 0]) here:
>     #0 0x7ff14562786a in __interceptor_pthread_create 
> ../../.././libsanitizer/asan/asan_interceptors.cc:183
>     #1 0xa2113e in ink_thread_create ../../lib/ts/ink_thread.h:150
>     #2 0xa217eb in Thread::start(char const*, unsigned long, void* 
> (*)(void*), void*) 
> /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:101
>     #3 0xa26d03 in EventProcessor::start(int, unsigned long) 
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x5942ff in main /usr/local/src/trafficserver/proxy/Main.cc:1624
>     #5 0x7ff142554af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> ==15480==ABORTING
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to