[ https://issues.apache.org/jira/browse/TS-3909?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15238505#comment-15238505 ]
Susan Hinrichs edited comment on TS-3909 at 4/13/16 3:08 AM: ------------------------------------------------------------- Yes, we should go ahead with this for 6.2. We haven't seen this crash in production since we applied this patch. I'll merge it to master tomorrow. was (Author: shinrich): Yes, we should go ahead with this for 6.2. We haven't seen this crash in production since we applied this patch. > SSLNextProtocolTrampoline heap-use-after-free > --------------------------------------------- > > Key: TS-3909 > URL: https://issues.apache.org/jira/browse/TS-3909 > Project: Traffic Server > Issue Type: Bug > Components: SSL > Affects Versions: 6.0.0 > Reporter: Bryan Call > Assignee: Susan Hinrichs > Fix For: 6.2.0 > > Attachments: ts-3909.diff > > > {code} > ==6232==ERROR: AddressSanitizer: heap-use-after-free on address > 0x606000538880 at pc 0x9c851c bp 0x2ac88a2d4880 sp 0x2ac88a2d4878 > READ of size 8 at 0x606000538880 thread T24 ([ET_NET 23]) > #0 0x9c851b in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:108 > #1 0x531046 in Continuation::handleEvent(int, void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #2 0x9f4040 in read_signal_and_update > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145 > #3 0x9f46f4 in read_signal_done > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:206 > #4 0x9fa8a1 in UnixNetVConnection::readSignalDone(int, NetHandler*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1006 > #5 0x9bdd96 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:542 > #6 0x9e1a02 in NetHandler::mainNetEvent(int, Event*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:516 > #7 0x531046 in Continuation::handleEvent(int, void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #8 0xa405e4 in EThread::process_event(Event*, int) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128 > #9 0xa411fc in EThread::execute() > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:252 > #10 0xa3ebbd in spawn_thread_internal > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86 > #11 0x2ac87d9badf4 in start_thread (/lib64/libpthread.so.0+0x7df4) > #12 0x2ac87e74b1ac in __clone (/lib64/libc.so.6+0xf61ac) > 0x606000538880 is located 0 bytes inside of 56-byte region > [0x606000538880,0x6060005388b8) > freed by thread T24 ([ET_NET 23]) here: > #0 0x2ac87acd6127 in operator delete(void*) > ../../.././libsanitizer/asan/asan_new_delete.cc:81 > #1 0x9c8613 in SSLNextProtocolTrampoline::~SSLNextProtocolTrampoline() > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:66 > #2 0x9c83ea in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:89 > #3 0x531046 in Continuation::handleEvent(int, void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #4 0x9f4040 in read_signal_and_update > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145 > #5 0x9fbe75 in UnixNetVConnection::mainEvent(int, Event*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1175 > #6 0x531046 in Continuation::handleEvent(int, void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #7 0x9e35e4 in NetHandler::_close_vc(UnixNetVConnection*, long, int&, > int&, int&, int&) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:678 > #8 0x9e2c01 in NetHandler::manage_keep_alive_queue() > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:634 > #9 0x9e3882 in NetHandler::add_to_keep_alive_queue(UnixNetVConnection*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:699 > #10 0x9ddb48 in UnixNetVConnection::add_to_keep_alive_queue() > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixConnection.cc:397 > #11 0x759044 in SpdyClientSession::init(NetVConnection*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdyClientSession.cc:116 > #12 0x7598da in SpdyClientSession::new_connection(NetVConnection*, > MIOBuffer*, IOBufferReader*, bool) > /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdyClientSession.cc:193 > #13 0x7582dc in SpdySessionAccept::mainEvent(int, void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdySessionAccept.cc:56 > #14 0x531046 in Continuation::handleEvent(int, void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #15 0x9c78a5 in send_plugin_event > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:32 > #16 0x9c842b in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:99 > #17 0x531046 in Continuation::handleEvent(int, void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #18 0x9f4040 in read_signal_and_update > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145 > #19 0x9f46f4 in read_signal_done > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:206 > #20 0x9fa8a1 in UnixNetVConnection::readSignalDone(int, NetHandler*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1006 > #21 0x9bdd96 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:542 > #22 0x9e1a02 in NetHandler::mainNetEvent(int, Event*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:516 > #23 0x531046 in Continuation::handleEvent(int, void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #24 0xa405e4 in EThread::process_event(Event*, int) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128 > #25 0xa411fc in EThread::execute() > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:252 > #26 0xa3ebbd in spawn_thread_internal > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86 > #27 0x2ac87d9badf4 in start_thread (/lib64/libpthread.so.0+0x7df4) > previously allocated by thread T24 ([ET_NET 23]) here: > #0 0x2ac87acd5caf in operator new(unsigned long) > ../../.././libsanitizer/asan/asan_new_delete.cc:50 > #1 0x9c7c2d in SSLNextProtocolAccept::mainEvent(int, void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:133 > #2 0x531046 in Continuation::handleEvent(int, void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #3 0x9fb50d in UnixNetVConnection::acceptEvent(int, Event*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1100 > #4 0x531046 in Continuation::handleEvent(int, void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146 > #5 0xa405e4 in EThread::process_event(Event*, int) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128 > #6 0xa40a97 in EThread::execute() > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:179 > #7 0xa3ebbd in spawn_thread_internal > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86 > #8 0x2ac87d9badf4 in start_thread (/lib64/libpthread.so.0+0x7df4) > Thread T24 ([ET_NET 23]) created by T0 ([ET_NET 0]) here: > #0 0x2ac87aca487a in __interceptor_pthread_create > ../../.././libsanitizer/asan/asan_interceptors.cc:183 > #1 0xa3e6ea in ink_thread_create ../../lib/ts/ink_thread.h:150 > #2 0xa3ed47 in Thread::start(char const*, unsigned long, void* > (*)(void*), void*) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:101 > #3 0xa43dad in EventProcessor::start(int, unsigned long) > /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140 > #4 0x59180f in main > /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/Main.cc:1624 > #5 0x2ac87e676af4 in __libc_start_main (/lib64/libc.so.6+0x21af4) > {code} -- This message was sent by Atlassian JIRA (v6.3.4#6332)