[ https://issues.apache.org/jira/browse/TS-4470?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15340751#comment-15340751 ]
ASF GitHub Bot commented on TS-4470:
------------------------------------

Github user bryancall commented on a diff in the pull request:

    https://github.com/apache/trafficserver/pull/721#discussion_r67789890

    --- Diff: proxy/http/HttpSM.cc ---
    @@ -6890,7 +6890,8 @@ HttpSM::update_stats()
         int offset = 0;
         int skip = 0;
    -    t_state.hdr_info.client_request.url_print(url_string, sizeof url_string, &offset, &skip);
    +    t_state.hdr_info.client_request.url_print(url_string, sizeof(url_string), &offset, &skip);
    +    url_string[sizeof(url_string) - 1] = 0; // NULL terminate the string
    --- End diff --

    Yeah, that would be better.


> ASAN stack-buffer-overflow when slow log is enabled
> ---------------------------------------------------
>
>                 Key: TS-4470
>                 URL: https://issues.apache.org/jira/browse/TS-4470
>             Project: Traffic Server
>          Issue Type: Bug
>    Affects Versions: 6.2.0
>            Reporter: Bryan Call
>            Assignee: Bryan Call
>            Priority: Blocker
>             Fix For: 7.0.0
>
>
> =================================================================
> ==13159==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x2b5ec8877660 at pc 0x0000004fcdf1 bp 0x2b5ec8875c60 sp 0x2b5ec8875410
> READ of size 260 at 0x2b5ec8877660 thread T21 ([ET_NET 20])
>     #0 0x4fcdf0 in printf_common(void*, char const*, __va_list_tag*) [clone .isra.6] (/usr/local/bin/traffic_server+0x4fcdf0)
>     #1 0x4fd744 in vfprintf (/usr/local/bin/traffic_server+0x4fd744)
>     #2 0x2b5ec1a668ee in vprintline<1024> /home/bcall/dev/trafficserver/lib/ts/Diags.cc:61
>     #3 0x2b5ec1a668ee in Diags::print_va(char const*, DiagsLevel, SrcLoc const*, char const*, __va_list_tag*) const /home/bcall/dev/trafficserver/lib/ts/Diags.cc:340
>     #4 0x2b5ec1a6765f in Diags::error_va(DiagsLevel, char const*, char const*, int, char const*, __va_list_tag*) const /home/bcall/dev/trafficserver/lib/ts/Diags.cc:572
>     #5 0x72a724 in Diags::error(DiagsLevel, char const*, char const*, int, char const*, ...) const /home/bcall/dev/trafficserver/lib/ts/Diags.h:242
>     #6 0x7455d6 in HttpSM::update_stats() /home/bcall/dev/trafficserver/proxy/http/HttpSM.cc:6972
>     #7 0x77b07f in HttpSM::kill_this() /home/bcall/dev/trafficserver/proxy/http/HttpSM.cc:6786
>     #8 0x77d6f7 in HttpSM::main_handler(int, void*) /home/bcall/dev/trafficserver/proxy/http/HttpSM.cc:2660
>     #9 0x832d3a in Continuation::handleEvent(int, void*) /home/bcall/dev/trafficserver/iocore/eventsystem/I_Continuation.h:153
>     #10 0x832d3a in HttpTunnel::main_handler(int, void*) /home/bcall/dev/trafficserver/proxy/http/HttpTunnel.cc:1637
>     #11 0xcfdbb5 in Continuation::handleEvent(int, void*) /home/bcall/dev/trafficserver/iocore/eventsystem/I_Continuation.h:153
>     #12 0xcfdbb5 in write_signal_and_update /home/bcall/dev/trafficserver/iocore/net/UnixNetVConnection.cc:181
>     #13 0xcfdbb5 in write_signal_done /home/bcall/dev/trafficserver/iocore/net/UnixNetVConnection.cc:223
>     #14 0xcfdbb5 in write_to_net_io(NetHandler*, UnixNetVConnection*, EThread*) /home/bcall/dev/trafficserver/iocore/net/UnixNetVConnection.cc:563
>     #15 0xcbc4ca in NetHandler::mainNetEvent(int, Event*) /home/bcall/dev/trafficserver/iocore/net/UnixNet.cc:529
>     #16 0xda8ce3 in Continuation::handleEvent(int, void*) /home/bcall/dev/trafficserver/iocore/eventsystem/I_Continuation.h:153
>     #17 0xda8ce3 in EThread::process_event(Event*, int) /home/bcall/dev/trafficserver/iocore/eventsystem/UnixEThread.cc:148
>     #18 0xdabc8a in EThread::execute() /home/bcall/dev/trafficserver/iocore/eventsystem/UnixEThread.cc:275
>     #19 0xda7a58 in spawn_thread_internal /home/bcall/dev/trafficserver/iocore/eventsystem/Thread.cc:86
>     #20 0x2b5ec2264aa0 in start_thread (/lib64/libpthread.so.0+0x3818807aa0)
>     #21 0x38180e893c in clone (/lib64/libc.so.6+0x38180e893c)
> Address 0x2b5ec8877660 is located in stack of thread T21 ([ET_NET 20]) at offset 736 in frame
>     #0 0x7443ef in HttpSM::update_stats() /home/bcall/dev/trafficserver/proxy/http/HttpSM.cc:6827
>   This frame has 6 object(s):
>     [32, 36) 'offset'
>     [96, 100) 'skip'
>     [160, 164) 'length'
>     [224, 270) 'client_ip'
>     [320, 448) 'unique_id_string'
>     [480, 736) 'url_string' <== Memory access at offset 736 overflows this variable
> HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
>       (longjmp and C++ exceptions *are* supported)
> Thread T21 ([ET_NET 20]) created by T0 ([ET_NET 0]) here:
>     #0 0x4d50b4 in pthread_create (/usr/local/bin/traffic_server+0x4d50b4)
>     #1 0xda85aa in ink_thread_create /home/bcall/dev/trafficserver/lib/ts/ink_thread.h:147
>     #2 0xda85aa in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /home/bcall/dev/trafficserver/iocore/eventsystem/Thread.cc:101
>     #3 0xdafff2 in EventProcessor::start(int, unsigned long) /home/bcall/dev/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:141
>     #4 0x4ab7ed in main /home/bcall/dev/trafficserver/proxy/Main.cc:1733
>     #5 0x381801ed5c in __libc_start_main (/lib64/libc.so.6+0x381801ed5c)
> SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 printf_common(void*, char const*, __va_list_tag*) [clone .isra.6]
> Shadow bytes around the buggy address:
>   0x056c59106e70: f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4
>   0x056c59106e80: f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 00 00 00
>   0x056c59106e90: 00 06 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
>   0x056c59106ea0: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00
>   0x056c59106eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x056c59106ec0: 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3
>   0x056c59106ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
>   0x056c59106ee0: f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x056c59106ef0: 00 00 00 00 00 00 00 00 00 00 00 f4 f4 f4 f3 f3
>   0x056c59106f00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x056c59106f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
> ==13159==ABORTING



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
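Review bot: in the HttpSM::update_stats() hunk, forcing `url_string[sizeof(url_string) - 1] = 0` stops the over-read that ASAN reports (printf walking past the end of the 256-byte `url_string`, which implies url_print filled the buffer without a terminating NUL), but it does so by silently truncating any URL that fills the buffer; `offset` is passed to url_print and never inspected afterwards, so the truncation is invisible in the slow log. Suggest checking `offset` against `sizeof(url_string) - 1` after the call and marking the logged URL as truncated (or sizing the buffer from the URL length) so the log line is not misleading. Minor: the comment should read "NUL terminate", since the byte written is the NUL character, not the NULL pointer.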