[ https://issues.apache.org/jira/browse/TS-3805?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Susan Hinrichs resolved TS-3805.
--------------------------------
    Resolution: Fixed

I think this was addressed with the session shutdown reworking that followed 
TS-3612.  Please reopen if we are still seeing this.

> ASAN heap-use-after-free in ProxyClientSession::ssn_hook_get
> ------------------------------------------------------------
>
>                 Key: TS-3805
>                 URL: https://issues.apache.org/jira/browse/TS-3805
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core
>            Reporter: Leif Hedstrom
>            Assignee: Susan Hinrichs
>              Labels: ASAN, crash
>             Fix For: 7.0.0
>
>
> {code}
> [E. Mgmt] log ==> [TrafficManager] using root directory '/opt/ats'
> [Jul 30 11:02:22.124] Manager {0x7f1366c0e8c0} WARNING: Be aware that access 
> control checks for HTTP/2 connections are not active!
> [Jul 30 11:02:22.124] Manager {0x7f1366c0e8c0} WARNING: Be aware that access 
> control checks for HTTP/2 connections are not active!
> traffic_server: using root directory '/opt/ats'
> =================================================================
> ==11239==ERROR: AddressSanitizer: heap-use-after-free on address 
> 0x61700009a170 at pc 0x52e50d bp 0x2b9d1a56a6b0 sp 0x2b9d1a56a6a8
> READ of size 8 at 0x61700009a170 thread T3 ([ET_NET 2])
>     #0 0x52e50c in APIHooks::get() const 
> /usr/local/src/trafficserver/proxy/InkAPI.cc:1258
>     #1 0x66bb1e in FeatureAPIHooks<TSHttpHookID, 
> (TSHttpHookID)19>::get(TSHttpHookID) const ../../proxy/InkAPIInternal.h:256
>     #2 0x66bb1e in ProxyClientSession::ssn_hook_get(TSHttpHookID) const 
> ../../proxy/ProxyClientSession.h:64
>     #3 0x66bb1e in HttpSM::state_api_callout(int, void*) 
> /usr/local/src/trafficserver/proxy/http/HttpSM.cc:1328
>     #4 0x67c586 in HttpSM::kill_this() 
> /usr/local/src/trafficserver/proxy/http/HttpSM.cc:6552
>     #5 0x67f817 in HttpSM::main_handler(int, void*) 
> /usr/local/src/trafficserver/proxy/http/HttpSM.cc:2558
>     #6 0xbb82d0 in Continuation::handleEvent(int, void*) 
> ../../iocore/eventsystem/I_Continuation.h:146
>     #7 0xbb82d0 in read_signal_and_update 
> /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:145
>     #8 0xbb82d0 in UnixNetVConnection::mainEvent(int, Event*) 
> /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1175
>     #9 0xb8d622 in Continuation::handleEvent(int, void*) 
> ../../iocore/eventsystem/I_Continuation.h:146
>     #10 0xb8d622 in InactivityCop::check_inactivity(int, Event*) 
> /usr/local/src/trafficserver/iocore/net/UnixNet.cc:102
>     #11 0xc336de in Continuation::handleEvent(int, void*) 
> /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #12 0xc336de in EThread::process_event(Event*, int) 
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #13 0xc35947 in EThread::execute() 
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207
>     #14 0xc322e8 in spawn_thread_internal 
> /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
>     #15 0x2b9d1363bdf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
>     #16 0x2b9d14ea41ac in __clone (/lib64/libc.so.6+0xf61ac)
> 0x61700009a170 is located 240 bytes inside of 688-byte region 
> [0x61700009a080,0x61700009a330)
> freed by thread T3 ([ET_NET 2]) here:
>     #0 0x2b9d1123a1c7 in __interceptor_free 
> ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
>     #1 0x62f74e in HttpVCTable::cleanup_entry(HttpVCTableEntry*) 
> /usr/local/src/trafficserver/proxy/http/HttpSM.cc:216
>     #2 0x65047a in HttpSM::state_read_client_request_header(int, void*) 
> /usr/local/src/trafficserver/proxy/http/HttpSM.cc:606
>     #3 0x67f4f0 in HttpSM::main_handler(int, void*) 
> /usr/local/src/trafficserver/proxy/http/HttpSM.cc:2545
>     #4 0xbb82d0 in Continuation::handleEvent(int, void*) 
> ../../iocore/eventsystem/I_Continuation.h:146
>     #5 0xbb82d0 in read_signal_and_update 
> /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:145
>     #6 0xbb82d0 in UnixNetVConnection::mainEvent(int, Event*) 
> /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1175
>     #7 0xb8d622 in Continuation::handleEvent(int, void*) 
> ../../iocore/eventsystem/I_Continuation.h:146
>     #8 0xb8d622 in InactivityCop::check_inactivity(int, Event*) 
> /usr/local/src/trafficserver/iocore/net/UnixNet.cc:102
>     #9 0xc336de in Continuation::handleEvent(int, void*) 
> /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #10 0xc336de in EThread::process_event(Event*, int) 
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #11 0xc35947 in EThread::execute() 
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207
>     #12 0xc322e8 in spawn_thread_internal 
> /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
>     #13 0x2b9d1363bdf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> previously allocated by thread T3 ([ET_NET 2]) here:
>     #0 0x2b9d1123a93b in __interceptor_posix_memalign 
> ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
>     #1 0x2b9d12123849 in ats_memalign 
> /usr/local/src/trafficserver/lib/ts/ink_memory.cc:100
>     #2 0x2b9d121241b0 in ink_freelist_new 
> /usr/local/src/trafficserver/lib/ts/ink_queue.cc:239
>     #3 0x5ffe94 in ClassAllocator<HttpClientSession>::alloc() 
> ../../lib/ts/Allocator.h:120
>     #4 0x5ffe94 in thread_alloc_init<HttpClientSession> 
> ../../iocore/eventsystem/I_ProxyAllocator.h:81
>     #5 0x5ffe94 in HttpSessionAccept::accept(NetVConnection*, MIOBuffer*, 
> IOBufferReader*) 
> /usr/local/src/trafficserver/proxy/http/HttpSessionAccept.cc:63
>     #6 0x5ffa14 in HttpSessionAccept::mainEvent(int, void*) 
> /usr/local/src/trafficserver/proxy/http/HttpSessionAccept.cc:86
>     #7 0xb6999e in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) 
> /usr/local/src/trafficserver/iocore/net/SSLNextProtocolAccept.cc:99
>     #8 0xbc420f in Continuation::handleEvent(int, void*) 
> ../../iocore/eventsystem/I_Continuation.h:146
>     #9 0xbc420f in read_signal_and_update 
> /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:145
>     #10 0xbc420f in read_signal_done 
> /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:206
>     #11 0xbc420f in UnixNetVConnection::readSignalDone(int, NetHandler*) 
> /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1006
>     #12 0xb60ac8 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) 
> /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:540
>     #13 0xb834fc in NetHandler::mainNetEvent(int, Event*) 
> /usr/local/src/trafficserver/iocore/net/UnixNet.cc:516
>     #14 0xc365be in Continuation::handleEvent(int, void*) 
> /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
>     #15 0xc365be in EThread::process_event(Event*, int) 
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #16 0xc365be in EThread::execute() 
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:252
>     #17 0xc322e8 in spawn_thread_internal 
> /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
>     #18 0x2b9d1363bdf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> Thread T3 ([ET_NET 2]) created by T0 ([ET_NET 0]) here:
>     #0 0x2b9d1120986a in __interceptor_pthread_create 
> ../../.././libsanitizer/asan/asan_interceptors.cc:183
>     #1 0xc32f75 in ink_thread_create ../../lib/ts/ink_thread.h:150
>     #2 0xc32f75 in Thread::start(char const*, unsigned long, void* 
> (*)(void*), void*) 
> /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:101
>     #3 0xc3b5c6 in EventProcessor::start(int, unsigned long) 
> /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x4967bb in main /usr/local/src/trafficserver/proxy/Main.cc:1624
>     #5 0x2b9d14dcfaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> SUMMARY: AddressSanitizer: heap-use-after-free 
> /usr/local/src/trafficserver/proxy/InkAPI.cc:1258 APIHooks::get() const
> Shadow bytes around the buggy address:
>   0x0c2e8000b3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c2e8000b3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c2e8000b3f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c2e8000b400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c2e8000b410: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> =>0x0c2e8000b420: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
>   0x0c2e8000b430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c2e8000b440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c2e8000b450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c2e8000b460: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
>   0x0c2e8000b470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==11239==ABORTING
> [E. Mgmt] log ==> [TrafficManager] using root directory '/opt/ats'
> [Jul 30 11:11:14.291] Manager {0x7fe0756968c0} WARNING: Be aware that access 
> control checks for HTTP/2 connections are not active!
> [Jul 30 11:11:14.291] Manager {0x7fe0756968c0} WARNING: Be aware that access 
> control checks for HTTP/2 connections are not active!
> traffic_server: using root directory '/opt/ats'
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)