sudheerv edited a comment on issue #6946:
URL: https://github.com/apache/trafficserver/issues/6946#issuecomment-649140562


Debugged some more with asserts which haven't tripped so far. Also ran ASAN in parallel with @whutwhu and we found that there's a potential global memory corruption with the log filter as below.

The setter fields for log fields don't seem to be safeguarding against buffer overflow, so we are going to try a patch to ensure the buffer isn't overflowed when copying those fields during log filtering actions.
   
```
(gdb) p hostdb_max_iobuf_index
$12 = 1769172816
(gdb) p http_global_hooks
$13 = (HttpAPIHooks *) 0x2b2ee301e000
(gdb) p invalid_str
No symbol "invalid_str" in current context.
(gdb) p INVALID_STR
$14 = 0xaa2c10 <INVALID_STR> "https://www.link\005";
```
   
   
```
================================================================
==3885==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000142ccce at pc 0x2b30bb9d5a65 bp 0x2b30c6a53370 sp 0x2b30c6a53368
WRITE of size 1 at 0x00000142ccce thread T21 ([ET_NET 19])
    #0 0x2b30bb9d5a64 in ink_strlcpy(char*, char const*, unsigned long) /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/src/tscore/ink_string.cc:183
    #1 0x9d3268 in LogFilterString::wipe_this_entry(LogAccess*) /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/proxy/logging/LogFilter.cc:370
    #2 0x9e3c5f in LogFilterList::wipe_this_entry(LogAccess*) /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/proxy/logging/LogFilter.cc:1016
    #3 0x9ffe0e in LogObject::log(LogAccess*, std::basic_string_view<char, std::char_traits<char> >) /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/proxy/logging/LogObject.cc:546
    #4 0x9ffe0e in LogObject::log(LogAccess*, char const*) /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/proxy/logging/LogObject.cc:517
    #5 0x9ffe0e in LogObjectManager::log(LogAccess*) /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/proxy/logging/LogObject.cc:1277
    #6 0x981a0a in Log::access(LogAccess*) /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/proxy/logging/Log.cc:1157
    #7 0x6f91b5 in HttpSM::kill_this() /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/proxy/http/HttpSM.cc:7083
    #8 0x6fa12f in HttpSM::main_handler(int, void*) /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/proxy/http/HttpSM.cc:2723
    #9 0x81051b in Continuation::handleEvent(int, void*) /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/iocore/eventsystem/I_Continuation.h:190
    #10 0x81051b in HttpTunnel::main_handler(int, void*) /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/proxy/http/HttpTunnel.cc:1629
    #11 0xeb62b1 in Continuation::handleEvent(int, void*) /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/iocore/eventsystem/I_Continuation.h:190
    #12 0xeb62b1 in write_signal_and_update /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/iocore/net/UnixNetVConnection.cc:115
    #13 0xeb62b1 in write_signal_done /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/iocore/net/UnixNetVConnection.cc:161
    #14 0xed0d2a in write_to_net_io(NetHandler*, UnixNetVConnection*, EThread*) /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/iocore/net/UnixNetVConnection.cc:494
    #15 0xe6f793 in NetHandler::process_ready_list() /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/iocore/net/UnixNet.cc:429
    #16 0xe703d8 in NetHandler::waitForActivity(long) /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/iocore/net/UnixNet.cc:547
    #17 0xfe515e in EThread::execute_regular() /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/iocore/eventsystem/UnixEThread.cc:266
    #18 0xfe5ab1 in EThread::execute() /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/iocore/eventsystem/UnixEThread.cc:327
    #19 0xfdff1a in spawn_thread_internal /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/iocore/eventsystem/Thread.cc:92
    #20 0x2b30bd7bfdd4 in start_thread (/lib64/libpthread.so.0+0x7dd4)
    #21 0x2b30be570eac in __clone (/lib64/libc.so.6+0xfdeac)

0x00000142ccce is located 0 bytes to the right of global variable 'INVALID_STR' defined in 'LogAccess.cc:35:6' (0x142ccc0) of size 14
SUMMARY: AddressSanitizer: global-buffer-overflow /home/xinli1/work/prj/ats9/core/ats-core_BR_HF_ats9/ats9/src/src/tscore/ink_string.cc:183 in ink_strlcpy(char*, char const*, unsigned long)
Shadow bytes around the buggy address:
  0x00008027d940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008027d950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008027d960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008027d970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008027d980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x00008027d990: 00 00 00 00 00 00 00 00 00[06]f9 f9 f9 f9 f9 f9
  0x00008027d9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008027d9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008027d9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008027d9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x00008027d9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
```
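The ASAN report above shows a strlcpy-style copy writing one byte past a 14-byte global, which only happens when the size argument does not match the real capacity of the destination. The following added example (not code from the trafficserver project or from the commenter) sketches the shape of a safeguarded setter: the field carries its true capacity and a writable flag, the copy is bounded by that capacity, and the setter checks the fit before writing instead of relying on truncation. The `log_field_t`, `bounded_strlcpy` and `log_field_set` names are hypothetical, and the 14-byte shared constant is a constructed stand-in for the report's `INVALID_STR`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical log-field buffer: the pointer travels with the real capacity
 * of the storage behind it, so a copy can never be told it is larger. */
typedef struct {
    char  *buf;
    size_t cap;      /* bytes actually owned at buf, including the NUL */
    bool   writable; /* false when buf aliases a shared constant */
} log_field_t;

/* strlcpy-style bounded copy: writes at most size-1 bytes, always
 * NUL-terminates when size > 0, returns strlen(src) to expose truncation. */
size_t bounded_strlcpy(char *dst, const char *src, size_t size)
{
    size_t srclen = strlen(src);
    if (size > 0) {
        size_t n = srclen < size - 1 ? srclen : size - 1;
        memcpy(dst, src, n);
        dst[n] = '\0';
    }
    return srclen;
}

/* Setter that writes only into owned, writable storage that the value fits.
 * Returns false instead of overflowing or silently truncating. */
bool log_field_set(log_field_t *f, const char *value)
{
    if (!f->writable || f->cap == 0) {
        return false;
    }
    if (strlen(value) >= f->cap) {   /* check first, write second */
        return false;
    }
    bounded_strlcpy(f->buf, value, f->cap);
    return true;
}

/* Constructed demo: a 14-byte shared constant (as in the report) and a
 * 32-byte owned buffer, both asked to take a 16-character mask value. */
static char shared_const[14] = "<INVALID_STR>";
static char owned[32];
static const char mask[] = "XXXXXXXXXXXXXXXX";

bool demo_const_rejected(void)
{
    log_field_t f = { shared_const, sizeof shared_const, false };
    return !log_field_set(&f, mask) && strcmp(shared_const, "<INVALID_STR>") == 0;
}

bool demo_owned_accepted(void)
{
    log_field_t f = { owned, sizeof owned, true };
    return log_field_set(&f, mask) && strcmp(owned, mask) == 0;
}
```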

