bneradt opened a new issue, #11084:
URL: https://github.com/apache/trafficserver/issues/11084

   When I enabled QUIC in docs via AltSvc, ASan reported a heap use-after-free.
   
   Commit under test:
   ```
   fbd212851 (HEAD -> 10.0.x, origin/10.0.x) http3: Propagate events from 
QUICNetVC (#11071)
   ```
   
   ASan use-after-free report. Reading the three stacks together: the freed 96-byte region is an `Event` allocated by `EThread::schedule_imm` from `QUICStreamVCAdapter::encourge_write()` (QUICStreamVCAdapter.cc:175), released by `EThread::free_event` after `EThread::process_event` ran it, and then read again at QUICStreamVCAdapter.cc:174 by a later `encourge_write()` call, i.e. the adapter appears to keep a pointer to an Event the event system has already freed:
   
   ```
   ==2862542==ERROR: AddressSanitizer: heap-use-after-free on address 
0x60900005986c at pc 0x5588c2d1fe0d bp 0x7f94702d2890 sp 0x7f94702d2880
   READ of size 4 at 0x60900005986c thread T5 ([ET_NET 3])
       #0 0x5588c2d1fe0c in QUICStreamVCAdapter::encourge_write() 
/home/bneradt/src/trafficserver_10/src/iocore/net/quic/QUICStreamVCAdapter.cc:174
       #1 0x5588c2d1ce27 in QUICStream::send_data(quiche_conn*) 
/home/bneradt/src/trafficserver_10/src/iocore/net/quic/QUICStream.cc:126
       #2 0x5588c2b58ba1 in QUICNetVConnection::_handle_write_ready() 
/home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:625
       #3 0x5588c2b54e1a in QUICNetVConnection::state_established(int, Event*) 
/home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:198
       #4 0x5588c22df3f6 in Continuation::handleEvent(int, void*) 
/home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
       #5 0x5588c2c5147a in EThread::process_event(Event*, int) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:162
       #6 0x5588c2c52124 in EThread::execute_regular() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:269
       #7 0x5588c2c52a11 in EThread::execute() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:348
       #8 0x5588c2c4f827 in spawn_thread_internal 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:68
       #9 0x7f94772d7608 in start_thread 
/build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
       #10 0x7f94771fa132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
   
   0x60900005986c is located 44 bytes inside of 96-byte region 
[0x609000059840,0x6090000598a0)
   freed by thread T5 ([ET_NET 3]) here:
       #0 0x7f94780dc40f in __interceptor_free 
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
       #1 0x5588c2356f43 in ats_free(void*) 
/home/bneradt/src/trafficserver_10/src/tscore/ink_memory.cc:127
       #2 0x5588c2376a47 in 
je_mi_malloc::JeMiNodumpAllocator::deallocate(_InkFreeList*, void*) 
/home/bneradt/src/trafficserver_10/src/tscore/JeMiAllocator.cc:160
       #3 0x5588c235984c in malloc_free 
/home/bneradt/src/trafficserver_10/src/tscore/ink_queue.cc:349
       #4 0x5588c23592b5 in ink_freelist_free(_InkFreeList*, void*) 
/home/bneradt/src/trafficserver_10/src/tscore/ink_queue.cc:299
       #5 0x5588c22dd75e in FreelistAllocator::free_void(void*) 
/home/bneradt/src/trafficserver_10/include/tscore/Allocator.h:74
       #6 0x5588c28173dd in ClassAllocator<Event, false, 
FreelistAllocator>::free(Event*) 
/home/bneradt/src/trafficserver_10/include/tscore/Allocator.h:261
       #7 0x5588c28125b9 in EThread::free_event(Event*) 
/home/bneradt/src/trafficserver_10/src/iocore/dns/../eventsystem/P_UnixEThread.h:254
       #8 0x5588c2c5174c in EThread::process_event(Event*, int) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:176
       #9 0x5588c2c519ce in EThread::process_queue(Queue<Event, 
Event::Link_link>*, int*, int*) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:197
       #10 0x5588c2c51f65 in EThread::execute_regular() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:255
       #11 0x5588c2c52a11 in EThread::execute() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:348
       #12 0x5588c2c4f827 in spawn_thread_internal 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:68
       #13 0x7f94772d7608 in start_thread 
/build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
   
   previously allocated by thread T5 ([ET_NET 3]) here:
       #0 0x7f94780dd6e5 in __interceptor_posix_memalign 
../../../../src/libsanitizer/asan/asan_malloc_linux.cc:217
       #1 0x5588c2356def in ats_memalign(unsigned long, unsigned long) 
/home/bneradt/src/trafficserver_10/src/tscore/ink_memory.cc:108
       #2 0x5588c23769bf in 
je_mi_malloc::JeMiNodumpAllocator::allocate(_InkFreeList*) 
/home/bneradt/src/trafficserver_10/src/tscore/JeMiAllocator.cc:139
       #3 0x5588c2359175 in malloc_new 
/home/bneradt/src/trafficserver_10/src/tscore/ink_queue.cc:286
       #4 0x5588c2358647 in ink_freelist_new(_InkFreeList*) 
/home/bneradt/src/trafficserver_10/src/tscore/ink_queue.cc:202
       #5 0x5588c22dd711 in FreelistAllocator::alloc_void() 
/home/bneradt/src/trafficserver_10/include/tscore/Allocator.h:63
       #6 0x5588c22e6bb4 in Event* ClassAllocator<Event, false, 
FreelistAllocator>::alloc<>() 
/home/bneradt/src/trafficserver_10/include/tscore/Allocator.h:245
       #7 0x5588c2811266 in EThread::schedule_imm(Continuation*, int, void*) 
/home/bneradt/src/trafficserver_10/src/iocore/dns/../eventsystem/P_UnixEThread.h:43
       #8 0x5588c2d1fe77 in QUICStreamVCAdapter::encourge_write() 
/home/bneradt/src/trafficserver_10/src/iocore/net/quic/QUICStreamVCAdapter.cc:175
       #9 0x5588c2cb4f92 in 
QUICStreamVCAdapter::IOInfo::setup_write_vio(Continuation*) 
/home/bneradt/src/trafficserver_10/include/iocore/net/quic/QUICStreamVCAdapter.h:99
       #10 0x5588c2cb8cd9 in Http3App::on_new_stream(QUICStream&) 
/home/bneradt/src/trafficserver_10/src/proxy/http3/Http3App.cc:108
       #11 0x5588c2d1d41c in QUICStreamManager::create_stream(unsigned long) 
/home/bneradt/src/trafficserver_10/src/iocore/net/quic/QUICStreamManager.cc:99
       #12 0x5588c2b58628 in QUICNetVConnection::_handle_read_ready() 
/home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:605
       #13 0x5588c2b54ded in QUICNetVConnection::state_established(int, Event*) 
/home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:194
       #14 0x5588c22df3f6 in Continuation::handleEvent(int, void*) 
/home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
       #15 0x5588c2b5491b in QUICNetVConnection::state_handshake(int, Event*) 
/home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:152
       #16 0x5588c22df3f6 in Continuation::handleEvent(int, void*) 
/home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
       #17 0x5588c2b57809 in QUICNetVConnection::net_read_io(NetHandler*, 
EThread*) 
/home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:506
       #18 0x5588c2bbb58c in NetHandler::process_ready_list() 
/home/bneradt/src/trafficserver_10/src/iocore/net/NetHandler.cc:276
       #19 0x5588c2bbbf21 in NetHandler::waitForActivity(long) 
/home/bneradt/src/trafficserver_10/src/iocore/net/NetHandler.cc:364
       #20 0x5588c2c524cb in EThread::execute_regular() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:299
       #21 0x5588c2c52a11 in EThread::execute() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:348
       #22 0x5588c2c4f827 in spawn_thread_internal 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:68
       #23 0x7f94772d7608 in start_thread 
/build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
   
   Thread T5 ([ET_NET 3]) created by T0 ([TS_MAIN]) here:
       #0 0x7f9478009815 in __interceptor_pthread_create 
../../../../src/libsanitizer/asan/asan_interceptors.cc:208
       #1 0x5588c2c4f33b in ink_thread_create 
/home/bneradt/src/trafficserver_10/include/tscore/ink_thread.h:129
       #2 0x5588c2c4f95b in Thread::start(char const*, void*, unsigned long, 
std::function<void ()> const&) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:85
       #3 0x5588c2c592ff in EventProcessor::spawn_event_threads(int, int, 
unsigned long) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:467
       #4 0x5588c2c59c4b in EventProcessor::start(int, unsigned long) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:548
       #5 0x5588c22ff44d in main 
/home/bneradt/src/trafficserver_10/src/traffic_server/traffic_server.cc:2104
       #6 0x7f94770ff082 in __libc_start_main ../csu/libc-start.c:308
   
   SUMMARY: AddressSanitizer: heap-use-after-free 
/home/bneradt/src/trafficserver_10/src/iocore/net/quic/QUICStreamVCAdapter.cc:174
 in QUICStreamVCAdapter::encourge_write()
   Shadow bytes around the buggy address:
     0x0c12800032b0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
     0x0c12800032c0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
     0x0c12800032d0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
     0x0c12800032e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
     0x0c12800032f0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
   =>0x0c1280003300: fd fd fa fa fa fa fa fa fd fd fd fd fd[fd]fd fd
     0x0c1280003310: fd fd fd fd fa fa fa fa fa fa fd fd fd fd fd fd
     0x0c1280003320: fd fd fd fd fd fd fa fa fa fa fa fa 00 00 00 00
     0x0c1280003330: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fd fd
     0x0c1280003340: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
     0x0c1280003350: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
   Shadow byte legend (one shadow byte represents 8 application bytes):
     Addressable:           00
     Partially addressable: 01 02 03 04 05 06 07 
     Heap left redzone:       fa
     Freed heap region:       fd
     Stack left redzone:      f1
     Stack mid redzone:       f2
     Stack right redzone:     f3
     Stack after return:      f5
     Stack use after scope:   f8
     Global redzone:          f9
     Global init order:       f6
     Poisoned by user:        f7
     Container overflow:      fc
     Array cookie:            ac
     Intra object redzone:    bb
     ASan internal:           fe
     Left alloca redzone:     ca
     Right alloca redzone:    cb
     Shadow gap:              cc
   ==2862542==ABORTING
   ```

