bneradt opened a new issue, #12534:
URL: https://github.com/apache/trafficserver/issues/12534

   ASan detected the following heap-buffer-overflow: an 8-byte read one past the end of the 520-byte region allocated in `PreservationTable::PreservationTable`, hit in `StripeSM::evac_range` while it was called from the CacheVC write path (`CacheVC::handleWrite` -> `StripeSM::aggWrite`):
   
   ```
   =================================================================
   ==4080244==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x616000010188 at pc 0x561a4537b016 bp 0x7fafccf0a670 sp 0x7fafccf0a660
   READ of size 8 at 0x616000010188 thread T2 ([ET_NET 0])
       #0 0x561a4537b015 in StripeSM::evac_range(long, long, int) 
/home/bneradt/src/trafficserver_10/src/iocore/cache/StripeSM.cc:1097
       #1 0x561a4537732c in StripeSM::aggWrite(int, void*) 
/home/bneradt/src/trafficserver_10/src/iocore/cache/StripeSM.cc:815
       #2 0x561a4534460e in CacheVC::handleWrite(int, Event*) 
/home/bneradt/src/trafficserver_10/src/iocore/cache/CacheWrite.cc:264
       #3 0x561a45334358 in CacheVC::do_write_call() 
/home/bneradt/src/trafficserver_10/src/iocore/cache/P_CacheInternal.h:286
       #4 0x561a45343c2a in CacheVC::updateVector(int, Event*) 
/home/bneradt/src/trafficserver_10/src/iocore/cache/CacheWrite.cc:195
       #5 0x561a45346d31 in CacheVC::openWriteCloseHead(int, Event*) 
/home/bneradt/src/trafficserver_10/src/iocore/cache/CacheWrite.cc:385
       #6 0x561a45347c3e in CacheVC::openWriteClose(int, Event*) 
/home/bneradt/src/trafficserver_10/src/iocore/cache/CacheWrite.cc:476
       #7 0x561a452e657f in CacheVC::die() 
/home/bneradt/src/trafficserver_10/src/iocore/cache/P_CacheInternal.h:308
       #8 0x561a453341c6 in CacheVC::calluser(int) 
/home/bneradt/src/trafficserver_10/src/iocore/cache/P_CacheInternal.h:251
       #9 0x561a4534895e in CacheVC::openWriteMain(int, Event*) 
/home/bneradt/src/trafficserver_10/src/iocore/cache/CacheWrite.cc:558
       #10 0x561a44d5c8f8 in Continuation::handleEvent(int, void*) 
/home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
       #11 0x561a456d7c6c in EThread::process_event(Event*, int) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:166
       #12 0x561a456d81c0 in EThread::process_queue(Queue<Event, 
Event::Link_link>*, int*, int*) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:201
       #13 0x561a456d8757 in EThread::execute_regular() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:259
       #14 0x561a456d9222 in EThread::execute() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:358
       #15 0x561a456d5ea8 in spawn_thread_internal 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:75
       #16 0x7fafd3be1608 in start_thread 
/build/glibc-LcI20x/glibc-2.31/nptl/pthread_create.c:477
       #17 0x7fafd3b06352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352)
   
   0x616000010188 is located 0 bytes to the right of 520-byte region 
[0x61600000ff80,0x616000010188)
   allocated by thread T7 ([ET_NET 5]) here:
       #0 0x7fafd4bf3157 in __interceptor_malloc 
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
       #1 0x561a44dd1656 in ats_malloc(unsigned long) 
/home/bneradt/src/trafficserver_10/src/tscore/ink_memory.cc:65
       #2 0x561a45355a4f in PreservationTable::PreservationTable(int) 
/home/bneradt/src/trafficserver_10/src/iocore/cache/PreservationTable.cc:52
       #3 0x561a4536eeca in StripeSM::StripeSM(CacheDisk*, long, long, int, 
int) /home/bneradt/src/trafficserver_10/src/iocore/cache/StripeSM.cc:120
       #4 0x561a452dc426 in Cache::open(bool, bool) 
/home/bneradt/src/trafficserver_10/src/iocore/cache/Cache.cc:276
       #5 0x561a453122bb in CacheProcessor::diskInitialized() 
/home/bneradt/src/trafficserver_10/src/iocore/cache/CacheProcessor.cc:814
       #6 0x561a452fae3d in CacheDisk::openDone(int, void*) 
/home/bneradt/src/trafficserver_10/src/iocore/cache/CacheDisk.cc:218
       #7 0x561a452fa2e2 in CacheDisk::clearDone(int, void*) 
/home/bneradt/src/trafficserver_10/src/iocore/cache/CacheDisk.cc:160
       #8 0x561a44d5c8f8 in Continuation::handleEvent(int, void*) 
/home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
       #9 0x561a45396e58 in AIOCallback::io_complete(int, void*) 
/home/bneradt/src/trafficserver_10/src/iocore/aio/AIO.cc:100
       #10 0x561a44d5c8f8 in Continuation::handleEvent(int, void*) 
/home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
       #11 0x561a456d7c6c in EThread::process_event(Event*, int) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:166
       #12 0x561a456d81c0 in EThread::process_queue(Queue<Event, 
Event::Link_link>*, int*, int*) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:201
       #13 0x561a456d8757 in EThread::execute_regular() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:259
       #14 0x561a456d9222 in EThread::execute() 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:358
       #15 0x561a456d5ea8 in spawn_thread_internal 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:75
       #16 0x7fafd3be1608 in start_thread 
/build/glibc-LcI20x/glibc-2.31/nptl/pthread_create.c:477
   
   Thread T2 ([ET_NET 0]) created by T0 ([TS_MAIN]) here:
       #0 0x7fafd4b9aa65 in __interceptor_pthread_create 
../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
       #1 0x561a456d591f in ink_thread_create 
/home/bneradt/src/trafficserver_10/include/tscore/ink_thread.h:129
       #2 0x561a456d5fdb in Thread::start(char const*, void*, unsigned long, 
std::function<void ()> const&) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:92
       #3 0x561a456e00a1 in EventProcessor::spawn_event_threads(int, int, 
unsigned long) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:476
       #4 0x561a456e09ed in EventProcessor::start(int, unsigned long) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:557
       #5 0x561a44d7a56e in main 
/home/bneradt/src/trafficserver_10/src/traffic_server/traffic_server.cc:2152
       #6 0x7fafd3a0b082 in __libc_start_main ../csu/libc-start.c:308
   
   Thread T7 ([ET_NET 5]) created by T0 ([TS_MAIN]) here:
       #0 0x7fafd4b9aa65 in __interceptor_pthread_create 
../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
       #1 0x561a456d591f in ink_thread_create 
/home/bneradt/src/trafficserver_10/include/tscore/ink_thread.h:129
       #2 0x561a456d5fdb in Thread::start(char const*, void*, unsigned long, 
std::function<void ()> const&) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:92
       #3 0x561a456e00a1 in EventProcessor::spawn_event_threads(int, int, 
unsigned long) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:476
       #4 0x561a456e09ed in EventProcessor::start(int, unsigned long) 
/home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:557
       #5 0x561a44d7a56e in main 
/home/bneradt/src/trafficserver_10/src/traffic_server/traffic_server.cc:2152
       #6 0x7fafd3a0b082 in __libc_start_main ../csu/libc-start.c:308
   
   SUMMARY: AddressSanitizer: heap-buffer-overflow 
/home/bneradt/src/trafficserver_10/src/iocore/cache/StripeSM.cc:1097 in 
StripeSM::evac_range(long, long, int)
   Shadow bytes around the buggy address:
     0x0c2c7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c2c7fff9ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     0x0c2c7fffa000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     0x0c2c7fffa010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
     0x0c2c7fffa020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
   =>0x0c2c7fffa030: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c2c7fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
     0x0c2c7fffa050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
     0x0c2c7fffa060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
     0x0c2c7fffa070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
     0x0c2c7fffa080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
   Shadow byte legend (one shadow byte represents 8 application bytes):
     Addressable:           00
     Partially addressable: 01 02 03 04 05 06 07 
     Heap left redzone:       fa
     Freed heap region:       fd
     Stack left redzone:      f1
     Stack mid redzone:       f2
     Stack right redzone:     f3
     Stack after return:      f5
     Stack use after scope:   f8
     Global redzone:          f9
     Global init order:       f6
     Poisoned by user:        f7
     Container overflow:      fc
     Array cookie:            ac
     Intra object redzone:    bb
     ASan internal:           fe
     Left alloca redzone:     ca
     Right alloca redzone:    cb
     Shadow gap:              cc
   ==4080244==ABORTING
   ```

