Traffic Server / TS-3405

Memory use after free in HTTP/2


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.3.0
    • Component/s: HTTP/2
    • Labels: None

      Description

      From Leif running on docs.trafficserver.apache.org:

      traffic_server: using root directory '/opt/ats'
      =================================================================
      ==31101==ERROR: AddressSanitizer: heap-use-after-free on address 0x61800000c888 at pc 0x4f3558 bp 0x2aaf10c88930 sp 0x2aaf10c88928
      READ of size 8 at 0x61800000c888 thread T2 ([ET_NET 1])
          #0 0x4f3557 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:146
          #1 0x4f3557 in FetchSM::InvokePluginExt(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:301
          #2 0x4f3a7a in FetchSM::process_fetch_read(int) /usr/local/src/trafficserver/proxy/FetchSM.cc:465
          #3 0x4f5112 in FetchSM::fetch_handler(int, void*) /usr/local/src/trafficserver/proxy/FetchSM.cc:514
          #4 0x59f1b7 in Continuation::handleEvent(int, void*) ../iocore/eventsystem/I_Continuation.h:146
          #5 0x59f1b7 in PluginVC::process_read_side(bool) /usr/local/src/trafficserver/proxy/PluginVC.cc:640
          #6 0x5abcb9 in PluginVC::main_handler(int, void*) /usr/local/src/trafficserver/proxy/PluginVC.cc:206
          #7 0xc821fe in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
          #8 0xc821fe in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:144
          #9 0xc84819 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:238
          #10 0xc80e18 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:88
          #11 0x2aaf0b083df2 in start_thread (/lib64/libpthread.so.0+0x7df2)
          #12 0x2aaf0c8ec1ac in clone (/lib64/libc.so.6+0xf61ac)
      
      0x61800000c888 is located 8 bytes inside of 816-byte region [0x61800000c880,0x61800000cbb0)
      freed by thread T0 ([ET_NET 0]) here:
          #0 0x2aaf08c131c7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
          #1 0x7b7d42 in Http2ClientSession::do_io_close(int) /usr/local/src/trafficserver/proxy/http2/Http2ClientSession.cc:194
          #2 0x7b7d42 in Http2ClientSession::main_event_handler(int, void*) /usr/local/src/trafficserver/proxy/http2/Http2ClientSession.cc:237
          #3 0xc1351f in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146
          #4 0xc1351f in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:140
          #5 0xc1351f in read_signal_done /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:185
          #6 0xc1351f in UnixNetVConnection::readSignalDone(int, NetHandler*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:939
          #7 0xbbabf8 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:596
          #8 0xbda09c in NetHandler::mainNetEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:513
          #9 0xc85089 in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
          #10 0xc85089 in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:144
          #11 0xc85089 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:268
          #12 0x498f96 in main /usr/local/src/trafficserver/proxy/Main.cc:1826
          #13 0x2aaf0c817af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
      
      previously allocated by thread T0 ([ET_NET 0]) here:
          #0 0x2aaf08c1393b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
          #1 0x2aaf09afd2f9 in ats_memalign /usr/local/src/trafficserver/lib/ts/ink_memory.cc:96
          #2 0x7cd804 in ClassAllocator<Http2ClientSession>::alloc() ../../lib/ts/Allocator.h:124
          #3 0x7cd804 in Http2SessionAccept::accept(NetVConnection*, MIOBuffer*, IOBufferReader*) /usr/local/src/trafficserver/proxy/http2/Http2SessionAccept.cc:57
          #4 0x7cd3c4 in Http2SessionAccept::mainEvent(int, void*) /usr/local/src/trafficserver/proxy/http2/Http2SessionAccept.cc:69
          #5 0xbc2fae in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) /usr/local/src/trafficserver/iocore/net/SSLNextProtocolAccept.cc:101
          #6 0xc1351f in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146
          #7 0xc1351f in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:140
          #8 0xc1351f in read_signal_done /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:185
          #9 0xc1351f in UnixNetVConnection::readSignalDone(int, NetHandler*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:939
          #10 0xbbba59 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:489
          #11 0xbda09c in NetHandler::mainNetEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:513
          #12 0xc85089 in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
          #13 0xc85089 in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:144
          #14 0xc85089 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:268
          #15 0x498f96 in main /usr/local/src/trafficserver/proxy/Main.cc:1826
          #16 0x2aaf0c817af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
      
      Thread T2 ([ET_NET 1]) created by T0 ([ET_NET 0]) here:
          #0 0x2aaf08be286a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
          #1 0xc81aa5 in ink_thread_create ../../lib/ts/ink_thread.h:148
          #2 0xc81aa5 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:103
          #3 0xc8a026 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
          #4 0x498d0b in main /usr/local/src/trafficserver/proxy/Main.cc:1636
          #5 0x2aaf0c817af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
      
      SUMMARY: AddressSanitizer: heap-use-after-free ../iocore/eventsystem/I_Continuation.h:146 Continuation::handleEvent(int, void*)
      Shadow bytes around the buggy address:
        0x0c307fff98c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c307fff98d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c307fff98e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c307fff98f0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
        0x0c307fff9900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      =>0x0c307fff9910: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c307fff9920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c307fff9930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c307fff9940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c307fff9950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c307fff9960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==31101==ABORTING
      traffic_server: using root directory '/opt/ats'
      
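The trace above records the classic event-system lifetime bug: the Http2ClientSession is allocated and later freed on [ET_NET 0] through Http2ClientSession::do_io_close, while a FetchSM on [ET_NET 1] still holds a pointer to it and calls Continuation::handleEvent on the freed 816-byte region. The C++ below is an added illustration of that bug class and of one way to guard against it; it is not Traffic Server code, and Session, RawFetch and GuardedFetch are made-up names. The unsafe form keeps a raw owner pointer that dangles after close; the guarded form holds a std::weak_ptr and drops the completion event if the owner is already gone.

```cpp
// Added illustration (not Traffic Server code) of the lifetime bug class in the
// ASan report above: a session is freed by a close path while a still-pending
// fetch holds a pointer to it and later calls handleEvent() on freed memory.
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

// Stand-in for a Continuation-style object that receives events (made-up name).
struct Session {
    std::string name;
    int events_handled = 0;
    explicit Session(std::string n) : name(std::move(n)) {}
    int handleEvent(int event) { ++events_handled; return event; }
};

// Unsafe shape: the fetch keeps a raw pointer to its owner. If the owner is
// deleted (the do_io_close path in the report) before the fetch completes,
// complete() dereferences freed memory. It compiles cleanly and usually
// appears to work; only ASan or a crash exposes it. Not exercised below.
struct RawFetch {
    Session *owner;                  // dangling once the Session is deleted
    int complete(int event) { return owner->handleEvent(event); }
};

// Guarded shape: shared ownership plus a weak back-reference. At completion
// the fetch tries to promote the weak_ptr; if the session was already closed
// and released, promotion fails and the event is dropped, not delivered.
struct GuardedFetch {
    std::weak_ptr<Session> owner;
    // Returns true if the event reached a live session, false if dropped.
    bool complete(int event) {
        if (auto live = owner.lock()) {
            live->handleEvent(event);
            return true;
        }
        return false;
    }
};

// Ordering from the report: close (ET_NET 0) happens before the outstanding
// fetch completes (ET_NET 1). Returns whether the event was delivered.
bool close_before_fetch_completes() {
    auto session = std::make_shared<Session>("h2-client");
    GuardedFetch fetch{session};
    session.reset();                 // close: last owner releases the session
    return fetch.complete(1);        // false: dropped instead of use-after-free
}

// Benign ordering: the fetch completes while the session is still open.
// Returns true only if the event was delivered and counted exactly once.
bool fetch_completes_before_close() {
    auto session = std::make_shared<Session>("h2-client");
    GuardedFetch fetch{session};
    bool delivered = fetch.complete(1);
    bool counted = session->events_handled == 1;
    session.reset();
    return delivered && counted;
}

int main() {
    std::printf("close, then complete: delivered=%d\n", close_before_fetch_completes());
    std::printf("complete, then close: delivered=%d\n", fetch_completes_before_close());
    return 0;
}
```

Building with -fsanitize=address -g and wiring a RawFetch to a deleted Session produces the same kind of heap-use-after-free report as the one pasted above. The model has a limit worth stating: std::weak_ptr::lock() is atomic on the control block, but it does not serialize handleEvent() against a concurrent close on another thread, which is the job of the continuation mutex in an event system like this one. The attached patches are the project's actual fix; this example only shows the shape of the hazard.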

        Attachments

        1. fix-h2-plus-spin.diff (7 kB, Susan Hinrichs)
        2. fix-h2.patch (5 kB, Ryo Okubo)
        3. fetchsm-change.diff (0.8 kB, Susan Hinrichs)
        4. 0002-fix-h2.patch (3 kB, Ryo Okubo)

              People

              • Assignee: rokubo (Ryo Okubo)
              • Reporter: bcall (Bryan Call)
              • Votes: 0
              • Watchers: 7
