Traffic Server: TS-3802

ASAN Crash with latest master due to double free of MIOBuffer in SSLNetVConnection.


Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 6.0.0
    • Fix Version/s: 6.0.0
    • Component/s: SPDY
    • Labels: None

    Description

      Below's the ASAN stack trace that zwoop found on docs@ after installing the latest master.

      The issue is that the recent rearrangement of cleanup (TS-1007) via ProxyClientSession for SPDY/H2 etc. resulted in the netvc being null'ed out before calling SpdyClientSession::clear() (for example, when an inactivity timeout occurs). This results in bypassing the code that sets the SSL_VC's iobuf to null (specifically to prevent a double free via SSLNetVConnection::free() and via SpdyClientSession::clear() (req_buffer)).

      The fix is basically to set the SSL_VC's iobuf to null before calling ProxyClientSession with SSN_CLOSE_HOOK, thus making sure the iobuf is only cleaned up once.
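To make the ownership hazard concrete, here is an added, simplified C++ model (not Traffic Server code; the struct and function names are stand-ins that mirror the ticket's description). It counts frees of the shared buffer, so the skipped handoff shows up as a count of 2 and the fix as a count of 1.

```cpp
#include <cstdio>

// Stand-in for MIOBuffer: counts frees so a double free is observable rather than UB.
struct MIOBuffer { int frees = 0; };
static void free_MIOBuffer(MIOBuffer *b) { if (b) b->frees++; }

// Stand-in for SSLNetVConnection::free(): releases iobuf unless it was detached.
struct SSLNetVConnection {
  MIOBuffer *iobuf = nullptr;
  void free_vc() { free_MIOBuffer(iobuf); iobuf = nullptr; }
};

// Stand-in for SpdyClientSession: req_buffer aliases the VC's iobuf. clear() hands
// ownership over by nulling vc->iobuf, but only if the session still knows its VC.
struct SpdyClientSession {
  SSLNetVConnection *vc = nullptr;
  MIOBuffer *req_buffer = nullptr;
  void clear() {
    if (vc) vc->iobuf = nullptr;   // skipped when vc was already null'ed out
    free_MIOBuffer(req_buffer);
    req_buffer = nullptr;
  }
};

// Teardown as the report describes it: the ProxyClientSession cleanup nulls the netvc
// before clear() runs, then the inactivity cop closes the VC. Returns the free count.
int teardown_before_fix() {
  MIOBuffer buf; SSLNetVConnection vc; SpdyClientSession ssn;
  vc.iobuf = &buf; ssn.vc = &vc; ssn.req_buffer = &buf;
  ssn.vc = nullptr;   // netvc null'ed out first
  ssn.clear();        // handoff skipped: frees buf once
  vc.free_vc();       // frees buf again: the heap-use-after-free ASAN reports
  return buf.frees;   // 2
}

// Teardown with the ticket's fix: detach iobuf from the VC before the SSN_CLOSE_HOOK path.
int teardown_after_fix() {
  MIOBuffer buf; SSLNetVConnection vc; SpdyClientSession ssn;
  vc.iobuf = &buf; ssn.vc = &vc; ssn.req_buffer = &buf;
  vc.iobuf = nullptr; // VC gives up the buffer before the close hook fires
  ssn.vc = nullptr;
  ssn.clear();        // sole owner frees buf once
  vc.free_vc();       // nothing left to free
  return buf.frees;   // 1
}

int main() {
  std::printf("frees before fix: %d, after fix: %d\n", teardown_before_fix(), teardown_after_fix());
  return 0;
}
```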

      [E. Mgmt] log ==> [TrafficManager] using root directory '/opt/ats'
      [Jul 28 16:32:38.748] Manager {0x7fba0fb738c0} WARNING: Be aware that access control checks for HTTP/2 connections are not active!
      [Jul 28 16:32:38.748] Manager {0x7fba0fb738c0} WARNING: Be aware that access control checks for HTTP/2 connections are not active!
      traffic_server: using root directory '/opt/ats'
      =================================================================
      ==30546==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110001cb010 at pc 0xb4ee72 bp 0x2b0ac04527e0 sp 0x2b0ac04527d8
      READ of size 8 at 0x6110001cb010 thread T6 ([ET_NET 5])
          #0 0xb4ee71 in Ptr<IOBufferBlock>::operator=(IOBufferBlock*) ../../lib/ts/Ptr.h:354
          #1 0xb4ee71 in free_MIOBuffer ../../iocore/eventsystem/P_IOBuffer.h:770
          #2 0xb4ee71 in SSLNetVConnection::free(EThread*) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:907
          #3 0xbac5f9 in close_UnixNetVConnection(UnixNetVConnection*, EThread*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:134
          #4 0xbb62c6 in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:164
          #5 0xbb62c6 in UnixNetVConnection::mainEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1175
          #6 0xb8b762 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146
          #7 0xb8b762 in InactivityCop::check_inactivity(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:102
          #8 0xc3180e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
          #9 0xc3180e in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
          #10 0xc33a77 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207
          #11 0xc30418 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
          #12 0x2b0ab890edf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
          #13 0x2b0aba1771ac in __clone (/lib64/libc.so.6+0xf61ac)
      
      0x6110001cb010 is located 16 bytes inside of 240-byte region [0x6110001cb000,0x6110001cb0f0)
      freed by thread T6 ([ET_NET 5]) here:
          #0 0x2b0ab650d1c7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
          #1 0x782f88 in SpdyClientSession::clear() /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:162
          #2 0x783310 in SpdyClientSession::destroy() /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:274
          #3 0x780240 in SpdyClientSession::do_io_close(int) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:487
          #4 0x780240 in SpdyClientSession::state_session_readwrite(int, void*) /usr/local/src/trafficserver/proxy/spdy/SpdyClientSession.cc:263
          #5 0xbb6410 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146
          #6 0xbb6410 in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:145
          #7 0xbb6410 in UnixNetVConnection::mainEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1175
          #8 0xb8b762 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:146
          #9 0xb8b762 in InactivityCop::check_inactivity(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:102
          #10 0xc3180e in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
          #11 0xc3180e in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
          #12 0xc33a77 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207
          #13 0xc30418 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
          #14 0x2b0ab890edf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
      
      previously allocated by thread T6 ([ET_NET 5]) here:
          #0 0x2b0ab650d93b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
          #1 0x2b0ab73f6849 in ats_memalign /usr/local/src/trafficserver/lib/ts/ink_memory.cc:100
          #2 0x2b0ab73f71b0 in ink_freelist_new /usr/local/src/trafficserver/lib/ts/ink_queue.cc:239
          #3 0xb617cc in ClassAllocator<MIOBuffer>::alloc() ../../lib/ts/Allocator.h:120
          #4 0xb617cc in thread_alloc<MIOBuffer> ../../iocore/eventsystem/I_ProxyAllocator.h:63
          #5 0xb617cc in new_MIOBuffer_internal ../../iocore/eventsystem/P_IOBuffer.h:759
          #6 0xb617cc in MIOBuffer_tracker::operator()(long) ../../iocore/eventsystem/I_IOBuffer.h:1253
          #7 0xb617cc in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:520
          #8 0xb8163c in NetHandler::mainNetEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:516
          #9 0xc346ee in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:146
          #10 0xc346ee in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
          #11 0xc346ee in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:252
          #12 0xc30418 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:86
          #13 0x2b0ab890edf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
      
      Thread T6 ([ET_NET 5]) created by T0 ([ET_NET 0]) here:
          #0 0x2b0ab64dc86a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
          #1 0xc310a5 in ink_thread_create ../../lib/ts/ink_thread.h:150
          #2 0xc310a5 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:101
          #3 0xc396f6 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
          #4 0x49676b in main /usr/local/src/trafficserver/proxy/Main.cc:1624
          #5 0x2b0aba0a2af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
      
      SUMMARY: AddressSanitizer: heap-use-after-free ../../lib/ts/Ptr.h:354 Ptr<IOBufferBlock>::operator=(IOBufferBlock*)
      ==30546==ABORTING
      traffic_server: using root directory '/opt/ats'
      

      People

        Assignee: Sudheer Vinukonda (sudheerv)
        Reporter: Sudheer Vinukonda (sudheerv)