Traffic Server / TS-3910

SSLNetVConnection and add_to_active_queue heap-use-after-free

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 6.0.0
    • Fix Version/s: None
    • Component/s: Network, SSL
    • Labels: None

    Description

      ==15615==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000be6288 at pc 0x9e756d bp 0x2b14e4f317d0 sp 0x2b14e4f317c8
      WRITE of size 8 at 0x618000be6288 thread T6 ([ET_NET 5])
          #0 0x9e756c in DLL<UnixNetVConnection, UnixNetVConnection::Link_active_queue_link>::insert(UnixNetVConnection*, UnixNetVConnection*) (/home/y/bin64/traffic_server+0x9e756c)
          #1 0x9e6b98 in Queue<UnixNetVConnection, UnixNetVConnection::Link_active_queue_link>::insert(UnixNetVConnection*, UnixNetVConnection*) (/home/y/bin64/traffic_server+0x9e6b98)
          #2 0x9e5fe2 in Queue<UnixNetVConnection, UnixNetVConnection::Link_active_queue_link>::enqueue(UnixNetVConnection*) (/home/y/bin64/traffic_server+0x9e5fe2)
          #3 0x9e3cc8 in NetHandler::add_to_active_queue(UnixNetVConnection*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:733
          #4 0x9ddbe8 in UnixNetVConnection::add_to_active_queue() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixConnection.cc:409
          #5 0x64b34c in HttpClientSession::new_transaction() /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpClientSession.cc:124
          #6 0x64e27d in HttpClientSession::state_keep_alive(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpClientSession.cc:415
          #7 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
          #8 0x9f4040 in read_signal_and_update /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145
          #9 0x9fa8c3 in UnixNetVConnection::readSignalAndUpdate(int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1013
          #10 0x9be342 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:605
          #11 0x9e1a02 in NetHandler::mainNetEvent(int, Event*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:516
          #12 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
          #13 0xa405e4 in EThread::process_event(Event*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
          #14 0xa411fc in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:252
          #15 0xa3ebbd in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
          #16 0x2b14dce95df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
          #17 0x2b14ddc261ac in __clone (/lib64/libc.so.6+0xf61ac)
      
      0x618000be6288 is located 520 bytes inside of 880-byte region [0x618000be6080,0x618000be63f0)
      freed by thread T6 ([ET_NET 5]) here:
          #0 0x2b14da1b01d7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
          #1 0x2b14db0ab3b2 in ats_memalign_free /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_memory.cc:139
          #2 0x2b14db0abf60 in ink_freelist_free /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_queue.cc:292
          #3 0x9c7226 in ClassAllocator<SSLNetVConnection>::free(SSLNetVConnection*) (/home/y/bin64/traffic_server+0x9c7226)
          #4 0x9c1a72 in SSLNetVConnection::free(EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:936
          #5 0x9f3f81 in close_UnixNetVConnection(UnixNetVConnection*, EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:134
          #6 0x9f42f6 in read_signal_and_update /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:164
          #7 0x9f46f4 in read_signal_done /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:206
          #8 0x9fa8a1 in UnixNetVConnection::readSignalDone(int, NetHandler*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1006
          #9 0x9be784 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:647
          #10 0x9e1a02 in NetHandler::mainNetEvent(int, Event*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:516
          #11 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
          #12 0xa405e4 in EThread::process_event(Event*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
          #13 0xa411fc in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:252
          #14 0xa3ebbd in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
          #15 0x2b14dce95df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
      
      previously allocated by thread T48 ([ACCEPT 0:444]) here:
          #0 0x2b14da1b094b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
          #1 0x2b14db0ab233 in ats_memalign /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_memory.cc:100
          #2 0x2b14db0abe0d in ink_freelist_new /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_queue.cc:239
          #3 0x9ba049 in ClassAllocator<SSLNetVConnection>::alloc() ../../lib/ts/Allocator.h:120
          #4 0x9b9ac7 in SSLNetProcessor::allocate_vc(EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetProcessor.cc:134
          #5 0x9e9d0c in NetAccept::do_blocking_accept(EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetAccept.cc:275
          #6 0x9ebf4d in NetAccept::acceptLoopEvent(int, Event*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetAccept.cc:492
          #7 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
          #8 0xa414ad in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:275
          #9 0xa3ebbd in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
          #10 0x2b14dce95df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
      
      Thread T6 ([ET_NET 5]) created by T0 ([ET_NET 0]) here:
          #0 0x2b14da17f87a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
          #1 0xa3e6ea in ink_thread_create ../../lib/ts/ink_thread.h:150
          #2 0xa3ed47 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:101
          #3 0xa43dad in EventProcessor::start(int, unsigned long) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
          #4 0x59180f in main /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/Main.cc:1624
          #5 0x2b14ddb51af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
      

          People

            Assignee: Bryan Call (bcall)
            Reporter: Bryan Call (bcall)