Traffic Server / TS-4470

ASAN stack-buffer-overflow when slow log is enabled

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 6.2.0
    • Fix Version/s: 6.2.0, 7.0.0
    • Component/s: None
    • Labels: None

      Description

      =================================================================
      ==13159==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x2b5ec8877660 at pc 0x0000004fcdf1 bp 0x2b5ec8875c60 sp 0x2b5ec8875410
      READ of size 260 at 0x2b5ec8877660 thread T21 ([ET_NET 20])
      #0 0x4fcdf0 in printf_common(void*, char const*, __va_list_tag*) [clone .isra.6] (/usr/local/bin/traffic_server+0x4fcdf0)
      #1 0x4fd744 in vfprintf (/usr/local/bin/traffic_server+0x4fd744)
      #2 0x2b5ec1a668ee in vprintline<1024> /home/bcall/dev/trafficserver/lib/ts/Diags.cc:61
      #3 0x2b5ec1a668ee in Diags::print_va(char const*, DiagsLevel, SrcLoc const*, char const*, __va_list_tag*) const /home/bcall/dev/trafficserver/lib/ts/Diags.cc:340
      #4 0x2b5ec1a6765f in Diags::error_va(DiagsLevel, char const*, char const*, int, char const*, __va_list_tag*) const /home/bcall/dev/trafficserver/lib/ts/Diags.cc:572
      #5 0x72a724 in Diags::error(DiagsLevel, char const*, char const*, int, char const*, ...) const /home/bcall/dev/trafficserver/lib/ts/Diags.h:242
      #6 0x7455d6 in HttpSM::update_stats() /home/bcall/dev/trafficserver/proxy/http/HttpSM.cc:6972
      #7 0x77b07f in HttpSM::kill_this() /home/bcall/dev/trafficserver/proxy/http/HttpSM.cc:6786
      #8 0x77d6f7 in HttpSM::main_handler(int, void*) /home/bcall/dev/trafficserver/proxy/http/HttpSM.cc:2660
      #9 0x832d3a in Continuation::handleEvent(int, void*) /home/bcall/dev/trafficserver/iocore/eventsystem/I_Continuation.h:153
      #10 0x832d3a in HttpTunnel::main_handler(int, void*) /home/bcall/dev/trafficserver/proxy/http/HttpTunnel.cc:1637
      #11 0xcfdbb5 in Continuation::handleEvent(int, void*) /home/bcall/dev/trafficserver/iocore/eventsystem/I_Continuation.h:153
      #12 0xcfdbb5 in write_signal_and_update /home/bcall/dev/trafficserver/iocore/net/UnixNetVConnection.cc:181
      #13 0xcfdbb5 in write_signal_done /home/bcall/dev/trafficserver/iocore/net/UnixNetVConnection.cc:223
      #14 0xcfdbb5 in write_to_net_io(NetHandler*, UnixNetVConnection*, EThread*) /home/bcall/dev/trafficserver/iocore/net/UnixNetVConnection.cc:563
      #15 0xcbc4ca in NetHandler::mainNetEvent(int, Event*) /home/bcall/dev/trafficserver/iocore/net/UnixNet.cc:529
      #16 0xda8ce3 in Continuation::handleEvent(int, void*) /home/bcall/dev/trafficserver/iocore/eventsystem/I_Continuation.h:153
      #17 0xda8ce3 in EThread::process_event(Event*, int) /home/bcall/dev/trafficserver/iocore/eventsystem/UnixEThread.cc:148
      #18 0xdabc8a in EThread::execute() /home/bcall/dev/trafficserver/iocore/eventsystem/UnixEThread.cc:275
      #19 0xda7a58 in spawn_thread_internal /home/bcall/dev/trafficserver/iocore/eventsystem/Thread.cc:86
      #20 0x2b5ec2264aa0 in start_thread (/lib64/libpthread.so.0+0x3818807aa0)
      #21 0x38180e893c in clone (/lib64/libc.so.6+0x38180e893c)

      Address 0x2b5ec8877660 is located in stack of thread T21 ([ET_NET 20]) at offset 736 in frame
      #0 0x7443ef in HttpSM::update_stats() /home/bcall/dev/trafficserver/proxy/http/HttpSM.cc:6827

      This frame has 6 object(s):
      [32, 36) 'offset'
      [96, 100) 'skip'
      [160, 164) 'length'
      [224, 270) 'client_ip'
      [320, 448) 'unique_id_string'
      [480, 736) 'url_string' <== Memory access at offset 736 overflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions are supported)
      Thread T21 ([ET_NET 20]) created by T0 ([ET_NET 0]) here:
      #0 0x4d50b4 in pthread_create (/usr/local/bin/traffic_server+0x4d50b4)
      #1 0xda85aa in ink_thread_create /home/bcall/dev/trafficserver/lib/ts/ink_thread.h:147
      #2 0xda85aa in Thread::start(char const*, unsigned long, void* (void*), void*) /home/bcall/dev/trafficserver/iocore/eventsystem/Thread.cc:101
      #3 0xdafff2 in EventProcessor::start(int, unsigned long) /home/bcall/dev/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:141
      #4 0x4ab7ed in main /home/bcall/dev/trafficserver/proxy/Main.cc:1733
      #5 0x381801ed5c in __libc_start_main (/lib64/libc.so.6+0x381801ed5c)

      SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 printf_common(void*, char const*, __va_list_tag*) [clone .isra.6]
      Shadow bytes around the buggy address:
      0x056c59106e70: f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 04 f4 f4 f4
      0x056c59106e80: f2 f2 f2 f2 04 f4 f4 f4 f2 f2 f2 f2 00 00 00 00
      0x056c59106e90: 00 06 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00 00 00
      0x056c59106ea0: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00
      0x056c59106eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x056c59106ec0: 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3
      0x056c59106ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
      0x056c59106ee0: f1 f1 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x056c59106ef0: 00 00 00 00 00 00 00 00 00 00 00 f4 f4 f4 f3 f3
      0x056c59106f00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x056c59106f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable: 00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone: fa
      Heap right redzone: fb
      Freed heap region: fd
      Stack left redzone: f1
      Stack mid redzone: f2
      Stack right redzone: f3
      Stack partial redzone: f4
      Stack after return: f5
      Stack use after scope: f8
      Global redzone: f9
      Global init order: f6
      Poisoned by user: f7
      Container overflow: fc
      Array cookie: ac
      Intra object redzone: bb
      ASan internal: fe
      ==13159==ABORTING

            People

            • Assignee: bcall Bryan Call
            • Reporter: bcall Bryan Call
            • Votes: 0
            • Watchers: 3

                Time Tracking

                • Original Estimate: Not Specified
                • Remaining Estimate: 0h
                • Time Spent: 10m