On 2018/6/15 09:06, Frederic Lecaille wrote:
> On 06/15/2018 02:28 PM, Frederic Lecaille wrote:
>> On 06/15/2018 02:15 PM, Frederic Lecaille wrote:
>>> On 06/14/2018 11:05 PM, Patrick Hemmer wrote:
>>>> Haproxy segfaults if you pass the wrong argument type to a converter.
>>>> Example:
>>>>
>>>> haproxy.cfg:
>>>>      global
>>>>          lua-load /tmp/haproxy.lua
>>>>
>>>>      frontend f1
>>>>          mode http
>>>>          bind :8000
>>>>          default_backend b1
>>>>
>>>>          http-request lua.foo
>>>>
>>>>      backend b1
>>>>          mode http
>>>>          server s1 127.0.0.1:8080
>>>>
>>>> haproxy.lua:
>>>>      core.register_action("foo", { "http-req" }, function(txn)
>>>>          txn.sc:ipmask(txn.f:src(), 24, 112)
>>>>      end)
>>>>
>>>> Result:
>>>>      * thread #1, queue = 'com.apple.main-thread', stop reason =
>>>> EXC_BAD_ACCESS (code=1, address=0x18)
>>>>          frame #0: 0x00007fffc9fcbf56
>>>> libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 182
>>>> libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell:
>>>>      ->  0x7fffc9fcbf56 <+182>: movb   (%rsi,%r8), %cl
>>>>          0x7fffc9fcbf5a <+186>: movb   %cl, (%rdi,%r8)
>>>>          0x7fffc9fcbf5e <+190>: subq   $0x1, %rdx
>>>>          0x7fffc9fcbf62 <+194>: je 0x7fffc9fcbf78            ; <+216>
>>>>      Target 0: (haproxy) stopped.
>>>>      (lldb) bt
>>>>      * thread #1, queue = 'com.apple.main-thread', stop reason =
>>>> EXC_BAD_ACCESS (code=1, address=0x18)
>>>>        * frame #0: 0x00007fffc9fcbf56
>>>> libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 182
>>>>          frame #1: 0x00007fffc9e7442e
>>>> libsystem_c.dylib`__memcpy_chk + 22
>>>>          frame #2: 0x000000010002ec46
>>>> haproxy`hlua_lua2arg_check(L=0x000000010120d298, first=3,
>>>> argp=0x00007fff5fbfe690, mask=196, p=0x0000000101817000) at hlua.c:749
>>>>          frame #3: 0x000000010001fa00
>>>> haproxy`hlua_run_sample_conv(L=0x000000010120d298) at hlua.c:3393
>>>>          frame #4: 0x000000010032400b haproxy`luaD_precall + 747
>>>>          frame #5: 0x00000001003343c6 haproxy`luaV_execute + 3158
>>>>          frame #6: 0x0000000100323429 haproxy`luaD_rawrunprotected
>>>> + 89
>>>>          frame #7: 0x0000000100324516 haproxy`lua_resume + 278
>>>>          frame #8: 0x000000010001b199
>>>> haproxy`hlua_ctx_resume(lua=0x0000000101205080, yield_allowed=1) at
>>>> hlua.c:1080
>>>>          frame #9: 0x0000000100027de8
>>>> haproxy`hlua_action(rule=0x000000010101b180, px=0x0000000101817000,
>>>> sess=0x000000010120cb70, s=0x000000010120cc00, flags=2) at hlua.c:6198
>>>>          frame #10: 0x0000000100044bcd
>>>> haproxy`http_req_get_intercept_rule(px=0x0000000101817000,
>>>> rules=0x0000000101817048, s=0x000000010120cc00,
>>>> deny_status=0x00007fff5fbfee78) at proto_http.c:2760
>>>>          frame #11: 0x0000000100046182
>>>> haproxy`http_process_req_common(s=0x000000010120cc00,
>>>> req=0x000000010120cc10, an_bit=16, px=0x0000000101817000) at
>>>> proto_http.c:3461
>>>>          frame #12: 0x0000000100094c50
>>>> haproxy`process_stream(t=0x000000010120cf40,
>>>> context=0x000000010120cc00, state=9) at stream.c:1905
>>>>          frame #13: 0x000000010016179f
>>>> haproxy`process_runnable_tasks at task.c:362
>>>>          frame #14: 0x00000001000ea0eb haproxy`run_poll_loop at
>>>> haproxy.c:2403
>>>>          frame #15: 0x00000001000e7c74
>>>> haproxy`run_thread_poll_loop(data=0x00007fff5fbff3a4) at
>>>> haproxy.c:2464
>>>>          frame #16: 0x00000001000e4a49 haproxy`main(argc=3,
>>>> argv=0x00007fff5fbff590) at haproxy.c:3082
>>>>          frame #17: 0x00007fffc9db9235 libdyld.dylib`start + 1
>>>>
>>>> Issue goes away if you change the lua txn.sc:ipmask() line to:
>>>>      txn.sc:ipmask(txn.f:src(), '24', '112')
>>>>
>>>> Reproduced with current master (9db0fed) and lua version 5.3.4.
>>>>
>>>> -Patrick
>>>
>>> It seems the patch attached to this mail fixes this issue. It at
>>> least makes the varnishtest test file pass.
>>>
>>> Must be checked by Thierry.
>>
>> Should have mentioned that I could not reproduce this issue without
>> compiling the thread support (USE_THREAD=1).
>
> There is potentially the same issue in hlua_run_sample_conv(). See the
> updated patch attached to this mail.
>
>
I can confirm this patch addresses the segfault for my use case.

Thanks

-Patrick
