Segfaults with 1.9.6

Olivier D Fri, 25 Oct 2019 05:49:31 -0700

Hello,

I know I'm reporting an issue with  an old version, but I got 2 segfaults
in 48h.
As I only got 3 segfaults with HAProxy in +10 years, I just wanted to make
sure these bugs have been caught and are now fixed.


haproxy -vv output:

HA-Proxy version 1.9.6 2019/03/29 - https://haproxy.org/
Build options :
  TARGET  = linux2628
  CPU     = generic
  CC      = gcc
  CFLAGS  = -O2 -g -fno-strict-aliasing -Wdeclaration-after-statement
-fwrapv -Wno-format-truncation -Wno-unused-label -Wno-sign-compare
-Wno-unused-parameter -Wno-old-style-declaration -Wno-ignored-qualifiers
-Wno-clobbered -Wno-missing-field-initializers -Wno-implicit-fallthrough
-Wno-stringop-overflow -Wtype-limits -Wshift-negative-value
-Wshift-overflow=2 -Wduplicated-cond -Wnull-dereference
  OPTIONS = USE_ZLIB=1 USE_OPENSSL=1 USE_LUA=1 USE_STATIC_PCRE=1

Default settings :
  maxconn = 2000, bufsize = 16384, maxrewrite = 1024, maxpollevents = 200

Built with OpenSSL version : OpenSSL 1.1.1b  26 Feb 2019
Running on OpenSSL version : OpenSSL 1.1.1b  26 Feb 2019
OpenSSL library supports TLS extensions : yes
OpenSSL library supports SNI : yes
OpenSSL library supports : TLSv1.0 TLSv1.1 TLSv1.2 TLSv1.3
Built with Lua version : Lua 5.3.5
Built with transparent proxy support using: IP_TRANSPARENT IPV6_TRANSPARENT
IP_FREEBIND
Built with zlib version : 1.2.11
Running on zlib version : 1.2.11
Compression algorithms supported : identity("identity"),
deflate("deflate"), raw-deflate("deflate"), gzip("gzip")
Built with PCRE version : 8.41 2017-07-05
Running on PCRE version : 8.41 2017-07-05
PCRE library supports JIT : no (USE_PCRE_JIT not set)
Encrypted password support via crypt(3): yes
Built with multi-threading support.

Available polling systems :
      epoll : pref=300,  test result OK
       poll : pref=200,  test result OK
     select : pref=150,  test result OK
Total: 3 (3 usable), will use epoll.

Available multiplexer protocols :
(protocols marked as <default> cannot be specified using 'proto' keyword)
              h2 : mode=HTX        side=FE|BE
              h2 : mode=HTTP       side=FE
       <default> : mode=HTX        side=FE|BE
       <default> : mode=TCP|HTTP   side=FE|BE

Available filters :
        [SPOE] spoe
        [COMP] compression
        [CACHE] cache
        [TRACE] trace


### First segfault : ###

Program terminated with signal 11, Segmentation fault.
#0  0x00000000004cba32 in h2_process_mux (h2c=0x9b4b300) at
src/mux_h2.c:2588

(gdb) bt full
#0  0x00000000004cba32 in h2_process_mux (h2c=0x9b4b300) at
src/mux_h2.c:2588
        h2s = 0x98edf50
#1  h2_send (h2c=h2c@entry=0x9b4b300) at src/mux_h2.c:2716
        flags = <optimized out>
        conn = 0x9aef030
        done = 0
        sent = 0
#2  0x00000000004d3918 in h2_io_cb (t=<optimized out>, ctx=0x9b4b300,
status=<optimized out>) at src/mux_h2.c:2778
        h2c = 0x9b4b300
        ret = 0
#3  0x0000000000584456 in process_runnable_tasks () at src/task.c:437
        t = 0x9e15170
        state = <optimized out>
        ctx = <optimized out>
        process = <optimized out>
        t = <optimized out>
        max_processed = 194
#4  0x0000000000503fd4 in run_poll_loop () at src/haproxy.c:2642
        next = <optimized out>
        exp = <optimized out>
#5  run_thread_poll_loop (data=data@entry=0x19a32b0) at src/haproxy.c:2707
        ptif = <optimized out>
        ptdf = <optimized out>
        start_lock = 0
#6  0x00000000004648d8 in main (argc=<optimized out>, argv=0x7ffccfb0cba8)
at src/haproxy.c:3343
        tids = 0x19a32b0
        threads = 0x19a2750
        i = <optimized out>
        old_sig = {__val = {68097, 0, 64, 206158430210, 532575944795,
472446402679, 0, 139791683256608, 24, 11381472, 335544638, 11392704,
26776016, 139791680031404, 0, 26699504}}
        blocked_sig = {__val = {18446744067199990583, 18446744073709551615
<repeats 15 times>}}
        err = <optimized out>
        retry = <optimized out>
        limit = {rlim_cur = 801167, rlim_max = 801167}
        errmsg =
"\000\000\000\000\000\000\000\000\220Ap\312#\177\000\000\000\357\200\000\000\000\000\000(\357\200\000\000\000\000\000\231\353\200\000\000\000\000\000\000\000\000\000\002",
'\000' <repeats 11 times>"\350,
Dp\312#\177\000\000p\311\260\317\374\177\000\000\035\000\000\000\000\000\000\000\210\311\260\317\374\177\000\000
\326\230\001\001\000\000\000\000v\000"
        pidfd = <optimized out>


### Second segfault ###
Program terminated with signal 11, Segmentation fault.
#0  0x00000000005808b5 in __pendconn_unlink (p=p@entry=0x7fff694b0730) at
src/queue.c:138

(gdb) bt full
#0  0x00000000005808b5 in __pendconn_unlink (p=p@entry=0x7fff694b0730) at
src/queue.c:138
No locals.
#1  0x0000000000581507 in pendconn_redistribute (s=s@entry=0x6b01cd0) at
src/queue.c:413
        p = 0x7fff694b0730
        node = 0xb781a88
#2  0x00000000004ee2b2 in srv_update_status (s=s@entry=0x6b01cd0) at
src/server.c:4805
        next_admin = <optimized out>
        check = 0x6b02170
        xferred = <optimized out>
        px = 0x6a357e0
        prev_srv_count = 2
        srv_was_stopping = <optimized out>
        log_level = <optimized out>
        tmptrash = 0x0
#3  0x00000000004eef04 in srv_set_stopped (s=0x6b01cd0,
reason=reason@entry=0x0,
check=<optimized out>) at src/server.c:1016
        srv = <optimized out>
#4  0x00000000004eefc1 in srv_set_stopped (s=<optimized out>,
reason=reason@entry=0x0, check=<optimized out>) at src/server.c:999
No locals.
#5  0x00000000004f51c2 in check_notify_failure (check=check@entry=0x6b02170)
at src/checks.c:326
        s = <optimized out>
#6  0x00000000004fde28 in process_chk_conn (state=<optimized out>,
context=0x6b02170, t=0x8e16ba0) at src/checks.c:2302
        cs = <optimized out>
        conn = <optimized out>
        rv = <optimized out>
        check = 0x6b02170
        proxy = 0x6a357e0
#7  process_chk (t=0x8e16ba0, context=0x6b02170, state=<optimized out>) at
src/checks.c:2345
        check = 0x6b02170
#8  0x0000000000584456 in process_runnable_tasks () at src/task.c:437
        t = 0x8e16ba0
        state = <optimized out>
        ctx = <optimized out>
        process = <optimized out>
        t = <optimized out>
        max_processed = 199
#9  0x0000000000503fd4 in run_poll_loop () at src/haproxy.c:2642
        next = <optimized out>
        exp = <optimized out>
#10 run_thread_poll_loop (data=data@entry=0x131e280) at src/haproxy.c:2707
        ptif = <optimized out>
        ptdf = <optimized out>
        start_lock = 0
#11 0x00000000004648d8 in main (argc=<optimized out>, argv=0x7fff694b0cb8)
at src/haproxy.c:3343
        tids = 0x131e280
        threads = 0x131d720
        i = <optimized out>
        old_sig = {__val = {68097, 0, 64, 206158430210, 532575944795,
472446402679, 0, 140406116471072, 24, 11381472, 335544638, 11392704,
19939792, 140406113245868, 0, 19863280}}
        blocked_sig = {__val = {18446744067199990583, 18446744073709551615
<repeats 15 times>}}
        err = <optimized out>
        retry = <optimized out>
        limit = {rlim_cur = 801167, rlim_max = 801167}
        errmsg =
"\000\000\000\000\000\000\000\000\220\021\203\331\262\177\000\000\000\357\200\000\000\000\000\000(\357\200\000\000\000\000\000\231\353\200\000\000\000\000\000\000\000\000\000\002",
'\000' <repeats 11 times>"\350,
\024\203\331\262\177\000\000\200\nKi\377\177\000\000\035\000\000\000\000\000\000\000\230\nKi\377\177\000\000
\206\060\001\001\000\000\000\000v\000"
        pidfd = <optimized out>



Config file is very heavy with dozens of frontends and backends.
I can provide the coredump in a secure channel if needed.

Olivier

Segfaults with 1.9.6

Reply via email to