Leif Hedstrom created TS-3710:
---------------------------------
Summary: ASAN crash in TLS with 6.0.0
Key: TS-3710
URL: https://issues.apache.org/jira/browse/TS-3710
Project: Traffic Server
Issue Type: Bug
Reporter: Leif Hedstrom
{code}
==18563==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000541a8 at pc 0xb9e0c2 bp 0x2ae1c3cac8d0 sp 0x2ae1c3cac8c8
READ of size 8 at 0x6060000541a8 thread T4 ([ET_NET 3])
    #0 0xb9e0c1 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
    #1 0xb9e0c1 in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:139
    #2 0xb9e0c1 in UnixNetVConnection::mainEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1108
    #3 0xb7c47f in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
    #4 0xb7c47f in InactivityCop::check_inactivity(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:109
    #5 0xc215ce in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
    #6 0xc215ce in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #7 0xc237c7 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207
    #8 0xc201e8 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
    #9 0x2ae1bc976df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
    #10 0x2ae1be1df1ac in __clone (/lib64/libc.so.6+0xf61ac)
0x6060000541a8 is located 8 bytes inside of 56-byte region [0x6060000541a0,0x6060000541d8)
freed by thread T4 ([ET_NET 3]) here:
    #0 0x2ae1ba573117 in operator delete(void*) ../../.././libsanitizer/asan/asan_new_delete.cc:81
    #1 0xb5d53e in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) /usr/local/src/trafficserver/iocore/net/SSLNextProtocolAccept.cc:89
    #2 0xbb185f in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
    #3 0xbb185f in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:139
    #4 0xbb185f in read_signal_done /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:200
    #5 0xbb185f in UnixNetVConnection::readSignalDone(int, NetHandler*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:950
    #6 0xb55a4d in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:480
    #7 0xb7754c in NetHandler::mainNetEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:551
    #8 0xc24459 in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
    #9 0xc24459 in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #10 0xc24459 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:252
    #11 0xc201e8 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
    #12 0x2ae1bc976df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
previously allocated by thread T4 ([ET_NET 3]) here:
    #0 0x2ae1ba572c9f in operator new(unsigned long) ../../.././libsanitizer/asan/asan_new_delete.cc:50
    #1 0xb5c2bb in SSLNextProtocolAccept::mainEvent(int, void*) /usr/local/src/trafficserver/iocore/net/SSLNextProtocolAccept.cc:134
    #2 0xb87109 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
    #3 0xb87109 in NetAccept::acceptFastEvent(int, void*) /usr/local/src/trafficserver/iocore/net/UnixNetAccept.cc:466
    #4 0xc24459 in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
    #5 0xc24459 in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #6 0xc24459 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:252
    #7 0xc201e8 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
    #8 0x2ae1bc976df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
Thread T4 ([ET_NET 3]) created by T0 ([ET_NET 0]) here:
    #0 0x2ae1ba54186a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
    #1 0xc20e75 in ink_thread_create ../../lib/ts/ink_thread.h:150
    #2 0xc20e75 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:100
    #3 0xc293f6 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
    #4 0x495b5b in main /usr/local/src/trafficserver/proxy/Main.cc:1633
    #5 0x2ae1be10aaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
SUMMARY: AddressSanitizer: heap-use-after-free ../../iocore/eventsystem/I_Continuation.h:145 Continuation::handleEvent(int, void*)
Shadow bytes around the buggy address:
0x0c0c800027e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c800027f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c0c80002800: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
0x0c0c80002810: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
0x0c0c80002820: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fa
=>0x0c0c80002830: fa fa fa fa fd[fd]fd fd fd fd fd fa fa fa fa fa
0x0c0c80002840: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c80002850: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c80002860: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
0x0c0c80002870: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
0x0c0c80002880: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==18563==ABORTING
traffic_server: using root directory '/opt/ats'
traffic_server: Terminated (Signal sent by kill() 18557 0)
traffic_server: Terminated (Signal sent by kill() 3194 0)
[E. Mgmt] log ==> [TrafficManager] using root directory '/opt/ats'
[Jun 20 15:34:29.202] Manager {0x7f9e89a198c0} WARNING: Be aware that access control checks for HTTP/2 connections are not active!
[Jun 20 15:34:29.202] Manager {0x7f9e89a198c0} WARNING: Be aware that access control checks for HTTP/2 connections are not active!
traffic_server: using root directory '/opt/ats'
{code}