[ https://issues.apache.org/jira/browse/TS-3710?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14596080#comment-14596080 ]

Leif Hedstrom commented on TS-3710:
-----------------------------------

I think, but not 100% sure, that I see the same issue without ASAN, which 
causes a crash:

{code}
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x0000000000742f51 in handleEvent (data=0x404cfd8, event=105, this=0x2cdf800) at ../../iocore/eventsystem/I_Continuation.h:145
#2  read_signal_and_update (vc=0x404cec0, event=105) at UnixNetVConnection.cc:142
#3  UnixNetVConnection::mainEvent (this=0x404cec0, event=<optimized out>, e=<optimized out>) at UnixNetVConnection.cc:1115
#4  0x0000000000739be4 in handleEvent (data=0x3125d00, event=1, this=0x404cec0) at ../../iocore/eventsystem/I_Continuation.h:145
#5  InactivityCop::check_inactivity (this=0x2cd81c0, event=<optimized out>, e=<optimized out>) at UnixNet.cc:102
#6  0x0000000000768640 in handleEvent (data=0x3125d00, event=2, this=<optimized out>) at I_Continuation.h:145
#7  EThread::process_event (this=0x2df0000, e=0x3125d00, calling_code=2) at UnixEThread.cc:128
#8  0x00000000007694e9 in EThread::execute (this=0x2df0000) at UnixEThread.cc:207
#9  0x00000000007680f5 in spawn_thread_internal (a=0x2b32550) at Thread.cc:85
#10 0x00002b36f5b7552a in start_thread (arg=0x2b36f8c31700) at pthread_create.c:310
#11 0x00002b36f6c2322d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109
{code}


> ASAN crash in TLS with 6.0.0
> ----------------------------
>
>                 Key: TS-3710
>                 URL: https://issues.apache.org/jira/browse/TS-3710
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Leif Hedstrom
>             Fix For: 6.0.0
>
>
> {code}
> ==18563==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060000541a8 at pc 0xb9e0c2 bp 0x2ae1c3cac8d0 sp 0x2ae1c3cac8c8
> READ of size 8 at 0x6060000541a8 thread T4 ([ET_NET 3])
>     #0 0xb9e0c1 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
>     #1 0xb9e0c1 in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:139
>     #2 0xb9e0c1 in UnixNetVConnection::mainEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:1108
>     #3 0xb7c47f in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
>     #4 0xb7c47f in InactivityCop::check_inactivity(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:109
>     #5 0xc215ce in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
>     #6 0xc215ce in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #7 0xc237c7 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:207
>     #8 0xc201e8 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
>     #9 0x2ae1bc976df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
>     #10 0x2ae1be1df1ac in __clone (/lib64/libc.so.6+0xf61ac)
> 0x6060000541a8 is located 8 bytes inside of 56-byte region [0x6060000541a0,0x6060000541d8)
> freed by thread T4 ([ET_NET 3]) here:
>     #0 0x2ae1ba573117 in operator delete(void*) ../../.././libsanitizer/asan/asan_new_delete.cc:81
>     #1 0xb5d53e in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) /usr/local/src/trafficserver/iocore/net/SSLNextProtocolAccept.cc:89
>     #2 0xbb185f in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
>     #3 0xbb185f in read_signal_and_update /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:139
>     #4 0xbb185f in read_signal_done /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:200
>     #5 0xbb185f in UnixNetVConnection::readSignalDone(int, NetHandler*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:950
>     #6 0xb55a4d in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:480
>     #7 0xb7754c in NetHandler::mainNetEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:551
>     #8 0xc24459 in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
>     #9 0xc24459 in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #10 0xc24459 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:252
>     #11 0xc201e8 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
>     #12 0x2ae1bc976df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> previously allocated by thread T4 ([ET_NET 3]) here:
>     #0 0x2ae1ba572c9f in operator new(unsigned long) ../../.././libsanitizer/asan/asan_new_delete.cc:50
>     #1 0xb5c2bb in SSLNextProtocolAccept::mainEvent(int, void*) /usr/local/src/trafficserver/iocore/net/SSLNextProtocolAccept.cc:134
>     #2 0xb87109 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:145
>     #3 0xb87109 in NetAccept::acceptFastEvent(int, void*) /usr/local/src/trafficserver/iocore/net/UnixNetAccept.cc:466
>     #4 0xc24459 in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:145
>     #5 0xc24459 in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:128
>     #6 0xc24459 in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:252
>     #7 0xc201e8 in spawn_thread_internal /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:85
>     #8 0x2ae1bc976df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> Thread T4 ([ET_NET 3]) created by T0 ([ET_NET 0]) here:
>     #0 0x2ae1ba54186a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
>     #1 0xc20e75 in ink_thread_create ../../lib/ts/ink_thread.h:150
>     #2 0xc20e75 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /usr/local/src/trafficserver/iocore/eventsystem/Thread.cc:100
>     #3 0xc293f6 in EventProcessor::start(int, unsigned long) /usr/local/src/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
>     #4 0x495b5b in main /usr/local/src/trafficserver/proxy/Main.cc:1633
>     #5 0x2ae1be10aaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> SUMMARY: AddressSanitizer: heap-use-after-free ../../iocore/eventsystem/I_Continuation.h:145 Continuation::handleEvent(int, void*)
> Shadow bytes around the buggy address:
>   0x0c0c800027e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c0c800027f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
>   0x0c0c80002800: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
>   0x0c0c80002810: fd fd fd fd fd fd fd fa fa fa fa fa 00 00 00 00
>   0x0c0c80002820: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fa
> =>0x0c0c80002830: fa fa fa fa fd[fd]fd fd fd fd fd fa fa fa fa fa
>   0x0c0c80002840: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
>   0x0c0c80002850: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 fa
>   0x0c0c80002860: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
>   0x0c0c80002870: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
>   0x0c0c80002880: fd fd fd fa fa fa fa fa 00 00 00 00 00 00 00 fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Contiguous container OOB:fc
>   ASan internal:           fe
> ==18563==ABORTING
> traffic_server: using root directory '/opt/ats'
> traffic_server: Terminated (Signal sent by kill() 18557 0)
> traffic_server: Terminated (Signal sent by kill() 3194 0)
> [E. Mgmt] log ==> [TrafficManager] using root directory '/opt/ats'
> [Jun 20 15:34:29.202] Manager {0x7f9e89a198c0} WARNING: Be aware that access control checks for HTTP/2 connections are not active!
> [Jun 20 15:34:29.202] Manager {0x7f9e89a198c0} WARNING: Be aware that access control checks for HTTP/2 connections are not active!
> traffic_server: using root directory '/opt/ats'
> {code}


