Bryan Call created TS-3910:
------------------------------
Summary: SSLNetVConnection and add_to_active_queue heap-use-after-free
Key: TS-3910
URL: https://issues.apache.org/jira/browse/TS-3910
Project: Traffic Server
Issue Type: Bug
Components: Network, SSL
Reporter: Bryan Call
{code}
==15615==ERROR: AddressSanitizer: heap-use-after-free on address 0x618000be6288 at pc 0x9e756d bp 0x2b14e4f317d0 sp 0x2b14e4f317c8
WRITE of size 8 at 0x618000be6288 thread T6 ([ET_NET 5])
    #0 0x9e756c in DLL<UnixNetVConnection, UnixNetVConnection::Link_active_queue_link>::insert(UnixNetVConnection*, UnixNetVConnection*) (/home/y/bin64/traffic_server+0x9e756c)
    #1 0x9e6b98 in Queue<UnixNetVConnection, UnixNetVConnection::Link_active_queue_link>::insert(UnixNetVConnection*, UnixNetVConnection*) (/home/y/bin64/traffic_server+0x9e6b98)
    #2 0x9e5fe2 in Queue<UnixNetVConnection, UnixNetVConnection::Link_active_queue_link>::enqueue(UnixNetVConnection*) (/home/y/bin64/traffic_server+0x9e5fe2)
    #3 0x9e3cc8 in NetHandler::add_to_active_queue(UnixNetVConnection*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:733
    #4 0x9ddbe8 in UnixNetVConnection::add_to_active_queue() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixConnection.cc:409
    #5 0x64b34c in HttpClientSession::new_transaction() /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpClientSession.cc:124
    #6 0x64e27d in HttpClientSession::state_keep_alive(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpClientSession.cc:415
    #7 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #8 0x9f4040 in read_signal_and_update /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145
    #9 0x9fa8c3 in UnixNetVConnection::readSignalAndUpdate(int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1013
    #10 0x9be342 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:605
    #11 0x9e1a02 in NetHandler::mainNetEvent(int, Event*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:516
    #12 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #13 0xa405e4 in EThread::process_event(Event*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #14 0xa411fc in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:252
    #15 0xa3ebbd in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
    #16 0x2b14dce95df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
    #17 0x2b14ddc261ac in __clone (/lib64/libc.so.6+0xf61ac)

0x618000be6288 is located 520 bytes inside of 880-byte region [0x618000be6080,0x618000be63f0)
freed by thread T6 ([ET_NET 5]) here:
    #0 0x2b14da1b01d7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x2b14db0ab3b2 in ats_memalign_free /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_memory.cc:139
    #2 0x2b14db0abf60 in ink_freelist_free /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_queue.cc:292
    #3 0x9c7226 in ClassAllocator<SSLNetVConnection>::free(SSLNetVConnection*) (/home/y/bin64/traffic_server+0x9c7226)
    #4 0x9c1a72 in SSLNetVConnection::free(EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:936
    #5 0x9f3f81 in close_UnixNetVConnection(UnixNetVConnection*, EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:134
    #6 0x9f42f6 in read_signal_and_update /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:164
    #7 0x9f46f4 in read_signal_done /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:206
    #8 0x9fa8a1 in UnixNetVConnection::readSignalDone(int, NetHandler*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1006
    #9 0x9be784 in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:647
    #10 0x9e1a02 in NetHandler::mainNetEvent(int, Event*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:516
    #11 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #12 0xa405e4 in EThread::process_event(Event*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #13 0xa411fc in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:252
    #14 0xa3ebbd in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
    #15 0x2b14dce95df4 in start_thread (/lib64/libpthread.so.0+0x7df4)

previously allocated by thread T48 ([ACCEPT 0:444]) here:
    #0 0x2b14da1b094b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
    #1 0x2b14db0ab233 in ats_memalign /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_memory.cc:100
    #2 0x2b14db0abe0d in ink_freelist_new /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_queue.cc:239
    #3 0x9ba049 in ClassAllocator<SSLNetVConnection>::alloc() ../../lib/ts/Allocator.h:120
    #4 0x9b9ac7 in SSLNetProcessor::allocate_vc(EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetProcessor.cc:134
    #5 0x9e9d0c in NetAccept::do_blocking_accept(EThread*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetAccept.cc:275
    #6 0x9ebf4d in NetAccept::acceptLoopEvent(int, Event*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetAccept.cc:492
    #7 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #8 0xa414ad in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:275
    #9 0xa3ebbd in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
    #10 0x2b14dce95df4 in start_thread (/lib64/libpthread.so.0+0x7df4)

Thread T6 ([ET_NET 5]) created by T0 ([ET_NET 0]) here:
    #0 0x2b14da17f87a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
    #1 0xa3e6ea in ink_thread_create ../../lib/ts/ink_thread.h:150
    #2 0xa3ed47 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:101
    #3 0xa43dad in EventProcessor::start(int, unsigned long) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
    #4 0x59180f in main /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/Main.cc:1624
    #5 0x2b14ddb51af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
{code}