Bryan Call created TS-3920:
------------------------------
Summary: MIMEHdr heap-use-after-free
Key: TS-3920
URL: https://issues.apache.org/jira/browse/TS-3920
Project: Traffic Server
Issue Type: Bug
Components: HTTP
Reporter: Bryan Call
{code}
==24576==ERROR: AddressSanitizer: heap-use-after-free on address 0x62501880600c at pc 0x81aaea bp 0x2abfc0de7300 sp 0x2abfc0de72f8
READ of size 10 at 0x62501880600c thread T19 ([ET_NET 18])
    #0 0x81aae9 in HdrHeap::duplicate_str(char const*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/HdrHeap.cc:320
    #1 0x82faf7 in mime_field_value_set(HdrHeap*, MIMEHdrImpl*, MIMEField*, char const*, int, bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/MIME.cc:2076
    #2 0x5c2933 in MIMEField::value_set(HdrHeap*, MIMEHdrImpl*, char const*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/MIME.h:810
    #3 0x7138b5 in MIMEHdr::field_value_set(MIMEField*, char const*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/MIME.h:1296
    #4 0x6c74fb in HttpTransact::ModifyRequest(HttpTransact::State*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpTransact.cc:1151
    #5 0x69e65f in HttpSM::call_transact_and_set_next_state(void (*)(HttpTransact::State*)) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpSM.cc:6881
    #6 0x66bb6c in HttpSM::state_read_client_request_header(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpSM.cc:766
    #7 0x679549 in HttpSM::main_handler(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpSM.cc:2542
    #8 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #9 0x5a7f22 in PluginVC::process_read_side(bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/PluginVC.cc:663
    #10 0x5a6d02 in PluginVC::process_write_side(bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/PluginVC.cc:555
    #11 0x5a401d in PluginVC::main_handler(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/PluginVC.cc:208
    #12 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #13 0xa40450 in EThread::process_event(Event*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #14 0xa40903 in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:179
    #15 0xa3ea29 in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
    #16 0x2abfb58f0df4 in start_thread (/lib64/libpthread.so.0+0x7df4)
    #17 0x2abfb66811ac in __clone (/lib64/libc.so.6+0xf61ac)

0x62501880600c is located 12 bytes inside of 4096-byte region [0x625018806000,0x625018807000)
freed by thread T19 ([ET_NET 18]) here:
    #0 0x2abfb2c0b1d7 in __interceptor_free ../../.././libsanitizer/asan/asan_malloc_linux.cc:62
    #1 0x2abfb3b063b2 in ats_memalign_free /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_memory.cc:139
    #2 0x2abfb3b06f60 in ink_freelist_free /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_queue.cc:292
    #3 0x4fae6e in Allocator::free_void(void*) ../../lib/ts/Allocator.h:68
    #4 0x4fb85f in IOBufferData::dealloc() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/P_IOBuffer.h:310
    #5 0x4fb98b in IOBufferData::free() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/P_IOBuffer.h:323
    #6 0x742f42 in Ptr<RefCountObj>::operator=(RefCountObj*) ../../lib/ts/Ptr.h:366
    #7 0x81b07c in HdrHeap::coalesce_str_heaps(int) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/HdrHeap.cc:384
    #8 0x81a900 in HdrHeap::allocate_str(int) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/HdrHeap.cc:288
    #9 0x81aa5f in HdrHeap::duplicate_str(char const*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/HdrHeap.cc:318
    #10 0x834534 in mime_str_u16_set(HdrHeap*, char const*, int, char const**, unsigned short*, bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/MIME.cc:2808
    #11 0x82ce4d in mime_field_name_set(HdrHeap*, MIMEHdrImpl*, MIMEField*, short, char const*, int, bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/MIME.cc:1712
    #12 0x5c2aa3 in MIMEHdr::field_create(char const*, int) ../../proxy/hdrs/MIME.h:1083
    #13 0x6c7491 in HttpTransact::ModifyRequest(HttpTransact::State*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpTransact.cc:1148
    #14 0x69e65f in HttpSM::call_transact_and_set_next_state(void (*)(HttpTransact::State*)) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpSM.cc:6881
    #15 0x66bb6c in HttpSM::state_read_client_request_header(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpSM.cc:766
    #16 0x679549 in HttpSM::main_handler(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/http/HttpSM.cc:2542
    #17 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #18 0x5a7f22 in PluginVC::process_read_side(bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/PluginVC.cc:663
    #19 0x5a6d02 in PluginVC::process_write_side(bool) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/PluginVC.cc:555
    #20 0x5a401d in PluginVC::main_handler(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/PluginVC.cc:208
    #21 0x531046 in Continuation::handleEvent(int, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
    #22 0xa40450 in EThread::process_event(Event*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
    #23 0xa40903 in EThread::execute() /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:179
    #24 0xa3ea29 in spawn_thread_internal /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
    #25 0x2abfb58f0df4 in start_thread (/lib64/libpthread.so.0+0x7df4)

previously allocated by thread T19 ([ET_NET 18]) here:
    #0 0x2abfb2c0b94b in __interceptor_posix_memalign ../../.././libsanitizer/asan/asan_malloc_linux.cc:130
    #1 0x2abfb3b06233 in ats_memalign /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_memory.cc:100
    #2 0x2abfb3b06e0d in ink_freelist_new /home/bcall/ytrafficserver-6.0.x/trafficserver/lib/ts/ink_queue.cc:239
    #3 0x530647 in Allocator::alloc_void() ../../lib/ts/Allocator.h:61
    #4 0x531420 in IOBufferData::alloc(long, AllocType) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/P_IOBuffer.h:284
    #5 0x53123c in new_IOBufferData_internal(char const*, long, AllocType) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/P_IOBuffer.h:255
    #6 0x53162e in IOBufferBlock::alloc(long) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/P_IOBuffer.h:399
    #7 0x531e6d in MIOBuffer::alloc(long) ../iocore/eventsystem/P_IOBuffer.h:1096
    #8 0x531c8c in new_MIOBuffer_internal(char const*, long) ../iocore/eventsystem/P_IOBuffer.h:763
    #9 0x530a54 in MIOBuffer_tracker::operator()(long) ../iocore/eventsystem/I_IOBuffer.h:1253
    #10 0x532da5 in FetchSM::init_comm() FetchSM.h:62
    #11 0x52efd3 in FetchSM::ext_init(Continuation*, char const*, char const*, char const*, sockaddr const*, int) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/FetchSM.cc:536
    #12 0x57c48a in TSFetchCreate /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/InkAPI.cc:7365
    #13 0x762626 in spdy_fetcher_launch /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdyCallbacks.cc:190
    #14 0x7631e4 in spdy_process_syn_stream_frame /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdyCallbacks.cc:297
    #15 0x7634ac in spdy_on_ctrl_recv_callback(spdylay_session*, spdylay_frame_type, spdylay_frame*, void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdyCallbacks.cc:317
    #16 0xa463df in spdylay_session_call_on_ctrl_frame_received /home/bcall/ytrafficserver-6.0.x/spdylay-1.2.3/lib/spdylay_session.c:1634
    #17 0xa463df in spdylay_session_on_syn_stream_received /home/bcall/ytrafficserver-6.0.x/spdylay-1.2.3/lib/spdylay_session.c:1782
    #18 0x100002117 (+0x7000b117)

Thread T19 ([ET_NET 18]) created by T0 ([ET_NET 0]) here:
    #0 0x2abfb2bda87a in __interceptor_pthread_create ../../.././libsanitizer/asan/asan_interceptors.cc:183
    #1 0xa3e556 in ink_thread_create ../../lib/ts/ink_thread.h:150
    #2 0xa3ebb3 in Thread::start(char const*, unsigned long, void* (*)(void*), void*) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:101
    #3 0xa43c19 in EventProcessor::start(int, unsigned long) /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
    #4 0x59180f in main /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/Main.cc:1624
    #5 0x2abfb65acaf4 in __libc_start_main (/lib64/libc.so.6+0x21af4)

SUMMARY: AddressSanitizer: heap-use-after-free /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/hdrs/HdrHeap.cc:320 HdrHeap::duplicate_str(char const*, int)
Shadow bytes around the buggy address:
  0x0c4a830f8bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a830f8bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a830f8bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a830f8be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a830f8bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a830f8c00: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a830f8c10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a830f8c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a830f8c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a830f8c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a830f8c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==24576==ABORTING
{code}