[ https://issues.apache.org/jira/browse/TS-3909?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15243658#comment-15243658 ]
ASF GitHub Bot commented on TS-3909:
------------------------------------
GitHub user shinrich opened a pull request:
https://github.com/apache/trafficserver/pull/575
TS-3909 Further trampoline crash fixes.
We have been running with this fix in production since November or December
2015.
You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shinrich/trafficserver ts-3909

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/trafficserver/pull/575.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #575
----
commit 695ddbcde91e384f710f917afd7f52d24699d752
Author: Susan Hinrichs <[email protected]>
Date: 2016-04-15T17:13:21Z
Further trampoline crash fixes.
----
> SSLNextProtocolTrampoline heap-use-after-free
> ---------------------------------------------
>
> Key: TS-3909
> URL: https://issues.apache.org/jira/browse/TS-3909
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Affects Versions: 6.0.0
> Reporter: Bryan Call
> Assignee: Susan Hinrichs
> Fix For: 6.2.0
>
> Attachments: ts-3909.diff
>
>
> {code}
> ==6232==ERROR: AddressSanitizer: heap-use-after-free on address
> 0x606000538880 at pc 0x9c851c bp 0x2ac88a2d4880 sp 0x2ac88a2d4878
> READ of size 8 at 0x606000538880 thread T24 ([ET_NET 23])
> #0 0x9c851b in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:108
> #1 0x531046 in Continuation::handleEvent(int, void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
> #2 0x9f4040 in read_signal_and_update
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145
> #3 0x9f46f4 in read_signal_done
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:206
> #4 0x9fa8a1 in UnixNetVConnection::readSignalDone(int, NetHandler*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1006
> #5 0x9bdd96 in SSLNetVConnection::net_read_io(NetHandler*, EThread*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:542
> #6 0x9e1a02 in NetHandler::mainNetEvent(int, Event*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:516
> #7 0x531046 in Continuation::handleEvent(int, void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
> #8 0xa405e4 in EThread::process_event(Event*, int)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
> #9 0xa411fc in EThread::execute()
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:252
> #10 0xa3ebbd in spawn_thread_internal
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
> #11 0x2ac87d9badf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> #12 0x2ac87e74b1ac in __clone (/lib64/libc.so.6+0xf61ac)
> 0x606000538880 is located 0 bytes inside of 56-byte region
> [0x606000538880,0x6060005388b8)
> freed by thread T24 ([ET_NET 23]) here:
> #0 0x2ac87acd6127 in operator delete(void*)
> ../../.././libsanitizer/asan/asan_new_delete.cc:81
> #1 0x9c8613 in SSLNextProtocolTrampoline::~SSLNextProtocolTrampoline()
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:66
> #2 0x9c83ea in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:89
> #3 0x531046 in Continuation::handleEvent(int, void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
> #4 0x9f4040 in read_signal_and_update
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145
> #5 0x9fbe75 in UnixNetVConnection::mainEvent(int, Event*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1175
> #6 0x531046 in Continuation::handleEvent(int, void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
> #7 0x9e35e4 in NetHandler::_close_vc(UnixNetVConnection*, long, int&,
> int&, int&, int&)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:678
> #8 0x9e2c01 in NetHandler::manage_keep_alive_queue()
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:634
> #9 0x9e3882 in NetHandler::add_to_keep_alive_queue(UnixNetVConnection*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:699
> #10 0x9ddb48 in UnixNetVConnection::add_to_keep_alive_queue()
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixConnection.cc:397
> #11 0x759044 in SpdyClientSession::init(NetVConnection*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdyClientSession.cc:116
> #12 0x7598da in SpdyClientSession::new_connection(NetVConnection*,
> MIOBuffer*, IOBufferReader*, bool)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdyClientSession.cc:193
> #13 0x7582dc in SpdySessionAccept::mainEvent(int, void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/spdy/SpdySessionAccept.cc:56
> #14 0x531046 in Continuation::handleEvent(int, void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
> #15 0x9c78a5 in send_plugin_event
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:32
> #16 0x9c842b in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:99
> #17 0x531046 in Continuation::handleEvent(int, void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
> #18 0x9f4040 in read_signal_and_update
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:145
> #19 0x9f46f4 in read_signal_done
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:206
> #20 0x9fa8a1 in UnixNetVConnection::readSignalDone(int, NetHandler*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1006
> #21 0x9bdd96 in SSLNetVConnection::net_read_io(NetHandler*, EThread*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNetVConnection.cc:542
> #22 0x9e1a02 in NetHandler::mainNetEvent(int, Event*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNet.cc:516
> #23 0x531046 in Continuation::handleEvent(int, void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
> #24 0xa405e4 in EThread::process_event(Event*, int)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
> #25 0xa411fc in EThread::execute()
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:252
> #26 0xa3ebbd in spawn_thread_internal
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
> #27 0x2ac87d9badf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> previously allocated by thread T24 ([ET_NET 23]) here:
> #0 0x2ac87acd5caf in operator new(unsigned long)
> ../../.././libsanitizer/asan/asan_new_delete.cc:50
> #1 0x9c7c2d in SSLNextProtocolAccept::mainEvent(int, void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/SSLNextProtocolAccept.cc:133
> #2 0x531046 in Continuation::handleEvent(int, void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
> #3 0x9fb50d in UnixNetVConnection::acceptEvent(int, Event*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/net/UnixNetVConnection.cc:1100
> #4 0x531046 in Continuation::handleEvent(int, void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/I_Continuation.h:146
> #5 0xa405e4 in EThread::process_event(Event*, int)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:128
> #6 0xa40a97 in EThread::execute()
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEThread.cc:179
> #7 0xa3ebbd in spawn_thread_internal
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:86
> #8 0x2ac87d9badf4 in start_thread (/lib64/libpthread.so.0+0x7df4)
> Thread T24 ([ET_NET 23]) created by T0 ([ET_NET 0]) here:
> #0 0x2ac87aca487a in __interceptor_pthread_create
> ../../.././libsanitizer/asan/asan_interceptors.cc:183
> #1 0xa3e6ea in ink_thread_create ../../lib/ts/ink_thread.h:150
> #2 0xa3ed47 in Thread::start(char const*, unsigned long, void*
> (*)(void*), void*)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/Thread.cc:101
> #3 0xa43dad in EventProcessor::start(int, unsigned long)
> /home/bcall/ytrafficserver-6.0.x/trafficserver/iocore/eventsystem/UnixEventProcessor.cc:140
> #4 0x59180f in main
> /home/bcall/ytrafficserver-6.0.x/trafficserver/proxy/Main.cc:1624
> #5 0x2ac87e676af4 in __libc_start_main (/lib64/libc.so.6+0x21af4)
> {code}