[ https://issues.apache.org/jira/browse/TS-4424?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Phil Sorber updated TS-4424:
----------------------------
    Backport to Version: 6.2.1  (was: 6.2.2)

> proxy.config.ssl.max_record_size=-1 (dynamic rec size) can cause out-of-bound memory access
> -------------------------------------------------------------------------------------------
>
>                 Key: TS-4424
>                 URL: https://issues.apache.org/jira/browse/TS-4424
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Core
>    Affects Versions: 6.2.0
>            Reporter: Leif Hedstrom
>            Assignee: Susan Hinrichs
>              Labels: crash
>             Fix For: 7.1.0
>
>
> From a few days ago:
> {code}
> [May  2 16:09:34.060] Manager {0x7f44c4e94800} WARNING: Be aware that access control checks for HTTP/2 connections are not active!
> [May  2 16:09:34.060] Manager {0x7f44c4e94800} WARNING: Be aware that access control checks for HTTP/2 connections are not active!
> =================================================================
> ==17268==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62a0064b5000 at pc 0x2b8fd0a73615 bp 0x7ffd34d416e0 sp 0x7ffd34d40e90
> READ of size 16384 at 0x62a0064b5000 thread T0 ([ET_NET 0])
>     #0 0x2b8fd0a73614 in __asan_memcpy ../../../../libsanitizer/asan/asan_interceptors.cc:367
>     #1 0x2b8fd26f7b63 in ssl3_write_bytes (/opt/openssl/lib/libssl.so.1.0.0+0x29b63)
>     #2 0xbfe2e0 in SSLWriteBuffer(ssl_st*, void const*, long, long&) /usr/local/src/trafficserver/iocore/net/SSLUtils.cc:2041
>     #3 0xbd2a6a in SSLNetVConnection::load_buffer_and_write(long, long&, long&, MIOBufferAccessor&, int&) /usr/local/src/trafficserver/iocore/net/SSLNetVConnection.cc:735
>     #4 0xc48dad in write_to_net_io(NetHandler*, UnixNetVConnection*, EThread*) /usr/local/src/trafficserver/iocore/net/UnixNetVConnection.cc:511
>     #5 0xc0a8ba in NetHandler::mainNetEvent(int, Event*) /usr/local/src/trafficserver/iocore/net/UnixNet.cc:529
>     #6 0xcf6da3 in Continuation::handleEvent(int, void*) /usr/local/src/trafficserver/iocore/eventsystem/I_Continuation.h:153
>     #7 0xcf6da3 in EThread::process_event(Event*, int) /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:129
>     #8 0xcf9d4a in EThread::execute() /usr/local/src/trafficserver/iocore/eventsystem/UnixEThread.cc:256
>     #9 0x498ad5 in main /usr/local/src/trafficserver/proxy/Main.cc:1909
>     #10 0x2b8fd475bb14 in __libc_start_main (/lib64/libc.so.6+0x21b14)
>     #11 0x4a8244  (/opt/ats/bin/traffic_server+0x4a8244)
> 0x62a0064b5000 is located 0 bytes to the right of 16384-byte region [0x62a0064b1000,0x62a0064b5000)
> allocated by thread T0 ([ET_NET 0]) here:
>     #0 0x2b8fd0a7f9ae in __interceptor_posix_memalign ../../../../libsanitizer/asan/asan_malloc_linux.cc:105
>     #1 0x2b8fd19b2ca9 in ats_memalign /usr/local/src/trafficserver/lib/ts/ink_memory.cc:105
>     #2 0x2b8fd19b3f3e in ink_freelist_new /usr/local/src/trafficserver/lib/ts/ink_queue.cc:183
>     #3 0x7d5670 in Allocator::alloc_void() ../../lib/ts/Allocator.h:63
>     #4 0x7d5670 in IOBufferData::alloc(long, AllocType) ../../iocore/eventsystem/P_IOBuffer.h:282
>     #5 0x7d5670 in new_IOBufferData_internal(char const*, long, AllocType) ../../iocore/eventsystem/P_IOBuffer.h:253
>     #6 0x7d5670 in IOBufferBlock::alloc(long) ../../iocore/eventsystem/P_IOBuffer.h:396
>     #7 0x7d5670 in Http2Frame::alloc(int) /usr/local/src/trafficserver/proxy/http2/Http2ClientSession.h:96
>     #8 0x7d5670 in Http2ConnectionState::send_data_frame(Http2Stream*) /usr/local/src/trafficserver/proxy/http2/Http2ConnectionState.cc:959
>     #9 0x7ea209 in Http2Stream::update_write_request(IOBufferReader*, long, bool) /usr/local/src/trafficserver/proxy/http2/Http2Stream.cc:462
>     #10 0x7efe96 in Http2Stream::reenable(VIO*) /usr/local/src/trafficserver/proxy/http2/Http2Stream.cc:482
>     #11 0x777c49 in VIO::reenable() ../../iocore/eventsystem/P_VIO.h:111
>     #12 0x777c49 in HttpTunnel::producer_handler(int, HttpTunnelProducer*) /usr/local/src/trafficserver/proxy/http/HttpTunnel.cc:1199
>     #13 0x77a0ee in HttpTunnel::main_handler(int, void*) /usr/local/src/trafficserver/proxy/http/HttpTunnel.cc:1568
>     #14 0x9a2467 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:153
>     #15 0x9a2467 in CacheVC::calluser(int) ../../iocore/cache/P_CacheInternal.h:623
>     #16 0xb21d2c in CacheVC::openReadMain(int, Event*) /usr/local/src/trafficserver/iocore/cache/CacheRead.cc:717
>     #17 0x9a284c in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:153
>     #18 0x9a284c in CacheVC::callcont(int) ../../iocore/cache/P_CacheInternal.h:642
>     #19 0xb30df9 in CacheVC::openReadStartHead(int, Event*) /usr/local/src/trafficserver/iocore/cache/CacheRead.cc:1162
>     #20 0xb29c07 in Continuation::handleEvent(int, void*) ../../iocore/eventsystem/I_Continuation.h:153
>     #21 0xb29c07 in Cache::open_read(Continuation*, ats::CryptoHash const*, HTTPHdr*, CacheLookupHttpConfig*, CacheFragType, char const*, int) /usr/local/src/trafficserver/iocore/cache/CacheRead.cc:159
>     #22 0x648a63 in HttpCacheSM::do_cache_open_read(HttpCacheKey const&) /usr/local/src/trafficserver/proxy/http/HttpCacheSM.cc:237
>     #23 0x648a63 in HttpCacheSM::open_read(HttpCacheKey const*, URL*, HTTPHdr*, CacheLookupHttpConfig*, long) /usr/local/src/trafficserver/proxy/http/HttpCacheSM.cc:270
>     #24 0x67fb65 in HttpSM::do_cache_lookup_and_read() /usr/local/src/trafficserver/proxy/http/HttpSM.cc:4457
>     #25 0x6be022 in HttpSM::set_next_state() /usr/local/src/trafficserver/proxy/http/HttpSM.cc:7168
>     #26 0x6b03c9 in HttpSM::state_api_callout(int, void*) /usr/local/src/trafficserver/proxy/http/HttpSM.cc:1490
>     #27 0x6be667 in HttpSM::set_next_state() /usr/local/src/trafficserver/proxy/http/HttpSM.cc:7058
>     #28 0x6bd219 in HttpSM::set_next_state() /usr/local/src/trafficserver/proxy/http/HttpSM.cc:7072
>     #29 0x6b03c9 in HttpSM::state_api_callout(int, void*) /usr/local/src/trafficserver/proxy/http/HttpSM.cc:1490
>     #30 0x6be667 in HttpSM::set_next_state() /usr/local/src/trafficserver/proxy/http/HttpSM.cc:7058
>     #31 0x6b03c9 in HttpSM::state_api_callout(int, void*) /usr/local/src/trafficserver/proxy/http/HttpSM.cc:1490
>     #32 0x6c2bef in HttpSM::state_api_callback(int, void*) /usr/local/src/trafficserver/proxy/http/HttpSM.cc:1287
>     #33 0x56c006 in TSHttpTxnReenable /usr/local/src/trafficserver/proxy/InkAPI.cc:5635
>     #34 0x2b8fd9cbff45 in stats_origin /usr/local/src/trafficserver/plugins/stats_over_http/stats_over_http.c:280
>     #35 0x5391e3 in INKContInternal::handle_event(int, void*) /usr/local/src/trafficserver/proxy/InkAPI.cc:993
>     #36 0x6affe4 in HttpSM::state_api_callout(int, void*) /usr/local/src/trafficserver/proxy/http/HttpSM.cc:1408
>     #37 0x6be667 in HttpSM::set_next_state() /usr/local/src/trafficserver/proxy/http/HttpSM.cc:7058
>     #38 0x69574d in HttpSM::state_read_client_request_header(int, void*) /usr/local/src/trafficserver/proxy/http/HttpSM.cc:769
>     #39 0x6c30f7 in HttpSM::main_handler(int, void*) /usr/local/src/trafficserver/proxy/http/HttpSM.cc:2600
> SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../libsanitizer/asan/asan_interceptors.cc:367 __asan_memcpy
> Shadow bytes around the buggy address:
>   0x0c5480c8e9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c5480c8e9c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c5480c8e9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c5480c8e9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c5480c8e9f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> =>0x0c5480c8ea00:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c5480c8ea10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c5480c8ea20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c5480c8ea30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c5480c8ea40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c5480c8ea50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07
>   Heap left redzone:       fa
>   Heap right redzone:      fb
>   Freed heap region:       fd
>   Stack left redzone:      f1
>   Stack mid redzone:       f2
>   Stack right redzone:     f3
>   Stack partial redzone:   f4
>   Stack after return:      f5
>   Stack use after scope:   f8
>   Global redzone:          f9
>   Global init order:       f6
>   Poisoned by user:        f7
>   Container overflow:      fc
>   Array cookie:            ac
>   Intra object redzone:    bb
>   ASan internal:           fe
> ==17268==ABORTING
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
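
Reading the report quoted above: the faulting copy runs inside ssl3_write_bytes, reached from SSLWriteBuffer and SSLNetVConnection::load_buffer_and_write, and the block it overruns is the 16384-byte IOBufferBlock allocated in Http2Frame::alloc. Because frame #0 is __asan_memcpy, the printed address is the first poisoned byte of the checked range, not the source pointer, so the report does not say where in the block the copy began. What it does establish is that a 16384-byte copy out of a 16384-byte block stays in bounds only when it begins at offset 0, so whatever the start was, the (pointer, length) pair that reached OpenSSL described bytes past the end of that block. The helper below is an added example, not code from Traffic Server or from the bug report; it parses the three diagnostic lines and works this out. The interceptor-name prefixes it matches on are an assumption about how ASan names its range-checking wrappers, and the second, smaller report is constructed for contrast.

```python
"""Triage of an AddressSanitizer heap-buffer-overflow report (added example;
not code from Traffic Server or from the bug report). Parses the access line,
frame #0 and the region line and derives what they permit one to conclude
about the faulting copy."""
import re
from dataclasses import dataclass

# Constructed input: the diagnostic lines of the TS-4424 report, joined back
# onto single lines and cut down to the ones this helper reads.
TS4424_REPORT = """\
READ of size 16384 at 0x62a0064b5000 thread T0 ([ET_NET 0])
    #0 0x2b8fd0a73614 in __asan_memcpy ../../../../libsanitizer/asan/asan_interceptors.cc:367
    #1 0x2b8fd26f7b63 in ssl3_write_bytes (/opt/openssl/lib/libssl.so.1.0.0+0x29b63)
0x62a0064b5000 is located 0 bytes to the right of 16384-byte region [0x62a0064b1000,0x62a0064b5000)
"""

# Constructed contrast case: an instrumented store one element past a 4-byte
# allocation, the shape ASan prints for `int *p = malloc(4); p[1] = 1;`.
INSTRUMENTED_REPORT = """\
WRITE of size 4 at 0x602000000014 thread T0
    #0 0x4007d5 in main example.c:7
0x602000000014 is located 0 bytes to the right of 4-byte region [0x602000000010,0x602000000014)
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", re.M)
FRAME0_RE = re.compile(r"^\s*#0 0x[0-9a-f]+ in (\S+)", re.M)
REGION_RE = re.compile(
    r"^0x([0-9a-f]+) is located (\d+) bytes (to the left of|to the right of|inside of) "
    r"(\d+)-byte region \[0x([0-9a-f]+),0x([0-9a-f]+)\)", re.M)

# Assumed naming of ASan's range-checking wrappers (memcpy, memmove, strcpy, ...).
# These check the whole range and report the FIRST poisoned byte, not the pointer
# the caller passed; instrumented loads and stores report the access address itself.
INTERCEPTOR_PREFIXES = ("__asan_mem", "__interceptor_")


@dataclass
class Triage:
    kind: str              # "READ" or "WRITE"
    size: int              # bytes in the faulting access
    region_start: int
    region_end: int
    via_interceptor: bool  # frame #0 is a range interceptor
    start_offsets: tuple   # (min, max) offset of the access start within the block
    overrun: tuple         # (min, max) bytes of the access lying past region_end

    @property
    def region_size(self) -> int:
        return self.region_end - self.region_start

    def length_exceeds_block(self) -> bool:
        """For a range copy: every admissible start overruns and the length is at
        least the block size, so the length was not clamped to the bytes left."""
        return self.via_interceptor and self.overrun[0] >= 1 and self.size >= self.region_size


def triage(report: str) -> Triage:
    acc, fr0, reg = ACCESS_RE.search(report), FRAME0_RE.search(report), REGION_RE.search(report)
    if not (acc and fr0 and reg):
        raise ValueError("need the access line, frame #0 and the region line")
    kind, size, addr = acc.group(1), int(acc.group(2)), int(acc.group(3), 16)
    desc_addr, dist, where = int(reg.group(1), 16), int(reg.group(2)), reg.group(3)
    region_size = int(reg.group(4))
    region_start, region_end = int(reg.group(5), 16), int(reg.group(6), 16)
    # Consistency checks: a report that fails these was edited or mis-pasted.
    if desc_addr != addr or region_end - region_start != region_size:
        raise ValueError("access address or region bounds are inconsistent")
    expected = {"to the right of": addr - region_end,
                "to the left of": region_start - addr,
                "inside of": addr - region_start}[where]
    if expected != dist:
        raise ValueError("distance phrase disagrees with the addresses")

    via_interceptor = fr0.group(1).startswith(INTERCEPTOR_PREFIXES)
    if via_interceptor:
        # addr is the first poisoned byte: the copy began at some s with
        # s <= addr < s + size and every byte of [s, addr) addressable. With the
        # bad byte at or past the end, s cannot lie in the (poisoned) left redzone.
        s_min, s_max = addr - size + 1, addr
        if addr >= region_end:
            s_min = max(s_min, region_start)
    else:
        s_min = s_max = addr
    starts = (s_min - region_start, s_max - region_start)
    overrun = (max(0, s_min + size - region_end), max(0, s_max + size - region_end))
    return Triage(kind, size, region_start, region_end, via_interceptor, starts, overrun)


def summarize(t: Triage) -> str:
    lines = [f"{t.kind} of {t.size} bytes against a {t.region_size}-byte block"]
    if t.via_interceptor:
        lines.append("reported by a range interceptor: printed address is the first bad byte")
        lines.append(f"copy began at block offset {t.start_offsets[0]}..{t.start_offsets[1]}, "
                     f"running {t.overrun[0]}..{t.overrun[1]} bytes past the end")
        if t.length_exceeds_block():
            lines.append("length >= block size and every admissible start overruns: "
                         "the length was not clamped to the bytes left in the block")
    else:
        lines.append(f"access at block offset {t.start_offsets[0]}, "
                     f"{t.overrun[0]} bytes past the end")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(TS4424_REPORT)))
```

For the TS-4424 lines the helper reports a copy starting at block offset 1..16384 and running 1..16384 bytes past the end, with the length never clamped; for the constructed instrumented store it reports a plain access at offset 4, 4 bytes past a 4-byte block, and draws no clamping conclusion, since a single load or store has no length to clamp.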
