Re: BUG: segfault with lua sample converters & wrong arg types
Thanks. the patch make sense. Willy, could you apply ? > On 15 Jun 2018, at 14:15, Frederic Lecaille wrote: > > On 06/14/2018 11:05 PM, Patrick Hemmer wrote: >> Haproxy segfaults if you pass the wrong argument type to a converter. >> Example: >> haproxy.cfg: >> global >> lua-load /tmp/haproxy.lua >> frontend f1 >> mode http >> bind :8000 >> default_backend b1 >> http-request lua.foo >> backend b1 >> mode http >> server s1 127.0.0.1:8080 >> haproxy.lua: >> core.register_action("foo", { "http-req" }, function(txn) >> txn.sc:ipmask(txn.f:src(), 24, 112) >> end) >> Result: >> * thread #1, queue = 'com.apple.main-thread', stop reason = >> EXC_BAD_ACCESS (code=1, address=0x18) >> frame #0: 0x7fffc9fcbf56 >> libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 182 >> libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell: >> -> 0x7fffc9fcbf56 <+182>: movb (%rsi,%r8), %cl >> 0x7fffc9fcbf5a <+186>: movb %cl, (%rdi,%r8) >> 0x7fffc9fcbf5e <+190>: subq $0x1, %rdx >> 0x7fffc9fcbf62 <+194>: je 0x7fffc9fcbf78; <+216> >> Target 0: (haproxy) stopped. >> (lldb) bt >> * thread #1, queue = 'com.apple.main-thread', stop reason = >> EXC_BAD_ACCESS (code=1, address=0x18) >> * frame #0: 0x7fffc9fcbf56 >> libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 182 >> frame #1: 0x7fffc9e7442e libsystem_c.dylib`__memcpy_chk + 22 >> frame #2: 0x00010002ec46 >> haproxy`hlua_lua2arg_check(L=0x00010120d298, first=3, >> argp=0x7fff5fbfe690, mask=196, p=0x000101817000) at hlua.c:749 >> frame #3: 0x00010001fa00 >> haproxy`hlua_run_sample_conv(L=0x00010120d298) at hlua.c:3393 >> frame #4: 0x00010032400b haproxy`luaD_precall + 747 >> frame #5: 0x0001003343c6 haproxy`luaV_execute + 3158 >> frame #6: 0x000100323429 haproxy`luaD_rawrunprotected + 89 >> frame #7: 0x000100324516 haproxy`lua_resume + 278 >> frame #8: 0x00010001b199 >> haproxy`hlua_ctx_resume(lua=0x000101205080, yield_allowed=1) at >> hlua.c:1080 >> frame #9: 0x000100027de8 >> haproxy`hlua_action(rule=0x00010101b180, px=0x000101817000, >> sess=0x00010120cb70, s=0x00010120cc00, flags=2) at hlua.c:6198 >> frame #10: 0x000100044bcd >> haproxy`http_req_get_intercept_rule(px=0x000101817000, >> rules=0x000101817048, s=0x00010120cc00, >> deny_status=0x7fff5fbfee78) at proto_http.c:2760 >> frame #11: 0x000100046182 >> haproxy`http_process_req_common(s=0x00010120cc00, >> req=0x00010120cc10, an_bit=16, px=0x000101817000) at >> proto_http.c:3461 >> frame #12: 0x000100094c50 >> haproxy`process_stream(t=0x00010120cf40, context=0x00010120cc00, >> state=9) at stream.c:1905 >> frame #13: 0x00010016179f haproxy`process_runnable_tasks at >> task.c:362 >> frame #14: 0x0001000ea0eb haproxy`run_poll_loop at haproxy.c:2403 >> frame #15: 0x0001000e7c74 >> haproxy`run_thread_poll_loop(data=0x7fff5fbff3a4) at haproxy.c:2464 >> frame #16: 0x0001000e4a49 haproxy`main(argc=3, >> argv=0x7fff5fbff590) at haproxy.c:3082 >> frame #17: 0x7fffc9db9235 libdyld.dylib`start + 1 >> Issue goes away if you change the lua txn.sc:ipmask() line to: >> txn.sc:ipmask(txn.f:src(), '24', '112') >> Reproduced with current master (9db0fed) and lua version 5.3.4. >> -Patrick > > It seems the patch attached to this mail fixes this issue. It at least make > the varnishtest test file pass. > > Must be checked by Thierry. > > > Fred. > <0001-BUG-MINOR-lua-Segfaults-with-wrong-usage-of-types.patch>
Re: BUG: segfault with lua sample converters & wrong arg types
On 06/15/2018 02:15 PM, Frederic Lecaille wrote: On 06/14/2018 11:05 PM, Patrick Hemmer wrote: Haproxy segfaults if you pass the wrong argument type to a converter. Example: haproxy.cfg: global lua-load /tmp/haproxy.lua frontend f1 mode http bind :8000 default_backend b1 http-request lua.foo backend b1 mode http server s1 127.0.0.1:8080 haproxy.lua: core.register_action("foo", { "http-req" }, function(txn) txn.sc:ipmask(txn.f:src(), 24, 112) end) Result: * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x18) frame #0: 0x7fffc9fcbf56 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 182 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell: -> 0x7fffc9fcbf56 <+182>: movb (%rsi,%r8), %cl 0x7fffc9fcbf5a <+186>: movb %cl, (%rdi,%r8) 0x7fffc9fcbf5e <+190>: subq $0x1, %rdx 0x7fffc9fcbf62 <+194>: je 0x7fffc9fcbf78 ; <+216> Target 0: (haproxy) stopped. (lldb) bt * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x18) * frame #0: 0x7fffc9fcbf56 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 182 frame #1: 0x7fffc9e7442e libsystem_c.dylib`__memcpy_chk + 22 frame #2: 0x00010002ec46 haproxy`hlua_lua2arg_check(L=0x00010120d298, first=3, argp=0x7fff5fbfe690, mask=196, p=0x000101817000) at hlua.c:749 frame #3: 0x00010001fa00 haproxy`hlua_run_sample_conv(L=0x00010120d298) at hlua.c:3393 frame #4: 0x00010032400b haproxy`luaD_precall + 747 frame #5: 0x0001003343c6 haproxy`luaV_execute + 3158 frame #6: 0x000100323429 haproxy`luaD_rawrunprotected + 89 frame #7: 0x000100324516 haproxy`lua_resume + 278 frame #8: 0x00010001b199 haproxy`hlua_ctx_resume(lua=0x000101205080, yield_allowed=1) at hlua.c:1080 frame #9: 0x000100027de8 haproxy`hlua_action(rule=0x00010101b180, px=0x000101817000, sess=0x00010120cb70, s=0x00010120cc00, flags=2) at hlua.c:6198 frame #10: 0x000100044bcd haproxy`http_req_get_intercept_rule(px=0x000101817000, rules=0x000101817048, s=0x00010120cc00, deny_status=0x7fff5fbfee78) at proto_http.c:2760 frame #11: 0x000100046182 haproxy`http_process_req_common(s=0x00010120cc00, req=0x00010120cc10, an_bit=16, px=0x000101817000) at proto_http.c:3461 frame #12: 0x000100094c50 haproxy`process_stream(t=0x00010120cf40, context=0x00010120cc00, state=9) at stream.c:1905 frame #13: 0x00010016179f haproxy`process_runnable_tasks at task.c:362 frame #14: 0x0001000ea0eb haproxy`run_poll_loop at haproxy.c:2403 frame #15: 0x0001000e7c74 haproxy`run_thread_poll_loop(data=0x7fff5fbff3a4) at haproxy.c:2464 frame #16: 0x0001000e4a49 haproxy`main(argc=3, argv=0x7fff5fbff590) at haproxy.c:3082 frame #17: 0x7fffc9db9235 libdyld.dylib`start + 1 Issue goes away if you change the lua txn.sc:ipmask() line to: txn.sc:ipmask(txn.f:src(), '24', '112') Reproduced with current master (9db0fed) and lua version 5.3.4. -Patrick It seems the patch attached to this mail fixes this issue. It at least make the varnishtest test file pass. Must be checked by Thierry. Should have mentionned that I could not reproduce this issue without compiling the thread support (USE_THREAD=1).
Re: BUG: segfault with lua sample converters & wrong arg types
On 06/14/2018 11:05 PM, Patrick Hemmer wrote: Haproxy segfaults if you pass the wrong argument type to a converter. Example: haproxy.cfg: global lua-load /tmp/haproxy.lua frontend f1 mode http bind :8000 default_backend b1 http-request lua.foo backend b1 mode http server s1 127.0.0.1:8080 haproxy.lua: core.register_action("foo", { "http-req" }, function(txn) txn.sc:ipmask(txn.f:src(), 24, 112) end) Result: * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x18) frame #0: 0x7fffc9fcbf56 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 182 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell: -> 0x7fffc9fcbf56 <+182>: movb (%rsi,%r8), %cl 0x7fffc9fcbf5a <+186>: movb %cl, (%rdi,%r8) 0x7fffc9fcbf5e <+190>: subq $0x1, %rdx 0x7fffc9fcbf62 <+194>: je 0x7fffc9fcbf78 ; <+216> Target 0: (haproxy) stopped. (lldb) bt * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x18) * frame #0: 0x7fffc9fcbf56 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 182 frame #1: 0x7fffc9e7442e libsystem_c.dylib`__memcpy_chk + 22 frame #2: 0x00010002ec46 haproxy`hlua_lua2arg_check(L=0x00010120d298, first=3, argp=0x7fff5fbfe690, mask=196, p=0x000101817000) at hlua.c:749 frame #3: 0x00010001fa00 haproxy`hlua_run_sample_conv(L=0x00010120d298) at hlua.c:3393 frame #4: 0x00010032400b haproxy`luaD_precall + 747 frame #5: 0x0001003343c6 haproxy`luaV_execute + 3158 frame #6: 0x000100323429 haproxy`luaD_rawrunprotected + 89 frame #7: 0x000100324516 haproxy`lua_resume + 278 frame #8: 0x00010001b199 haproxy`hlua_ctx_resume(lua=0x000101205080, yield_allowed=1) at hlua.c:1080 frame #9: 0x000100027de8 haproxy`hlua_action(rule=0x00010101b180, px=0x000101817000, sess=0x00010120cb70, s=0x00010120cc00, flags=2) at hlua.c:6198 frame #10: 0x000100044bcd haproxy`http_req_get_intercept_rule(px=0x000101817000, rules=0x000101817048, s=0x00010120cc00, deny_status=0x7fff5fbfee78) at proto_http.c:2760 frame #11: 0x000100046182 haproxy`http_process_req_common(s=0x00010120cc00, req=0x00010120cc10, an_bit=16, px=0x000101817000) at proto_http.c:3461 frame #12: 0x000100094c50 haproxy`process_stream(t=0x00010120cf40, context=0x00010120cc00, state=9) at stream.c:1905 frame #13: 0x00010016179f haproxy`process_runnable_tasks at task.c:362 frame #14: 0x0001000ea0eb haproxy`run_poll_loop at haproxy.c:2403 frame #15: 0x0001000e7c74 haproxy`run_thread_poll_loop(data=0x7fff5fbff3a4) at haproxy.c:2464 frame #16: 0x0001000e4a49 haproxy`main(argc=3, argv=0x7fff5fbff590) at haproxy.c:3082 frame #17: 0x7fffc9db9235 libdyld.dylib`start + 1 Issue goes away if you change the lua txn.sc:ipmask() line to: txn.sc:ipmask(txn.f:src(), '24', '112') Reproduced with current master (9db0fed) and lua version 5.3.4. -Patrick It seems the patch attached to this mail fixes this issue. It at least make the varnishtest test file pass. Must be checked by Thierry. Fred. >From 245592382b46458082be1cd440603dd4b92c500b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20L=C3=A9caille?= Date: Fri, 15 Jun 2018 13:56:04 +0200 Subject: [PATCH] BUG/MINOR: lua: Segfaults with wrong usage of types. Patrick reported that this simple configuration made haproxy segfaults: global lua-load /tmp/haproxy.lua frontend f1 mode http bind :8000 default_backend b1 http-request lua.foo backend b1 mode http server s1 127.0.0.1:8080 with this '/tmp/haproxy.lua' script: core.register_action("foo", { "http-req" }, function(txn) txn.sc:ipmask(txn.f:src(), 24, 112) end) This is due to missing initialization of the array of arguments passed to hlua_lua2arg_check() which makes it enter code with corrupted arguments. Thanks a lot to Patrick Hemmer for having reported this issue. Must be backported to 1.8, 1.7 and 1.6. --- src/hlua.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/hlua.c b/src/hlua.c index 716bd29..84debaf 100644 --- a/src/hlua.c +++ b/src/hlua.c @@ -3256,7 +3256,7 @@ __LJMP static int hlua_run_sample_fetch(lua_State *L) { struct hlua_smp *hsmp; struct sample_fetch *f; - struct arg args[ARGM_NBARGS + 1]; + struct arg args[ARGM_NBARGS + 1] = {{0}}; int i; struct sample smp; -- 2.1.4
Re: BUG: segfault with lua sample converters & wrong arg types
Hello Patrick, On 06/14/2018 11:05 PM, Patrick Hemmer wrote: Haproxy segfaults if you pass the wrong argument type to a converter. Example: haproxy.cfg: global lua-load /tmp/haproxy.lua frontend f1 mode http bind :8000 default_backend b1 http-request lua.foo backend b1 mode http server s1 127.0.0.1:8080 haproxy.lua: core.register_action("foo", { "http-req" }, function(txn) txn.sc:ipmask(txn.f:src(), 24, 112) end) Result: * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x18) frame #0: 0x7fffc9fcbf56 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 182 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell: -> 0x7fffc9fcbf56 <+182>: movb (%rsi,%r8), %cl 0x7fffc9fcbf5a <+186>: movb %cl, (%rdi,%r8) 0x7fffc9fcbf5e <+190>: subq $0x1, %rdx 0x7fffc9fcbf62 <+194>: je 0x7fffc9fcbf78 ; <+216> Target 0: (haproxy) stopped. (lldb) bt * thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x18) * frame #0: 0x7fffc9fcbf56 libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 182 frame #1: 0x7fffc9e7442e libsystem_c.dylib`__memcpy_chk + 22 frame #2: 0x00010002ec46 haproxy`hlua_lua2arg_check(L=0x00010120d298, first=3, argp=0x7fff5fbfe690, mask=196, p=0x000101817000) at hlua.c:749 frame #3: 0x00010001fa00 haproxy`hlua_run_sample_conv(L=0x00010120d298) at hlua.c:3393 frame #4: 0x00010032400b haproxy`luaD_precall + 747 frame #5: 0x0001003343c6 haproxy`luaV_execute + 3158 frame #6: 0x000100323429 haproxy`luaD_rawrunprotected + 89 frame #7: 0x000100324516 haproxy`lua_resume + 278 frame #8: 0x00010001b199 haproxy`hlua_ctx_resume(lua=0x000101205080, yield_allowed=1) at hlua.c:1080 frame #9: 0x000100027de8 haproxy`hlua_action(rule=0x00010101b180, px=0x000101817000, sess=0x00010120cb70, s=0x00010120cc00, flags=2) at hlua.c:6198 frame #10: 0x000100044bcd haproxy`http_req_get_intercept_rule(px=0x000101817000, rules=0x000101817048, s=0x00010120cc00, deny_status=0x7fff5fbfee78) at proto_http.c:2760 frame #11: 0x000100046182 haproxy`http_process_req_common(s=0x00010120cc00, req=0x00010120cc10, an_bit=16, px=0x000101817000) at proto_http.c:3461 frame #12: 0x000100094c50 haproxy`process_stream(t=0x00010120cf40, context=0x00010120cc00, state=9) at stream.c:1905 frame #13: 0x00010016179f haproxy`process_runnable_tasks at task.c:362 frame #14: 0x0001000ea0eb haproxy`run_poll_loop at haproxy.c:2403 frame #15: 0x0001000e7c74 haproxy`run_thread_poll_loop(data=0x7fff5fbff3a4) at haproxy.c:2464 frame #16: 0x0001000e4a49 haproxy`main(argc=3, argv=0x7fff5fbff590) at haproxy.c:3082 frame #17: 0x7fffc9db9235 libdyld.dylib`start + 1 Issue goes away if you change the lua txn.sc:ipmask() line to: txn.sc:ipmask(txn.f:src(), '24', '112') Reproduced with current master (9db0fed) and lua version 5.3.4. -Patrick I have reproduced the same issue with varnishtest. Here is a linux backtrace: Program terminated with signal SIGSEGV, Segmentation fault. #0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:33 33 ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory. (gdb) bt #0 __memcpy_sse2_unaligned () at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:33 #1 0x0041b428 in hlua_lua2arg_check (L=L@entry=0xf1b528, first=first@entry=3, argp=argp@entry=0x7fffa27a2790, mask=196, p=0xee3600) at src/hlua.c:749 #2 0x0041c6ae in hlua_run_sample_conv (L=0xf1b528) at src/hlua.c:3393 #3 0x00508664 in luaD_precall () #4 0x0051350d in luaV_execute () #5 0x00507ebc in luaD_rawrunprotected () #6 0x00508af0 in lua_resume () #7 0x00423dec in hlua_ctx_resume (lua=0xf1b490, yield_allowed=yield_allowed@entry=1) at src/hlua.c:1080 #8 0x00428bb7 in hlua_action (rule=0xee51c0, px=0xee3600, sess=, s=0xf15690, flags=2) at src/hlua.c:6198 #9 0x00438a9c in http_req_get_intercept_rule (px=0xeb8d20, px@entry=0xee3600, rules=0xee3648, s=0xf15690, deny_status=0x726a606e, deny_status@entry=0x7fffa27a2d6c) at src/proto_http.c:2760 #10 0x0043e216 in http_process_req_common (s=s@entry=0xf15690, req=req@entry=0xf156a0, an_bit=an_bit@entry=16, px=0xee3600) at src/proto_http.c:3461 #11 0x0046fcb0 in process_stream (t=, context=0xf15690, state=) at src/stream.c:1905 #12 0x004efeca in process_runnable_tasks () at src/task.c:362 #13 0x004a25f4 i