trafficserver
AddressSanitizer: heap-use-after-free HQSession::main_event_handler
I saw this while running ATS in docs with ASan enabled and h3 configured via Alt-Svc:
[Apr 8 17:27:16.716] [ET_NET 5] DIAG: <Http3Transaction.cc:438 (~Http3Transaction)> (http3_trans) [] [18] Delete transaction
=================================================================
==1824542==ERROR: AddressSanitizer: heap-use-after-free on address 0x6260000c61a8 at pc 0x5556bb7b13f0 bp 0x7f2e7a86eac0 sp 0x7f2e7a86eab0
READ of size 8 at 0x6260000c61a8 thread T7 ([ET_NET 5])
#0 0x5556bb7b13ef in HQSession::main_event_handler(int, void*) /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Session.cc:165
#1 0x5556badbc70a in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
#2 0x5556bb637026 in QUICNetVConnection::_propagate_event(int) /home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:264
#3 0x5556bb6362c4 in QUICNetVConnection::state_established(int, Event*) /home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:211
#4 0x5556badbc70a in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
#5 0x5556bb7389ce in EThread::process_event(Event*, int) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:162
#6 0x5556bb738f22 in EThread::process_queue(Queue<Event, Event::Link_link>*, int*, int*) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:197
#7 0x5556bb7396d6 in EThread::execute_regular() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:276
#8 0x5556bb739f65 in EThread::execute() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:348
#9 0x5556bb736d7b in spawn_thread_internal /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:68
#10 0x7f2e81bf7608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
#11 0x7f2e81b1c132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
0x6260000c61a8 is located 168 bytes inside of 10968-byte region [0x6260000c6100,0x6260000c8bd8)
freed by thread T7 ([ET_NET 5]) here:
#0 0x7f2e82a98c65 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:177
#1 0x5556bb7b8fa4 in Http3Transaction::~Http3Transaction() /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Transaction.cc:451
#2 0x5556bb7b82b2 in HQTransaction::_delete_if_possible() /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Transaction.cc:403
#3 0x5556bb7bb2f7 in Http3Transaction::state_stream_closed(int, Event*) /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Transaction.cc:547
#4 0x5556badbc70a in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
#5 0x5556bb7b13a4 in HQSession::main_event_handler(int, void*) /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Session.cc:167
#6 0x5556badbc70a in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
#7 0x5556bb637026 in QUICNetVConnection::_propagate_event(int) /home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:264
#8 0x5556bb6362c4 in QUICNetVConnection::state_established(int, Event*) /home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:211
#9 0x5556badbc70a in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
#10 0x5556bb7389ce in EThread::process_event(Event*, int) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:162
#11 0x5556bb738f22 in EThread::process_queue(Queue<Event, Event::Link_link>*, int*, int*) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:197
#12 0x5556bb7396d6 in EThread::execute_regular() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:276
#13 0x5556bb739f65 in EThread::execute() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:348
#14 0x5556bb736d7b in spawn_thread_internal /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:68
#15 0x7f2e81bf7608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
previously allocated by thread T7 ([ET_NET 5]) here:
#0 0x7f2e82a97587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
#1 0x5556bb7a6c40 in Http3App::_handle_bidi_stream_on_read_ready(int, VIO*) /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3App.cc:305
#2 0x5556bb7a48e5 in Http3App::main_event_handler(int, Event*) /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3App.cc:149
#3 0x5556badbc70a in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
#4 0x5556bb7389ce in EThread::process_event(Event*, int) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:162
#5 0x5556bb738f22 in EThread::process_queue(Queue<Event, Event::Link_link>*, int*, int*) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:197
#6 0x5556bb7394b9 in EThread::execute_regular() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:255
#7 0x5556bb739f65 in EThread::execute() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:348
#8 0x5556bb736d7b in spawn_thread_internal /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:68
#9 0x7f2e81bf7608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
Thread T7 ([ET_NET 5]) created by T0 ([TS_MAIN]) here:
#0 0x7f2e829c2815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
#1 0x5556bb73688f in ink_thread_create /home/bneradt/src/trafficserver_10/include/tscore/ink_thread.h:129
#2 0x5556bb736eaf in Thread::start(char const*, void*, unsigned long, std::function<void ()> const&) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:85
#3 0x5556bb740853 in EventProcessor::spawn_event_threads(int, int, unsigned long) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:467
#4 0x5556bb74119f in EventProcessor::start(int, unsigned long) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:548
#5 0x5556baddc981 in main /home/bneradt/src/trafficserver_10/src/traffic_server/traffic_server.cc:2104
#6 0x7f2e81a21082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: heap-use-after-free /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Session.cc:165 in HQSession::main_event_handler(int, void*)
Shadow bytes around the buggy address:
0x0c4c80010be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c80010bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c80010c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c80010c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4c80010c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4c80010c30: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
0x0c4c80010c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4c80010c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4c80010c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4c80010c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4c80010c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1824542==ABORTING
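As an added illustration (not Traffic Server code), the C++ sketch below models the dispatch pattern the trace shows: a session calls into a transaction, the transaction frees itself inside that callback, and the session then reads the dead object. The names `Session`, `Transaction`, `VC_EVENT_EOS` and `stale_reads` are assumed for the sketch; released objects are parked instead of deleted so the dangling read can be counted without ASan, and the hardened variant has the callee report its own liveness and defers deletion until the dispatch loop is done.

```cpp
#include <memory>
#include <vector>
enum { VC_EVENT_EOS = 1 };  // constructed event id, standing in for the stream-closed event
struct Session;
struct Transaction {
  Session *session; bool alive = true;
  bool handle_event(int event);  // returns false once the transaction has released itself
};
struct Session {
  std::vector<std::unique_ptr<Transaction>> txns;      // live transactions
  std::vector<std::unique_ptr<Transaction>> released;  // parked, not deleted, so a dangling
  int use_after_release = 0;                           // read stays observable without ASan
  void release(Transaction *t) {
    for (auto it = txns.begin(); it != txns.end(); ++it)
      if (it->get() == t) { t->alive = false; released.push_back(std::move(*it)); txns.erase(it); return; }
  }
  std::vector<Transaction *> snapshot() {  // iterate a copy: release() edits txns underneath us
    std::vector<Transaction *> v;
    for (auto &p : txns) v.push_back(p.get());
    return v;
  }
  // Unsafe shape, in the order the trace shows: the callee invoked from line 167 deletes itself, line 165 reads it.
  void dispatch_unsafe(int event) {
    for (Transaction *t : snapshot()) {
      t->handle_event(event);
      if (!t->alive) ++use_after_release;  // with a real delete this is the freed-memory read
    }
  }
  // Hardened shape: the callee reports that it is gone, the caller never touches it again,
  // and the actual deletion is deferred until the dispatch loop has finished.
  void dispatch_safe(int event) {
    for (Transaction *t : snapshot()) {
      if (!t->handle_event(event)) continue;  // released itself: t is dead from here on
      if (!t->alive) ++use_after_release;     // unreachable: the return value proves liveness
    }
    released.clear();  // no frame above still holds one of these pointers
  }
};
bool Transaction::handle_event(int event) {
  if (event != VC_EVENT_EOS) return true;
  session->release(this);  // the self-teardown that _delete_if_possible() performs in the trace
  return false;            // the caller must not dereference this object again
}
// Runs one dispatcher over two constructed transactions and returns how many stale reads the session made.
int stale_reads(bool hardened, int event = VC_EVENT_EOS) {
  Session s;
  for (int i = 0; i < 2; ++i) s.txns.emplace_back(new Transaction{&s});
  if (hardened) s.dispatch_safe(event); else s.dispatch_unsafe(event);
  return s.use_after_release;
}
```

Run under ASan, the unsafe dispatcher with a real `delete` in `release()` produces the same heap-use-after-free the report above shows; the hardened one does not.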
This is the same as #11113, and I thought #11145 fixed it, but it didn't. This is so weird.