AddressSanitizer: heap-buffer-overflow on address in XpackDynamicTableStorage::write
Running ATS 10 (https://github.com/apache/trafficserver/commit/399d04ceace14fae66dc615d96ff93557b55ad00 specifically) in production under ASan, we see the following ASan buffer overflow error:
=================================================================
==3888081==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625008bc3900 at pc 0x7f52c03d0a63 bp 0x7f52a25a0da0 sp 0x7f52a25a0548
WRITE of size 6238 at 0x625008bc3900 thread T30 ([ET_NET 28])
#0 0x7f52c03d0a62 in __interceptor_memcpy (/lib64/libasan.so.8+0x70a62) (BuildId: 71dbf393857c775be459ab5583ba7b5fcbd9c884)
#1 0xb38b3e in XpackDynamicTableStorage::write(char const*, unsigned int, char const*, unsigned int) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/hdrs/XPACK.cc:545
#2 0xb38b3e in XpackDynamicTable::insert_entry(char const*, unsigned long, char const*, unsigned long) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/hdrs/XPACK.cc:351
#3 0xb3936a in XpackDynamicTable::insert_entry(std::basic_string_view<char, std::char_traits<char> >, std::basic_string_view<char, std::char_traits<char> >) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/hdrs/XPACK.cc:366
#4 0x9ce105 in HpackIndexingTable::add_header_field(HpackHeaderField const&) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/http2/HPACK.cc:367
#5 0x9ce105 in encode_literal_header_field_with_new_name(unsigned char*, unsigned char const*, HpackHeaderField const&, HpackIndexingTable&, HpackField) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/http2/HPACK.cc:483
#6 0x9d0b83 in hpack_encode_header_block(HpackIndexingTable&, unsigned char*, unsigned long, HTTPHdr*, int) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/http2/HPACK.cc:818
#7 0x93d29d in http2_encode_header_blocks(HTTPHdr*, unsigned char*, unsigned int, unsigned int*, HpackIndexingTable&, int) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/http2/HTTP2.cc:426
#8 0x972da2 in Http2ConnectionState::send_headers_frame(Http2Stream*) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/http2/Http2ConnectionState.cc:2363
#9 0x9a7ce2 in Http2Stream::update_write_request(bool) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/http2/Http2Stream.cc:821
...
0x625008bc3900 is located 0 bytes after 8192-byte region [0x625008bc1900,0x625008bc3900)
allocated by thread T30 ([ET_NET 28]) here:
#0 0x7f52c043d62f in malloc (/lib64/libasan.so.8+0xdd62f) (BuildId: 71dbf393857c775be459ab5583ba7b5fcbd9c884)
#1 0x7f52bfea2a25 in ats_malloc(unsigned long) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/tscore/ink_memory.cc:65
#2 0xb35a0d in XpackDynamicTableStorage::XpackDynamicTableStorage(unsigned int) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/hdrs/XPACK.cc:523
#3 0xb35a0d in XpackDynamicTable::XpackDynamicTable(unsigned int) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/hdrs/XPACK.cc:217
#4 0x95c3f5 in HpackIndexingTable::HpackIndexingTable(unsigned int) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/include/proxy/http2/HPACK.h:114
#5 0x95c3f5 in Http2ConnectionState::init(Http2CommonSession*) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/http2/Http2ConnectionState.cc:1256
#6 0x9dbd51 in Http2ClientSession::start() /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/http2/Http2ClientSession.cc:79
#7 0xe4f874 in ProxySession::do_api_callout(TSHttpHookID) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/ProxySession.cc:150
#8 0x9da3b2 in Http2ClientSession::new_connection(NetVConnection*, MIOBuffer*, IOBufferReader*) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/http2/Http2ClientSession.cc:134
#9 0x9b7a46 in Http2SessionAccept::accept(NetVConnection*, MIOBuffer*, IOBufferReader*) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/http2/Http2SessionAccept.cc:62
#10 0x9b7518 in Http2SessionAccept::mainEvent(int, void*) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/http2/Http2SessionAccept.cc:75
#11 0x9b7518 in Http2SessionAccept::mainEvent(int, void*) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/proxy/http2/Http2SessionAccept.cc:68
#12 0xf3b7c6 in Continuation::handleEvent(int, void*) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/include/iocore/eventsystem/Continuation.h:228
#13 0xf3b7c6 in Continuation::handleEvent(int, void*) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/include/iocore/eventsystem/Continuation.h:224
#14 0xf3b7c6 in send_plugin_event /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/net/SSLNextProtocolAccept.cc:34
#15 0xf3bd91 in SSLNextProtocolTrampoline::ioCompletionEvent(int, void*) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/net/SSLNextProtocolAccept.cc:117
#16 0xfe6d70 in Continuation::handleEvent(int, void*) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/include/iocore/eventsystem/Continuation.h:228
#17 0xfe6d70 in Continuation::handleEvent(int, void*) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/include/iocore/eventsystem/Continuation.h:224
#18 0xfe6d70 in read_signal_and_update /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/net/UnixNetVConnection.cc:87
#19 0xfec3b7 in read_signal_done /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/net/UnixNetVConnection.cc:154
#20 0xfec3b7 in UnixNetVConnection::readSignalDone(int, NetHandler*) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/net/UnixNetVConnection.cc:969
#21 0xf2305c in SSLNetVConnection::net_read_io(NetHandler*, EThread*) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/net/SSLNetVConnection.cc:695
#22 0x1090278 in NetHandler::process_ready_list() /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/net/NetHandler.cc:276
#23 0x1090cd2 in NetHandler::waitForActivity(long) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/net/NetHandler.cc:364
#24 0x117ade1 in EThread::execute_regular() /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/UnixEThread.cc:299
#25 0x117b4c8 in EThread::execute() /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/UnixEThread.cc:348
#26 0x117b4c8 in EThread::execute() /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/UnixEThread.cc:326
#27 0x11741d7 in spawn_thread_internal /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/Thread.cc:75
#28 0x7f52bed3a1c9 in start_thread (/lib64/libpthread.so.0+0x81c9) (BuildId: e08f397aa6b7de799209cd5bc35aabe0496678f1)
Thread T30 ([ET_NET 28]) created by T0 ([TS_MAIN]) here:
#0 0x7f52c03a8ea5 in __interceptor_pthread_create (/lib64/libasan.so.8+0x48ea5) (BuildId: 71dbf393857c775be459ab5583ba7b5fcbd9c884)
#1 0x11748fc in ink_thread_create /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/include/tscore/ink_thread.h:129
#2 0x11748fc in Thread::start(char const*, void*, unsigned long, std::function<void ()> const&) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/Thread.cc:92
#3 0x11865f4 in EventProcessor::spawn_event_threads(int, int, unsigned long) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/UnixEventProcessor.cc:467
#4 0x118744a in EventProcessor::start(int, unsigned long) /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/UnixEventProcessor.cc:548
#5 0x56fe64 in main /sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/traffic_server/traffic_server.cc:2104
#6 0x7f52be9a7d84 in __libc_start_main (/lib64/libc.so.6+0x3ad84) (BuildId: 574d156ec0c828321a4038189fc1cfe74d0bb2ec)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/lib64/libasan.so.8+0x70a62) (BuildId: 71dbf393857c775be459ab5583ba7b5fcbd9c884) in __interceptor_memcpy
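A triage helper for reports like the one above, added here as an example; it is not part of the original issue or of the ATS code base. It extracts the bug class, access size, region size and the first non-runtime frame of each stack, and joins them into a deduplication signature. The sample is an excerpt of the report with build paths shortened, and treating `ats_malloc` as an allocator wrapper to skip is an assumption.

```python
import re
# Excerpt of the report above; build paths shortened to their repository tail.
SAMPLE = """\
==3888081==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x625008bc3900 at pc 0x7f52c03d0a63 bp 0x7f52a25a0da0 sp 0x7f52a25a0548
WRITE of size 6238 at 0x625008bc3900 thread T30 ([ET_NET 28])
#0 0x7f52c03d0a62 in __interceptor_memcpy (/lib64/libasan.so.8+0x70a62) (BuildId: 71dbf393857c775be459ab5583ba7b5fcbd9c884)
#1 0xb38b3e in XpackDynamicTableStorage::write(char const*, unsigned int, char const*, unsigned int) src/proxy/hdrs/XPACK.cc:545
0x625008bc3900 is located 0 bytes after 8192-byte region [0x625008bc1900,0x625008bc3900)
allocated by thread T30 ([ET_NET 28]) here:
#0 0x7f52c043d62f in malloc (/lib64/libasan.so.8+0xdd62f) (BuildId: 71dbf393857c775be459ab5583ba7b5fcbd9c884)
#1 0x7f52bfea2a25 in ats_malloc(unsigned long) src/tscore/ink_memory.cc:65
#2 0xb35a0d in XpackDynamicTableStorage::XpackDynamicTableStorage(unsigned int) src/proxy/hdrs/XPACK.cc:523
"""
HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at")
REGION = re.compile(r"is located (\d+) bytes (.+?) (?:of )?(\d+)-byte region")
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (.+?) (\S+)$")
WRAPPERS = {"ats_malloc"}  # assumption: allocator wrappers to skip; extend per code base

def first_project_frame(stack):
    # Runtime frames are printed as "(module+offset)"; project frames carry file:line.
    for func, loc in stack:
        if not loc.startswith("(") and func not in WRAPPERS:
            return func, loc
    return None

def triage(report):
    info, stacks, section = {}, {"access": [], "alloc": []}, "access"
    for raw in report.splitlines():
        line = re.sub(r"\s*\(BuildId: [0-9a-f]+\)", "", raw.strip())
        if m := HEADER.search(line):
            info["bug"] = m[1]
        elif m := ACCESS.match(line):
            info["access"], info["size"] = m[1], int(m[2])
        elif m := REGION.search(line):
            info["offset"], info["side"], info["region_size"] = int(m[1]), m[2], int(m[3])
        elif line.startswith("allocated by"):
            section = "alloc"
        elif line.startswith("Thread "):
            section = None  # the thread-creation stack is not part of the signature
        elif section and (m := FRAME.match(line)):
            stacks[section].append((m[1].split("(")[0], m[2]))
    info["fault_frame"] = first_project_frame(stacks["access"])
    info["alloc_frame"] = first_project_frame(stacks["alloc"])
    # True: the copy is smaller than the buffer, so the overrun depends on the start offset.
    info["fits_in_region"] = info["size"] <= info["region_size"]
    info["signature"] = "|".join([info["bug"], info["access"], info["fault_frame"][0], info["alloc_frame"][0]])
    return info

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For this report `fits_in_region` is true: the 6238-byte copy is smaller than the 8192-byte allocation, so the overrun depends on where in the buffer the write began rather than on a single entry larger than the buffer.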