
AddressSanitizer: heap-use-after-free HQSession::main_event_handler #11227

Open
bneradt opened this issue Apr 8, 2024 · 1 comment

bneradt (Contributor) commented Apr 8, 2024

I saw this while running ATS in docs with ASan enabled and h3 configured via Alt-Svc:

[Apr  8 17:27:16.716] [ET_NET 5] DIAG: <Http3Transaction.cc:438 (~Http3Transaction)> (http3_trans) [] [18] Delete transaction
=================================================================
==1824542==ERROR: AddressSanitizer: heap-use-after-free on address 0x6260000c61a8 at pc 0x5556bb7b13f0 bp 0x7f2e7a86eac0 sp 0x7f2e7a86eab0
READ of size 8 at 0x6260000c61a8 thread T7 ([ET_NET 5])
    #0 0x5556bb7b13ef in HQSession::main_event_handler(int, void*) /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Session.cc:165
    #1 0x5556badbc70a in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
    #2 0x5556bb637026 in QUICNetVConnection::_propagate_event(int) /home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:264
    #3 0x5556bb6362c4 in QUICNetVConnection::state_established(int, Event*) /home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:211
    #4 0x5556badbc70a in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
    #5 0x5556bb7389ce in EThread::process_event(Event*, int) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:162
    #6 0x5556bb738f22 in EThread::process_queue(Queue<Event, Event::Link_link>*, int*, int*) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:197
    #7 0x5556bb7396d6 in EThread::execute_regular() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:276
    #8 0x5556bb739f65 in EThread::execute() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:348
    #9 0x5556bb736d7b in spawn_thread_internal /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:68
    #10 0x7f2e81bf7608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
    #11 0x7f2e81b1c132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

0x6260000c61a8 is located 168 bytes inside of 10968-byte region [0x6260000c6100,0x6260000c8bd8)
freed by thread T7 ([ET_NET 5]) here:
    #0 0x7f2e82a98c65 in operator delete(void*, unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:177
    #1 0x5556bb7b8fa4 in Http3Transaction::~Http3Transaction() /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Transaction.cc:451
    #2 0x5556bb7b82b2 in HQTransaction::_delete_if_possible() /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Transaction.cc:403
    #3 0x5556bb7bb2f7 in Http3Transaction::state_stream_closed(int, Event*) /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Transaction.cc:547
    #4 0x5556badbc70a in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
    #5 0x5556bb7b13a4 in HQSession::main_event_handler(int, void*) /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Session.cc:167
    #6 0x5556badbc70a in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
    #7 0x5556bb637026 in QUICNetVConnection::_propagate_event(int) /home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:264
    #8 0x5556bb6362c4 in QUICNetVConnection::state_established(int, Event*) /home/bneradt/src/trafficserver_10/src/iocore/net/QUICNetVConnection.cc:211
    #9 0x5556badbc70a in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
    #10 0x5556bb7389ce in EThread::process_event(Event*, int) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:162
    #11 0x5556bb738f22 in EThread::process_queue(Queue<Event, Event::Link_link>*, int*, int*) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:197
    #12 0x5556bb7396d6 in EThread::execute_regular() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:276
    #13 0x5556bb739f65 in EThread::execute() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:348
    #14 0x5556bb736d7b in spawn_thread_internal /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:68
    #15 0x7f2e81bf7608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477

previously allocated by thread T7 ([ET_NET 5]) here:
    #0 0x7f2e82a97587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x5556bb7a6c40 in Http3App::_handle_bidi_stream_on_read_ready(int, VIO*) /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3App.cc:305
    #2 0x5556bb7a48e5 in Http3App::main_event_handler(int, Event*) /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3App.cc:149
    #3 0x5556badbc70a in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
    #4 0x5556bb7389ce in EThread::process_event(Event*, int) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:162
    #5 0x5556bb738f22 in EThread::process_queue(Queue<Event, Event::Link_link>*, int*, int*) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:197
    #6 0x5556bb7394b9 in EThread::execute_regular() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:255
    #7 0x5556bb739f65 in EThread::execute() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:348
    #8 0x5556bb736d7b in spawn_thread_internal /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:68
    #9 0x7f2e81bf7608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477

Thread T7 ([ET_NET 5]) created by T0 ([TS_MAIN]) here:
    #0 0x7f2e829c2815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x5556bb73688f in ink_thread_create /home/bneradt/src/trafficserver_10/include/tscore/ink_thread.h:129
    #2 0x5556bb736eaf in Thread::start(char const*, void*, unsigned long, std::function<void ()> const&) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:85
    #3 0x5556bb740853 in EventProcessor::spawn_event_threads(int, int, unsigned long) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:467
    #4 0x5556bb74119f in EventProcessor::start(int, unsigned long) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:548
    #5 0x5556baddc981 in main /home/bneradt/src/trafficserver_10/src/traffic_server/traffic_server.cc:2104
    #6 0x7f2e81a21082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /home/bneradt/src/trafficserver_10/src/proxy/http3/Http3Session.cc:165 in HQSession::main_event_handler(int, void*)
Shadow bytes around the buggy address:
  0x0c4c80010be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c80010bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c80010c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c80010c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4c80010c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4c80010c30: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c4c80010c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c80010c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c80010c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c80010c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4c80010c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00   
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa   
  Freed heap region:       fd   
  Stack left redzone:      f1   
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1824542==ABORTING
bneradt added this to the 10.1.0 milestone Apr 8, 2024

maskit (Member) commented Apr 17, 2024

This is the same as #11113, and I thought #11145 fixed it, but it didn't. This is so weird.
