This is an automated email from the ASF dual-hosted git repository.
bneradt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push:
new 69e1c94db9 txn_box: Address use after free in Do_upstream_rsp_body
(#11428)
69e1c94db9 is described below
commit 69e1c94db9f47d597ed61f09419b46e0aad3a7bb
Author: Brian Neradt <[email protected]>
AuthorDate: Tue Jun 11 09:35:11 2024 -0500
txn_box: Address use after free in Do_upstream_rsp_body (#11428)
ASan reported a use-after-free in Do_upstream_rsp_body. This adds
clearing the Continuation's data of the State member upon destruction
because any use of it will be a use after free by definition.
```
=================================================================
==764533==ERROR: AddressSanitizer: heap-use-after-free on address
0x62d006090610 at pc 0x7f5702f4d0d2 bp 0x7f5833a15ca0 sp 0x7f5833a15c90
READ of size 8 at 0x62d006090610 thread T24 ([ET_NET 22])
#0 0x7f5702f4d0d1 in operator()
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/plugins/experimental/txn_box/plugin/src/Machinery.cc:2579
#1 0x7f5702f4d0d1 in _FUN
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/plugins/experimental/txn_box/plugin/src/Machinery.cc:2591
#2 0x1251b2a in INKContInternal::handle_event(int, void*)
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/api/InkContInternal.cc:153
#3 0x116b304 in Continuation::handleEvent(int, void*)
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/include/iocore/eventsystem/Continuation.h:228
#4 0x116b304 in Continuation::handleEvent(int, void*)
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/include/iocore/eventsystem/Continuation.h:224
#5 0x116b304 in EThread::process_event(Event*, int)
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/UnixEThread.cc:162
#6 0x116d132 in EThread::process_queue(Queue<Event, Event::Link_link>*,
int*, int*)
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/UnixEThread.cc:197
#7 0x116e07f in EThread::execute_regular()
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/UnixEThread.cc:255
#8 0x116f7d8 in EThread::execute()
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/UnixEThread.cc:348
#9 0x116f7d8 in EThread::execute()
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/UnixEThread.cc:326
#10 0x11684e7 in spawn_thread_internal
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/Thread.cc:75
#11 0x7f58493031c9 in start_thread (/lib64/libpthread.so.0+0x81c9)
(BuildId: e08f397aa6b7de799209cd5bc35aabe0496678f1)
#12 0x7f5848f6fe72 in __clone (/lib64/libc.so.6+0x39e72) (BuildId:
574d156ec0c828321a4038189fc1cfe74d0bb2ec)
0x62d006090610 is located 528 bytes inside of 32752-byte region
[0x62d006090400,0x62d0060983f0)
freed by thread T24 ([ET_NET 22]) here:
#0 0x7f584aa05170 in __interceptor_free.part.0
(/lib64/libasan.so.8+0xdc170) (BuildId:
71dbf393857c775be459ab5583ba7b5fcbd9c884)
#1 0x7f5849b71665 in swoc::_1_5_12::MemArena::Block::operator
delete(void*)
_sdk/release_posix-x86_64_gcc_12/libswoc_1.5.12/include/swoc/MemArena.h:646
#2 0x7f5849b71665 in swoc::_1_5_12::MemArena::~MemArena()
_scm/libswoc/code/src/MemArena.cc:276
previously allocated by thread T24 ([ET_NET 22]) here:
#0 0x7f584aa0662f in malloc (/lib64/libasan.so.8+0xdd62f) (BuildId:
71dbf393857c775be459ab5583ba7b5fcbd9c884)
#1 0x7f5849b718ab in swoc::_1_5_12::MemArena::make_block(unsigned long)
_scm/libswoc/code/src/MemArena.cc:99
Thread T24 ([ET_NET 22]) created by T0 ([TS_MAIN]) here:
#0 0x7f584a971ea5 in __interceptor_pthread_create
(/lib64/libasan.so.8+0x48ea5) (BuildId:
71dbf393857c775be459ab5583ba7b5fcbd9c884)
#1 0x1168c0c in ink_thread_create
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/include/tscore/ink_thread.h:129
#2 0x1168c0c in Thread::start(char const*, void*, unsigned long,
std::function<void ()> const&)
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/Thread.cc:92
#3 0x117a904 in EventProcessor::spawn_event_threads(int, int, unsigned
long)
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/UnixEventProcessor.cc:467
#4 0x117b75a in EventProcessor::start(int, unsigned long)
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/iocore/eventsystem/UnixEventProcessor.cc:548
#5 0x56dc74 in main
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/src/traffic_server/traffic_server.cc:2104
#6 0x7f5848f70d84 in __libc_start_main (/lib64/libc.so.6+0x3ad84)
(BuildId: 574d156ec0c828321a4038189fc1cfe74d0bb2ec)
SUMMARY: AddressSanitizer: heap-use-after-free
/sd/workspace/src/git.ouryahoo.com/Edge/build/_scm/trafficserver10.0_asan/plugins/experimental/txn_box/plugin/src/Machinery.cc:2579
in operator()
Shadow bytes around the buggy address:
0x62d006090380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x62d006090400: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x62d006090480: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x62d006090500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x62d006090580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x62d006090600: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x62d006090680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x62d006090700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x62d006090780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x62d006090800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x62d006090880: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==764533==ABORTING
```
---
plugins/experimental/txn_box/plugin/src/Machinery.cc | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/plugins/experimental/txn_box/plugin/src/Machinery.cc
b/plugins/experimental/txn_box/plugin/src/Machinery.cc
index 7685f6a241..758173c499 100644
--- a/plugins/experimental/txn_box/plugin/src/Machinery.cc
+++ b/plugins/experimental/txn_box/plugin/src/Machinery.cc
@@ -2538,9 +2538,13 @@ Do_upstream_rsp_body::invoke(Context &ctx)
struct State {
TextView _view; ///< Source view for body.
TSIOBuffer _tsio_buff = nullptr; ///< Buffer used to write body.
+ TSCont _cont = nullptr; ///< Transform continuation with which
State is associated.
/// Clean up the @c IOBuffer.
~State()
{
+ if (_cont != nullptr) {
+ TSContDataSet(_cont, nullptr);
+ }
if (_tsio_buff) {
TSIOBufferDestroy(_tsio_buff);
}
@@ -2550,6 +2554,10 @@ Do_upstream_rsp_body::invoke(Context &ctx)
auto static transform = [](TSCont contp, TSEvent ev_code, void *) -> int {
if (TSVConnClosedGet(contp)) {
// IOBuffer is cleaned up at transaction close, not here.
+ if (auto state = static_cast<State *>(TSContDataGet(contp)); state) {
+ state->_cont = nullptr;
+ TSContDataSet(contp, nullptr);
+ }
TSContDestroy(contp);
return 0;
}
@@ -2614,6 +2622,7 @@ Do_upstream_rsp_body::invoke(Context &ctx)
auto state = ctx.make<State>();
ctx.mark_for_cleanup(state);
auto cont = TSTransformCreate(transform, ctx._txn);
+ state->_cont = cont;
state->_view = *content;
TSContDataSet(cont, state);
TSHttpTxnHookAdd(ctx._txn, TS_HTTP_RESPONSE_TRANSFORM_HOOK, cont);
