Mailing List Archive

#1852: Use-after-free situation on ESI include
----------------------+-------------------
Reporter: daghf | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: varnishd | Version: trunk
Severity: normal | Keywords:
----------------------+-------------------
Spotted a use-after-free situation by running make check with AddressSanitizer enabled.

Triggered in e00011.vtc, e00018.vtc, r00590.vtc, r00612.vtc and
r00961.vtc.

Full test log attached. Excerpt below.


{{{
==12171==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000af50 at pc 0x7f0c62cd3666 bp 0x7f0c5ba56bd0 sp 0x7f0c5ba56380
READ of size 14 at 0x60200000af50 thread T14 (cache-worker)
    #0 0x7f0c62cd3665 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x45665)
    #1 0x7f0c62cd39fc in writev (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x459fc)
    #2 0x4daa6a in V1L_Flush http1/cache_http1_line.c:186
    #3 0x4d3d4c in v1d_bytes http1/cache_http1_deliver.c:54
    #4 0x430b3b in VDP_bytes cache/cache_deliver_proc.c:51
    #5 0x436cac in VDP_ESI cache/cache_esi_deliver.c:374
    #6 0x430b3b in VDP_bytes cache/cache_deliver_proc.c:51
    #7 0x431842 in vdp_objiterator cache/cache_deliver_proc.c:120
    #8 0x51d631 in sml_iterator storage/storage_simple.c:250
    #9 0x47851c in ObjIterate cache/cache_obj.c:76
    #10 0x431998 in VDP_DeliverObj cache/cache_deliver_proc.c:129
    #11 0x4d4a3d in V1D_Deliver http1/cache_http1_deliver.c:131
    #12 0x486845 in cnt_vdp cache/cache_req_fsm.c:108
    #13 0x487b7d in cnt_deliver cache/cache_req_fsm.c:202
    #14 0x48eb12 in CNT_Request ../../include/tbl/steps.h:54
    #15 0x4d916e in HTTP1_Session http1/cache_http1_fsm.c:267
    #16 0x4948be in SES_Proto_Req cache/cache_session.c:318
    #17 0x4c6b83 in Pool_Work_Thread cache/cache_wrk.c:341
    #18 0x4c3480 in WRK_Thread cache/cache_wrk.c:121
    #19 0x4c6f88 in pool_thread cache/cache_wrk.c:371
    #20 0x7f0c617df283 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7283)
    #21 0x7f0c6151c74c in clone (/lib/x86_64-linux-gnu/libc.so.6+0xe874c)

0x60200000af50 is located 0 bytes inside of 14-byte region [0x60200000af50,0x60200000af5e)
freed by thread T14 (cache-worker) here:
    #0 0x7f0c62d21bfa in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x93bfa)
    #1 0x50c447 in sma_free storage/storage_malloc.c:146
    #2 0x51bbe3 in sml_stv_free storage/storage_simple.c:79
    #3 0x51ceb7 in sml_slim storage/storage_simple.c:194
    #4 0x479db8 in ObjSlim cache/cache_obj.c:242
    #5 0x487d7e in cnt_deliver cache/cache_req_fsm.c:214
    #6 0x48eb12 in CNT_Request ../../include/tbl/steps.h:54
    #7 0x434f90 in ved_include cache/cache_esi_deliver.c:161
    #8 0x4366f9 in VDP_ESI cache/cache_esi_deliver.c:335
    #9 0x430b3b in VDP_bytes cache/cache_deliver_proc.c:51
    #10 0x431842 in vdp_objiterator cache/cache_deliver_proc.c:120
    #11 0x51d631 in sml_iterator storage/storage_simple.c:250
    #12 0x47851c in ObjIterate cache/cache_obj.c:76
    #13 0x431998 in VDP_DeliverObj cache/cache_deliver_proc.c:129
    #14 0x4d4a3d in V1D_Deliver http1/cache_http1_deliver.c:131
    #15 0x486845 in cnt_vdp cache/cache_req_fsm.c:108
    #16 0x487b7d in cnt_deliver cache/cache_req_fsm.c:202
    #17 0x48eb12 in CNT_Request ../../include/tbl/steps.h:54
    #18 0x4d916e in HTTP1_Session http1/cache_http1_fsm.c:267
    #19 0x4948be in SES_Proto_Req cache/cache_session.c:318
    #20 0x4c6b83 in Pool_Work_Thread cache/cache_wrk.c:341
    #21 0x4c3480 in WRK_Thread cache/cache_wrk.c:121
    #22 0x4c6f88 in pool_thread cache/cache_wrk.c:371
    #23 0x7f0c617df283 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7283)

previously allocated by thread T13 (cache-worker) here:
    #0 0x7f0c62d21e9a in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x93e9a)
    #1 0x50ba5c in sma_alloc storage/storage_malloc.c:95
    #2 0x51b8d3 in sml_stv_alloc storage/storage_simple.c:59
    #3 0x51e144 in objallocwithnuke storage/storage_simple.c:334
    #4 0x51e884 in sml_getspace storage/storage_simple.c:370
    #5 0x4787f7 in ObjGetSpace cache/cache_obj.c:99
    #6 0x456a10 in VFP_GetStorage cache/cache_fetch_proc.c:86
    #7 0x44f97a in vbf_fetch_body_helper cache/cache_fetch.c:505
    #8 0x451a91 in vbf_stp_fetch cache/cache_fetch.c:660
    #9 0x454e7f in vbf_fetch_thread ../../include/tbl/steps.h:63
    #10 0x4c6b83 in Pool_Work_Thread cache/cache_wrk.c:341
    #11 0x4c3480 in WRK_Thread cache/cache_wrk.c:121
    #12 0x4c6f88 in pool_thread cache/cache_wrk.c:371
    #13 0x7f0c617df283 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7283)

Thread T14 (cache-worker) created by T5 here:
    #0 0x7f0c62cc3ef4 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x35ef4)
    #1 0x4c73b0 in pool_breed cache/cache_wrk.c:396
    #2 0x4c7a51 in pool_herder cache/cache_wrk.c:445
    #3 0x7f0c617df283 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7283)

Thread T5 created by T4 (pool_herder) here:
    #0 0x7f0c62cc3ef4 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x35ef4)
    #1 0x4814f3 in pool_mkpool cache/cache_pool.c:167
    #2 0x481639 in pool_poolherder cache/cache_pool.c:199
    #3 0x7f0c617df283 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7283)

Thread T4 (pool_herder) created by T0 (cache-main) here:
    #0 0x7f0c62cc3ef4 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x35ef4)
    #1 0x481933 in Pool_Init cache/cache_pool.c:239
    #2 0x4741e1 in child_main cache/cache_main.c:246
    #3 0x4e6955 in mgt_launch_child mgt/mgt_child.c:379
    #4 0x4e7eff in mcf_server_startstop mgt/mgt_child.c:610
    #5 0x7f0c62a5d1fb in cls_dispatch /home/daghf/varnish-master/lib/libvarnish/cli_serve.c:235
    #6 0x7f0c62a5da61 in cls_vlu2 /home/daghf/varnish-master/lib/libvarnish/cli_serve.c:295
    #7 0x7f0c62a5e524 in cls_vlu /home/daghf/varnish-master/lib/libvarnish/cli_serve.c:360
    #8 0x7f0c62a70456 in LineUpProcess /home/daghf/varnish-master/lib/libvarnish/vlu.c:98
    #9 0x7f0c62a708d7 in VLU_Fd /home/daghf/varnish-master/lib/libvarnish/vlu.c:123
    #10 0x7f0c62a60b42 in VCLS_PollFd /home/daghf/varnish-master/lib/libvarnish/cli_serve.c:513
    #11 0x4ea1c4 in mgt_cli_callback2 mgt/mgt_cli.c:373
    #12 0x7f0c62a6d7f2 in vev_schedule_one /home/daghf/varnish-master/lib/libvarnish/vev.c:502
    #13 0x7f0c62a6c3a8 in vev_schedule /home/daghf/varnish-master/lib/libvarnish/vev.c:367
    #14 0x4e8987 in MGT_Run mgt/mgt_child.c:721
    #15 0x4f37db in main mgt/mgt_main.c:829
    #16 0x7f0c6145486f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2086f)

Thread T13 (cache-worker) created by T5 here:
    #0 0x7f0c62cc3ef4 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x35ef4)
    #1 0x4c73b0 in pool_breed cache/cache_wrk.c:396
    #2 0x4c7a51 in pool_herder cache/cache_wrk.c:445
    #3 0x7f0c617df283 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7283)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c047fff9590: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff95a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff95b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff95c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff95d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff95e0: fa fa fa fa fa fa fa fa fa fa[fd]fd fa fa fd fd
  0x0c047fff95f0: fa fa 00 05 fa fa fd fd fa fa fd fd fa fa 00 07
  0x0c047fff9600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Container overflow:    fc
  Array cookie:          ac
  Intra object redzone:  bb
  ASan internal:         fe
==12171==ABORTING
}}}

--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1852>
Varnish <https://varnish-cache.org/>
The Varnish HTTP Accelerator

_______________________________________________
varnish-bugs mailing list
varnish-bugs@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-bugs
Re: #1852: Use-after-free situation on ESI include
----------------------+----------------------------------------
Reporter: daghf | Owner: Poul-Henning Kamp <phk@…>
Type: defect | Status: closed
Priority: normal | Milestone:
Component: varnishd | Version: trunk
Severity: normal | Resolution: fixed
Keywords: |
----------------------+----------------------------------------
Changes (by Poul-Henning Kamp <phk@…>):

* status: new => closed
* owner: => Poul-Henning Kamp <phk@…>
* resolution: => fixed


Comment:

In [776c8386b063b53ef40317a3d8a98ef495ff709f]:
{{{
#!CommitTicketReference repository="" revision="776c8386b063b53ef40317a3d8a98ef495ff709f"
Add a missing VDP flush operation after ESI:includes.

In incredibly seldom circumstances this bug would cause ESI:include
data to be bad.

Fixes: #1852
}}}

--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1852#comment:1>
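The trace in the report shows the delivery-side write buffer (V1L_Flush calling writev) reading object storage that ObjSlim had already freed when the included sub-request's delivery returned, before the queued iovecs had been written out; the fix is the flush after the ESI include. The following is an added example, not Varnish code: a minimal model of such a zero-copy write buffer in which storage release checks for still-queued iovecs, so the missing-flush ordering is refused and reported instead of being read back as freed memory. The names (vbuf, stor, run_case) and the sample bodies are constructed for the example.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>
#include <unistd.h>
struct stor { char *ptr; size_t len; };            /* one piece of object body storage */
/* Zero-copy write buffer: the iovecs point into storage, nothing is copied. */
struct vbuf { int fd, niov; struct iovec iov[8]; const struct stor *owner[8]; };
static void vbuf_add(struct vbuf *b, const struct stor *st) {
    assert(b->niov < 8);
    b->iov[b->niov] = (struct iovec){ st->ptr, st->len };
    b->owner[b->niov++] = st;                       /* remember whose memory it is */
}
static ssize_t vbuf_flush(struct vbuf *b) {         /* stand-in for V1L_Flush */
    ssize_t n = b->niov ? writev(b->fd, b->iov, b->niov) : 0;
    b->niov = 0;
    return n;
}
/* Guarded release: refuse to free storage that a queued iovec still points
 * into, so the ordering bug is reported instead of read back as freed memory. */
static int stor_release(struct vbuf *b, struct stor *st) {
    for (int i = 0; i < b->niov; i++)
        if (b->owner[i] == st)
            return -1;
    free(st->ptr);
    st->ptr = NULL;
    return 0;
}
/* Parent fragment, then an included object whose storage is released as soon as
 * its delivery returns, pushed through a pipe so the client side can be read back.
 * 0 = the ticket's ordering, 1 = with the fix's flush. Returns bytes the client
 * got, or -1 when the release had to be refused. */
static ssize_t run_case(int flush_after_include, char *out, size_t outsz) {
    int p[2];
    if (pipe(p) != 0) return -2;
    struct vbuf b = { .fd = p[1], .niov = 0 };
    char html[] = "<html>";
    struct stor parent = { html, 6 }, inc = { malloc(13), 13 };
    memcpy(inc.ptr, "included-body", 13);           /* constructed body, on the heap like a fetch */
    vbuf_add(&b, &parent);
    vbuf_add(&b, &inc);                             /* include's bytes are only queued */
    if (flush_after_include) vbuf_flush(&b);        /* the flush the fix adds */
    int rc = stor_release(&b, &inc);                /* include finished: slim its storage */
    if (rc == 0) vbuf_flush(&b);
    free(inc.ptr);                                  /* NULL if already released */
    close(p[1]);
    ssize_t got = read(p[0], out, outsz);
    close(p[0]);
    return rc == 0 ? got : -1;
}
```

With the flush in place the client receives the 19 bytes of both fragments; without it the guarded release refuses to free the included object's storage, which is the condition AddressSanitizer caught in the test suite.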
Re: #1852: Use-after-free situation on ESI include
----------------------+----------------------------------------
Reporter: daghf | Owner: Poul-Henning Kamp <phk@…>
Type: defect | Status: closed
Priority: normal | Milestone:
Component: varnishd | Version: trunk
Severity: normal | Resolution: fixed
Keywords: |
----------------------+----------------------------------------

Comment (by Lasse Karstensen <lkarsten@…>):

In [1a92e35518210636e09cfb485a692de7570a218b]:
{{{
#!CommitTicketReference repository="" revision="1a92e35518210636e09cfb485a692de7570a218b"
Add a missing VDP flush operation after ESI:includes.

In incredibly seldom circumstances this bug would cause ESI:include
data to be bad.

Fixes: #1852
}}}

--
Ticket URL: <https://www.varnish-cache.org/trac/ticket/1852#comment:2>