10.1.0: ASan buffer overrun in StripeSM::evac_range #12123

@bneradt

Description

I put the following 10.1.x release down on docs (the latest commit on the branch at the time):

commit 42f2920bce6df86e0e21a8de85e33a1795e9eff5 (HEAD -> 10.1.x, origin/10.1.x)
Author: Chris McFarlen <chris@mcfarlen.us>
Date:   Tue Mar 11 11:51:42 2025 -0500

    Move defaulting install prefix before layout setup (#12085)

    Co-authored-by: Chris McFarlen <cmcfarlen@apple.com>
    (cherry picked from commit 9a1ef119f3b7a017583c9aa5d088b2437101b92a)

Docs were stable at first, but the following ASan buffer overrun started happening, which made our ATS docs site inaccessible:

=================================================================
==178668==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000010188 at pc 0x5632e13fcdb8 bp 0x7f3595672480 sp 0x7f3595672470
READ of size 8 at 0x616000010188 thread T4 ([ET_NET 2])
    #0 0x5632e13fcdb7 in StripeSM::evac_range(long, long, int) /home/bneradt/src/trafficserver_10/src/iocore/cache/StripeSM.cc:1097
    #1 0x5632e13f90ce in StripeSM::aggWrite(int, void*) /home/bneradt/src/trafficserver_10/src/iocore/cache/StripeSM.cc:815
    #2 0x5632e13c63b0 in CacheVC::handleWrite(int, Event*) /home/bneradt/src/trafficserver_10/src/iocore/cache/CacheWrite.cc:264
    #3 0x5632e13b60fa in CacheVC::do_write_call() /home/bneradt/src/trafficserver_10/src/iocore/cache/P_CacheInternal.h:286
    #4 0x5632e13c59cc in CacheVC::updateVector(int, Event*) /home/bneradt/src/trafficserver_10/src/iocore/cache/CacheWrite.cc:195
    #5 0x5632e13c97a3 in CacheVC::openWriteClose(int, Event*) /home/bneradt/src/trafficserver_10/src/iocore/cache/CacheWrite.cc:460
    #6 0x5632e1368321 in CacheVC::die() /home/bneradt/src/trafficserver_10/src/iocore/cache/P_CacheInternal.h:308
    #7 0x5632e13b7d6d in CacheVC::do_io_close(int) /home/bneradt/src/trafficserver_10/src/iocore/cache/CacheVC.cc:232
    #8 0x5632e0f8b6a6 in HttpCacheSM::close_write() /home/bneradt/src/trafficserver_10/include/proxy/http/HttpCacheSM.h:180
    #9 0x5632e0f676d1 in HttpSM::issue_cache_update() /home/bneradt/src/trafficserver_10/src/proxy/http/HttpSM.cc:6517
    #10 0x5632e0f77e4c in HttpSM::set_next_state() /home/bneradt/src/trafficserver_10/src/proxy/http/HttpSM.cc:8137
    #11 0x5632e0f754b2 in HttpSM::call_transact_and_set_next_state(void (*)(HttpTransact::State*)) /home/bneradt/src/trafficserver_10/src/proxy/http/HttpSM.cc:7837
    #12 0x5632e0f33db6 in HttpSM::handle_api_return() /home/bneradt/src/trafficserver_10/src/proxy/http/HttpSM.cc:1578
    #13 0x5632e0f33798 in HttpSM::state_api_callout(int, void*) /home/bneradt/src/trafficserver_10/src/proxy/http/HttpSM.cc:1510
    #14 0x5632e0f31e22 in HttpSM::state_api_callback(int, void*) /home/bneradt/src/trafficserver_10/src/proxy/http/HttpSM.cc:1310
    #15 0x7f359d379de9 in TSHttpTxnReenable(tsapi_httptxn*, TSEvent) /home/bneradt/src/trafficserver_10/src/api/InkAPI.cc:5045
    #16 0x7f35913d23e1 in transform_plugin /home/bneradt/src/trafficserver_10/plugins/compress/compress.cc:959
    #17 0x5632e1835def in INKContInternal::handle_event(int, void*) /home/bneradt/src/trafficserver_10/src/api/InkContInternal.cc:160
    #18 0x5632e0dde8f8 in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
    #19 0x5632e18384d8 in APIHook::invoke(int, void*) const /home/bneradt/src/trafficserver_10/src/api/APIHook.cc:60
    #20 0x5632e0f32fa5 in HttpSM::state_api_callout(int, void*) /home/bneradt/src/trafficserver_10/src/proxy/http/HttpSM.cc:1434
    #21 0x5632e0f6023c in HttpSM::do_api_callout_internal() /home/bneradt/src/trafficserver_10/src/proxy/http/HttpSM.cc:5778
    #22 0x5632e0f96518 in HttpSM::do_api_callout() (/opt/ats/bin/traffic_server+0xc9b518)
    #23 0x5632e0f38946 in HttpSM::state_read_server_response_header(int, void*) /home/bneradt/src/trafficserver_10/src/proxy/http/HttpSM.cc:2056
    #24 0x5632e0f3f413 in HttpSM::main_handler(int, void*) /home/bneradt/src/trafficserver_10/src/proxy/http/HttpSM.cc:2650
    #25 0x5632e0dde8f8 in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
    #26 0x5632e1630fdb in read_signal_and_update /home/bneradt/src/trafficserver_10/src/iocore/net/UnixNetVConnection.cc:85
    #27 0x5632e16359cd in UnixNetVConnection::net_read_io(NetHandler*) /home/bneradt/src/trafficserver_10/src/iocore/net/UnixNetVConnection.cc:610
    #28 0x5632e16bfe48 in NetHandler::process_ready_list() /home/bneradt/src/trafficserver_10/src/iocore/net/NetHandler.cc:284
    #29 0x5632e16c07d6 in NetHandler::waitForActivity(long) /home/bneradt/src/trafficserver_10/src/iocore/net/NetHandler.cc:375
    #30 0x5632e175a1e5 in EThread::execute_regular() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:307
    #31 0x5632e175a726 in EThread::execute() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:358
    #32 0x5632e17573ac in spawn_thread_internal /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:75
    #33 0x7f359c614608 in start_thread /build/glibc-LcI20x/glibc-2.31/nptl/pthread_create.c:477
    #34 0x7f359c539352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352)

0x616000010188 is located 0 bytes to the right of 520-byte region [0x61600000ff80,0x616000010188)
allocated by thread T9 ([ET_NET 7]) here:
    #0 0x7f359d623157 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x5632e0e53656 in ats_malloc(unsigned long) /home/bneradt/src/trafficserver_10/src/tscore/ink_memory.cc:65
    #2 0x5632e13d77f1 in PreservationTable::PreservationTable(int) /home/bneradt/src/trafficserver_10/src/iocore/cache/PreservationTable.cc:52
    #3 0x5632e13f0c6c in StripeSM::StripeSM(CacheDisk*, long, long, int, int) /home/bneradt/src/trafficserver_10/src/iocore/cache/StripeSM.cc:120
    #4 0x5632e135e1c8 in Cache::open(bool, bool) /home/bneradt/src/trafficserver_10/src/iocore/cache/Cache.cc:276
    #5 0x5632e139405d in CacheProcessor::diskInitialized() /home/bneradt/src/trafficserver_10/src/iocore/cache/CacheProcessor.cc:814
    #6 0x5632e137cbdf in CacheDisk::openDone(int, void*) /home/bneradt/src/trafficserver_10/src/iocore/cache/CacheDisk.cc:218
    #7 0x5632e137ca82 in CacheDisk::openStart(int, void*) /home/bneradt/src/trafficserver_10/src/iocore/cache/CacheDisk.cc:210
    #8 0x5632e0dde8f8 in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
    #9 0x5632e1418bfa in AIOCallback::io_complete(int, void*) /home/bneradt/src/trafficserver_10/src/iocore/aio/AIO.cc:100
    #10 0x5632e0dde8f8 in Continuation::handleEvent(int, void*) /home/bneradt/src/trafficserver_10/include/iocore/eventsystem/Continuation.h:228
    #11 0x5632e1759170 in EThread::process_event(Event*, int) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:166
    #12 0x5632e17596c4 in EThread::process_queue(Queue<Event, Event::Link_link>*, int*, int*) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:201
    #13 0x5632e1759c5b in EThread::execute_regular() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:259
    #14 0x5632e175a726 in EThread::execute() /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEThread.cc:358
    #15 0x5632e17573ac in spawn_thread_internal /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:75
    #16 0x7f359c614608 in start_thread /build/glibc-LcI20x/glibc-2.31/nptl/pthread_create.c:477

Thread T4 ([ET_NET 2]) created by T0 ([TS_MAIN]) here:
    #0 0x7f359d5caa65 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x5632e1756e23 in ink_thread_create /home/bneradt/src/trafficserver_10/include/tscore/ink_thread.h:129
    #2 0x5632e17574df in Thread::start(char const*, void*, unsigned long, std::function<void ()> const&) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:92
    #3 0x5632e17615a5 in EventProcessor::spawn_event_threads(int, int, unsigned long) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:476
    #4 0x5632e1761ef1 in EventProcessor::start(int, unsigned long) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:557
    #5 0x5632e0dfc56e in main /home/bneradt/src/trafficserver_10/src/traffic_server/traffic_server.cc:2152
    #6 0x7f359c43e082 in __libc_start_main ../csu/libc-start.c:308

Thread T9 ([ET_NET 7]) created by T0 ([TS_MAIN]) here:
    #0 0x7f359d5caa65 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x5632e1756e23 in ink_thread_create /home/bneradt/src/trafficserver_10/include/tscore/ink_thread.h:129
    #2 0x5632e17574df in Thread::start(char const*, void*, unsigned long, std::function<void ()> const&) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/Thread.cc:92
    #3 0x5632e17615a5 in EventProcessor::spawn_event_threads(int, int, unsigned long) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:476
    #4 0x5632e1761ef1 in EventProcessor::start(int, unsigned long) /home/bneradt/src/trafficserver_10/src/iocore/eventsystem/UnixEventProcessor.cc:557
    #5 0x5632e0dfc56e in main /home/bneradt/src/trafficserver_10/src/traffic_server/traffic_server.cc:2152
    #6 0x7f359c43e082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/bneradt/src/trafficserver_10/src/iocore/cache/StripeSM.cc:1097 in StripeSM::evac_range(long, long, int)
Shadow bytes around the buggy address:
  0x0c2c7fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff9ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fffa000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fffa010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fffa020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2c7fffa030: 00[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffa050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffa060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffa070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fffa080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==178668==ABORTING
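Reading the report: the faulting access is an 8-byte READ starting exactly at the end of a 520-byte heap region, so if that region holds 8-byte entries it has 65 of them (indices 0 to 64) and the access is to index 65, a one-past-the-end read. The parser below is an added triage example, not part of this issue or of Traffic Server; it extracts those fields from the header lines of the report quoted above and computes that index. The 8-byte element size is an assumption taken from the READ size, not from the PreservationTable source.

```python
import re
from dataclasses import dataclass

# Constructed excerpt: the header lines of the ASan report quoted in this issue.
ASAN_REPORT = """\
==178668==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x616000010188 at pc 0x5632e13fcdb8 bp 0x7f3595672480 sp 0x7f3595672470
READ of size 8 at 0x616000010188 thread T4 ([ET_NET 2])
    #0 0x5632e13fcdb7 in StripeSM::evac_range(long, long, int) /home/bneradt/src/trafficserver_10/src/iocore/cache/StripeSM.cc:1097
0x616000010188 is located 0 bytes to the right of 520-byte region [0x61600000ff80,0x616000010188)
allocated by thread T9 ([ET_NET 7]) here:
    #2 0x5632e13d77f1 in PreservationTable::PreservationTable(int) /home/bneradt/src/trafficserver_10/src/iocore/cache/PreservationTable.cc:52
"""

@dataclass
class OobAccess:
    kind: str           # READ or WRITE
    size: int           # bytes touched by the faulting access
    address: int
    region_start: int
    region_end: int     # exclusive end of the allocation
    side: str           # "right" = past the end, "left" = before the start
    frame0: str         # innermost frame of the access stack

    @property
    def region_size(self) -> int:
        return self.region_end - self.region_start

    def element_index(self, elem_size: int) -> int:
        # Array slot the access hits if the region holds elem_size-byte elements (assumed 8 here).
        return (self.address - self.region_start) // elem_size

    def element_count(self, elem_size: int) -> int:
        return self.region_size // elem_size

    def is_off_by_one(self, elem_size: int) -> bool:
        # Exactly one element accessed, starting at the first byte past the region.
        return self.side == "right" and self.address == self.region_end and self.size == elem_size

def parse_asan_heap_overflow(report: str) -> OobAccess:
    """Extract access and region facts from an ASan heap-buffer-overflow report."""
    access = re.search(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", report, re.M)
    # ASan prints the access stack before the allocation stack, so the first #0 is the faulting frame.
    frame0 = re.search(r"^\s*#0 0x[0-9a-f]+ in (.+?) /", report, re.M)
    region = re.search(r"is located (\d+) bytes to the (left|right) of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    if not (access and frame0 and region):
        raise ValueError("not a recognised ASan heap-buffer-overflow report")
    start, end = int(region.group(4), 16), int(region.group(5), 16)
    if end - start != int(region.group(3)):   # sanity-check the printed bounds against the stated size
        raise ValueError("region bounds disagree with the stated region size")
    return OobAccess(access.group(1), int(access.group(2)), int(access.group(3), 16),
                     start, end, region.group(2), frame0.group(1))
```

Running `parse_asan_heap_overflow(ASAN_REPORT)` on the report above gives a 520-byte region, 65 elements of 8 bytes, and an access at index 65, so a bounds check that admits the index equal to the element count is the thing to look for at StripeSM.cc:1097.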
