[conn_pool] fix use after free in H/1 connection pool #14220
Signed-off-by: Asra Ali <[email protected]>
Going to close this until I figure out more test failures.
This reverts commit b48aee6. Signed-off-by: Asra Ali <[email protected]>
Thanks for taking on the debugging and fixing of this crash.
Working on reproducing the test failure in opt mode (doesn't reproduce locally with bazel)
The new test case is crashing on the gcc build and possibly others. Please take a look.
Seems to be an issue clearing the deferred delete list which contains a connection pool. When conn pool is destroyed, it destroys its clients, which calls clear deferred delete again, and then recurses. This wouldn't happen with a real dispatcher, so working on modifying the clearDeferredDeleteList to change.
MockDestructSchedulableCallback* upstream_ready_cb) | ||
: ConnPoolImplForTest(dispatcher, cluster, random_generator, upstream_ready_cb) {} | ||
|
||
~ConnPoolImplNoDestructForTest() override {} = default; |
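Review bot: the destructor line `~ConnPoolImplNoDestructForTest() override {} = default;` cannot compile as written, because a destructor takes either a body or `= default`, never both; if the override is kept at all it should read `~ConnPoolImplNoDestructForTest() override = default;`, and since the body is empty anyway, dropping the override entirely is the cleaner choice.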
You could remove this empty destructor override.
At the very least change to:
~ConnPoolImplNoDestructForTest() override = default;
I ended up getting rid of it, I dealt with the client destruction in the test instead of in this special connpool
@@ -253,6 +250,9 @@ class ConnPoolImplBase : protected Logger::Loggable<Logger::Id::pool> { | |||
// The number of streams that can be immediately dispatched | |||
// if all CONNECTING connections become connected. | |||
uint32_t connecting_stream_capacity_{0}; | |||
|
|||
void onUpstreamReady(); |
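Review bot: `void onUpstreamReady();` is declared after the data member `connecting_stream_capacity_`, which breaks the usual private-section order (classes/structs, then functions, then data members); move it up beside the other member functions. Since this is the method the dispatcher was calling on an already-destroyed pool, a one-line comment stating under what ownership guarantee it may be invoked (the scheduled callback handle living and dying with the pool) would document the invariant the fix relies on.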
nit: Usual ordering of elements in the private section according to style guide is:
- classes/structs
- functions
- data members
* master: (41 commits)
  event: Remove a source of non-determinism by always running deferred deletion before post callbacks (envoyproxy#14293)
  Fix TSAN bug in integration test (envoyproxy#14327)
  tracing: Add hostname to Zipkin config. (envoyproxy#14186) (envoyproxy#14187)
  [conn_pool] fix use after free in H/1 connection pool (envoyproxy#14220)
  lua: update deprecated lua_open to luaL_newstate (envoyproxy#14297)
  extension: use bool_flag to control extension link (envoyproxy#14240)
  stats: Factor out creation of cluster-stats StatNames from creation of the stats, to save CPU during xDS updates (envoyproxy#14028)
  test: add scaled timer integration test (envoyproxy#14290)
  [Win32 Signals] Add term and ctrl-c signal handlers (envoyproxy#13954)
  config: v2 transport API fatal-by-default. (envoyproxy#14223)
  matcher: fix UB bug caused by dereferencing a bad optional (envoyproxy#14271)
  test: putting fake upstream config in a struct (envoyproxy#14266)
  wasm: use Bazel rules from Proxy-Wasm Rust SDK. (envoyproxy#14292)
  docs: fix typo (envoyproxy#14237)
  dependencies: allowlist CVE-2018-21270 to prevent false positives. (envoyproxy#14294)
  typo in redis doc (envoyproxy#14248)
  access_loggers: removed redundant dep (envoyproxy#14274)
  fix http2 flaky test (envoyproxy#14261)
  test: disable flaky xds_integration_test. (envoyproxy#14287)
  http: add functionality to configure kill header in KillRequest proto (envoyproxy#14288)
  ...
Signed-off-by: Michael Puncel <[email protected]>
Signed-off-by: Asra Ali [email protected]
Commit Message: Fixes (thanks @yanavlasov @antoniovicente) use after free when dispatcher tries to run conn_pool->onUpstreamReady() after the connection pool was destroyed. Reverts back to a schedulable callback per https://github.com/envoyproxy/envoy/pull/13867/files
Risk Level: Medium
Testing: Added test. This test fails with the use after free at head:
This test had to be modified now that there is a schedulable callback. What I don't like about the fix/test is that the callback is never scheduled after the fix because it is guarded by hasPendingStreams() which ends up false in this test, so there is never a potential for use after free if I add that if condition. I don't know if in production crashes this is exactly the problem or not. Trying to understand how to make this test better..
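Added illustration, not Envoy's code, of the lifetime problem the description is about: a toy dispatcher with an uncancellable post() that captures a raw `this` (the pre-fix pattern) beside a schedulable callback that is owned by the pool and only scheduled when hasPendingStreams() holds. Modelling the old code as post(), the weak_ptr-based cancellation and the live-pool registry used to count the would-be use after free are assumptions of this example.

```cpp
#include <functional>
#include <memory>
#include <set>
#include <vector>
// Toy dispatcher: post() is uncancellable; a schedulable callback is skipped once its owner drops it.
struct Dispatcher {
  struct Schedulable { std::function<void()> cb; };
  void post(std::function<void()> cb) { posted_.push_back(std::move(cb)); }
  std::shared_ptr<Schedulable> createSchedulableCallback(std::function<void()> cb) {
    return std::make_shared<Schedulable>(Schedulable{std::move(cb)});
  }
  void schedule(const std::shared_ptr<Schedulable>& s) { scheduled_.push_back(s); }  // stores a weak_ptr
  void runOneIteration() {
    for (auto& cb : posted_) cb();
    for (auto& w : scheduled_) if (auto s = w.lock()) s->cb();  // expired handle: skipped
    posted_.clear(); scheduled_.clear();
  }
  std::vector<std::function<void()>> posted_;
  std::vector<std::weak_ptr<Schedulable>> scheduled_;
};
// Live-pool registry (assumption of this demo) so a dangling `this` is counted, not dereferenced.
static std::set<const void*> g_live_pools;
static int g_dangling_calls = 0;
struct ConnPool {
  ConnPool(Dispatcher& d, bool use_schedulable, int pending) : pending_streams_(pending) {
    g_live_pools.insert(this);
    auto cb = [this] {
      if (g_live_pools.count(this) == 0) { ++g_dangling_calls; return; }  // the use after free
      onUpstreamReady();
    };
    if (!use_schedulable) { d.post(cb); return; }  // pre-fix pattern: raw `this`, uncancellable
    upstream_ready_cb_ = d.createSchedulableCallback(cb);
    if (hasPendingStreams()) d.schedule(upstream_ready_cb_);  // guard described in the PR
  }
  ~ConnPool() { g_live_pools.erase(this); }  // the handle dies with the pool: cancelled
  bool hasPendingStreams() const { return pending_streams_ > 0; }
  void onUpstreamReady() { ++ready_calls_; }
  std::shared_ptr<Dispatcher::Schedulable> upstream_ready_cb_;
  int pending_streams_, ready_calls_ = 0;
};
// Destroy the pool before the dispatcher runs; returns how many callbacks fired anyway.
int danglingCallsAfterDestroy(bool use_schedulable) {
  g_dangling_calls = 0; Dispatcher d;
  { ConnPool pool(d, use_schedulable, 1); }
  d.runOneIteration(); return g_dangling_calls;
}
// Pool kept alive: the scheduled callback runs only when streams are pending.
int readyCallsWhileAlive(int pending) {
  Dispatcher d; ConnPool pool(d, true, pending);
  d.runOneIteration(); return pool.ready_calls_;
}
```

With a real dispatcher the counted call is the crash; under ASan the pre-fix path reports a heap-use-after-free at the onUpstreamReady() call.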