[asterisk-bugs] [JIRA] (ASTERISK-25718) file: Use after free during shutdown

Corey Farrell (JIRA) noreply at issues.asterisk.org
Fri Feb 12 10:40:33 CST 2016


     [ https://issues.asterisk.org/jira/browse/ASTERISK-25718?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Corey Farrell closed ASTERISK-25718.
------------------------------------

    Resolution: Cannot Reproduce

[~slavon]: It is likely that many races exist when using Ctrl+C or 'core stop now' (both are actually the same thing). The idea of this shutdown mode is to exit asterisk as fast as possible. Databases and logs are flushed, but active threads are not shut down, and most components are left running. Any issue with this style of shutdown requires a backtrace showing all threads, otherwise it's not possible to determine how this happened.

Even with a backtrace of all threads it might not be possible / desirable to fix. The problem is that fast shutdown purposefully ignores the normal rule of clean up after yourself, and this can cause a race between threads that are still running and things done by libc after the call to {{exit}}. In general I recommend using 'core stop gracefully' for all testing of this kind.

Note if you run across any bug where this fast shutdown mode can produce persistent corruption (like in a database), that would be a different type of bug.

> file: Use after free during shutdown
> ------------------------------------
>
>                 Key: ASTERISK-25718
>                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-25718
>             Project: Asterisk
>          Issue Type: Bug
>      Security Level: None
>          Components: Core/General
>    Affects Versions: 13.7.0
>            Reporter: Badalian Vyacheslav
>            Assignee: Unassigned
>            Severity: Minor
>
> On Ctrl+C exit with active calls
> {code}
> ==28264==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00016b350 at pc 0x00000065c33d bp 0x7feb7cd23c30 sp 0x7feb7cd23c20
> WRITE of size 4 at 0x60d00016b350 thread T131
>     #0 0x65c33c in ast_atomic_fetchadd_int /root/asterisk-13.7.0/include/asterisk/lock.h:685
>     #1 0x665265 in __ast_module_unref /root/asterisk-13.7.0/main/loader.c:1564
>     #2 0x61b355 in filestream_destructor /root/asterisk-13.7.0/main/file.c:428
>     #3 0x492fdb in internal_ao2_ref /root/asterisk-13.7.0/main/astobj2.c:445
>     #4 0x4932fa in __ao2_ref /root/asterisk-13.7.0/main/astobj2.c:516
>     #5 0x61de42 in ast_closestream /root/asterisk-13.7.0/main/file.c:1054
>     #6 0x61918e in ast_stopstream /root/asterisk-13.7.0/main/file.c:194
>     #7 0x61ffe6 in waitstream_core /root/asterisk-13.7.0/main/file.c:1418
>     #8 0x621042 in ast_waitstream /root/asterisk-13.7.0/main/file.c:1601
>     #9 0x7feb9b745f58 in playback_exec /root/asterisk-13.7.0/apps/app_playback.c:489
>     #10 0x6c5a4d in pbx_exec /root/asterisk-13.7.0/main/pbx.c:1722
>     #11 0x6dc083 in pbx_extension_helper /root/asterisk-13.7.0/main/pbx.c:4994
>     #12 0x6e20cf in ast_spawn_extension /root/asterisk-13.7.0/main/pbx.c:6216
>     #13 0x6e483c in __ast_pbx_run /root/asterisk-13.7.0/main/pbx.c:6633
>     #14 0x6e6e70 in pbx_thread /root/asterisk-13.7.0/main/pbx.c:6953
>     #15 0x7d981c in dummy_start /root/asterisk-13.7.0/main/utils.c:1237
>     #16 0x7febb03cedc4 in start_thread (/lib64/libpthread.so.0+0x7dc4)
>     #17 0x7febaf6ae21c in clone (/lib64/libc.so.6+0xf621c)
> ASAN:SIGSEGV
> ==28264==AddressSanitizer: while reporting a bug found another one. Ignoring.
> {code}
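The trace above shows a destructor dropping a module reference (an atomic write) after the memory holding that reference counter has already been released during shutdown. The following constructed C program, added here and not part of Asterisk or of the original report, reproduces the shape of that race in miniature: a worker thread takes and releases a reference on a shared, heap-allocated "module" object in a loop, a fast shutdown frees the object while the worker is still running, and a graceful shutdown first asks the worker to stop and joins it before freeing. All names (struct module, worker, shutdown_fast, shutdown_graceful, run_graceful_demo) are invented for this example.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Constructed stand-in for a refcounted module object. The worker thread
 * plays the role of a channel thread that still owns a filestream when
 * shutdown starts. */
struct module {
    atomic_int refcount;   /* references held by live "calls" */
    atomic_int stop;       /* set to 1 by graceful shutdown */
};

static void *worker(void *arg)
{
    struct module *m = arg;
    while (!atomic_load(&m->stop)) {
        atomic_fetch_add(&m->refcount, 1);   /* start of a "call": take a ref */
        usleep(100);
        atomic_fetch_sub(&m->refcount, 1);   /* end of the "call": drop it */
    }
    return NULL;
}

/* Fast shutdown ('core stop now' / Ctrl+C in the comment above): the process
 * tears down its state while worker threads are still running. Here that is
 * modelled by freeing the module without stopping the worker; the worker's
 * next atomic_fetch_add is a 4-byte write into freed memory, which is exactly
 * what AddressSanitizer reports as heap-use-after-free. This function exists
 * only to show the pattern; run_graceful_demo() does not call it. */
static void shutdown_fast(struct module *m, pthread_t tid)
{
    (void)tid;   /* thread deliberately left running */
    free(m);     /* racing with the worker's next refcount update */
}

/* Graceful shutdown ('core stop gracefully'): signal the worker, wait for it
 * to exit, then release the object. Returns the refcount observed after the
 * join, which is 0 when every "call" has released its reference. */
static int shutdown_graceful(struct module *m, pthread_t tid)
{
    atomic_store(&m->stop, 1);
    pthread_join(tid, NULL);
    int remaining = atomic_load(&m->refcount);
    free(m);
    return remaining;
}

/* Runs a worker for a short while, then shuts down gracefully. Returns the
 * refcount after the join (expected 0), or -1 on setup failure. */
int run_graceful_demo(void)
{
    struct module *m = calloc(1, sizeof *m);
    pthread_t tid;
    if (!m) {
        return -1;
    }
    if (pthread_create(&tid, NULL, worker, m) != 0) {
        free(m);
        return -1;
    }
    usleep(2000);   /* let a few "calls" start and finish */
    return shutdown_graceful(m, tid);
}

int main(void)
{
    int remaining = run_graceful_demo();
    printf("refcount after graceful shutdown: %d\n", remaining);
    return remaining == 0 ? 0 : 1;
}
```

The ordering in shutdown_graceful (stop flag, join, then free) is what makes the reference counter's lifetime end strictly after the last thread that can touch it; with shutdown_fast the same object is freed while that thread is mid-loop, so whether the sanitizer fires depends on scheduling, which is why the comment above asks for a backtrace of all threads before any such report can be acted on.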



--
This message was sent by Atlassian JIRA
(v6.2#6252)