[BUG] New memory invalid read regression in resolver since nginx 1.7.5

Yichun Zhang (agentzh) agentzh at gmail.com
Tue Sep 30 22:10:42 UTC 2014


Hello!

I've noticed that the code re-factoring in the resolver in nginx 1.7.5
introduces a new regression that can cause memory invalid reads when
--with-debug is used to build nginx. The issue still exists in
nginx 1.7.6.

The following standalone and minimal example can trigger this:

    location = /main {
        return 200 "foo";
        addition_types text/plain;
        add_after_body /sub;
    }

    location = /sub {
        resolver 8.8.8.8;
        set $myurl "http://not-exist.agentzh.org";
        proxy_pass $myurl;
    }

Accessing /main with valgrind yields the following error:

    ==16903== Invalid read of size 4
    ==16903==    at 0x41FDE6: ngx_event_del_timer (ngx_event_timer.h:38)
    ==16903==    by 0x420A86: ngx_resolve_name_done (ngx_resolver.c:415)
    ==16903==    by 0x46B90A: ngx_http_upstream_finalize_request (ngx_http_upstream.c:3586)
    ==16903==    by 0x466090: ngx_http_upstream_resolve_handler (ngx_http_upstream.c:941)
    ==16903==    by 0x422D0B: ngx_resolver_process_a (ngx_resolver.c:1580)
    ==16903==    by 0x422715: ngx_resolver_process_response (ngx_resolver.c:1369)
    ==16903==    by 0x42221A: ngx_resolver_read_response (ngx_resolver.c:1239)
    ==16903==    by 0x438C9A: ngx_epoll_process_events (ngx_epoll_module.c:685)
    ==16903==    by 0x4296CC: ngx_process_events_and_timers (ngx_event.c:248)
    ==16903==    by 0x4356CB: ngx_single_process_cycle (ngx_process_cycle.c:319)
    ==16903==    by 0x403700: main (nginx.c:404)
    ==16903==  Address 0x4e7e448 is 24 bytes inside a block of size 128 free'd
    ==16903==    at 0x4A07577: free (vg_replace_malloc.c:468)
    ==16903==    by 0x424CF8: ngx_resolver_free_locked (ngx_resolver.c:2888)
    ==16903==    by 0x424C42: ngx_resolver_free_node (ngx_resolver.c:2838)
    ==16903==    by 0x422CD6: ngx_resolver_process_a (ngx_resolver.c:1571)
    ==16903==    by 0x422715: ngx_resolver_process_response (ngx_resolver.c:1369)
    ==16903==    by 0x42221A: ngx_resolver_read_response (ngx_resolver.c:1239)
    ==16903==    by 0x438C9A: ngx_epoll_process_events (ngx_epoll_module.c:685)
    ==16903==    by 0x4296CC: ngx_process_events_and_timers (ngx_event.c:248)
    ==16903==    by 0x4356CB: ngx_single_process_cycle (ngx_process_cycle.c:319)
    ==16903==    by 0x403700: main (nginx.c:404)
    ==16903==

The offending line is ngx_event_timer.h:38:

    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ev->log, 0,
                   "event timer del: %d: %M",
                    ngx_event_ident(ev->data), ev->timer.key);

while ev->data here is the resolver node that has already been freed
up earlier in ngx_resolver_free_node.

nginx -V output:

    $ /opt/nginx/sbin/nginx -V
    nginx version: nginx/1.7.5
    built by gcc 4.8.3 20140911 (Red Hat 4.8.3-7) (GCC)
    configure arguments: --with-cc-opt=-O0 --prefix=/opt/nginx --with-debug --with-http_addition_module

Regards,
-agentzh
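The ordering problem the stack traces show (node freed in ngx_resolver_process_a, then the debug-only timer-deletion log reads through ev->data in ngx_resolve_name_done), as an added, simplified model that is not nginx's code: node_t, event_t and the "freed" flag are assumptions standing in for the resolver node, the timer event and valgrind's tracking of freed blocks, and the fixed_sequence ordering is one way to avoid the read, not the patch nginx shipped.

```c
#include <stdio.h>

/* Stand-in for the resolver node: fd is the first field, which the
 * debug log's ngx_event_ident(ev->data) dereferences. */
typedef struct {
    int fd;
    int freed;      /* models valgrind's "block free'd" tracking */
} node_t;

/* Stand-in for ngx_event_t: data points back at the node. */
typedef struct {
    void *data;
    int   timer_set;
} event_t;

static int invalid_reads;   /* reads through a node already marked freed */

/* Models ngx_event_ident(ev->data): reads the node's first field. */
static int event_ident(void *data) {
    node_t *n = data;
    if (n->freed) {
        invalid_reads++;    /* what valgrind reports as "Invalid read" */
    }
    return n->fd;
}

/* Models ngx_event_del_timer() built --with-debug: logs, then deletes. */
static void del_timer(event_t *ev) {
    printf("event timer del: %d\n", event_ident(ev->data));
    ev->timer_set = 0;
}

static void free_node(node_t *n) { n->freed = 1; }

/* Order from the report: node freed first, timer deleted afterwards.
 * Returns the number of reads made through the freed node. */
int buggy_sequence(void) {
    node_t n = { 7, 0 };
    event_t ev = { &n, 1 };
    invalid_reads = 0;
    free_node(&n);                       /* ngx_resolver_free_node */
    if (ev.timer_set) del_timer(&ev);    /* ngx_resolve_name_done */
    return invalid_reads;
}

/* Safe order: remove the timer while the node it refers to is alive. */
int fixed_sequence(void) {
    node_t n = { 7, 0 };
    event_t ev = { &n, 1 };
    invalid_reads = 0;
    if (ev.timer_set) del_timer(&ev);
    free_node(&n);
    return invalid_reads;
}
```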


