Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PRIV_TOP is broken for "sibling" access on esi_level > 1 #3496

Closed
nigoroll opened this issue Jan 13, 2021 · 0 comments
Closed

PRIV_TOP is broken for "sibling" access on esi_level > 1 #3496

nigoroll opened this issue Jan 13, 2021 · 0 comments

Comments

@nigoroll
Copy link
Member

proforma bug for fix on the way:

VRT_priv_top() uses the wrong workspace here:

priv = vrt_priv_dynamic(req->ws, top->privs, (uintptr_t)vmod_id);

The correct workspace is the top requests's.

This bug will trigger whenever a PRIV_TOP is requested only from esi_level > 0 and used by a "sibling" ESI request, that is, another request on the same ESI level or its descendants.

The bug was introduced by someone(tm) here 542bf9b: I removed req = req->top->topreq but continued to use the workspace from req->ws.

The bug is exposed with this change to v00043.vtc

@@ -40,15 +55,23 @@ varnish v1 -cliok "param.set debug +syncvsl" -vcl+backend {
 
        sub vcl_init {
                new o = debug.obj();
+               new o2 = debug.obj();
        }
 
        sub vcl_recv {
                set req.http.x0 = debug.test_priv_top(req.url + req.esi_level);
-               o.test_priv_top(req.url + req.esi_level);
+               if (req.url == "/foo1") {
+                       o.test_priv_top(req.url + req.esi_level);
+               } else {
+                       o2.test_priv_top(req.url + req.esi_level);
+               }
        }
 
        sub vcl_miss {
                set req.http.x1 = debug.test_priv_top("");
+               if (req.esi_level > 0) {
+                       set req.http.o1 = o.test_priv_top("");
+               }
        }
 
        sub vcl_backend_response {

panic:

***  v1    debug|Error: Child (22847) Panic at: Wed, 13 Jan 2021 10:05:23 GMT
***  v1    debug|Wrong turn at cache/cache_main.c:287:
***  v1    debug|Signal 11 (Segmentation fault) received at (nil) si_code 128
***  v1    debug|version = varnish-trunk revision 996aff5148d32611ba43deecdad7a2f784a7b5f4, vrt api = 13.0
***  v1    debug|ident = Linux,4.9.0-14-amd64,x86_64,-jnone,-sdefault,-sdefault,-hcritbit,epoll
***  v1    debug|now = 6041.950826 (mono), 1610532323.305869 (real)
***  v1    debug|Backtrace:
***  v1    debug|  0x45ac80: varnishd() [0x45ac80]
***  v1    debug|  0x45aa22: varnishd() [0x45aa22]
***  v1    debug|  0x523e35: varnishd(VAS_Fail+0x55) [0x523e35]
***  v1    debug|  0x454c95: varnishd() [0x454c95]
***  v1    debug|  0x7f5987f6a0e0: /lib/x86_64-linux-gnu/libpthread.so.0(+0x110e0) [0x7f5987f6a0e0]
***  v1    debug|  0x483ad8: varnishd() [0x483ad8]
***  v1    debug|  0x483c2a: varnishd() [0x483c2a]
***  v1    debug|  0x4834de: varnishd() [0x4834de]
***  v1    debug|  0x4837de: varnishd(VRT_priv_top+0x2ae) [0x4837de]
***  v1    debug|  0x7f59845f3594: ./vmod_cache/_vmod_debug.b7d15acd5a2606d56bc48c92562f31622e358b0468dcd1999caefa89ade98505(+0xb594) [0x7f59845f3594]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant