Bug #1762

Review LAPD code for race conditions regarding state, particularly in RELEASE

Added by laforge over 5 years ago. Updated 7 months ago.

Status:
New
Priority:
Normal
Assignee:
Category:
libosmogsm
Target version:
-
Start date:
07/03/2016
Due date:
% Done:

10%

Spec Reference:

Description

See #1760 and #1761, there are quite some problems that apparently need a more thorough review and/or testing.

Maybe implementing (part of?) the Q.921bis LAPD conformance tests might be an option to catch all of those kind of bugs?

See https://www.itu.int/rec/T-REC-Q.921bis-199303-I/en


Related issues

Related to libosmocore - Bug #1760: LAPD: segfault in T200 call-back (Closed, 07/03/2016)

Related to OsmoBSC - Bug #1761: LAPD: segfault when bootstrapping Nokia InSite (Resolved, 07/03/2016)

Related to libosmocore - Bug #1982: LAPD: segfault in lapd_est_req function (Resolved, 03/14/2017)

Related to OsmocomBB - Bug #2694: SIGSEGV in lapdm code (New, 11/30/2017)

Associated revisions

Revision d2a61179 (diff)
Added by laforge 10 months ago

lapd_core: Don't dereference data link after sending PRIM_DL_REL

We must always send the RELEASE.{indication,confirm} last before
returning from a function. We cannot rely on the datalink to
still be around after the call, as the SAP user might have destroyed
the data link meanwhile.

This fixes a heap use-after-free (at least) with RBS2000 when the BTS
is fully brought up and the OML data link is lost, see OS#1762

Change-Id: I8ccca8d5e5d07b666557afe12ab8ac4910ddfb00
Related: OS#1761
Related: OS#1762

History

#1 Updated by laforge over 5 years ago

  • Related to Bug #1760: LAPD: segfault in T200 call-back added

#2 Updated by laforge over 5 years ago

  • Related to Bug #1761: LAPD: segfault when bootstrapping Nokia InSite added

#3 Updated by laforge over 5 years ago

Mh. Q.921bis contains TTCN.MP (machine parseable TTCN), but I don't think there are any FOSS tools for old TTCN (pre-TTCN3) available :/

#4 Updated by laforge over 4 years ago

  • Related to Bug #1982: LAPD: segfault in lapd_est_req function added

#5 Updated by laforge almost 2 years ago

  • Assignee set to laforge

#6 Updated by laforge over 1 year ago

  • Related to Bug #2694: SIGSEGV in lapdm code added

#7 Updated by laforge 10 months ago

  • % Done changed from 0 to 10

I'm currently seeing a related osmo-bsc heap-use-after-free:

The RBS6k is first fully brought up, and then the cable removed (or the RBS powered down)

<0019> input/dahdi.c:140 E1TS(0:1) Line 0((null)) / TS 1 DAHDI EVENT HDLC ABORT
<0019> input/dahdi.c:140 E1TS(0:1) Line 0((null)) / TS 1 DAHDI EVENT ALARM
<0004> bts_ericsson_rbs2000.c:118 inp_sig_cb(): Input signal 'LINE-ALARM' received
<0016> input/lapd.c:550 (0:1-T62-S62): LAPD DL-RELEASE request TEI=62 SAPI=62
<0016> input/lapd.c:550 (0:1-T0-S62): LAPD DL-RELEASE request TEI=0 SAPI=62
<0016> input/lapd.c:550 (0:1-T0-S0): LAPD DL-RELEASE request TEI=0 SAPI=0
<0016> lapd_core.c:426 ((0:1-T0-S0)) sending MDL-ERROR-IND cause 1 from state LAPD_STATE_DISC_SENT
<0016> input/lapd.c:663 ((0:1-T0-S0)) LAPD DL-RELEASE confirm TEI=0 SAPI=0
<0016> input/lapd.c:288 (0:1-T0-S0): LAPD Freeing SAP for SAPI=0 / TEI=0 (dl=0x615000001c80, sap=0x615000001c60)
<0004> bts_ericsson_rbs2000.c:118 inp_sig_cb(): Input signal 'TEI-DOWN' received
<0004> bts_ericsson_rbs2000.c:138 Line-0 TS-1 TEI-0 SAPI-0: Link Lost for Ericsson RBS2000. Re-starting DL Establishment
<0004> abis_om2000.c:2344 OM2000-TRX(0-0)[0x612000008320]{DONE}: Received Event RESET
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-07)[0x6120000093a0]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-07)[0x6120000093a0]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-06)[0x612000009220]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-06)[0x612000009220]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-05)[0x6120000090a0]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-05)[0x6120000090a0]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-04)[0x612000008f20]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-04)[0x612000008f20]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-03)[0x612000008da0]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-03)[0x612000008da0]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-02)[0x612000008c20]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-02)[0x612000008c20]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-01)[0x612000008aa0]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-01)[0x612000008aa0]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TS-00-00-00)[0x612000008920]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TS-00-00-00)[0x612000008920]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-RX-00-ff-00)[0x6120000087a0]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-RX-00-ff-00)[0x6120000087a0]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TX-00-ff-00)[0x612000008620]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TX-00-ff-00)[0x612000008620]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2212 OM2000-MO(0-0-TRXC-00-ff-00)[0x6120000084a0]{DONE}: Received Event RESET
<0004> abis_om2000.c:1858 OM2000-MO(0-0-TRXC-00-ff-00)[0x6120000084a0]{DONE}: state_chg to INIT
<0004> abis_om2000.c:2213 OM2000-TRX(0-0)[0x612000008320]{DONE}: state_chg to INIT
<0019> osmo_bsc_main.c:401 (bts=0,trx=0) Lost E1 RSL link
<000f> lchan_fsm.c:81 lchan(0-0-0-CCCH_SDCCH4-0)[0x6120000096a0]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-0-CCCH_SDCCH4-0)[0x6120000096a0]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-0-CCCH_SDCCH4-1)[0x612000009820]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-0-CCCH_SDCCH4-1)[0x612000009820]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-0-CCCH_SDCCH4-2)[0x6120000099a0]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-0-CCCH_SDCCH4-2)[0x6120000099a0]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-0-CCCH_SDCCH4-3)[0x612000009b20]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-0-CCCH_SDCCH4-3)[0x612000009b20]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-1-TCH_F-0)[0x612000009ca0]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-1-TCH_F-0)[0x612000009ca0]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-2-TCH_F-0)[0x612000009e20]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-2-TCH_F-0)[0x612000009e20]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-3-TCH_F-0)[0x612000009fa0]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-3-TCH_F-0)[0x612000009fa0]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-4-TCH_F-0)[0x61200000a120]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-4-TCH_F-0)[0x61200000a120]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-5-TCH_F-0)[0x61200000a2a0]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-5-TCH_F-0)[0x61200000a2a0]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-6-TCH_F-0)[0x61200000a420]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-6-TCH_F-0)[0x61200000a420]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
<000f> lchan_fsm.c:81 lchan(0-0-7-TCH_F-0)[0x61200000a5a0]{UNUSED}: (type=NONE) lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR
<000f> lchan_fsm.c:145 lchan(0-0-7-TCH_F-0)[0x61200000a5a0]{UNUSED}: (type=NONE) lchan activation failed (lchan allocation failed in state UNUSED: LCHAN_EV_TS_ERROR)
=================================================================
==11023==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000001da0 at pc 0x7faedf41519a bp 0x7ffc715bc340 sp 0x7ffc715bc338
READ of size 8 at 0x615000001da0 thread T0
    #0 0x7faedf415199 in llist_empty ../include/osmocom/core/linuxlist.h:171
    #1 0x7faedf415199 in msgb_dequeue /space/home/laforge/projects/git/libosmocore/src/msgb.c:149
    #2 0x7faedf5ed9a7 in lapd_dl_flush_tx src/gsm/lapd_core.c:179
    #3 0x7faedf5ee65e in lapd_t200_cb src/gsm/lapd_core.c:630
    #4 0x7faedf40f2b6 in osmo_timers_update /space/home/laforge/projects/git/libosmocore/src/timer.c:273
    #5 0x7faedf412e72 in _osmo_select_main /space/home/laforge/projects/git/libosmocore/src/select.c:373
    #6 0x7faedf4134f8 in osmo_select_main_ctx /space/home/laforge/projects/git/libosmocore/src/select.c:434
    #7 0x55d45ac4f2f0 in main /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:1001
    #8 0x7faede5bc09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #9 0x55d45ac502c9 in _start (/root/osmo-bsc+0x5d82c9)

0x615000001da0 is located 416 bytes inside of 504-byte region [0x615000001c00,0x615000001df8)
freed by thread T0 here:
    #0 0x7faedf736b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
    #1 0x7faedf6524d2 in _talloc_free (/lib/x86_64-linux-gnu/libtalloc.so.2+0x64d2)
    #2 0x7faedf303bc0 in send_dlsap input/lapd.c:664
    #3 0x7faedf5ee656 in send_dl_l3 src/gsm/lapd_core.c:408
    #4 0x7faedf5ee656 in send_dl_simple src/gsm/lapd_core.c:415
    #5 0x7faedf5ee656 in lapd_t200_cb src/gsm/lapd_core.c:628
    #6 0x7faedf40f2b6 in osmo_timers_update /space/home/laforge/projects/git/libosmocore/src/timer.c:273
    #7 0x7faedf412e72 in _osmo_select_main /space/home/laforge/projects/git/libosmocore/src/select.c:373
    #8 0x7faedf4134f8 in osmo_select_main_ctx /space/home/laforge/projects/git/libosmocore/src/select.c:434
    #9 0x55d45ac4f2f0 in main /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:1001
    #10 0x7faede5bc09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #11 0x55d45ac502c9 in _start (/root/osmo-bsc+0x5d82c9)

previously allocated by thread T0 here:
    #0 0x7faedf736e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7faedf655140 in _talloc_zero (/lib/x86_64-linux-gnu/libtalloc.so.2+0x9140)
    #2 0x7faedf303c4a in lapd_sap_alloc input/lapd.c:245
    #3 0x7faedf304cfb in lapd_sap_start input/lapd.c:519
    #4 0x55d45add9f17 in start_sabm_in_line /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:81
    #5 0x55d45adda898 in inp_sig_cb /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:158
    #6 0x55d45adda898 in inp_sig_cb /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:109
    #7 0x7faedf4149bc in osmo_signal_dispatch /space/home/laforge/projects/git/libosmocore/src/signal.c:118
    #8 0x7faedf2fc318 in e1inp_line_update src/e1_input.c:887
    #9 0x55d45ae08184 in e1_reconfig_bts /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/e1_config.c:206
    #10 0x55d45ac4e246 in bsc_network_configure /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:550
    #11 0x55d45ac4e246 in main /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:916
    #12 0x7faede5bc09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
    #13 0x55d45ac502c9 in _start (/root/osmo-bsc+0x5d82c9)

The problem is that lapd_core first sends the PRIM_DL_REL.ind up the stack, and afterwards still wants to access the datalink. We must always first perform any operations on the datalink before dispatching the primitive to the user. Afterwards the datalink might no longer be around.
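
The ordering bug described in the comment above, as an added example in C that is not libosmocore's or osmo-bsc's code: a model datalink, a SAP user that destroys the datalink when it receives the release primitive (as osmo-bsc's input/lapd.c does in the trace), and a T200 handler in both orders, the one from the ASan report and the one the fix mandates. A fixed pool with an in_use flag stands in for the ASan quarantine so the use-after-free is counted instead of crashing. All struct, function and primitive names here are hypothetical.

```c
/* Added example modelling the release-ordering bug in OS#1762.
 * The SAP user's handler frees the datalink while handling the release
 * primitive; anything the LAPD core does with the datalink after
 * dispatching that primitive is a use-after-free. A pool slot with an
 * in_use flag stands in for AddressSanitizer's quarantine so the bug is
 * counted rather than crashing. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum prim { PRIM_DL_EST_IND, PRIM_DL_REL_IND };

struct datalink;
typedef void (*dlsap_cb)(struct datalink *dl, enum prim p, void *user);

struct datalink {
    int in_use;        /* 0 once "freed": any further access is a UAF */
    int tei, sapi;
    int tx_pending;    /* frames waiting in the tx queue */
    dlsap_cb user_cb;  /* SAP user, like send_dlsap() in input/lapd.c */
    void *user;
};

#define POOL_SIZE 4
static struct datalink g_pool[POOL_SIZE];
static int g_uaf_count;      /* accesses to a freed datalink */
static int g_last_rel_seen;  /* releases the SAP user received in the last run */

static struct datalink *dl_alloc(int tei, int sapi, dlsap_cb cb, void *user)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        struct datalink *dl = &g_pool[i];
        if (dl->in_use)
            continue;
        memset(dl, 0, sizeof(*dl));
        dl->in_use = 1;
        dl->tei = tei;
        dl->sapi = sapi;
        dl->user_cb = cb;
        dl->user = user;
        return dl;
    }
    return NULL;
}

static void dl_free(struct datalink *dl)
{
    memset(dl, 0, sizeof(*dl));   /* in_use = 0: the slot is now poison */
}

/* every datalink access goes through a liveness check */
static int dl_check(struct datalink *dl)
{
    if (dl->in_use)
        return 1;
    g_uaf_count++;
    return 0;
}

/* lapd_dl_flush_tx() equivalent: drop queued frames */
static int dl_flush_tx(struct datalink *dl)
{
    if (!dl_check(dl))
        return -1;
    dl->tx_pending = 0;
    return 0;
}

/* send_dl_simple() equivalent: hand a primitive to the SAP user.
 * The callee may destroy dl, so the caller must not touch it afterwards. */
static void dl_send_prim(struct datalink *dl, enum prim p)
{
    if (!dl_check(dl))
        return;
    dl->user_cb(dl, p, dl->user);
}

struct sap_user { struct datalink *dl; int rel_seen; };

/* SAP user that tears the datalink down on release, as osmo-bsc does
 * when it frees the SAP from its DL-RELEASE handler */
static void sap_user_cb(struct datalink *dl, enum prim p, void *user)
{
    struct sap_user *u = user;
    if (p != PRIM_DL_REL_IND)
        return;
    u->rel_seen++;
    u->dl = NULL;
    dl_free(dl);
}

/* T200 expiry, ordered as in the ASan trace: release first, flush after */
static int t200_cb_buggy(struct datalink *dl)
{
    dl_send_prim(dl, PRIM_DL_REL_IND);   /* the user frees dl in here */
    return dl_flush_tx(dl);              /* use-after-free */
}

/* fixed ordering: finish all work on dl, dispatch the release last */
static int t200_cb_fixed(struct datalink *dl)
{
    int rc = dl_flush_tx(dl);
    dl_send_prim(dl, PRIM_DL_REL_IND);   /* dl must not be touched from here on */
    return rc;
}

/* runs one T200 handler on a fresh datalink; returns UAF accesses detected */
static int run_scenario(int (*t200_cb)(struct datalink *))
{
    struct sap_user u = { 0 };
    int before = g_uaf_count;
    u.dl = dl_alloc(0, 0, sap_user_cb, &u);
    if (!u.dl)
        return -1;
    u.dl->tx_pending = 3;                /* constructed: frames queued at expiry */
    t200_cb(u.dl);
    if (u.dl)                            /* only if the user did not free it */
        dl_free(u.dl);
    g_last_rel_seen = u.rel_seen;
    return g_uaf_count - before;
}

int main(void)
{
    printf("buggy order: %d use-after-free access(es)\n", run_scenario(t200_cb_buggy));
    printf("fixed order: %d use-after-free access(es)\n", run_scenario(t200_cb_fixed));
    return 0;
}
```

The check is structural rather than about one call site: any function in the core that dispatches a release primitive has to treat that call as its last use of the datalink, because the SAP user is entitled to free it from inside the callback. Under ASan the real code shows the same thing as the buggy variant here, a read of the freed datalink from lapd_dl_flush_tx().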

#8 Updated by laforge 7 months ago

  • Category set to libosmogsm
