Bug #3282

heap use after free in handle_ts1_write_input()

Added by stsp over 1 year ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 05/22/2018
Due date:
% Done: 90%
Spec Reference:

Description

AddressSanitizer reports a heap-use-after-free in osmo-bsc.

I can trigger this by running the TTCN3 BTS test suite.

Tue May 22 11:55:59 2018 DRSL <0004> acc_ramp.c:166 (bts=0,trx=0) ACC RAMP: operational state Enabled -> Enabled
Tue May 22 11:55:59 2018 DRSL <0004> acc_ramp.c:175 (bts=0,trx=0) ACC RAMP: ignoring state change because RSL link is down
Tue May 22 11:55:59 2018 DLINP <0013> input/ipaccess.c:244 Sign link problems, closing socket. Reason: Connection reset by peer
Tue May 22 11:55:59 2018 DLINP <0013> input/ipaccess.c:71 Forcing socket shutdown with no signal link set
Tue May 22 11:55:59 2018 DLINP <0013> bts_ipaccess_nanobts.c:426 (bts=0) Dropping OML link.
Tue May 22 11:55:59 2018 DLMI <0015> bsc_init.c:411 Lost some E1 TEI link: 1 0x7f4c41e69860
=================================================================
==28697==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000408a68 at pc 0x7f4c3fbc3bc6 bp 0x7fff331629f0 sp 0x7fff331629e0
READ of size 8 at 0x62e000408a68 thread T0
    #0 0x7f4c3fbc3bc5 in handle_ts1_write input/ipaccess.c:379
    #1 0x7f4c3fbc3ceb in ipaccess_fd_cb input/ipaccess.c:399
    #2 0x7f4c3feea763 in osmo_fd_disp_fds /home/stsp/osmo/libosmocore/src/select.c:217
    #3 0x7f4c3feeaa64 in osmo_select_main /home/stsp/osmo/libosmocore/src/select.c:257
    #4 0x563ad5314aa8 in main /home/stsp/osmo/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:532
    #5 0x7f4c3e451b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #6 0x563ad5312339 in _start (/home/stsp/osmo/prefix/bin/osmo-bsc+0x234339)

0x62e000408a68 is located 1640 bytes inside of 48072-byte region [0x62e000408400,0x62e000413fc8)
freed by thread T0 here:
    #0 0x7f4c40f347b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x7f4c4092fa52 in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x3a52)

previously allocated by thread T0 here:
    #0 0x7f4c40f34b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7f4c40931d20 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x5d20)

SUMMARY: AddressSanitizer: heap-use-after-free input/ipaccess.c:379 in handle_ts1_write
Shadow bytes around the buggy address:
  0x0c5c800790f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5c80079140: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c5c80079150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28697==ABORTING
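
The log lines directly before the report ("Sign link problems, closing socket", "Forcing socket shutdown with no signal link set", "Dropping OML link") together with the trace (ipaccess_fd_cb calling handle_ts1_write on a talloc chunk that was already freed) match a well-known shape of bug in select()-driven code: one fd callback handles both the readable and the writable condition, the read path tears the link down and frees the line object, and the write path of the same invocation then dereferences it. The following is an added, constructed C model of that shape and of the obvious guard against it; it is example code written for this page, not code from libosmo-abis, and it does not claim to reproduce what the gerrit patches below actually change. All names in it (sign_line, fd_cb_buggy, fd_cb_fixed, run_scenario, the FD_READ/FD_WRITE flags) are invented for the illustration. Instead of really freeing the object it marks it dead so that a later touch can be counted without undefined behaviour; for real heap chunks that counting is exactly what ASan's shadow bytes ('fd' = freed heap region, as in the dump above) do.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of an osmo_fd-style callback (example code, not libosmo-abis). */

#define FD_READ  0x1
#define FD_WRITE 0x2

struct sign_line {
	int fd;
	int tx_queue_len;
	int freed;	/* set by line_free(); stands in for the freed talloc chunk */
};

static int uaf_count;	/* how many times freed memory was touched */

static struct sign_line *line_alloc(int fd)
{
	struct sign_line *line = calloc(1, sizeof(*line));
	line->fd = fd;
	line->tx_queue_len = 1;	/* a pending write, so FD_WRITE is requested */
	return line;
}

/* Instead of really freeing, mark the object dead so a later touch is
 * detectable without undefined behaviour (ASan's job for real heap chunks). */
static void line_free(struct sign_line *line)
{
	line->freed = 1;
	line->fd = -1;
}

static void line_touch(struct sign_line *line)
{
	if (line->freed)
		uaf_count++;
}

/* Read path: the peer reset the connection, so the link is torn down and the
 * line is freed (the "Sign link problems, closing socket" step in the log). */
static int handle_read(struct sign_line *line, int read_result)
{
	line_touch(line);
	if (read_result <= 0) {
		line_free(line);
		return -1;	/* tells the caller the line is gone */
	}
	return 0;
}

/* Write path: the touch here corresponds to the READ of size 8 in the report. */
static void handle_write(struct sign_line *line)
{
	line_touch(line);
	line->tx_queue_len--;
}

/* Buggy dispatch: handles read and write in one callback invocation without
 * checking whether the read path destroyed the line. */
static int fd_cb_buggy(struct sign_line *line, unsigned what, int read_result)
{
	if (what & FD_READ)
		handle_read(line, read_result);
	if (what & FD_WRITE)
		handle_write(line);
	return 0;
}

/* Fixed dispatch: stop as soon as the read path reports the line was freed. */
static int fd_cb_fixed(struct sign_line *line, unsigned what, int read_result)
{
	if (what & FD_READ) {
		if (handle_read(line, read_result) < 0)
			return -1;	/* line is gone; must not be touched again */
	}
	if (what & FD_WRITE)
		handle_write(line);
	return 0;
}

/* One select() iteration in which the fd is readable (with a reset) and
 * writable at the same time. Returns the number of use-after-free touches. */
int run_scenario(int use_fixed)
{
	struct sign_line *line = line_alloc(5);
	uaf_count = 0;
	if (use_fixed)
		fd_cb_fixed(line, FD_READ | FD_WRITE, -1);
	else
		fd_cb_buggy(line, FD_READ | FD_WRITE, -1);
	free(line);	/* real release of the model object */
	return uaf_count;
}

int main(void)
{
	printf("buggy callback: %d use-after-free touch(es)\n", run_scenario(0));
	printf("fixed callback: %d use-after-free touch(es)\n", run_scenario(1));
	return 0;
}
```

The practical check this suggests when reviewing fd callbacks: every path that closes the socket or frees the owning object must either return immediately, or the caller must re-validate the object before the next step in the same invocation.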

History

#1 Updated by pespin over 1 year ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 90

Submitted fix in gerrit:

https://gerrit.osmocom.org/#/c/libosmo-abis/+/9262
https://gerrit.osmocom.org/#/c/libosmo-abis/+/9263

After these changes, I'm not able to trigger the issue anymore.

#2 Updated by stsp over 1 year ago

  • Status changed from Feedback to Resolved

Fixed by above patches.
