Bug #5201
closeduse after free during make check in osmo-mgw since commit 'mgcp_ratectr: add stats items to monitor trunk usage'
100%
Description
Building with address sanitizer, i get a heap-use-after-free during mgcp_test.c in test_retransmission().
<0010> ../../../../src/osmo-mgw/src/libosmo-mgcp/mgcp_protocol.c:1091 endpoint:rtpbridge/7@mgw CI:B56C87C0 CRCX: connection successfully created
=================================================================
==19776==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000023188 at pc 0x7f127af94fb6 bp 0x7ffc57de92d0 sp 0x7ffc57de92c8
WRITE of size 8 at 0x60e000023188 thread T0
#0 0x7f127af94fb5 in __llist_add (/usr/local/lib/libosmocore.so.17+0x16afb5)
#1 0x7f127af9514d in llist_add (/usr/local/lib/libosmocore.so.17+0x16b14d)
#2 0x7f127af96134 in osmo_stat_item_group_alloc (/usr/local/lib/libosmocore.so.17+0x16c134)
#3 0x55985cac69a3 in mgcp_stat_trunk_alloc (/home/neels/osmo-dev/make/osmo-mgw/tests/mgcp/mgcp_test+0x1159a3)
#4 0x55985cac345c in mgcp_trunk_alloc (/home/neels/osmo-dev/make/osmo-mgw/tests/mgcp/mgcp_test+0x11245c)
#5 0x55985ca85d96 in mgcp_config_alloc (/home/neels/osmo-dev/make/osmo-mgw/tests/mgcp/mgcp_test+0xd4d96)
#6 0x55985ca6627f in test_retransmission ../../../../src/osmo-mgw/tests/mgcp/mgcp_test.c:933
#7 0x55985ca71944 in main ../../../../src/osmo-mgw/tests/mgcp/mgcp_test.c:2255
#8 0x7f1279c4c09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#9 0x55985ca61b39 in _start (/home/neels/osmo-dev/make/osmo-mgw/tests/mgcp/mgcp_test+0xb0b39)
I bisected to identify this commit as the cause:
commit 6bad138c96ef0e2a93ef7de42e897880131c0b43
Author: Philipp Maier <pmaier@sysmocom.de>
mgcp_ratectr: add stats items to monitor trunk usage
I took a very brief look and couldn't figure it out directly, so decided to revert the commit instead.
dexter please take a look and re-submit a fixed patch version
Updated by daniel over 2 years ago
I believe you need to add talloc_set_destructor(stats->common, free_stat_item_group);
and free the stat_item group in there.
It's weird that the jenkins job didn't catch that. Do we not use ASAN for these?
Updated by daniel over 2 years ago
ASAN is not enabled for osmo-mgw. Patch here: https://gerrit.osmocom.org/c/osmo-mgw/+/25031
Updated by dexter over 2 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
I have uploaded a corrected version of the patch to gerrit now:
https://gerrit.osmocom.org/c/osmo-mgw/+/25041 mgcp_ratectr: add stats items to monitor trunk usage
Updated by dexter over 2 years ago
- Status changed from In Progress to Resolved
- % Done changed from 90 to 100
The use after free problem is fixed, there is only a follow up patch still in review: https://gerrit.osmocom.org/c/osmo-mgw/+/25103, however since this patch has technically nothing to do with this problem. I set this to resolved.
