Bug #3198

closed

osmo-msc: heap-use-after-free in setup_trig_pag_evt running test voice:octphy

Added by pespin almost 6 years ago. Updated almost 6 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 04/23/2018
Due date:
% Done: 100%
Resolution:
Spec Reference:

Description

While running osmo-gsm-tester test voice:octphy.

20180423131415949 DLSCCP <001e> sccp_scoc.c:1615 Received SCCP User Primitive N-DATA.request)
20180423131415949 DLSCCP <001e> sccp_scoc.c:1657 SCCP-SCOC(3)[0x6120000102a0]{ACTIVE}: Received Event N-DATA.req
20180423131415950 DLSS7 <001d> sccp_scrc.c:391 sccp_scrc_rx_scoc_conn_msg:  HDR=(CO:CODT,V=0,LEN=0),
    PART(T=Routing Context,L=4,D=00000000),
    PART(T=Destination Reference,L=4,D=00000004),
    PART(T=Data,L=9,D=010006832d0802819b)
20180423131415950 DLSS7 <001d> osmo_ss7_hmrt.c:278 m3ua_hmdc_rx_from_l2(): dpc=2=0.0.2 not local, message is for routing
20180423131415950 DLSS7 <001d> osmo_ss7_hmrt.c:227 Found route for dpc=2=0.0.2: pc=0=0.0.0 mask=0x0=0.0.0 via AS as0 proto=m3ua
20180423131415950 DLSS7 <001d> osmo_ss7_hmrt.c:233 rt->dest.as proto is M3UA for dpc=2=0.0.2
20180423131415950 DLSS7 <001d> m3ua.c:507 XUA_AS(as0)[0x61200000b920]{AS_ACTIVE}: Received Event AS-TRANSFER.req
20180423131415950 DMGCP <0007> msc_mgcp.c:1123 (subscriber:MSISDN:1035) invalid conn, call release failed
=================================================================
==18864==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000016f18 at pc 0x55f1b29eee5c bp 0x7ffdaa2ac000 sp 0x7ffdaa2abff8
WRITE of size 8 at 0x61a000016f18 thread T0
    #0 0x55f1b29eee5b in setup_trig_pag_evt /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-msc/osmo-msc/src/libmsc/gsm_04_08.c:1490
    #1 0x55f1b2a086c1 in subscr_paging_dispatch /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-msc/osmo-msc/src/libmsc/gsm_subscriber.c:101
    #2 0x7fb88e07c1c9 in osmo_timers_update /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-msc/libosmocore/src/timer.c:257
    #3 0x7fb88e07f1b1 in osmo_select_main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-msc/libosmocore/src/select.c:253
    #4 0x55f1b29b600b in main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-msc/osmo-msc/src/osmo-msc/msc_main.c:694
    #5 0x7fb88bebe2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #6 0x55f1b29b69f9 in _start (/home/jenkins/workspace/osmo-gsm-tester_run-prod/trial-886/inst/osmo-msc/bin/osmo-msc+0xf09f9)

0x61a000016f18 is located 152 bytes inside of 1208-byte region [0x61a000016e80,0x61a000017338)
freed by thread T0 here:
    #0 0x7fb88f0caa10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7fb88eafd86a in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x486a)

previously allocated by thread T0 here:
    #0 0x7fb88f0cad28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7fb88eaffacd in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x6acd)

SUMMARY: AddressSanitizer: heap-use-after-free /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-msc/osmo-msc/src/libmsc/gsm_04_08.c:1490 in setup_trig_pag_evt
==18864==ABORTING

Files

trial-886-run.tgz (7.86 MB) pespin, 04/23/2018 02:26 PM
Actions #1

Updated by pespin almost 6 years ago

  • Status changed from New to In Progress
  • Assignee changed from neels to pespin
Actions #2

Updated by pespin almost 6 years ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 80
Actions #3

Updated by pespin almost 6 years ago

  • Status changed from Feedback to Resolved
  • % Done changed from 80 to 100

Merged, closing.
