Bug #3282 (closed): heap use after free in handle_ts1_write_input()
Start date: 05/22/2018
% Done: 90%
Description
Address sanitizer reports a heap-use-after-free in osmo-bsc.
I can trigger this by running the TTCN3 BTS test suite.
Tue May 22 11:55:59 2018 DRSL <0004> acc_ramp.c:166 (bts=0,trx=0) ACC RAMP: operational state Enabled -> Enabled
Tue May 22 11:55:59 2018 DRSL <0004> acc_ramp.c:175 (bts=0,trx=0) ACC RAMP: ignoring state change because RSL link is down
Tue May 22 11:55:59 2018 DLINP <0013> input/ipaccess.c:244 Sign link problems, closing socket. Reason: Connection reset by peer
Tue May 22 11:55:59 2018 DLINP <0013> input/ipaccess.c:71 Forcing socket shutdown with no signal link set
Tue May 22 11:55:59 2018 DLINP <0013> bts_ipaccess_nanobts.c:426 (bts=0) Dropping OML link.
Tue May 22 11:55:59 2018 DLMI <0015> bsc_init.c:411 Lost some E1 TEI link: 1 0x7f4c41e69860
=================================================================
==28697==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000408a68 at pc 0x7f4c3fbc3bc6 bp 0x7fff331629f0 sp 0x7fff331629e0
READ of size 8 at 0x62e000408a68 thread T0
    #0 0x7f4c3fbc3bc5 in handle_ts1_write input/ipaccess.c:379
    #1 0x7f4c3fbc3ceb in ipaccess_fd_cb input/ipaccess.c:399
    #2 0x7f4c3feea763 in osmo_fd_disp_fds /home/stsp/osmo/libosmocore/src/select.c:217
    #3 0x7f4c3feeaa64 in osmo_select_main /home/stsp/osmo/libosmocore/src/select.c:257
    #4 0x563ad5314aa8 in main /home/stsp/osmo/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:532
    #5 0x7f4c3e451b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #6 0x563ad5312339 in _start (/home/stsp/osmo/prefix/bin/osmo-bsc+0x234339)

0x62e000408a68 is located 1640 bytes inside of 48072-byte region [0x62e000408400,0x62e000413fc8)
freed by thread T0 here:
    #0 0x7f4c40f347b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x7f4c4092fa52 in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x3a52)

previously allocated by thread T0 here:
    #0 0x7f4c40f34b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7f4c40931d20 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x5d20)

SUMMARY: AddressSanitizer: heap-use-after-free input/ipaccess.c:379 in handle_ts1_write
Shadow bytes around the buggy address:
  0x0c5c800790f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5c80079140: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c5c80079150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5c80079190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==28697==ABORTING
Updated by pespin almost 6 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 90
Submitted fix in gerrit:
https://gerrit.osmocom.org/#/c/libosmo-abis/+/9262
https://gerrit.osmocom.org/#/c/libosmo-abis/+/9263
After these changes, I'm not able to trigger the issue anymore.