Actions
Bug #3282
closedheap use after free in handle_ts1_write_input()
Start date:
05/22/2018
Due date:
% Done:
90%
Spec Reference:
Description
Address sanitizer reports a heap-use-after-free in osmo-bsc.
I can trigger this by running the TTCN3 BTS test suite.
Tue May 22 11:55:59 2018 DRSL <0004> acc_ramp.c:166 (bts=0,trx=0) ACC RAMP: operational state Enabled -> Enabled
Tue May 22 11:55:59 2018 DRSL <0004> acc_ramp.c:175 (bts=0,trx=0) ACC RAMP: ignoring state change because RSL link is down
Tue May 22 11:55:59 2018 DLINP <0013> input/ipaccess.c:244 Sign link problems, closing socket. Reason: Connection reset by peer
Tue May 22 11:55:59 2018 DLINP <0013> input/ipaccess.c:71 Forcing socket shutdown with no signal link set
Tue May 22 11:55:59 2018 DLINP <0013> bts_ipaccess_nanobts.c:426 (bts=0) Dropping OML link.
Tue May 22 11:55:59 2018 DLMI <0015> bsc_init.c:411 Lost some E1 TEI link: 1 0x7f4c41e69860
=================================================================
==28697==ERROR: AddressSanitizer: heap-use-after-free on address 0x62e000408a68 at pc 0x7f4c3fbc3bc6 bp 0x7fff331629f0 sp 0x7fff331629e0
READ of size 8 at 0x62e000408a68 thread T0
#0 0x7f4c3fbc3bc5 in handle_ts1_write input/ipaccess.c:379
#1 0x7f4c3fbc3ceb in ipaccess_fd_cb input/ipaccess.c:399
#2 0x7f4c3feea763 in osmo_fd_disp_fds /home/stsp/osmo/libosmocore/src/select.c:217
#3 0x7f4c3feeaa64 in osmo_select_main /home/stsp/osmo/libosmocore/src/select.c:257
#4 0x563ad5314aa8 in main /home/stsp/osmo/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:532
#5 0x7f4c3e451b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#6 0x563ad5312339 in _start (/home/stsp/osmo/prefix/bin/osmo-bsc+0x234339)
0x62e000408a68 is located 1640 bytes inside of 48072-byte region [0x62e000408400,0x62e000413fc8)
freed by thread T0 here:
#0 0x7f4c40f347b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
#1 0x7f4c4092fa52 in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x3a52)
previously allocated by thread T0 here:
#0 0x7f4c40f34b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x7f4c40931d20 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x5d20)
SUMMARY: AddressSanitizer: heap-use-after-free input/ipaccess.c:379 in handle_ts1_write
Shadow bytes around the buggy address:
0x0c5c800790f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5c80079100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5c80079110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5c80079120: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5c80079130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5c80079140: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
0x0c5c80079150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5c80079160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5c80079170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5c80079180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5c80079190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==28697==ABORTING
Updated by pespin almost 6 years ago
- Status changed from New to Feedback
- % Done changed from 0 to 90
Submited fix in gerrit:
https://gerrit.osmocom.org/#/c/libosmo-abis/+/9262
https://gerrit.osmocom.org/#/c/libosmo-abis/+/9263
After these changes, I'm not able to trigger the issue anymore.
Actions
