Bug #3415 (Closed): heap overflow in trxcon / tch_fr_disassemble()
Description
Using trxcon and libosmocore from latest master with AddressSanitizer enabled, running TTCN3 BTS tests crashes trxcon:
<0005> sched_trx.c:420 Activating lchan=BCCH on ts=0
<0005> sched_trx.c:420 Activating lchan=RACH on ts=0
<0005> sched_trx.c:420 Activating lchan=CCCH on ts=0
<0001> l1ctl.c:502 Received RACH request (offset=0 ra=0x17)
<0005> sched_clck.c:140 Clock indication: fn=204
<0001> l1ctl.c:547 Received L1CTL_DM_EST_REQ (arfcn=871, chan_nr=0x09, tsc=7, tch_mode=0x00)
<0005> sched_trx.c:192 Add a new TDMA timeslot #1
<0005> sched_trx.c:263 (Re)configure TDMA timeslot #1 as TCH/F+SACCH
<0005> sched_trx.c:420 Activating lchan=TCH/F on ts=1
<0005> sched_trx.c:420 Activating lchan=SACCH/TF on ts=1
<0006> sched_lchan_tchf.c:110 Received incomplete traffic frame at fn=0 (0/104) for TCH/F
=================================================================
==17561==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000072413 at pc 0x7f917349b1ff bp 0x7ffdfc7b3cd0 sp 0x7ffdfc7b3cc0
READ of size 1 at 0x60d000072413 thread T0
    #0 0x7f917349b1fe in tch_fr_disassemble /home/stsp/osmo/libosmocore/src/coding/gsm0503_coding.c:1546
    #1 0x7f917349f540 in gsm0503_tch_fr_encode /home/stsp/osmo/libosmocore/src/coding/gsm0503_coding.c:1902
    #2 0x561c306d5a72 in tx_tchf_fn /home/stsp/osmo/osmocom-bb/src/host/trxcon/sched_lchan_tchf.c:243
    #3 0x561c306db384 in sched_frame_clck_cb /home/stsp/osmo/osmocom-bb/src/host/trxcon/sched_trx.c:118
    #4 0x561c306d7f02 in sched_clck_tick /home/stsp/osmo/osmocom-bb/src/host/trxcon/sched_clck.c:93
    #5 0x7f9173787fe0 in osmo_timers_update /home/stsp/osmo/libosmocore/src/timer.c:257
    #6 0x7f917378ace4 in osmo_select_main /home/stsp/osmo/libosmocore/src/select.c:254
    #7 0x561c306c4c6e in main /home/stsp/osmo/osmocom-bb/src/host/trxcon/trxcon.c:304
    #8 0x7f9171ea6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x561c306c5009 in _start (/home/stsp/osmo/prefix/bin/trxcon+0x2b009)

0x60d000072413 is located 0 bytes to the right of 131-byte region [0x60d000072390,0x60d000072413)
allocated by thread T0 here:
    #0 0x7f9173dc7b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7f9173ad9d20 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x5d20)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/stsp/osmo/libosmocore/src/coding/gsm0503_coding.c:1546 in tch_fr_disassemble
==17561==ABORTING
Updated by stsp over 5 years ago
- Subject changed from heap overflow in trxcon to heap overflow in trxcon's tch_fr_disassemble()
Updated by stsp over 5 years ago
The specific test which triggers the crash is BTS_Tests.TC_meas_res_sign_tchf.
Updated by stsp over 5 years ago
- Subject changed from heap overflow in trxcon's tch_fr_disassemble() to heap overflow in trxcon / tch_fr_disassemble()
Updated by stsp over 5 years ago
The culprit seems to be this event:
<0006> sched_lchan_tchf.c:110 Received incomplete traffic frame at fn=0 (0/104) for TCH/F
It looks like this event causes a short allocation of payload data which violates libosmocore's assumptions about minimum buffer size.
I can fix the problem by ensuring that sched_prim_init() allocates at least GSM_BURST_PL_LEN bytes of payload:
https://gerrit.osmocom.org/c/osmocom-bb/+/10131
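As an added illustration of the allocation policy described in this comment (example code, not from trxcon or libosmocore): a hypothetical primitive layout whose payload buffer is padded to at least GSM_BURST_PL_LEN, plus a consumer-side bounds check so a too-short frame is refused rather than over-read. The struct and function names, and the value 116 for GSM_BURST_PL_LEN (2 x 57 data bits + 2 stealing bits of a normal burst), are assumptions; the page gives only the macro name.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>

/* Assumed value: the page names the macro but not its definition. */
#define GSM_BURST_PL_LEN 116

/* Hypothetical stand-in for a scheduler primitive: fixed header
 * followed by a variable-length payload. */
struct tch_prim {
	size_t pl_len;     /* bytes the producer actually filled in */
	size_t alloc_len;  /* bytes really available in payload[] */
	uint8_t payload[];
};

/* Never hand the coding layer a payload shorter than the largest
 * size it may read; zero-fill so an incomplete frame cannot expose
 * stale heap bytes (talloc_zero in the report already zeroes). */
struct tch_prim *prim_alloc(size_t pl_len)
{
	size_t alloc_len = pl_len < GSM_BURST_PL_LEN ? GSM_BURST_PL_LEN : pl_len;
	struct tch_prim *prim = calloc(1, sizeof(*prim) + alloc_len);
	if (!prim)
		return NULL;
	prim->pl_len = pl_len;
	prim->alloc_len = alloc_len;
	return prim;
}

/* Consumer-side check: the reader must not trust pl_len alone, it
 * must stay within what was actually allocated. */
const uint8_t *prim_payload(const struct tch_prim *prim, size_t need)
{
	if (!prim || need > prim->alloc_len)
		return NULL;
	return prim->payload;
}

/* Stand-in for a fixed-size frame reader such as tch_fr_disassemble:
 * reports failure instead of reading past the region. */
bool frame_read(const struct tch_prim *prim, size_t frame_bytes, uint8_t *out)
{
	const uint8_t *pl = prim_payload(prim, frame_bytes);
	if (!pl)
		return false;
	memcpy(out, pl, frame_bytes);
	return true;
}
```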
Updated by fixeria over 5 years ago
- Status changed from New to Feedback
The fix has been submitted: https://gerrit.osmocom.org/10137/
Please also abandon: https://gerrit.osmocom.org/10131/
Updated by fixeria over 5 years ago
- Status changed from Feedback to Closed
The fix has been merged. AFAIK, no segfaults observed now.
This also helped to find a problem in TTCN-3 tests, which generate L2 frames with an incorrect (lower than 23) length, e.g. 19...
Updated by stsp over 5 years ago
- Related to Bug #3418: BTS TTCN-3 tests generate L2 frames with incorrect length added