Bug #3415

closed

heap overflow in trxcon / tch_fr_disassemble()

Added by stsp over 5 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
trxcon
Target version:
-
Start date:
07/24/2018
Due date:
% Done:

0%

Resolution:
Spec Reference:

Description

Using trxcon and libosmocore from latest master with address-sanitizer enabled, running TTCN3 BTS tests crashes trxcon:

<0005> sched_trx.c:420 Activating lchan=BCCH on ts=0
<0005> sched_trx.c:420 Activating lchan=RACH on ts=0
<0005> sched_trx.c:420 Activating lchan=CCCH on ts=0
<0001> l1ctl.c:502 Received RACH request (offset=0 ra=0x17)
<0005> sched_clck.c:140 Clock indication: fn=204
<0001> l1ctl.c:547 Received L1CTL_DM_EST_REQ (arfcn=871, chan_nr=0x09, tsc=7, tch_mode=0x00)
<0005> sched_trx.c:192 Add a new TDMA timeslot #1
<0005> sched_trx.c:263 (Re)configure TDMA timeslot #1 as TCH/F+SACCH
<0005> sched_trx.c:420 Activating lchan=TCH/F on ts=1
<0005> sched_trx.c:420 Activating lchan=SACCH/TF on ts=1
<0006> sched_lchan_tchf.c:110 Received incomplete traffic frame at fn=0 (0/104) for TCH/F
=================================================================
==17561==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000072413 at pc 0x7f917349b1ff bp 0x7ffdfc7b3cd0 sp 0x7ffdfc7b3cc0
READ of size 1 at 0x60d000072413 thread T0
    #0 0x7f917349b1fe in tch_fr_disassemble /home/stsp/osmo/libosmocore/src/coding/gsm0503_coding.c:1546
    #1 0x7f917349f540 in gsm0503_tch_fr_encode /home/stsp/osmo/libosmocore/src/coding/gsm0503_coding.c:1902
    #2 0x561c306d5a72 in tx_tchf_fn /home/stsp/osmo/osmocom-bb/src/host/trxcon/sched_lchan_tchf.c:243
    #3 0x561c306db384 in sched_frame_clck_cb /home/stsp/osmo/osmocom-bb/src/host/trxcon/sched_trx.c:118
    #4 0x561c306d7f02 in sched_clck_tick /home/stsp/osmo/osmocom-bb/src/host/trxcon/sched_clck.c:93
    #5 0x7f9173787fe0 in osmo_timers_update /home/stsp/osmo/libosmocore/src/timer.c:257
    #6 0x7f917378ace4 in osmo_select_main /home/stsp/osmo/libosmocore/src/select.c:254
    #7 0x561c306c4c6e in main /home/stsp/osmo/osmocom-bb/src/host/trxcon/trxcon.c:304
    #8 0x7f9171ea6b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #9 0x561c306c5009 in _start (/home/stsp/osmo/prefix/bin/trxcon+0x2b009)

0x60d000072413 is located 0 bytes to the right of 131-byte region [0x60d000072390,0x60d000072413)
allocated by thread T0 here:
    #0 0x7f9173dc7b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x7f9173ad9d20 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x5d20)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/stsp/osmo/libosmocore/src/coding/gsm0503_coding.c:1546 in tch_fr_disassemble
Shadow bytes around the buggy address:
  0x0c1a80006430: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fd fd
  0x0c1a80006440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1a80006450: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1a80006460: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x0c1a80006470: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a80006480: 00 00[03]fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1a80006490: 00 00 00 00 00 00 00 00 00 00 00 00 03 fa fa fa
  0x0c1a800064a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a800064b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a800064c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a800064d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17561==ABORTING

Related issues

Related to OsmoBTS - Bug #3418: BTS TTCN-3 tests generate L2 frames with incorrect length (Closed, fixeria, 07/25/2018)

Actions #1

Updated by stsp over 5 years ago

  • Subject changed from heap overflow in trxcon to heap overflow in trxcon's tch_fr_disassemble()
Actions #2

Updated by stsp over 5 years ago

  • Assignee changed from fixeria to 118
Actions #3

Updated by stsp over 5 years ago

The specific test which triggers the crash is BTS_Tests.TC_meas_res_sign_tchf

Actions #4

Updated by stsp over 5 years ago

  • Subject changed from heap overflow in trxcon's tch_fr_disassemble() to heap overflow in trxcon / tch_fr_disassemble()
Actions #5

Updated by stsp over 5 years ago

The culprit seems to be this event:

<0006> sched_lchan_tchf.c:110 Received incomplete traffic frame at fn=0 (0/104) for TCH/F

It looks like this event causes a short allocation of payload data which violates libosmocore's assumptions
about minimum buffer size.

I can fix the problem by ensuring that sched_prim_init() allocates at least GSM_BURST_PL_LEN bytes of payload:
https://gerrit.osmocom.org/c/osmocom-bb/+/10131

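The bug class described in the comment above, as an added C example that is not code from osmocom-bb or libosmocore: a producer sizes a primitive's payload to exactly the bytes received, while the decoder unconditionally reads a fixed frame length, so an incomplete frame turns into a heap over-read. The example shows the producer-side mitigation proposed in the comment (a minimum allocation size) next to the consumer-side length check a fixed-size reader needs anyway. All names (`struct prim`, `prim_init_*`, `disassemble_checked`) and the sizes `FRAME_LEN` and `MIN_PL_LEN` are hypothetical and constructed for this example; they are not libosmocore's constants or API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sizes for this example; they are not libosmocore's constants.
 * FRAME_LEN is what the decoder unconditionally reads from a primitive's
 * payload, MIN_PL_LEN is the lower bound the guarded allocator enforces. */
#define FRAME_LEN   33
#define MIN_PL_LEN  64

/* Hypothetical scheduler primitive: a length plus a trailing payload. */
struct prim {
	size_t payload_len;
	uint8_t payload[];
};

/* Unguarded: allocate exactly the number of bytes received. When an
 * incomplete frame arrives (say 19 bytes), a consumer that copies
 * FRAME_LEN bytes reads past the end of this allocation, which is the
 * pattern AddressSanitizer reported in this ticket. */
static struct prim *prim_init_unguarded(size_t len)
{
	struct prim *p = calloc(1, sizeof(*p) + len);
	if (p)
		p->payload_len = len;
	return p;
}

/* Guarded: never hand out a payload shorter than MIN_PL_LEN, so a
 * fixed-size reader stays inside the allocation even for short frames.
 * calloc() zero-fills the padding, as a talloc_zero()-style allocator would. */
static struct prim *prim_init_guarded(size_t len)
{
	size_t alloc_len = len < MIN_PL_LEN ? MIN_PL_LEN : len;
	struct prim *p = calloc(1, sizeof(*p) + alloc_len);
	if (p)
		p->payload_len = alloc_len;
	return p;
}

/* Consumer-side check: refuse to decode unless FRAME_LEN bytes are really
 * there. A fixed-size reader needs this regardless of how the producer
 * sizes its buffers. */
static bool disassemble_checked(const struct prim *p, uint8_t out[FRAME_LEN])
{
	if (p == NULL || p->payload_len < FRAME_LEN)
		return false;
	memcpy(out, p->payload, FRAME_LEN);
	return true;
}

/* Helpers that return plain values so the behaviour can be asserted. */
static size_t allocated_len(bool guarded, size_t received)
{
	struct prim *p = guarded ? prim_init_guarded(received)
	                         : prim_init_unguarded(received);
	size_t n = p ? p->payload_len : 0;
	free(p);
	return n;
}

static bool decode_succeeds(bool guarded, size_t received)
{
	uint8_t frame[FRAME_LEN];
	struct prim *p = guarded ? prim_init_guarded(received)
	                         : prim_init_unguarded(received);
	bool ok = disassemble_checked(p, frame);
	free(p);
	return ok;
}

int main(void)
{
	/* 19 bytes stands in for the "incomplete traffic frame" in the log. */
	const size_t received = 19;
	printf("unguarded: alloc=%zu decode=%s\n",
	       allocated_len(false, received),
	       decode_succeeds(false, received) ? "ok" : "rejected");
	printf("guarded:   alloc=%zu decode=%s\n",
	       allocated_len(true, received),
	       decode_succeeds(true, received) ? "ok" : "rejected");
	return 0;
}
```

The two mitigations are not equivalent: enforcing a minimum allocation removes the memory-safety bug but lets the decoder silently process a zero-padded frame, while the length check makes the short-frame condition explicit so it can be logged and dropped. Keeping both is the defensive choice, and the length check is also what surfaces upstream problems such as the too-short L2 frames the TTCN-3 tests turned out to generate.
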
Actions #6

Updated by fixeria over 5 years ago

  • Status changed from New to Feedback

The fix has been submitted: https://gerrit.osmocom.org/10137/
Please also abandon: https://gerrit.osmocom.org/10131/

Actions #7

Updated by fixeria over 5 years ago

  • Status changed from Feedback to Closed

The fix has been merged. AFAIK, no segfaults observed now.
This also helped to find a problem in TTCN-3 tests, which generate L2
frames with an incorrect (lower than 23) length, e.g. 19...

Actions #8

Updated by stsp over 5 years ago

  • Related to Bug #3418: BTS TTCN-3 tests generate L2 frames with incorrect length added