Project

General

Profile

Bug #4316

osmo-pcu: memory corruption during CS pagin on PACCH

Added by pespin 11 months ago. Updated 11 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Target version:
-
Start date:
12/09/2019
Due date:
% Done:

100%

Spec Reference:

Description

While testing new WIP CS paging tests on TTNC3:


20191209122749934 DL1IF DEBUG Paging request received: chan_needed=0 length=252 (pcu_l1_if.cpp:637)
20191209122749934 DRLCMAC INFO Add RR paging: chan-needed=0 MI=0e a1 d4 bd 84 be 3b 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 00 00 00 e0 45 27 03 3a 56 00 00 60 1f 26 95 fe 7f 00 00 63 ac 54 01 3a 56 00 00 c5 3d ee 5d 01 00 00 00 e0 45 27
03 3a 56 00 00 e0 70 a9  (bts.cpp:373)
20191209122749934 DTBF DEBUG TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=FLOW) uses TRX=0 TS=7, so we mark (bts.cpp:398)
20191209122749934 DRLCMAC INFO Paging on PACCH of TRX=0 TS=7 (bts.cpp:420)
*** Error in `osmo-pcu': malloc(): memory corruption: 0x0000563a03274340 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7fde4ca81bfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7fde4ca87fc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x79089)[0x7fde4ca8a089]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fde4ca8bf64]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(talloc_named_const+0x375)[0x7fde4dd0f765]
/usr/lib/x86_64-linux-gnu/libosmocore.so.12(msgb_alloc_c+0x22)[0x7fde4d876622]
/usr/lib/x86_64-linux-gnu/libosmocore.so.12(+0x170ec)[0x7fde4d8810ec]
/usr/lib/x86_64-linux-gnu/libosmocore.so.12(osmo_vlogp+0x16f)[0x7fde4d8804df]
/usr/lib/x86_64-linux-gnu/libosmocore.so.12(logp2+0x87)[0x7fde4d8806c7]
osmo-pcu(+0x3c962)[0x563a0153a962]
osmo-pcu(+0x28518)[0x563a01526518]
osmo-pcu(+0x2897f)[0x563a0152697f]
osmo-pcu(+0x4ca7a)[0x563a0154aa7a]
osmo-pcu(+0x4cc63)[0x563a0154ac63]
/usr/lib/x86_64-linux-gnu/libosmocore.so.12(+0xbbbf)[0x7fde4d875bbf]
/usr/lib/x86_64-linux-gnu/libosmocore.so.12(osmo_select_main+0x6)[0x7fde4d876236]
osmo-pcu(+0x1c796)[0x563a0151a796]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7fde4ca312e1]
osmo-pcu(+0x1bd0a)[0x563a01519d0a]
======= Memory map: ========
563a014fe000-563a0157a000 r-xp 00000000 00:19 26281                      /usr/local/bin/osmo-pcu
563a0177a000-563a01797000 r--p 0007c000 00:19 26281                      /usr/local/bin/osmo-pcu
563a01797000-563a0179a000 rw-p 00099000 00:19 26281                      /usr/local/bin/osmo-pcu
563a0179a000-563a017a4000 rw-p 00000000 00:00 0
563a03182000-563a03295000 rw-p 00000000 00:00 0                          [heap]
7fde44000000-7fde44021000 rw-p 00000000 00:00 0
7fde44021000-7fde48000000 ---p 00000000 00:00 0

After enabling ASan:

20191209123741152 DL1IF DEBUG Paging request received: chan_needed=0 length=102 (pcu_l1_if.cpp:637)
20191209123741152 DRLCMAC INFO Add RR paging: chan-needed=0 MI=5a 67 cd dc 7a b2 6c 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  (bts.cpp:373)
20191209123741152 DTBF DEBUG TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=FLOW) uses TRX=0 TS=7, so we mark (bts.cpp:398)
=================================================================
==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000020c40 at pc 0x7f8171ebad7b bp 0x7ffea1ff5350 sp 0x7ffea1ff4b00
WRITE of size 103 at 0x60c000020c40 thread T0
    #0 0x7f8171ebad7a  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
    #1 0x561dbae63e0f in gprs_rlcmac_pdch::add_paging(unsigned char, unsigned char*) /tmp/osmo-pcu/src/pdch.cpp:261
    #2 0x561dbae5cf89 in BTS::add_paging(unsigned char, unsigned char*) /tmp/osmo-pcu/src/bts.cpp:417
    #3 0x561dbae1ecc0 in pcu_rx_pag_req /tmp/osmo-pcu/src/pcu_l1_if.cpp:640
    #4 0x561dbae1faa4 in pcu_rx(unsigned char, gsm_pcu_if*) /tmp/osmo-pcu/src/pcu_l1_if.cpp:719
    #5 0x561dbae8ac90 in pcu_sock_read /tmp/osmo-pcu/src/osmobts_sock.cpp:152
    #6 0x561dbae8b1ff in pcu_sock_cb /tmp/osmo-pcu/src/osmobts_sock.cpp:208
    #7 0x7f8170f67bbe  (/usr/lib/x86_64-linux-gnu/libosmocore.so.12+0xbbbe)
    #8 0x7f8170f68235 in osmo_select_main (/usr/lib/x86_64-linux-gnu/libosmocore.so.12+0xc235)
    #9 0x561dbadfa20d in main /tmp/osmo-pcu/src/pcu_main.cpp:354
    #10 0x7f816f40c2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #11 0x561dbadf7a39 in _start (/usr/local/bin/osmo-pcu+0x15da39)

0x60c000020c40 is located 0 bytes to the right of 128-byte region [0x60c000020bc0,0x60c000020c40)
allocated by thread T0 here:
    #0 0x7f8171f1fd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7f8171401acd in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x6acd)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
Shadow bytes around the buggy address:
  0x0c187fffc130: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fffc140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fffc150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fffc160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c187fffc170: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c187fffc180: 00 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa
  0x0c187fffc190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c187fffc1a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c187fffc1b0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c187fffc1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c187fffc1d0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7==ABORTING
0: stopped pid 7 with status 1


Related issues

Related to OsmoPCU - Bug #3927: Missing PCU_Tests.ttcn Paging testsResolved04/15/2019

History

#1 Updated by pespin 11 months ago

  • Related to Bug #3927: Missing PCU_Tests.ttcn Paging tests added

#2 Updated by pespin 11 months ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 90

Should be fixed by:
https://gerrit.osmocom.org/c/osmo-pcu/+/16527 pcu_l1_if: Check pag_req id_lv len fits buffer

#3 Updated by pespin 11 months ago

  • Status changed from Feedback to Resolved
  • % Done changed from 90 to 100

Also available in: Atom PDF

Add picture from clipboard (Maximum size: 48.8 MB)