Bug #4316
osmo-pcu: memory corruption during CS paging on PACCH
Status:
closed
Start date:
12/09/2019
% Done:
100%
Description
While testing new WIP CS paging tests on TTCN3:
20191209122749934 DL1IF DEBUG Paging request received: chan_needed=0 length=252 (pcu_l1_if.cpp:637)
20191209122749934 DRLCMAC INFO Add RR paging: chan-needed=0 MI=0e a1 d4 bd 84 be 3b 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 00 00 00 e0 45 27 03 3a 56 00 00 60 1f 26 95 fe 7f 00 00 63 ac 54 01 3a 56 00 00 c5 3d ee 5d 01 00 00 00 e0 45 27 03 3a 56 00 00 e0 70 a9 (bts.cpp:373)
20191209122749934 DTBF DEBUG TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=FLOW) uses TRX=0 TS=7, so we mark (bts.cpp:398)
20191209122749934 DRLCMAC INFO Paging on PACCH of TRX=0 TS=7 (bts.cpp:420)
*** Error in `osmo-pcu': malloc(): memory corruption: 0x0000563a03274340 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7fde4ca81bfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7fde4ca87fc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x79089)[0x7fde4ca8a089]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7fde4ca8bf64]
/usr/lib/x86_64-linux-gnu/libtalloc.so.2(talloc_named_const+0x375)[0x7fde4dd0f765]
/usr/lib/x86_64-linux-gnu/libosmocore.so.12(msgb_alloc_c+0x22)[0x7fde4d876622]
/usr/lib/x86_64-linux-gnu/libosmocore.so.12(+0x170ec)[0x7fde4d8810ec]
/usr/lib/x86_64-linux-gnu/libosmocore.so.12(osmo_vlogp+0x16f)[0x7fde4d8804df]
/usr/lib/x86_64-linux-gnu/libosmocore.so.12(logp2+0x87)[0x7fde4d8806c7]
osmo-pcu(+0x3c962)[0x563a0153a962]
osmo-pcu(+0x28518)[0x563a01526518]
osmo-pcu(+0x2897f)[0x563a0152697f]
osmo-pcu(+0x4ca7a)[0x563a0154aa7a]
osmo-pcu(+0x4cc63)[0x563a0154ac63]
/usr/lib/x86_64-linux-gnu/libosmocore.so.12(+0xbbbf)[0x7fde4d875bbf]
/usr/lib/x86_64-linux-gnu/libosmocore.so.12(osmo_select_main+0x6)[0x7fde4d876236]
osmo-pcu(+0x1c796)[0x563a0151a796]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7fde4ca312e1]
osmo-pcu(+0x1bd0a)[0x563a01519d0a]
After enabling ASan:
20191209123741152 DL1IF DEBUG Paging request received: chan_needed=0 length=102 (pcu_l1_if.cpp:637)
20191209123741152 DRLCMAC INFO Add RR paging: chan-needed=0 MI=5a 67 cd dc 7a b2 6c 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (bts.cpp:373)
20191209123741152 DTBF DEBUG TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=FLOW) uses TRX=0 TS=7, so we mark (bts.cpp:398)
=================================================================
==7==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000020c40 at pc 0x7f8171ebad7b bp 0x7ffea1ff5350 sp 0x7ffea1ff4b00
WRITE of size 103 at 0x60c000020c40 thread T0
    #0 0x7f8171ebad7a (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
    #1 0x561dbae63e0f in gprs_rlcmac_pdch::add_paging(unsigned char, unsigned char*) /tmp/osmo-pcu/src/pdch.cpp:261
    #2 0x561dbae5cf89 in BTS::add_paging(unsigned char, unsigned char*) /tmp/osmo-pcu/src/bts.cpp:417
    #3 0x561dbae1ecc0 in pcu_rx_pag_req /tmp/osmo-pcu/src/pcu_l1_if.cpp:640
    #4 0x561dbae1faa4 in pcu_rx(unsigned char, gsm_pcu_if*) /tmp/osmo-pcu/src/pcu_l1_if.cpp:719
    #5 0x561dbae8ac90 in pcu_sock_read /tmp/osmo-pcu/src/osmobts_sock.cpp:152
    #6 0x561dbae8b1ff in pcu_sock_cb /tmp/osmo-pcu/src/osmobts_sock.cpp:208
    #7 0x7f8170f67bbe (/usr/lib/x86_64-linux-gnu/libosmocore.so.12+0xbbbe)
    #8 0x7f8170f68235 in osmo_select_main (/usr/lib/x86_64-linux-gnu/libosmocore.so.12+0xc235)
    #9 0x561dbadfa20d in main /tmp/osmo-pcu/src/pcu_main.cpp:354
    #10 0x7f816f40c2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #11 0x561dbadf7a39 in _start (/usr/local/bin/osmo-pcu+0x15da39)
0x60c000020c40 is located 0 bytes to the right of 128-byte region [0x60c000020bc0,0x60c000020c40)
allocated by thread T0 here:
    #0 0x7f8171f1fd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7f8171401acd in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x6acd)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cd7a)
==7==ABORTING
0: stopped pid 7 with status 1
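The ASan report pins the cause: the length byte of the L-V identity received over the PCU socket drives a memcpy() into a fixed-size field, so length=102 writes 103 bytes past a 128-byte entry. The bounds check below is an added example written for this page, not osmo-pcu's own code; the 9-byte identity_lv field and all function names are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption for this example: the identity is L-V encoded (one length byte
 * followed by the Mobile Identity) in a 9-byte field, as in the PCU interface. */
#define IDENTITY_LV_SIZE 9
struct paging_entry {            /* what the PDCH paging queue stores */
	uint8_t chan_needed;
	uint8_t identity_lv[IDENTITY_LV_SIZE];
};

/* The crashing path trusted the length byte received from the socket and did
 *   memcpy(pag->identity_lv, identity_lv, identity_lv[0] + 1);
 * so length=102 wrote 103 bytes (the ASan WRITE above). Check first. */
int paging_identity_len_ok(const uint8_t *identity_lv, size_t field_size)
{
	/* length byte plus value bytes must fit inside the field */
	if ((size_t)identity_lv[0] + 1 > field_size)
		return -EINVAL;
	return 0;
}
/* Hardened add_paging-style store: an oversized identity is logged and
 * dropped instead of driving memcpy() past the end of the entry. */
int paging_entry_set(struct paging_entry *pag, uint8_t chan_needed,
		     const uint8_t *identity_lv)
{
	int rc = paging_identity_len_ok(identity_lv, sizeof(pag->identity_lv));
	if (rc < 0) {
		fprintf(stderr, "Paging request: identity length %u exceeds %zu-byte field, dropping\n",
			(unsigned)identity_lv[0], sizeof(pag->identity_lv));
		return rc;
	}
	pag->chan_needed = chan_needed;
	memcpy(pag->identity_lv, identity_lv, (size_t)identity_lv[0] + 1);
	return 0;
}

/* Feed a constructed identity (sample bytes, not the capture above) with the
 * given length byte; returns 0 if accepted, -EINVAL if rejected. */
int try_paging_len(uint8_t len)
{
	uint8_t identity_lv[IDENTITY_LV_SIZE] = { len };
	struct paging_entry pag;
	for (int i = 1; i < IDENTITY_LV_SIZE; i++)
		identity_lv[i] = (uint8_t)(0x11 * i);   /* constructed sample */
	return paging_entry_set(&pag, 0, identity_lv);
}
```

The two lengths from the logs above (102 and 252) are rejected before any copy, while an 8-byte identity, the largest that fits the field, is accepted.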