Bug #4644

closed

heap-buffer-overflow on OM2k bring-up with DAHDI

Added by laforge almost 4 years ago. Updated almost 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Ericsson BTS
Target version:
-
Start date:
07/03/2020
Due date:
% Done:

90%

Spec Reference:

Description

When trying to bring up an RBS2308 with address sanitizer on current osmo-bsc 1.6.0.166-b8425 + libosmo-abis 0.8.0.34.3616, I get the following:

<0004> bts_ericsson_rbs2000.c:125 inp_sig_cb(): Input signal 'LINE-INIT' received
<0014> input/lapd.c:248 (0:1-T62-S62): LAPD Allocating SAP for SAPI=62 / TEI=62 (dl=0x615000001780, sap=0x615000001760)
<0014> input/lapd.c:258 (0:1-T62-S62): k=1 N200=50 N201=260 T200=0.300000 T203=10.0
<0014> input/lapd.c:521 (0:1-T62-S62): LAPD DL-ESTABLISH request TEI=62 SAPI=62
=================================================================
==20115==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000004de0 at pc 0x7f237ad181e5 bp 0x7ffdd5e42f80 sp 0x7ffdd5e42730
READ of size 5 at 0x612000004de0 thread T0
    #0 0x7f237ad181e4  (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x951e4)
    #1 0x7f237ab6da5d in dahdi_write_msg input/dahdi.c:227
    #2 0x7f237ab68a6e in send_ph_data_req input/lapd.c:634
    #3 0x7f237abf1c8e in lapd_est_req src/gsm/lapd_core.c:1727
    #4 0x7f237ab697dd in lapd_sap_start input/lapd.c:529
    #5 0x5634391cc644 in start_sabm_in_line /root/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:87
    #6 0x5634391cd46e in inp_sig_cb /root/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:159
    #7 0x5634391cd46e in inp_sig_cb /root/git/osmo-bsc/src/osmo-bsc/bts_ericsson_rbs2000.c:115
    #8 0x7f237aba00bb in osmo_signal_dispatch src/signal.c:118
    #9 0x7f237ab61118 in e1inp_line_update src/e1_input.c:878
    #10 0x5634391f62c4 in e1_reconfig_bts /root/git/osmo-bsc/src/osmo-bsc/e1_config.c:205
    #11 0x5634390582ea in bsc_network_configure /root/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:538
    #12 0x5634390582ea in main /root/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:868
    #13 0x7f2379e2309a in __libc_start_main ../csu/libc-start.c:308
    #14 0x56343905a2f9 in _start (/root/git/osmo-bsc/src/osmo-bsc/osmo-bsc+0x5322f9)

0x612000004de0 is located 0 bytes to the right of 288-byte region [0x612000004cc0,0x612000004de0)
allocated by thread T0 here:
    #0 0x7f237ad6c330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x7f237ac4fe80 in talloc_named_const (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x8e80)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x951e4) 
==20115==ABORTING
Actions #1

Updated by laforge almost 4 years ago

  • Status changed from New to In Progress

The culprit likely is:

write(bfd->fd, msg->data, msg->len + 2);

Where we might read one or two bytes beyond the end of the msgb buffer. This is done as the DAHDI driver will replace those two bytes with the FCS (frame check sequence).

Actions #3

Updated by laforge almost 4 years ago

Problem confirmed gone with those patches.

However, there appear to be similar problems in other parts of the code:

<0004> abis_om2000.c:2898 Rx MO=CF/00/ff/00 Negotiation Request (80 80 00 25 01 06 0a 00 ff 00 90 1d 02 02 00 47 31 32 52 30 35 47 31 32 52 30 36 02 01 47 30 31 52 30 38 47 30 31 52 30 39 )
<0004> abis_om2000.c:2623       IWD Type 0 Gen G12 Rev R05
<0004> abis_om2000.c:2623       IWD Type 0 Gen G12 Rev R06
<0004> abis_om2000.c:2623       IWD Type 1 Gen G01 Rev R08
<0004> abis_om2000.c:2623       IWD Type 1 Gen G01 Rev R09
<0004> abis_om2000.c:2575 Tx MO=CF/00/ff/00 Negotiation Request ACK
<0017> input/dahdi.c:257 E1TS(0:1) TX: 80 80 00 17 01 04 0a 00 ff 00 91 0f 02 00 47 31 32 52 30 36 01 47 30 31 52 30 39 
msgb(0x612000018220): Not enough tailroom msgb_put (allocated 4294967243, head at 0, len 31, tailroom 0 < want tailroom 2)
backtrace() returned 14 addresses
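As an added illustration (not code from osmo-bsc, libosmo-abis or libosmocore; `struct mini_msgb` is a simplified stand-in for libosmocore's msgb, not its real layout), this contrasts the unchecked `msg->len + 2` write from Actions #1 with a variant that reserves the two FCS bytes through a tailroom check, which is the same precondition the msgb_put failure in Actions #3 reports as violated:

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define FCS_LEN 2 /* DAHDI overwrites the last two bytes of a frame with the FCS */

/* Simplified stand-in for libosmocore's struct msgb; not the real layout. */
struct mini_msgb {
	uint8_t *buf, *data; /* start of allocation / start of payload */
	size_t size, len;    /* allocation size / payload length */
};

static size_t mini_msgb_tailroom(const struct mini_msgb *m)
{
	return m->size - (size_t)(m->data + m->len - m->buf);
}

/* Allocate `size` bytes and copy `len` payload bytes into the front of them. */
static struct mini_msgb *mini_msgb_alloc(size_t size, const uint8_t *payload, size_t len)
{
	if (len > size) return NULL;
	struct mini_msgb *m = calloc(1, sizeof(*m));
	if (!m || !(m->buf = m->data = calloc(1, size))) { free(m); return NULL; }
	m->size = size;
	memcpy(m->data, payload, len);
	m->len = len;
	return m;
}

/* The pattern from the report: len + 2 is handed to write() with no check that
 * the two FCS slots lie inside the allocation. Sets *oob when that count would
 * read past the end of the buffer, which is what ASan flagged. */
static size_t tx_len_unchecked(const struct mini_msgb *m, int *oob)
{
	*oob = mini_msgb_tailroom(m) < FCS_LEN;
	return m->len + FCS_LEN;
}

/* Hardened variant: reserve the FCS slots first (the msgb_put step) and refuse
 * with -ENOSPC when there is no tailroom, instead of reading past the buffer. */
static int tx_checked(int fd, struct mini_msgb *m)
{
	if (mini_msgb_tailroom(m) < FCS_LEN)
		return -ENOSPC;
	memset(m->data + m->len, 0, FCS_LEN); /* placeholder; the driver writes the FCS */
	m->len += FCS_LEN;
	ssize_t w = write(fd, m->data, m->len);
	return w < 0 ? -errno : (int)w;
}
```

A buffer allocated with exactly `len` bytes (tailroom 0) is the case both reports describe: the unchecked length overreads by two bytes, while the checked path rejects the frame before any write.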

Actions #5

Updated by laforge almost 4 years ago

  • % Done changed from 50 to 90

Actions #6

Updated by laforge almost 4 years ago

  • Status changed from In Progress to Resolved

patches merged
