Bug #4970 (closed): heap buffer overflow on CBSP WRITE-REPLACE with all 15 pages

Added by laforge about 3 years ago. Updated about 3 years ago.

Status: Rejected
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 01/22/2021
Due date:
% Done: 0%
Spec Reference:

Description

If OsmoBSC receives a CBSP WRITE-REPLACE with 15 pages, at least in some circumstances, it produces a heap-overflow:

<0012> cbch_scheduler.c:114 (bts=0) Unable to schedule first instance of very first SMSCB MsgId=0x007b/SerialNr=0x7000/Pages=15/Period=5/NumBcastReq=888 ?!?
<0012> smscb.c:214 (bts=0) Failure Cause 0x06
=================================================================
==21996==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000086340 at pc 0x7f411ebf1dc1 bp 0x7ffd49be9ae0 sp 0x7ffd49be9ad8
READ of size 1 at 0x60c000086340 thread T0
    #0 0x7f411ebf1dc0 in msgb_put_cbsp_fail_list /space/home/laforge/projects/git/libosmocore/src/gsm/cbsp.c:80
    #1 0x7f411ebfa0ec in cbsp_enc_write_repl_fail /space/home/laforge/projects/git/libosmocore/src/gsm/cbsp.c:219
    #2 0x7f411ebfa0ec in osmo_cbsp_encode /space/home/laforge/projects/git/libosmocore/src/gsm/cbsp.c:420
    #3 0x55f340e4deb5 in cbsp_tx_decoded /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/cbsp_link.c:304
    #4 0x55f340e3eaac in cbsp_rx_write_replace /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/smscb.c:731
    #5 0x55f340e3eaac in cbsp_rx_decoded /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/smscb.c:832
    #6 0x55f340e492f3 in cbsp_client_read_cb /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/cbsp_link.c:196
    #7 0x7f411e4d80c0 in osmo_stream_cli_read /space/home/laforge/projects/git/libosmo-netif/src/stream.c:325
    #8 0x7f411e4d80c0 in osmo_stream_cli_fd_cb /space/home/laforge/projects/git/libosmo-netif/src/stream.c:414
    #9 0x7f411e6257d1 in poll_disp_fds /space/home/laforge/projects/git/libosmocore/src/select.c:350
    #10 0x7f411e6257d1 in _osmo_select_main /space/home/laforge/projects/git/libosmocore/src/select.c:378
    #11 0x7f411e625c08 in osmo_select_main_ctx /space/home/laforge/projects/git/libosmocore/src/select.c:434
    #12 0x55f340abb4e0 in main /space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:1026
    #13 0x7f411d34bd09 in __libc_start_main ../csu/libc-start.c:308
    #14 0x55f340abc4b9 in _start (/space/home/laforge/projects/git/osmo-bsc/src/osmo-bsc/osmo-bsc+0x5ee4b9)

0x60c000086340 is located 0 bytes to the right of 128-byte region [0x60c0000862c0,0x60c000086340)
allocated by thread T0 here:
    #0 0x7f411f259e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f411f00fecb in __talloc_with_prefix ../../talloc.c:782

SUMMARY: AddressSanitizer: heap-buffer-overflow /space/home/laforge/projects/git/libosmocore/src/gsm/cbsp.c:80 in msgb_put_cbsp_fail_list
==21996==ABORTING

I'm attaching a PCAP file of the specific WRITE-REPLACE that created the problem.

#1

Updated by laforge about 3 years ago

  • Status changed from New to Rejected

It was an unclean build due to ABI changes of libosmogsm.