Bug #5200

CTRL command nsvc-state causes memory corruption

Added by daniel 7 days ago. Updated 7 days ago.

Status:
In Progress
Priority:
High
Assignee:
Target version:
-
Start date:
07/19/2021
Due date:
% Done:

80%

Spec Reference:

Description

ASan crashes with heap-use-after-free at /home/daniel/scm/osmo/libosmocore/src/select.c:294 in poll_fill_fds

osmo_ctrl.py -d localhost -p 4263 -g nsvc-state
Breakpoint 1, __asan::ReportGenericError (pc=140737325940093, bp=bp@entry=140737488346384, sp=sp@entry=140737488346376, 
    addr=106652627902132, is_write=is_write@entry=false, access_size=access_size@entry=4, exp=0, fatal=true)
    at ../../../../src/libsanitizer/asan/asan_report.cpp:458
458    ../../../../src/libsanitizer/asan/asan_report.cpp: No such file or directory.
(gdb) bt
#0  __asan::ReportGenericError (pc=140737325940093, bp=bp@entry=140737488346384, sp=sp@entry=140737488346376, addr=106652627902132, 
    is_write=is_write@entry=false, access_size=access_size@entry=4, exp=0, fatal=true)
    at ../../../../src/libsanitizer/asan/asan_report.cpp:458
#1  0x00007ffff764b8a8 in __asan::__asan_report_load4 (addr=<optimized out>) at ../../../../src/libsanitizer/asan/asan_rtl.cpp:119
#2  0x00007ffff651bd7d in poll_fill_fds () at select.c:294
#3  0x00007ffff651e9b4 in _osmo_select_main (polling=polling@entry=0) at select.c:377
#4  0x00007ffff651ead5 in osmo_select_main (polling=polling@entry=0) at select.c:432
#5  0x00005555555b299e in main (argc=3, argv=0x7fffffffdec8) at gb_proxy_main.c:362
(gdb) 

So somehow the list of fds gets corrupted.

History

#1 Updated by daniel 7 days ago

(gdb) f 2
#2  0x00007ffff651bd7d in poll_fill_fds () at select.c:294
294            if (!ufd->when)
(gdb) list
289        unsigned int i = 0;
290    
291        llist_for_each_entry(ufd, &osmo_fds, list) {
292            struct pollfd *p;
293    
294            if (!ufd->when)
295                continue;
296    
297            p = &g_poll.poll[i++];
298    
(gdb) p ufd
$1 = (struct osmo_fd *) 0x610000001ea0
(gdb) p *ufd
$2 = {list = {next = 0x297064752c317630, prev = 0x302e302e3732315b}, fd = 979185966, when = 808465202, cb = 0x2e3732315b3e3c30, 
  data = 0x3a5d30312e302e30, priv_nr = 926365495}
(gdb) p osmo_fds
$3 = {next = 0x7ffff6656320 <osmo_stats_timer>, prev = 0x611000007630}
(gdb) p &osmo_fds
$4 = (struct llist_head *) 0x7ffff4f889c0
(gdb) p osmo_fds->next
$5 = (struct llist_head *) 0x7ffff6656320 <osmo_stats_timer>
(gdb) p *osmo_fds->next
$6 = {next = 0x612000001720, prev = 0x7ffff4f889c0}
(gdb) p *osmo_fds->next->next
$7 = {next = 0x6120000021a0, prev = 0x7ffff6656320 <osmo_stats_timer>}
(gdb) p *osmo_fds->next->next->next
$8 = {next = 0x7ffff67f71e0 <server_socket>, prev = 0x612000001720}
(gdb) p *osmo_fds->next->next->next->next
$9 = {next = 0x610000001ea0, prev = 0x6120000021a0}
(gdb) p *osmo_fds->next->next->next->next->next
$10 = {next = 0x297064752c317630, prev = 0x302e302e3732315b}
(gdb) 

#2 Updated by daniel 7 days ago

  • % Done changed from 0 to 20

Ok, I think I found it. ctrl_nsvc_state_cb() was expecting a struct nsvc_cb_data as ctx, but we were passing it just the struct ctrl_cmd. Obviously this command has never been tested.

It works with my patch:

$ osmo_ctrl.py -d localhost -p 4263 -g nsvc-state
Got message: b'GET_REPLY 6409974032755247648 nsvc-state 101,udp)[127.0.0.1]:23000<>[127.0.0.10]:7777,UNCONFIGURED,SGSN\n102,udp)[127.0.0.1]:23000<>[127.0.0.11]:8888,UNCONFIGURED,SGSN\n'
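
The bug class described in comment #2, as an added example that is not code from osmo-gbproxy or libosmocore: an iterator passes the callback an opaque void *ctx, the callback expects a wrapper struct, and the caller hands it the inner struct instead. All struct, function and constant names below (ctrl_cmd, nsvc_cb_data, for_each_nsvc, NSVC_CB_DATA_MAGIC) are simplified stand-ins and the sample NS-VC table is constructed; the magic tag is an assumed defensive addition, not something the project's structs carry.

```c
/*
 * Added example, not osmo-gbproxy or libosmocore code. Models a callback that
 * expects a wrapper context (nsvc_cb_data) through void *ctx while the caller
 * passes the inner struct (ctrl_cmd) directly, and a tag check that turns the
 * silent type confusion into a refused call. Names are stand-ins.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the control-interface command: the reply is built in here. */
struct ctrl_cmd {
	char reply[128];
};

/* Stand-in for the per-callback context. The magic tag is an assumed
 * defensive addition so the callee can detect a mistyped ctx at run time. */
#define NSVC_CB_DATA_MAGIC 0x4e535643u /* "NSVC", assumed tag value */
struct nsvc_cb_data {
	uint32_t magic;
	struct ctrl_cmd *cmd;
	unsigned int count;
};

/* Minimal NS-VC record, enough to format one line of the reply. */
struct nsvc {
	unsigned int nsvci;
	const char *state;
};

/* Constructed sample table, shaped like the two entries in the reply above. */
static const struct nsvc sample_nsvcs[] = {
	{ 101, "UNCONFIGURED" },
	{ 102, "UNCONFIGURED" },
};
#define N_SAMPLE (sizeof(sample_nsvcs) / sizeof(sample_nsvcs[0]))

/* Iterator with an untyped context: the compiler cannot catch a wrong ctx. */
typedef int (*nsvc_cb_t)(const struct nsvc *nsvc, void *ctx);

static int for_each_nsvc(const struct nsvc *tbl, size_t n, nsvc_cb_t cb, void *ctx)
{
	for (size_t i = 0; i < n; i++) {
		int rc = cb(&tbl[i], ctx);
		if (rc < 0)
			return rc;
	}
	return 0;
}

/* Appends "nsvci,state\n" to the command's reply, bounded by the buffer. */
static int append_nsvc_line(struct nsvc_cb_data *data, const struct nsvc *nsvc)
{
	size_t used = strlen(data->cmd->reply);
	int n = snprintf(data->cmd->reply + used, sizeof(data->cmd->reply) - used,
			 "%u,%s\n", nsvc->nsvci, nsvc->state);
	if (n < 0 || (size_t)n >= sizeof(data->cmd->reply) - used)
		return -1; /* reply buffer full */
	data->count++;
	return 0;
}

/* Unchecked callback, the "before": trusts ctx blindly. Handed a ctrl_cmd,
 * data->cmd is whatever bytes sit at that offset (reply text here) and the
 * write through it lands in unrelated memory. The dump in the description
 * shows an osmo_fd whose fields decode to ASCII such as "[127.0.0". Never
 * call this with the wrong struct; it is kept only for comparison. */
int nsvc_state_cb_unchecked(const struct nsvc *nsvc, void *ctx)
{
	return append_nsvc_line(ctx, nsvc);
}

/* Checked callback: read the tag with memcpy (valid whatever object really
 * sits behind ctx) and refuse to write unless it matches. */
static int nsvc_state_cb(const struct nsvc *nsvc, void *ctx)
{
	uint32_t magic;
	if (!ctx)
		return -1;
	memcpy(&magic, ctx, sizeof(magic));
	if (magic != NSVC_CB_DATA_MAGIC)
		return -1; /* caller passed the wrong struct */
	return append_nsvc_line(ctx, nsvc);
}

/* Buggy call site, the pattern from comment #2: ctx is the ctrl_cmd itself.
 * With the tag check the iteration is rejected instead of corrupting memory. */
int run_buggy_caller(struct ctrl_cmd *cmd)
{
	memset(cmd, 0, sizeof(*cmd));
	return for_each_nsvc(sample_nsvcs, N_SAMPLE, nsvc_state_cb, cmd);
}

/* Fixed call site: wrap the command in the context the callback expects.
 * Returns the number of NS-VCs reported, or -1. */
int run_fixed_caller(struct ctrl_cmd *cmd)
{
	struct nsvc_cb_data data = { NSVC_CB_DATA_MAGIC, cmd, 0 };
	memset(cmd, 0, sizeof(*cmd));
	if (for_each_nsvc(sample_nsvcs, N_SAMPLE, nsvc_state_cb, &data) < 0)
		return -1;
	return (int)data.count;
}

int main(void)
{
	struct ctrl_cmd cmd;
	printf("buggy caller: rc=%d\n", run_buggy_caller(&cmd));
	printf("fixed caller: rc=%d reply:\n%s", run_fixed_caller(&cmd), cmd.reply);
	return 0;
}
```

The tag check is a run-time backstop; the stronger fix is to give the iterator a typed callback (`int (*)(const struct nsvc *, struct nsvc_cb_data *)`) so that passing a `struct ctrl_cmd *` fails to compile. Either way, a CTRL command that is never exercised in a test cannot be caught by ASan, which is the point of the "never been tested" remark above.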

#3 Updated by daniel 7 days ago

  • % Done changed from 20 to 80