Bug #5302

closed

ns2: ASan heap-use-after-free in ns2_nse_notify_unblocked() when running GBProxy_Tests.TC_bvc_reset_blocked_ptp_from_sgsn

Added by daniel 28 days ago. Updated 27 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 11/10/2021
Due date:
% Done: 100%
Spec Reference:

Description

Backtrace:

==103449==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000009456 at pc 0x7f4e2bb00fb1 bp 0x7ffc1be40c30 sp 0x7ffc1be40c28
READ of size 1 at 0x611000009456 thread T0
    #0 0x7f4e2bb00fb0 in ns2_nse_notify_unblocked /home/daniel/scm/osmo/libosmocore/src/gb/gprs_ns2.c:1410
    #1 0x7f4e2bb1b98b in ns2_st_alive_onenter /home/daniel/scm/osmo/libosmocore/src/gb/gprs_ns2_vc_fsm.c:488
    #2 0x7f4e2b5a504a in state_chg /home/daniel/scm/osmo/libosmocore/src/fsm.c:699
    #3 0x7f4e2b5a6a4f in _osmo_fsm_inst_state_chg /home/daniel/scm/osmo/libosmocore/src/fsm.c:748
    #4 0x7f4e2bb19f4f in alive_timeout_handler /home/daniel/scm/osmo/libosmocore/src/gb/gprs_ns2_vc_fsm.c:247
    #5 0x7f4e2b58ab54 in osmo_timers_update /home/daniel/scm/osmo/libosmocore/src/timer.c:273
    #6 0x7f4e2b58e444 in _osmo_select_main /home/daniel/scm/osmo/libosmocore/src/select.c:388
    #7 0x7f4e2b58e4a9 in osmo_select_main /home/daniel/scm/osmo/libosmocore/src/select.c:432
    #8 0x5576a6cc4d23 in main /home/daniel/scm/osmo/osmo-gbproxy/src/gb_proxy_main.c:362
    #9 0x7f4e2a961e49 in __libc_start_main ../csu/libc-start.c:314
    #10 0x5576a6caca59 in _start (/home/daniel/scm/osmo/osmo-gbproxy/src/osmo-gbproxy+0x48a59)

0x611000009456 is located 150 bytes inside of 216-byte region [0x6110000093c0,0x611000009498)

It's probably the NSE that was freed:

ns2_nse_notify_unblocked (nsvc=0x611000009560, unblocked=unblocked@entry=false) at gprs_ns2.c:1410
1410            if (unblocked == nse->alive)


Related issues

Related to Core testing infrastructure - Bug #5301: Run TTCN3 docker tests with sanitizer enabled (Status: New, Assignee: osmith, Start date: 11/10/2021)

Actions #1

Updated by daniel 28 days ago

What happens is: alive_timeout_handler() changes the state to RECOVERING, which calls into ns2_st_alive_onenter() -> ns2_nse_notify_unblocked(unblocked=false) -> ns2_sns_notify_alive(unblocked=false).

Since all (signalling) NSVCs have failed and gss->role is SGSN and not persistent, sns_failed() calls gprs_ns2_free_nse(), which talloc_free()s the nse before returning.

The next line in ns2_nse_notify_unblocked() is the if (unblocked == nse->alive), which then causes the use-after-free.
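The call chain described in the comment above, as an added C model that is neither libosmocore's code nor the merged patch: the notify path that may free the NSE hands that verdict back to its caller, so the stand-in for ns2_nse_notify_unblocked() never reads nse->alive once the object is gone. The struct layout, the sgsn/persistent flags and the bool return convention are assumptions for illustration only.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Constructed model of an NSE owning its signalling NSVCs; not libosmocore's types. */
struct nse { bool sgsn; bool persistent; bool alive; int alive_nsvcs; };
struct nsvc { struct nse *nse; };

/* Stands in for sns_failed(): tears down an SGSN-side, non-persistent NSE. */
static bool sns_failed(struct nse *nse)
{
	if (!nse->sgsn || nse->persistent)
		return false;
	free(nse);
	return true;  /* tell the caller the NSE no longer exists */
}

/* Stands in for ns2_sns_notify_alive(): propagates the "freed" verdict upward. */
static bool sns_notify_alive(struct nse *nse, bool unblocked)
{
	nse->alive_nsvcs += unblocked ? 1 : -1;
	return nse->alive_nsvcs == 0 && sns_failed(nse);
}

/* Stands in for ns2_nse_notify_unblocked(). The ticket's crash is the read of
 * nse->alive right after the notify call; here nse is only read if it survived. */
static bool nse_notify_unblocked(struct nsvc *nsvc, bool unblocked)
{
	struct nse *nse = nsvc->nse;
	if (sns_notify_alive(nse, unblocked)) {
		nsvc->nse = NULL;  /* NSE is gone: drop the dangling pointer */
		return true;
	}
	if (unblocked != nse->alive)  /* safe: nse is still live here */
		nse->alive = unblocked;
	return false;
}

/* Replays the ticket's scenario: the last signalling NSVC of an SGSN-side NSE fails.
 * Returns 1 if the NSE was freed and noticed, 0 if it survived with alive cleared, -1 if stale. */
static int replay_last_nsvc_down(bool persistent)
{
	struct nse *nse = malloc(sizeof(*nse));
	struct nsvc nsvc = { .nse = nse };
	*nse = (struct nse){ .sgsn = true, .persistent = persistent, .alive = true, .alive_nsvcs = 1 };
	if (nse_notify_unblocked(&nsvc, false))
		return nsvc.nse == NULL ? 1 : -1;
	int rc = nse->alive ? -1 : 0;
	free(nse);
	return rc;
}
```

Built with -fsanitize=address, the non-persistent case runs clean because nothing dereferences nse after sns_failed() returns.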

Actions #3

Updated by daniel 27 days ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

Patch merged

Actions #4

Updated by daniel 27 days ago

  • Related to Bug #5301: Run TTCN3 docker tests with sanitizer enabled added