Bug #5828

closed

Use-after-free in ipa_keepalive FSM

Added by daniel about 2 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
Category:
Abis
Target version:
-
Start date:
12/13/2022
Due date:
% Done:

100%

Spec Reference:

Description

With ASan enabled, osmo-bts reports a use-after-free when the abis FSM reconnects:

osmo-bts 82d92f703aadf5d4b2ac3c2455cef08c78099018
libosmocore 7c1b6cb4cd6aa548f8dbba1859113f29efb63b46
libosmo-abis ce70074476a95b159573884fa34b75c2f64c4508

DABIS <000d> abis.c:418 abis_link(abis_link)[0x6120000054a0]{CONNECTING}: Received Event SIGN_LINK_DOWN   
DABIS <000d> abis.c:204 abis_link(abis_link)[0x6120000054a0]{CONNECTING}: state_chg to WAIT_RECONNECT

DABIS <000d> fsm.c:317 abis_link(abis_link)[0x6120000054a0]{WAIT_RECONNECT}: Timeout of T0   
DABIS <000d> abis.c:287 abis_link(abis_link)[0x6120000054a0]{WAIT_RECONNECT}: state_chg to CONNECTING
DABIS <000d> abis.c:161 A-bis connection establishment to BSC (127.0.0.1) in progress...     
DLINP <0012> input/ipaccess.c:1095 enabling ipaccess BTS mode, OML connecting to 127.0.0.1:3002

Breakpoint 1, __asan::ReportGenericError (pc=140737336409383, bp=bp@entry=140737488344864, sp=sp@entry=140737488344856, addr=106790066870192, is_write=is_write@entry=false, 
access_size=access_size@entry=8, exp=0, fatal=true) at ../../../../src/libsanitizer/asan/asan_report.cpp:462
(gdb) c                      
Continuing.
=================================================================
==1282976==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000057b0 at pc 0x7ffff6f17d27 bp 0x7fffffffd720 sp 0x7fffffffd718
READ of size 8 at 0x6120000057b0 thread T0
    #0 0x7ffff6f17d26 in ipa_keepalive_fsm_stop input/ipa_keepalive.c:330
    #1 0x7ffff6f1d489 in ipaccess_keepalive_fsm_cleanup input/ipaccess.c:80
    #2 0x7ffff6f1d489 in ipaccess_bts_keepalive_fsm_alloc input/ipaccess.c:194
    #3 0x7ffff6f256b2 in ipaccess_line_update input/ipaccess.c:1132
    #4 0x7ffff6efe10d in e1inp_line_update /home/daniel/scm/osmo/libosmo-abis/src/e1_input.c:945
    #5 0x5555557c1e43 in abis_link_connecting_onenter /home/daniel/scm/osmo/osmo-bts/src/common/abis.c:184
    #6 0x7ffff6b1204e in state_chg /home/daniel/scm/osmo/libosmocore/src/fsm.c:697
    #7 0x7ffff6b14410 in _osmo_fsm_inst_state_chg /home/daniel/scm/osmo/libosmocore/src/fsm.c:746
    #8 0x5555557bf657 in abis_link_fsm_timer_cb /home/daniel/scm/osmo/osmo-bts/src/common/abis.c:287
    #9 0x7ffff6b1a2b4 in fsm_tmr_cb /home/daniel/scm/osmo/libosmocore/src/fsm.c:320                                                                                          
    #10 0x7ffff6af7e2e in osmo_timers_update /home/daniel/scm/osmo/libosmocore/src/timer.c:269
    #11 0x7ffff6afb866 in _osmo_select_main /home/daniel/scm/osmo/libosmocore/src/select.c:394
    #12 0x7ffff6afb8d4 in osmo_select_main /home/daniel/scm/osmo/libosmocore/src/select.c:438
    #13 0x5555557b4d85 in bts_main /home/daniel/scm/osmo/osmo-bts/src/common/main.c:423
    #14 0x5555556ede7b in main /home/daniel/scm/osmo/osmo-bts/src/osmo-bts-virtual/main.c:146
    #15 0x7ffff6046189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #16 0x7ffff6046244 in __libc_start_main_impl ../csu/libc-start.c:381
    #17 0x5555556ed390 in _start (/home/daniel/local/osmo-master/bin/osmo-bts-virtual+0x199390)

0x6120000057b0 is located 112 bytes inside of 296-byte region [0x612000005740,0x612000005868)
freed by thread T0 here:
    #0 0x7ffff78b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7ffff7f322e1  (/lib/x86_64-linux-gnu/libtalloc.so.2+0x42e1)
    #2 0x7ffff6f2549b in ipaccess_line_update input/ipaccess.c:1102
    #3 0x7ffff6efe10d in e1inp_line_update /home/daniel/scm/osmo/libosmo-abis/src/e1_input.c:945
    #4 0x5555557c1e43 in abis_link_connecting_onenter /home/daniel/scm/osmo/osmo-bts/src/common/abis.c:184
    #5 0x7ffff6b1204e in state_chg /home/daniel/scm/osmo/libosmocore/src/fsm.c:697
    #6 0x7ffff6b14410 in _osmo_fsm_inst_state_chg /home/daniel/scm/osmo/libosmocore/src/fsm.c:746
    #7 0x5555557bf657 in abis_link_fsm_timer_cb /home/daniel/scm/osmo/osmo-bts/src/common/abis.c:287
    #8 0x7ffff6b1a2b4 in fsm_tmr_cb /home/daniel/scm/osmo/libosmocore/src/fsm.c:320
    #9 0x7ffff6af7e2e in osmo_timers_update /home/daniel/scm/osmo/libosmocore/src/timer.c:269
    #10 0x7ffff6afb866 in _osmo_select_main /home/daniel/scm/osmo/libosmocore/src/select.c:394
    #11 0x7ffff6afb8d4 in osmo_select_main /home/daniel/scm/osmo/libosmocore/src/select.c:438
    #12 0x5555557b4d85 in bts_main /home/daniel/scm/osmo/osmo-bts/src/common/main.c:423
    #13 0x5555556ede7b in main /home/daniel/scm/osmo/osmo-bts/src/osmo-bts-virtual/main.c:146
    #14 0x7ffff6046189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x7ffff78b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7ffff7f33b6d  (/lib/x86_64-linux-gnu/libtalloc.so.2+0x5b6d)

SUMMARY: AddressSanitizer: heap-use-after-free input/ipa_keepalive.c:330 in ipa_keepalive_fsm_stop
Actions #1

Updated by daniel about 2 months ago

This happens because ipa_ka_fsm_timer_cb() in libosmo-abis returns 1 on timeout, which terminates and frees the FSM.

Additionally, ipaccess_keepalive_fsm_cleanup() calls ipa_keepalive_fsm_stop() and unsets the fsm, but will not terminate it. This should leak fsm insts.

Instead, call osmo_fsm_inst_term() in cleanup().

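Added example, not code from this ticket or from libosmocore, libosmo-abis or osmo-bts: a minimal C model of the osmo_fsm timer contract that the comment above relies on (a timer_cb returning 1 asks the FSM core to terminate the instance, which frees it). Every identifier below (fsm_inst_alloc, fsm_timer_fire, struct line, the ka_* descriptors, the two scenario functions) is hypothetical. The first scenario replays the ordering in the ASan report, keepalive timeout followed by reconnect, and reports whether the owner is left holding a pointer to a freed instance; the second contrasts an owner cleanup that only stops and forgets the FSM with one that terminates it, which is the leak noted above. The "fixed" descriptor also gives the FSM a cleanup hook that clears the owner's pointer; that is one robust way to close this class of bug and is offered as illustration, not as the patch that resolved this ticket.

```c
/* Added example, not libosmocore/libosmo-abis/osmo-bts code: a minimal model of the
 * osmo_fsm timer contract (timer_cb returning 1 = the core terminates and frees the
 * instance). All identifiers are hypothetical; only the contract is modelled. */
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

struct fsm_inst;
struct fsm_desc {
	int (*timer_cb)(struct fsm_inst *fi);	/* return 1 -> core terminates fi */
	void (*cleanup)(struct fsm_inst *fi);	/* runs during termination, before free() */
};
struct fsm_inst { const struct fsm_desc *desc; void *priv; /* owner context */ };
/* Live-instance registry standing in for talloc/ASan bookkeeping; addresses are
 * kept as integers so a freed pointer is never dereferenced. */
#define MAX_INST 16
static uintptr_t live[MAX_INST];
static int n_live;

static bool live_has(uintptr_t a)
{
	for (int i = 0; i < n_live; i++)
		if (live[i] == a) return true;
	return false;
}
int fsm_live_count(void) { return n_live; }
struct fsm_inst *fsm_inst_alloc(const struct fsm_desc *desc, void *priv)
{
	struct fsm_inst *fi = calloc(1, sizeof(*fi));
	if (!fi || n_live == MAX_INST) abort();
	fi->desc = desc;
	fi->priv = priv;
	live[n_live++] = (uintptr_t)fi;
	return fi;
}

/* Like osmo_fsm_inst_term(): run the descriptor's cleanup, then release */
void fsm_inst_term(struct fsm_inst *fi)
{
	uintptr_t a = (uintptr_t)fi;
	if (fi->desc->cleanup) fi->desc->cleanup(fi);
	for (int i = 0; i < n_live; i++)
		if (live[i] == a) { live[i] = live[--n_live]; break; }
	free(fi);
}

/* Like fsm_tmr_cb() in libosmocore: rc == 1 from timer_cb ends the instance */
void fsm_timer_fire(struct fsm_inst *fi)
{
	if (fi->desc->timer_cb && fi->desc->timer_cb(fi) == 1) fsm_inst_term(fi);
}

/* The owner, standing in for the ipaccess line that holds its keepalive FSM;
 * ka_addr is recorded at alloc time for the dangling-pointer check. */
struct line { struct fsm_inst *ka_fsm; uintptr_t ka_addr; };

static int ka_timeout_self_terminates(struct fsm_inst *fi) { (void)fi; return 1; }
static int ka_timeout_stays(struct fsm_inst *fi) { (void)fi; return 0; }

/* Fixed variant: the FSM unlinks itself from its owner while terminating, so the
 * owner never holds a stale pointer regardless of who initiated the teardown. */
static void ka_cleanup_unlink_owner(struct fsm_inst *fi)
{
	struct line *l = fi->priv;
	if (l && l->ka_fsm == fi) l->ka_fsm = NULL;
}
const struct fsm_desc ka_buggy = { ka_timeout_self_terminates, NULL };
const struct fsm_desc ka_fixed = { ka_timeout_stays, ka_cleanup_unlink_owner };
enum outcome { OUTCOME_OK = 0, OUTCOME_DANGLING = 1, OUTCOME_LEAKED = 2 };

/* The sequence behind the ASan report: the keepalive timeout fires, then the line
 * reconnects and tears down the keepalive FSM it still points to. */
int scenario_timeout_then_reconnect(const struct fsm_desc *d)
{
	int before = fsm_live_count();
	struct line l = { 0 };
	l.ka_fsm = fsm_inst_alloc(d, &l);
	l.ka_addr = (uintptr_t)l.ka_fsm;
	fsm_timer_fire(l.ka_fsm);
	if (l.ka_fsm && !live_has(l.ka_addr))
		return OUTCOME_DANGLING;	/* real code would now read freed memory */
	if (l.ka_fsm) fsm_inst_term(l.ka_fsm);	/* owner-initiated teardown on reconnect */
	return fsm_live_count() == before ? OUTCOME_OK : OUTCOME_LEAKED;
}

/* Owner cleanup that only stops and forgets versus one that terminates:
 * returns how many instances outlive the owner. */
int scenario_owner_cleanup(bool terminate)
{
	int before = fsm_live_count();
	struct line l = { 0 };
	l.ka_fsm = fsm_inst_alloc(&ka_fixed, &l);
	if (terminate)
		fsm_inst_term(l.ka_fsm);	/* cleanup hook also clears l.ka_fsm */
	else
		l.ka_fsm = NULL;		/* stop + forget: the instance is orphaned */
	return fsm_live_count() - before;
}
```

scenario_timeout_then_reconnect(&ka_buggy) comes back as OUTCOME_DANGLING and the same call with &ka_fixed as OUTCOME_OK; scenario_owner_cleanup(false) reports one orphaned instance and scenario_owner_cleanup(true) none. The registry is what makes this checkable without ASan: the real libosmo-abis code takes the dangling path and dereferences the freed instance in ipa_keepalive_fsm_stop(), which is exactly the read ASan flags in the report above.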
Actions #2

Updated by daniel about 2 months ago

  • Status changed from New to In Progress
  • % Done changed from 0 to 30
Actions #3

Updated by daniel about 2 months ago

  • % Done changed from 30 to 60
Actions #4

Updated by daniel about 2 months ago

  • Status changed from In Progress to Resolved
  • % Done changed from 60 to 100