Bug #3300

closed

Avoid heap-use-after-free in osmo_wqueue_bfd_cb

Added by pespin almost 6 years ago. Updated almost 6 years ago.

Status: Resolved
Priority: Normal
Assignee:
Target version: -
Start date: 05/29/2018
Due date:
% Done: 100%
Spec Reference:

Description

<0015> /home/data/pespin/git/openbsc/openbsc/src/osmo-bsc_nat/bsc_filter.c:209 Whitelisted with rule 0
<0015> /home/data/pespin/git/openbsc/openbsc/src/osmo-bsc_nat/bsc_sccp.c:136 Created 0x30006 <-> 0x50006 mapping for con 0x616000052be0
<0015> /home/data/pespin/git/openbsc/openbsc/src/osmo-bsc_nat/bsc_nat.c:1317 The connection to the BSC Nr: -1 was lost. Cleaning it
=================================================================
==27028==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000c521c at pc 0x7ffff606b056 bp 0x7fffffffe170 sp 0x7fffffffe168
READ of size 4 at 0x6160000c521c thread T0
    #0 0x7ffff606b055 in osmo_wqueue_bfd_cb /home/data/pespin/git/libosmocore/src/write_queue.c:65
    #1 0x7ffff6055c3b in osmo_fd_disp_fds /home/data/pespin/git/libosmocore/src/select.c:217
    #2 0x7ffff6055ed5 in osmo_select_main /home/data/pespin/git/libosmocore/src/select.c:257
    #3 0x421c82 in main /home/data/pespin/git/openbsc/openbsc/src/osmo-bsc_nat/bsc_nat.c:1713
    #4 0x7ffff4803b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
    #5 0x406438 (/home/data/pespin/build/2g-nitb/out/bin/osmo-bsc_nat+0x406438)

0x6160000c521c is located 156 bytes inside of 568-byte region [0x6160000c5180,0x6160000c53b8)
freed by thread T0 here:
    #0 0x7ffff6f59527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x7ffff69fd522 in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x3522)

previously allocated by thread T0 here:
    #0 0x7ffff6f5973f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x7ffff6a01630 in _talloc_zero (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x7630)

SUMMARY: AddressSanitizer: heap-use-after-free /home/data/pespin/git/libosmocore/src/write_queue.c:65 osmo_wqueue_bfd_cb
Shadow bytes around the buggy address:
  0x0c2c800109f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80010a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c80010a10: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c2c80010a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c80010a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2c80010a40: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd

Required fix is probably similar to that of #3206
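
The trace above shows osmo_wqueue_bfd_cb still reading the struct that _talloc_free released while the callback was running: the fd was readable and writable in the same select() round, the read side noticed the lost BSC connection and freed it, and the callback then went on to use the queue embedded in the freed 568-byte region. The following is an added example, not code from osmo-bsc_nat or libosmocore, that models that control flow in plain C: a write-queue callback whose read handler frees the queue's owner, first in the shape that dereferences the dangling pointer and then in a hardened shape where the read handler returns -EBADF to tell the callback that the owner is gone. The struct and function names, the -EBADF convention, the fake fd flags and the scenario functions are assumptions of the example, not the project's API.

```c
/* Added example, not osmo-bsc_nat or libosmocore code: a minimal model of a
 * write-queue fd callback whose read handler may free the queue's owner.
 * All names and the -EBADF return convention are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define WQ_READ  0x1
#define WQ_WRITE 0x2

struct wqueue {
	int pending;                       /* queued messages still to send */
	int (*read_cb)(struct wqueue *wq); /* may free the owner, see below */
};

/* Owner of the queue, one per BSC connection; it is embedded, so freeing
 * the owner frees the queue too, like the 568-byte region above. */
struct conn {
	int bsc_nr;
	struct wqueue wq;
};
static int conns_freed; /* how many owners conn_close() released */

static struct conn *conn_alloc(int pending, int (*cb)(struct wqueue *))
{
	struct conn *c = calloc(1, sizeof(*c));
	c->wq.pending = pending;
	c->wq.read_cb = cb;
	return c;
}

/* "The connection ... was lost. Cleaning it": frees the owner and with it
 * the queue that is currently being dispatched. */
static void conn_close(struct conn *c)
{
	conns_freed++;
	free(c);
}

/* Read handler that sees the peer is gone and tears the connection down;
 * -EBADF tells the caller that wq no longer exists. */
static int read_cb_peer_lost(struct wqueue *wq)
{
	conn_close((struct conn *)((char *)wq - offsetof(struct conn, wq)));
	return -EBADF;
}

static int read_cb_ok(struct wqueue *wq) { (void)wq; return 0; }

/* Vulnerable shape: wq is dereferenced after read_cb returns even if read_cb
 * freed it; with read_cb_peer_lost this is the pattern in the ASan report.
 * Build with -fsanitize=address and call it to see a similar report. Nothing
 * below calls it, because without ASan that read is undefined behaviour. */
int wq_cb_unsafe(struct wqueue *wq, unsigned int what)
{
	if (what & WQ_READ)
		wq->read_cb(wq);
	if ((what & WQ_WRITE) && wq->pending > 0) /* wq may be dangling here */
		wq->pending--;
	return 0;
}

/* Hardened shape: honour the -EBADF contract and stop touching wq. */
int wq_cb_safe(struct wqueue *wq, unsigned int what)
{
	if ((what & WQ_READ) && wq->read_cb(wq) == -EBADF)
		return -EBADF; /* owner is gone: no further access */
	if ((what & WQ_WRITE) && wq->pending > 0)
		wq->pending--;
	return 0;
}

/* Scenario from the report: fd readable and writable in one select() round,
 * and the read side frees the connection. Returns 1 if the safe callback
 * stopped after the free and exactly one owner was released. */
int run_peer_lost_scenario(void)
{
	struct conn *c = conn_alloc(3, read_cb_peer_lost);
	int freed_before = conns_freed;
	int rc = wq_cb_safe(&c->wq, WQ_READ | WQ_WRITE);
	/* c is freed now; only rc and the counter are consulted */
	return rc == -EBADF && conns_freed == freed_before + 1;
}

/* Normal round: nothing is freed and one queued message is written. */
int run_normal_scenario(void)
{
	struct conn *c = conn_alloc(3, read_cb_ok);
	int rc = wq_cb_safe(&c->wq, WQ_READ | WQ_WRITE);
	int ok = rc == 0 && c->wq.pending == 2;
	conn_close(c);
	return ok;
}

int main(void)
{
	printf("peer lost: %d, normal: %d\n", run_peer_lost_scenario(), run_normal_scenario());
	return 0;
}
```

Compiling with `cc -g -fsanitize=address` and calling wq_cb_unsafe(&c->wq, WQ_READ | WQ_WRITE) on a conn set up with read_cb_peer_lost gives a report of the same family as the one above: a READ inside a region freed by the read handler, with the freeing stack under conn_close. The hardened callback is the check a reviewer would ask for whenever a read handler can release the object that owns the fd: either the callee must not free, or it must report the free and the caller must stop.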


Related issues

Related to OsmoBSC - Bug #3206: osmo-bsc: heap-use-after-free at osmo_wqueue_bfd_cb (Resolved, pespin, 04/24/2018)

Actions #1

Updated by pespin almost 6 years ago

  • Related to Bug #3206: osmo-bsc: heap-use-after-free at osmo_wqueue_bfd_cb added
Actions #2

Updated by pespin almost 6 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 90
Actions #3

Updated by pespin almost 6 years ago

  • Status changed from Feedback to Resolved
  • % Done changed from 90 to 100

Merged, closing.
