Bug #3494 (closed)

osmo-bsc: heap-use-after-free in abis_nm_dump_foh with nanobts with 2 TRX

Added by pespin over 5 years ago. Updated over 5 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: A-bis OML
Target version: -
Start date: 08/22/2018
Due date:
% Done: 100%
Spec Reference:

Description

Caught by osmo-gsm-tester when testing a new setup of 2 nanoBTS attached, forming a multi-TRX setup (-s voice:nanobts+band-900+mod-bts0-numtrx2+mod-bts0-chanallocdescend -T -l dbg).

20180822120155984 DNM <0004> abis_nm.c:1992 OC=CHANNEL(03) INST=(00,01,04): Sending OPSTART
20180822120155984 DNM <0004> abis_nm.c:383 OC=CHANNEL(03) INST=(00,01,04): Software Activated Report
20180822120155985 DNM <0004> abis_nm.c:218 OC=CHANNEL(03) INST=(00,01,05): STATE CHG: OP_STATE=Disabled AVAIL=Dependency(05)
20180822120155985 DNM <0004> abis_nm.c:1889 OC=CHANNEL(03) INST=(00,01,05): Set Chan Attr (bts=0,trx=1,ts=5)
20180822120155986 DNM <0004> abis_nm.c:1925 OC=CHANNEL(03) INST=(00,01,05): abis_nm_set_channel_attr(): sending 80 80 00 09 47 03 00 01 05 0d 00 40 07
20180822120155986 DNM <0004> abis_nm.c:1992 OC=CHANNEL(03) INST=(00,01,05): Sending OPSTART
20180822120155988 DNM <0004> abis_nm.c:383 OC=CHANNEL(03) INST=(00,01,05): Software Activated Report
20180822120155989 DNM <0004> abis_nm.c:218 OC=CHANNEL(03) INST=(00,01,06): STATE CHG: OP_STATE=Disabled AVAIL=Dependency(05)
20180822120155990 DNM <0004> abis_nm.c:1889 OC=CHANNEL(03) INST=(00,01,06): Set Chan Attr (bts=0,trx=1,ts=6)
=================================================================
==16465==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a00002b3f0 at pc 0x7f587f44c0db bp 0x7ffc59e31df0 sp 0x7ffc59e31de8
READ of size 1 at 0x61a00002b3f0 thread T0
    #0 0x7f587f44c0da in abis_nm_dump_foh /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/gsm/abis_nm.c:937
    #1 0x561e09e1532c in abis_nm_set_channel_attr /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/osmo-bsc/src/osmo-bsc/abis_nm.c:1892
    #2 0x561e09efd269 in nm_statechg_event /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:168
    #3 0x561e09efd269 in bts_ipa_nm_sig_cb /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/osmo-bsc/src/osmo-bsc/bts_ipaccess_nanobts.c:335
    #4 0x7f587efb3d16 in osmo_signal_dispatch /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/signal.c:120
    #5 0x561e09e18e31 in abis_nm_rx_statechg_rep /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/osmo-bsc/src/osmo-bsc/abis_nm.c:255
    #6 0x561e09e18e31 in abis_nm_rcvmsg_report /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/osmo-bsc/src/osmo-bsc/abis_nm.c:380
    #7 0x561e09e18e31 in abis_nm_rcvmsg_fom /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/osmo-bsc/src/osmo-bsc/abis_nm.c:778
    #8 0x561e09e1dc19 in abis_nm_rcvmsg /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/osmo-bsc/src/osmo-bsc/abis_nm.c:926
    #9 0x7f587ec90cc2 in handle_ts1_read input/ipaccess.c:274
    #10 0x7f587ec90cc2 in ipaccess_fd_cb input/ipaccess.c:389
    #11 0x7f587efb1ca8 in osmo_fd_disp_fds /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/select.c:217
    #12 0x7f587efb1ca8 in osmo_select_main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/select.c:257
    #13 0x561e09e049d6 in main /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/osmo-bsc/src/osmo-bsc/osmo_bsc_main.c:922
    #14 0x7f587d53a2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #15 0x561e09e054e9 in _start (/home/jenkins/workspace/osmo-gsm-tester_manual-run/trial-128/inst/osmo-bsc/bin/osmo-bsc+0x34d4e9)

0x61a00002b3f0 is located 368 bytes inside of 1256-byte region [0x61a00002b280,0x61a00002b768)
freed by thread T0 here:
    #0 0x7f5880058a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x7f587fa8586a in _talloc_free (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x486a)

previously allocated by thread T0 here:
    #0 0x7f5880058d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x7f587fa87764 in talloc_named_const (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x6764)

SUMMARY: AddressSanitizer: heap-use-after-free /home/osmocom-build/jenkins/workspace/osmo-gsm-tester_build-osmo-bsc/libosmocore/src/gsm/abis_nm.c:937 in abis_nm_dump_foh
Shadow bytes around the buggy address:
  0x0c347fffd620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffd630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffd640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c347fffd650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fffd660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c347fffd670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c347fffd680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fffd690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fffd6a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fffd6b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c347fffd6c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16465==ABORTING

Files

trial-128-run.tgz (97.9 KB) pespin, 08/22/2018 10:07 AM
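The call shape that an AddressSanitizer report like the one above describes, as an added example that is not osmo-bsc or libosmocore code and makes no claim about the actual root cause fixed in the Gerrit change (the ticket records only the trace): a stand-in message buffer, a header-dump helper that returns a static string the way abis_nm_dump_foh() does, and a send path that takes ownership of the buffer and frees it. The struct names, `dump_foh`, `msg_send`, `build_set_chan_attr`, and the byte values are constructed for illustration. The unsafe variant is compiled in only with `-DDEMO_UAF`, so the block runs cleanly as written; built with `-fsanitize=address -DDEMO_UAF` it produces a "READ of size 1 ... freed by thread T0 here: free" report of the same shape as the one in this ticket.

```c
/* Constructed illustration of the heap-use-after-free call shape that an
 * AddressSanitizer report like the one in this ticket describes. Not osmo-bsc
 * or libosmocore code: types, helpers and values are simplified stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Message buffer whose payload lives in the same heap block as its
 * bookkeeping, so any pointer into the payload dies with the block. */
struct msg {
	size_t len;
	uint8_t data[];
};

/* Simplified OML FOM header: message type, object class, 3-byte instance.
 * A dump helper reads single bytes of this, which is why such a report says
 * "READ of size 1" at an offset well inside the freed region. */
struct fom_hdr {
	uint8_t msg_type;
	uint8_t obj_class;
	uint8_t bts_nr, trx_nr, ts_nr;
};

static struct msg *msg_alloc(size_t payload)
{
	struct msg *m = malloc(sizeof(*m) + payload);
	if (!m)
		abort();
	m->len = payload;
	memset(m->data, 0, payload);
	return m;
}

/* Same calling convention as abis_nm_dump_foh(): formats into a static buffer
 * and returns it. The returned string outlives the header it was made from. */
static const char *dump_foh(const struct fom_hdr *foh)
{
	static char buf[64];
	snprintf(buf, sizeof(buf), "OC=%02x INST=(%02x,%02x,%02x)",
		 foh->obj_class, foh->bts_nr, foh->trx_nr, foh->ts_nr);
	return buf;
}

/* Simulated transmit path: takes ownership of the message and releases it.
 * In a real stack the free may sit several layers down or happen only on
 * some paths, which is what makes the caller's bug intermittent. */
static int msg_send(struct msg *m)
{
	int n = (int)m->len;
	free(m);
	return n;
}

static struct msg *build_set_chan_attr(uint8_t trx, uint8_t ts)
{
	/* 5-byte header followed by 8 bytes of zeroed attribute payload */
	struct msg *m = msg_alloc(sizeof(struct fom_hdr) + 8);
	struct fom_hdr *oh = (struct fom_hdr *)m->data;
	oh->msg_type = 0x41;   /* constructed value, not a real OML message type */
	oh->obj_class = 0x03;  /* CHANNEL */
	oh->bts_nr = 0;
	oh->trx_nr = trx;
	oh->ts_nr = ts;
	return m;
}

/* Buggy ordering: oh points into m, the send path frees m, the log line then
 * reads through oh. ASan reports this with dump_foh() in frame #0 and
 * msg_send's free() in the "freed by" stack. */
int set_channel_attr_unsafe(uint8_t trx, uint8_t ts)
{
	struct msg *m = build_set_chan_attr(trx, ts);
	struct fom_hdr *oh = (struct fom_hdr *)m->data;
	int sent = msg_send(m);                             /* m and oh are dead here */
	printf("%s: sent %d bytes\n", dump_foh(oh), sent);  /* heap-use-after-free */
	return sent;
}

/* Fixed ordering: everything that needs the header (here, the log text) is
 * produced and copied out while this function still owns the buffer; only
 * then is ownership handed to the send path. */
int set_channel_attr_safe(uint8_t trx, uint8_t ts, char *desc, size_t desc_len)
{
	struct msg *m = build_set_chan_attr(trx, ts);
	const struct fom_hdr *oh = (const struct fom_hdr *)m->data;
	snprintf(desc, desc_len, "%s", dump_foh(oh));
	/* nothing below this line may look into m again */
	int sent = msg_send(m);
	printf("%s: sent %d bytes\n", desc, sent);
	return sent;
}

int main(void)
{
	char desc[64];
	set_channel_attr_safe(1, 6, desc, sizeof(desc));
#ifdef DEMO_UAF
	/* cc -g -fsanitize=address -fno-omit-frame-pointer -DDEMO_UAF uaf.c && ./a.out */
	set_channel_attr_unsafe(1, 6);
#endif
	return 0;
}
```

When reading a report of this kind, the two numbers in "located 368 bytes inside of 1256-byte region" say the pointer lands in the body of a freed allocation rather than past its end, so the defect is lifetime or ownership, not bounds; the "freed by" and "previously allocated by" stacks (here both inside talloc) name the owner of that block, and the fix is to finish every use of pointers into the buffer before the call that gives it away.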
#1

Updated by pespin over 5 years ago

  • Description updated (diff)
#2

Updated by pespin over 5 years ago

  • Status changed from New to Feedback
  • % Done changed from 0 to 100

Should be fixed by:
https://gerrit.osmocom.org/#/c/osmo-bsc/+/10566 abis_nm: Fix heap-use-after-free in abis_nm_set_channel_attr

#3

Updated by pespin over 5 years ago

  • Status changed from Feedback to Resolved