Open Source Mobile Communications (https://projects.osmocom.org/)
OsmoMSC - Bug #4003: msc crashes with sigsegv on "sh subscriber msisdn xxxxx" via vty
Update by laforge, 2019-05-15T17:28:29Z (https://projects.osmocom.org/issues/4003?journal_id=14458):
<ul><li><strong>Assignee</strong> set to <i>pespin</i></li><li><strong>Priority</strong> changed from <i>Normal</i> to <i>High</i></li></ul>
Update by fixeria, 2019-05-15T17:40:24Z (https://projects.osmocom.org/issues/4003?journal_id=14459):
<p>I have managed to reproduce this segfault, but in a simpler way:</p>
<p>1) compile OsmoMSC with ASAN (--enable-sanitize);<br />2) register a subscriber with known MSISDN;<br />3) in the VTY, do <em>'show subscriber extension MSISDN'</em>.</p>
<p>Result:</p>
<pre>
=================================================================
==2581==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000017d00 at pc 0x000000562c9e bp 0x7ffd48b0ec60 sp 0x7ffd48b0ec58
READ of size 8 at 0x61d000017d00 thread T0
#0 0x562c9d in msub_msc_a /home/wmn/osmocom/osmo-msc/src/libmsc/msub.c:273:7
#1 0x512599 in vty_dump_one_conn /home/wmn/osmocom/osmo-msc/src/libmsc/msc_vty.c:651:24
#2 0x510f01 in subscr_dump_full_vty /home/wmn/osmocom/osmo-msc/src/libmsc/msc_vty.c:827:4
#3 0x50f66b in show_subscr /home/wmn/osmocom/osmo-msc/src/libmsc/msc_vty.c:985:2
#4 0x7fb273582d36 in cmd_execute_command_real /opt/osmocom/libosmocore/src/vty/command.c:2320
#5 0x7fb273587940 in vty_command /opt/osmocom/libosmocore/src/vty/vty.c:431
#6 0x7fb273587940 in vty_execute /opt/osmocom/libosmocore/src/vty/vty.c:695
#7 0x7fb273587940 in vty_read /opt/osmocom/libosmocore/src/vty/vty.c:1419
#8 0x7fb273589b08 in client_data /opt/osmocom/libosmocore/src/vty/telnet_interface.c:147
#9 0x7fb272cd8cb3 in osmo_fd_disp_fds /opt/osmocom/libosmocore/src/select.c:223
#10 0x7fb272cd8cb3 in osmo_select_main /opt/osmocom/libosmocore/src/select.c:263
#11 0x4fe771 in main /home/wmn/osmocom/osmo-msc/src/osmo-msc/msc_main.c:747:3
#12 0x7fb270d03f44 in __libc_start_main /build/eglibc-xkFqqE/eglibc-2.19/csu/libc-start.c:287
#13 0x4225db in _start (/home/wmn/osmocom/osmo-msc/src/osmo-msc/osmo-msc+0x4225db)
0x61d000017d00 is located 128 bytes inside of 2104-byte region [0x61d000017c80,0x61d0000184b8)
freed by thread T0 here:
#0 0x4cdc12 in __interceptor_free (/home/wmn/osmocom/osmo-msc/src/osmo-msc/osmo-msc+0x4cdc12)
#1 0x7fb273372c23 (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x9c23)
previously allocated by thread T0 here:
#0 0x4cdf93 in malloc (/home/wmn/osmocom/osmo-msc/src/osmo-msc/osmo-msc+0x4cdf93)
#1 0x7fb27336e2a8 in talloc_named_const (/usr/lib/x86_64-linux-gnu/libtalloc.so.2+0x52a8)
SUMMARY: AddressSanitizer: heap-use-after-free /home/wmn/osmocom/osmo-msc/src/libmsc/msub.c:273:7 in msub_msc_a
Shadow bytes around the buggy address:
0x0c3a7fffaf50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffaf60: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
0x0c3a7fffaf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffaf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffaf90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3a7fffafa0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffafb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffafc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffafd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffafe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffaff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2581==ABORTING
</pre>
Update by fixeria, 2019-05-15T18:01:32Z (https://projects.osmocom.org/issues/4003?journal_id=14460):
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>50</i></li></ul><p>Please see: <a class="external" href="https://gerrit.osmocom.org/#/c/osmo-msc/+/14061">https://gerrit.osmocom.org/#/c/osmo-msc/+/14061</a></p>
<p>This change fixes the segfault for me. TBH, I still don't know <strong>how this fixes</strong> the problem.<br />From the API point of view, using msub_for_vsub() looks more logical.</p>
<p><a class="user active" href="https://projects.osmocom.org/users/72">roh</a> could you please test again?</p>
Update by laforge, 2019-05-16T08:53:42Z (https://projects.osmocom.org/issues/4003?journal_id=14466):
<ul><li><strong>Assignee</strong> changed from <i>pespin</i> to <i>fixeria</i></li><li><strong>% Done</strong> changed from <i>50</i> to <i>80</i></li></ul><p>fixeria wrote:</p>
<blockquote>
<p>This change fixes the segfault for me. TBH, I still don't know <strong>how this fixes</strong> the problem.</p>
</blockquote>
<p>msc_conn_ref points to 'msc_a', not to a msub! That's the danger with passing 'void *' around all the time :/ The initial idea was to separate the VLR data structures from the MSC data structures, and use 'void *' to indicate that the VLR doesn't care about what you pass it.</p>
<p>There are two ways to reduce this kind of problem:</p>
<p>a) don't use 'void *' in the VLR, but actually use a 'struct msc_a *' everywhere. One can still declare that as an opaque type ("struct msc_a;") without any definition to prevent the VLR from looking inside.</p>
<p>b) In MSC code, don't directly dereference msc_conn_ref members, but always use some kind of accessor inline function or macro, which then returns the "correct" type.</p>
Update by laforge, 2019-05-16T08:54:34Z (https://projects.osmocom.org/issues/4003?journal_id=14467):
<p>patch has been merged, it's an obvious fix.</p>
Update by roh, 2019-05-17T17:25:41Z (https://projects.osmocom.org/issues/4003?journal_id=14482):
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li><li><strong>% Done</strong> changed from <i>80</i> to <i>100</i></li></ul><p>tested with new nightly build</p>
<p>I am not able to get it to crash anymore.</p>
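<p>laforge's explanation above (msc_conn_ref is a 'void *' that points to an msc_a, not an msub) and his two proposals, as an added C illustration that is not osmo-msc's own code: the VLR holds struct msc_a only as an opaque type, the MSC reaches it through one accessor, and a constructed magic tag shows what the mistaken msub cast actually lands on. All struct layouts, magic values and function names here are assumptions constructed for this example.</p>

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed tags, so the example can show what a cast really points at. */
#define MSC_A_MAGIC 0x4d534341u   /* "MSCA" */
#define MSUB_MAGIC  0x4d535542u   /* "MSUB" */

/* VLR side (option a): it only ever sees an opaque 'struct msc_a'. */
struct msc_a;
struct vlr_subscr {
	const char *msisdn;
	struct msc_a *msc_conn_ref;   /* typed instead of 'void *' */
};

/* MSC side: the full definitions (hypothetical layouts). */
struct msub { uint32_t magic; struct vlr_subscr *vsub; };
struct msc_a { uint32_t magic; struct msub *msub; };

/* Option (b): the single sanctioned accessor from a conn ref to an msc_a. */
static inline struct msc_a *msc_a_from_conn_ref(struct msc_a *ref)
{
	return (ref && ref->magic == MSC_A_MAGIC) ? ref : NULL;
}

/* The misreading behind bug #4003: a 'void *' conn ref cast to msub. The
 * compiler cannot object; the magic tag reveals it is not an msub at all. */
static int conn_ref_looks_like_msub(void *ref)
{
	return ref && ((struct msub *)ref)->magic == MSUB_MAGIC;
}

/* The safe route the fix takes: vsub -> msc_a (via accessor) -> msub. */
static struct msub *msub_for_vsub_example(struct vlr_subscr *vsub)
{
	struct msc_a *msc_a = msc_a_from_conn_ref(vsub->msc_conn_ref);
	return msc_a ? msc_a->msub : NULL;
}

/* Constructed fixture: one registered subscriber with an active connection. */
static struct vlr_subscr *example_vsub(void)
{
	static struct vlr_subscr vsub = { "12345", NULL };
	static struct msub msub = { MSUB_MAGIC, &vsub };
	static struct msc_a msc_a = { MSC_A_MAGIC, &msub };
	vsub.msc_conn_ref = &msc_a;
	return &vsub;
}
```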