Bug #4838 (closed)
osmo-pcu: ASan stack-buffer-underflow in csn1 decoder (PktPagingRequest)
Start date: 10/30/2020
Due date:
% Done: 100%
Spec Reference:
Description
While doing some changes (non-related changes to CSN1) and running TTCN3 PCU tests I got into this (I had --enable-sanitize on libosmocore and osmo-pcu):
20201030181602024 DBSSGP DEBUG Sending FLOW CONTROL BVC, Bmax = 200000, R = 20000, Bmax_MS = 100000, R_MS = 10000, avg_dly = 0 (gprs_bssgp_pcu.cpp:895)
20201030181602027 DLNS DEBUG GPRS-NS2-VC[0x6120000078a0]{UNBLOCKED}: Received Event UNITDATA (gprs_ns2_vc_fsm.c:655)
20201030181602027 DBSSGP DEBUG rx BVCI_PTP=1234 gprs_bssgp_rx_ptp (gprs_bssgp_pcu.cpp:483)
20201030181602027 DRLCMAC INFO Add RR paging: chan-needed=0 MI=IMSI-262420000000042 (bts.cpp:375)
20201030181602027 DTBF DEBUG TBF(TFI=0 TLLI=0x00000000 DIR=UL STATE=FLOW) uses TRX=0 TS=7, so we mark (bts.cpp:401)
20201030181602027 DRLCMAC INFO Paging on PACCH of TRX=0 TS=7 (bts.cpp:423)
20201030181602027 DLNS DEBUG GPRS-NS2-VC[0x6120000078a0]{UNBLOCKED}: Received Event UNITDATA (gprs_ns2_vc_fsm.c:655)
20201030181602028 DBSSGP DEBUG rx BVCI_PTP=1234 gprs_bssgp_rx_ptp (gprs_bssgp_pcu.cpp:483)
20201030181602028 DBSSGP DEBUG Rx BSSGP BVCI=1234 (PTP) FLOW-CONTROL-BVC-ACK (gprs_bssgp_pcu.cpp:280)
20201030181602044 DL1IF DEBUG RTS request received: trx=0 ts=7 sapi=5 arfcn=871 fn=13 cur_fn=8 block=0 (pcu_l1_if.cpp:420)
20201030181602044 DRLCMACSCHED DEBUG Received RTS for PDCH: TRX=0 TS=7 FN=13 block_nr=0 scheduling USF=0 for required uplink resource of UL TFI=0 (gprs_rlcmac_sched.cpp:118)
20201030181602044 DRLCMAC DEBUG Scheduling paging (pdch.cpp:190)
20201030181602044 DRLCMAC DEBUG Paging MI - IMSI-262420000000042 (pdch.cpp:213)
20201030181602044 DRLCMAC DEBUG +++++++++++++++++++++++++ TX : Packet Paging Request +++++++++++++++++++++++++ (pdch.cpp:251)
20201030181602044 DCSN1 INFO csnStreamDecoder (type: Pkt Paging Request (34): MESSAGE_TYPE = 34 | PAGE_MODE = 0 | Exist_PERSISTENCE_LEVEL = 0 | Exist_NLN = 0 | Repeated_Page_info = Exist | u.Page_req_RR = 1 | : u.Page_req_RR | u.Mobile_Identity = 1 | : u.Mobile_Identity | Length_of_Mobile_Identity_contents = 8 |
=================================================================
==81==ERROR: AddressSanitizer: stack-buffer-underflow on address 0x7ffc51180350 at pc 0x7fa695fe6305 bp 0x7ffc5117f9c0 sp 0x7ffc5117f9b8
READ of size 4 at 0x7ffc51180350 thread T0
    #0 0x7fa695fe6304 in bitvec_read_field /tmp/libosmocore/src/bitvec.c:481
    #1 0x55ba180dab86 in csnStreamDecoder (/usr/local/bin/osmo-pcu+0x29db86)
    #2 0x55ba180d8aa4 in csnStreamDecoder (/usr/local/bin/osmo-pcu+0x29baa4)
    #3 0x55ba180d8aa4 in csnStreamDecoder (/usr/local/bin/osmo-pcu+0x29baa4)
    #4 0x55ba180db89d in csnStreamDecoder (/usr/local/bin/osmo-pcu+0x29e89d)
    #5 0x55ba180c6fb0 in decode_gsm_rlcmac_downlink (/usr/local/bin/osmo-pcu+0x289fb0)
    #6 0x55ba180875ac in gprs_rlcmac_pdch::packet_paging_request() (/usr/local/bin/osmo-pcu+0x24a5ac)
    #7 0x55ba180c1d87 in sched_select_ctrl_msg(unsigned char, unsigned char, unsigned int, unsigned char, gprs_rlcmac_pdch*, gprs_rlcmac_tbf*, gprs_rlcmac_tbf*, gprs_rlcmac_ul_tbf*) (/usr/local/bin/osmo-pcu+0x284d87)
    #8 0x55ba180c4054 in gprs_rlcmac_rcv_rts_block(gprs_rlcmac_bts*, unsigned char, unsigned char, unsigned int, unsigned char) (/usr/local/bin/osmo-pcu+0x287054)
    #9 0x55ba1801607f in pcu_rx_rts_req_pdtch (/usr/local/bin/osmo-pcu+0x1d907f)
    #10 0x55ba1801679b in pcu_rx_rts_req(gsm_pcu_if_rts_req*) (/usr/local/bin/osmo-pcu+0x1d979b)
    #11 0x55ba1801e66b in pcu_rx(unsigned char, gsm_pcu_if*) (/usr/local/bin/osmo-pcu+0x1e166b)
    #12 0x55ba180b5da3 in pcu_sock_read(osmo_fd*) (/usr/local/bin/osmo-pcu+0x278da3)
    #13 0x55ba180b6229 in pcu_sock_cb(osmo_fd*, unsigned int) (/usr/local/bin/osmo-pcu+0x279229)
    #14 0x7fa695fd8816 in osmo_fd_disp_fds /tmp/libosmocore/src/select.c:265
    #15 0x7fa695fd8816 in _osmo_select_main /tmp/libosmocore/src/select.c:407
    #16 0x7fa695fdbbda in osmo_select_main /tmp/libosmocore/src/select.c:417
    #17 0x55ba17fee167 in main (/usr/local/bin/osmo-pcu+0x1b1167)
    #18 0x7fa6943da2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #19 0x55ba17feb579 in _start (/usr/local/bin/osmo-pcu+0x1ae579)

Address 0x7ffc51180350 is located in stack of thread T0 at offset 0 in frame
    #0 0x55ba180c5e16 in decode_gsm_rlcmac_downlink (/usr/local/bin/osmo-pcu+0x288e16)

  This frame has 2 object(s):
    [32, 36) 'readIndex'
    [96, 108) 'ar'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-underflow /tmp/libosmocore/src/bitvec.c:481 in bitvec_read_field
Shadow bytes around the buggy address:
  0x10000a228010: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a228020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a228030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000a228040: f1 f1 f1 f1 00 04 f4 f4 f2 f2 f2 f2 00 00 00 00
  0x10000a228050: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00
=>0x10000a228060: 00 00 00 00 00 00 00 00 00 00[f1]f1 f1 f1 04 f4
  0x10000a228070: f4 f4 f2 f2 f2 f2 00 04 f4 f4 f3 f3 f3 f3 00 00
  0x10000a228080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10000a228090: f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 00 00 f4 f2 f2
  0x10000a2280a0: f2 f2 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00
  0x10000a2280b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==81==ABORTING
25: stopped pid 81 with status 1
Probably something is broken in our TTCN3 (not yet finished) and I also saw lots of TTCN3 RLCMAC encoder output around the same time, but still, that packet should crash osmo-pcu.
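The ASan report above fires inside bitvec_read_field while the CSN.1 decoder is consuming a Packet Paging Request, right after it has read Length_of_Mobile_Identity_contents = 8. The added example below is not osmo-pcu or libosmocore code and does not claim to reproduce this bug's root cause; it shows the general defensive pattern a bit-level decoder wants: a reader that refuses to read past the end of its data, and a length-prefixed element decoder that turns a length larger than the remaining input into a clean error instead of an out-of-bounds access. All names (struct bits, read_bits, decode_len_prefixed, demo_good, demo_short) and the 4-bit-length element layout are this example's own constructions, not the 3GPP Mobile Identity encoding.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical minimal bit vector (this example's own type, not libosmocore's). */
struct bits {
    const uint8_t *data;
    size_t data_len; /* length in bytes */
};

/* Read `len` bits MSB-first starting at *read_index and advance it.
 * Returns 0 on success; -1 (with *read_index untouched) if the read would
 * leave the buffer, so the caller reports a decode error instead of ASan
 * reporting an out-of-bounds read. */
int read_bits(const struct bits *bv, unsigned int *read_index,
              unsigned int len, uint64_t *out)
{
    size_t total_bits = bv->data_len * 8;
    uint64_t v = 0;
    unsigned int idx = *read_index;

    if (len == 0 || len > 64)
        return -1;
    if (idx > total_bits || len > total_bits - idx)
        return -1;

    for (unsigned int i = 0; i < len; i++, idx++)
        v = (v << 1) | ((bv->data[idx / 8] >> (7 - (idx % 8))) & 1);

    *read_index = idx;
    *out = v;
    return 0;
}

/* Toy length-prefixed element (constructed layout): a 4-bit octet count
 * followed by that many octets. Copies the octets into `out` (capacity
 * `out_cap`) and returns the count, or -1 on a truncated or oversized
 * element. The count is checked against both the caller's buffer and the
 * remaining input before any octet is read. */
int decode_len_prefixed(const struct bits *bv, unsigned int *read_index,
                        uint8_t *out, size_t out_cap)
{
    uint64_t n, b;

    if (read_bits(bv, read_index, 4, &n) < 0)
        return -1;
    if (n > out_cap)
        return -1; /* would overflow the caller's buffer */
    for (uint64_t i = 0; i < n; i++) {
        if (read_bits(bv, read_index, 8, &b) < 0)
            return -1; /* length claims more octets than the input holds */
        out[i] = (uint8_t)b;
    }
    return (int)n;
}

/* Constructed inputs. good_msg: count 2, octets 0xAB 0xCD, then padding.
 * short_msg: count 8, but only 4 bits of input follow the count. */
static const uint8_t good_msg[] = { 0x2A, 0xBC, 0xD0 };
static const uint8_t short_msg[] = { 0x81 };

/* Returns the decoded octet count for good_msg (2) after verifying the
 * octets and the final read index; -2 if anything is off. */
int demo_good(void)
{
    struct bits g = { good_msg, sizeof(good_msg) };
    unsigned int ri = 0;
    uint8_t buf[16];
    int n = decode_len_prefixed(&g, &ri, buf, sizeof(buf));

    if (n == 2 && buf[0] == 0xAB && buf[1] == 0xCD && ri == 20)
        return n;
    return -2;
}

/* Returns the decoder's result for short_msg: -1, a clean error, because
 * the count (8) exceeds the 4 bits that remain. */
int demo_short(void)
{
    struct bits s = { short_msg, sizeof(short_msg) };
    unsigned int ri = 0;
    uint8_t buf[16];

    return decode_len_prefixed(&s, &ri, buf, sizeof(buf));
}

int main(void)
{
    printf("good_msg:  octets decoded = %d\n", demo_good());
    printf("short_msg: rc = %d (truncated element rejected)\n", demo_short());
    return 0;
}
```

Compiling this with -fsanitize=address and feeding it short_msg produces no report, because the length check in read_bits rejects the read before the buffer is touched; dropping that check is exactly the kind of change that makes a malformed length field surface as an ASan buffer-overflow or underflow in the reader rather than as a decode error in the caller.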