Bug #5200 (closed): CTRL command nsvc-state causes memory corruption
Start date: 07/19/2021
% Done: 100%
Description
ASan crashes with heap-use-after-free /home/daniel/scm/osmo/libosmocore/src/select.c:294 in poll_fill_fds
osmo_ctrl.py -d localhost -p 4263 -g nsvc-state
Breakpoint 1, __asan::ReportGenericError (pc=140737325940093, bp=bp@entry=140737488346384, sp=sp@entry=140737488346376, addr=106652627902132, is_write=is_write@entry=false, access_size=access_size@entry=4, exp=0, fatal=true) at ../../../../src/libsanitizer/asan/asan_report.cpp:458
458	../../../../src/libsanitizer/asan/asan_report.cpp: No such file or directory.
(gdb) bt
#0  __asan::ReportGenericError (pc=140737325940093, bp=bp@entry=140737488346384, sp=sp@entry=140737488346376, addr=106652627902132, is_write=is_write@entry=false, access_size=access_size@entry=4, exp=0, fatal=true) at ../../../../src/libsanitizer/asan/asan_report.cpp:458
#1  0x00007ffff764b8a8 in __asan::__asan_report_load4 (addr=<optimized out>) at ../../../../src/libsanitizer/asan/asan_rtl.cpp:119
#2  0x00007ffff651bd7d in poll_fill_fds () at select.c:294
#3  0x00007ffff651e9b4 in _osmo_select_main (polling=polling@entry=0) at select.c:377
#4  0x00007ffff651ead5 in osmo_select_main (polling=polling@entry=0) at select.c:432
#5  0x00005555555b299e in main (argc=3, argv=0x7fffffffdec8) at gb_proxy_main.c:362
(gdb)
So somehow the list of fds gets corrupted.
Updated by daniel almost 3 years ago
(gdb) f 2
#2  0x00007ffff651bd7d in poll_fill_fds () at select.c:294
294			if (!ufd->when)
(gdb) list
289		unsigned int i = 0;
290	
291		llist_for_each_entry(ufd, &osmo_fds, list) {
292			struct pollfd *p;
293	
294			if (!ufd->when)
295				continue;
296	
297			p = &g_poll.poll[i++];
298	
(gdb) p ufd
$1 = (struct osmo_fd *) 0x610000001ea0
(gdb) p *ufd
$2 = {list = {next = 0x297064752c317630, prev = 0x302e302e3732315b}, fd = 979185966, when = 808465202, cb = 0x2e3732315b3e3c30, data = 0x3a5d30312e302e30, priv_nr = 926365495}
(gdb) p osmo_fds
$3 = {next = 0x7ffff6656320 <osmo_stats_timer>, prev = 0x611000007630}
(gdb) p &osmo_fds
$4 = (struct llist_head *) 0x7ffff4f889c0
(gdb) p osmo_fds->next
$5 = (struct llist_head *) 0x7ffff6656320 <osmo_stats_timer>
(gdb) p *osmo_fds->next
$6 = {next = 0x612000001720, prev = 0x7ffff4f889c0}
(gdb) p *osmo_fds->next->next
$7 = {next = 0x6120000021a0, prev = 0x7ffff6656320 <osmo_stats_timer>}
(gdb) p *osmo_fds->next->next->next
$8 = {next = 0x7ffff67f71e0 <server_socket>, prev = 0x612000001720}
(gdb) p *osmo_fds->next->next->next->next
$9 = {next = 0x610000001ea0, prev = 0x6120000021a0}
(gdb) p *osmo_fds->next->next->next->next->next
$10 = {next = 0x297064752c317630, prev = 0x302e302e3732315b}
(gdb)
Updated by daniel almost 3 years ago
- % Done changed from 0 to 20
Ok, I think I found it. ctrl_nsvc_state_cb() was expecting a struct nsvc_cb_data as ctx, but we were passing it just the struct ctrl_cmd. Obviously this command has never been tested.
It works with my patch:
$ osmo_ctrl.py -d localhost -p 4263 -g nsvc-state
Got message: b'GET_REPLY 6409974032755247648 nsvc-state 101,udp)[127.0.0.1]:23000<>[127.0.0.10]:7777,UNCONFIGURED,SGSN\n102,udp)[127.0.0.1]:23000<>[127.0.0.11]:8888,UNCONFIGURED,SGSN\n'
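An added illustration of the bug class in the comment above, not osmo-gbproxy's code: the struct names follow the comment, but every field, the layouts, the nsvc_foreach() visitor and the sample NS-VC list are assumed for the demo. A generic visitor hands an opaque void *ctx to a callback; the buggy caller passes its struct ctrl_cmd where the callback expects a struct nsvc_cb_data, so the callback reads a ctrl_cmd field as its output-buffer pointer and snprintf()s reply text through it into whatever heap object that field points at. That is consistent with the $2 dump in the first comment, where the overwritten osmo_fd holds ASCII: prev = 0x302e302e3732315b is the little-endian bytes "[127.0.0" and next = 0x297064752c317630 is "0v1,udp)", i.e. nsvc-state reply text landed on a file-descriptor list entry. The fixed caller wraps the command in the context the callback expects; the kind tag at offset 0 of both structs is a hardening idea added for the demo, not something the linked patches do.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Demo type tags; every ctx struct in this demo carries one at offset 0 (assumed). */
enum ctx_kind { CTX_CTRL_CMD = 0x43544c43, CTX_NSVC_CB = 0x4e535643 };

/* Hypothetical CTRL command object: the CTRL layer owns 'reply'. */
struct ctrl_cmd {
	uint32_t kind;
	char *reply;        /* reply text handed back to osmo_ctrl.py */
};

/* Hypothetical per-call context that the callback actually expects. */
struct nsvc_cb_data {
	uint32_t kind;
	struct ctrl_cmd *cmd;
	char *buf;          /* output buffer the callback appends to */
	size_t buflen;
	size_t used;
};

struct nsvc { unsigned nsvci; const char *state; const char *role; };

typedef int (*nsvc_cb_t)(const struct nsvc *nsvc, void *ctx);

/* Generic visitor (assumed helper): it cannot know what ctx points to. */
static int nsvc_foreach(const struct nsvc *list, size_t n, nsvc_cb_t cb, void *ctx)
{
	for (size_t i = 0; i < n; i++) {
		int rc = cb(&list[i], ctx);
		if (rc < 0)
			return rc;
	}
	return 0;
}

/* Callback written against struct nsvc_cb_data. */
static int nsvc_state_cb(const struct nsvc *nsvc, void *ctx)
{
	uint32_t kind;
	memcpy(&kind, ctx, sizeof kind);
	/* A struct ctrl_cmd arriving here would have its 'reply' pointer read as
	 * d->cmd and the bytes after it as d->buf/d->buflen; snprintf() would then
	 * write the reply into an unrelated heap object. Refuse instead. */
	if (kind != CTX_NSVC_CB)
		return -1;
	struct nsvc_cb_data *d = ctx;
	int r = snprintf(d->buf + d->used, d->buflen - d->used, "%u,%s,%s\n",
			 nsvc->nsvci, nsvc->state, nsvc->role);
	if (r < 0 || (size_t)r >= d->buflen - d->used)
		return -2;  /* output would be truncated: report it, never overrun */
	d->used += (size_t)r;
	return 0;
}

/* Before: the command itself is passed as ctx (the mix-up described above). */
static int ctrl_nsvc_state_buggy(struct ctrl_cmd *cmd, const struct nsvc *list, size_t n)
{
	return nsvc_foreach(list, n, nsvc_state_cb, cmd);
}

/* After: the command is wrapped in the context the callback expects. */
static int ctrl_nsvc_state_fixed(struct ctrl_cmd *cmd, const struct nsvc *list, size_t n,
				 char *out, size_t outlen)
{
	struct nsvc_cb_data d = { .kind = CTX_NSVC_CB, .cmd = cmd,
				  .buf = out, .buflen = outlen, .used = 0 };
	if (outlen == 0)
		return -2;
	out[0] = '\0';
	int rc = nsvc_foreach(list, n, nsvc_state_cb, &d);
	if (rc == 0)
		cmd->reply = out;
	return rc;
}

/* Constructed sample, shaped like the reply in the thread with fewer fields. */
static const struct nsvc sample_nsvcs[] = {
	{ 101, "UNCONFIGURED", "SGSN" }, { 102, "UNCONFIGURED", "SGSN" },
};

int demo_fixed(char *out, size_t outlen)
{
	struct ctrl_cmd cmd = { .kind = CTX_CTRL_CMD, .reply = NULL };
	return ctrl_nsvc_state_fixed(&cmd, sample_nsvcs, 2, out, outlen);
}

int demo_buggy(void)
{
	struct ctrl_cmd cmd = { .kind = CTX_CTRL_CMD, .reply = NULL };
	return ctrl_nsvc_state_buggy(&cmd, sample_nsvcs, 2);  /* tag check: -1 */
}

int main(void)
{
	char out[128];
	printf("fixed: rc=%d\n%s", demo_fixed(out, sizeof out), out);
	printf("buggy: rc=%d (wrong ctx type refused by the tag check)\n", demo_buggy());
	return 0;
}
```

Without the tag check the buggy path is undefined behaviour and, as the ASan report shows, the damage only surfaces later in an unrelated place (poll_fill_fds() walking the fd list). Running a CTRL command under ASan at least once, as done here, is what turns that into a crash at the real fault site.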
Updated by daniel almost 3 years ago
- % Done changed from 20 to 80
Fixes for this (and one other) crash:
https://gerrit.osmocom.org/c/osmo-gbproxy/+/24964
https://gerrit.osmocom.org/c/osmo-gbproxy/+/24965
Updated by daniel almost 3 years ago
- Status changed from In Progress to Resolved
- % Done changed from 80 to 100
Patches have been merged