Bug #5302
closedns2: ASan heap-use-after-free in ns2_nse_notify_unblocked() when running GBProxy_Tests.TC_bvc_reset_blocked_ptp_from_sgsn
Start date:
11/10/2021
Due date:
% Done:
100%
Spec Reference:
Description
Backtrace:
==103449==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000009456 at pc 0x7f4e2bb00fb1 bp 0x7ffc1be40c30 sp 0x7ffc1be40c28
READ of size 1 at 0x611000009456 thread T0
    #0 0x7f4e2bb00fb0 in ns2_nse_notify_unblocked /home/daniel/scm/osmo/libosmocore/src/gb/gprs_ns2.c:1410
    #1 0x7f4e2bb1b98b in ns2_st_alive_onenter /home/daniel/scm/osmo/libosmocore/src/gb/gprs_ns2_vc_fsm.c:488
    #2 0x7f4e2b5a504a in state_chg /home/daniel/scm/osmo/libosmocore/src/fsm.c:699
    #3 0x7f4e2b5a6a4f in _osmo_fsm_inst_state_chg /home/daniel/scm/osmo/libosmocore/src/fsm.c:748
    #4 0x7f4e2bb19f4f in alive_timeout_handler /home/daniel/scm/osmo/libosmocore/src/gb/gprs_ns2_vc_fsm.c:247
    #5 0x7f4e2b58ab54 in osmo_timers_update /home/daniel/scm/osmo/libosmocore/src/timer.c:273
    #6 0x7f4e2b58e444 in _osmo_select_main /home/daniel/scm/osmo/libosmocore/src/select.c:388
    #7 0x7f4e2b58e4a9 in osmo_select_main /home/daniel/scm/osmo/libosmocore/src/select.c:432
    #8 0x5576a6cc4d23 in main /home/daniel/scm/osmo/osmo-gbproxy/src/gb_proxy_main.c:362
    #9 0x7f4e2a961e49 in __libc_start_main ../csu/libc-start.c:314
    #10 0x5576a6caca59 in _start (/home/daniel/scm/osmo/osmo-gbproxy/src/osmo-gbproxy+0x48a59)

0x611000009456 is located 150 bytes inside of 216-byte region [0x6110000093c0,0x611000009498)
It's probably the NSE that was freed:
ns2_nse_notify_unblocked (nsvc=0x611000009560, unblocked=unblocked@entry=false) at gprs_ns2.c:1410
1410        if (unblocked == nse->alive)
Related issues
Updated by daniel over 2 years ago
What happens is: alive_timeout_handler() changes the state to RECOVERING which calls into ns2_st_alive_onenter()->ns2_nse_notify_unblocked(unblocked=false)->ns2_sns_notify_alive(unblocked=false)
Since all (signalling) NSVCs have failed and gss->role is SGSN and not persistent, sns_failed() calls gprs_ns2_free_nse(), which talloc_free()s the nse before returning.
The next line in ns2_nse_notify_unblocked() is the if (unblocked == nse->alive) which then causes the use-after-free.
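The call chain in the comment above, reduced to a small C model (added here for illustration; this is neither libosmocore's code nor the merged fix, and the struct fields, counters and function names are constructed stand-ins): the callee that can tear the NSE down reports that fact to its caller, and the caller returns before touching the object again. The "alive_sig_vcs", "persistent" and "is_sgsn_role" fields approximate the conditions the comment names (all signalling NS-VCs failed, SGSN role, not persistent).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the NSE; only the fields the example needs. */
struct nse {
    bool alive;          /* NSE-level alive state derived from its NS-VCs */
    int alive_sig_vcs;   /* constructed: signalling NS-VCs still alive */
    bool persistent;     /* a persistent NSE is never freed on failure */
    bool is_sgsn_role;   /* constructed: stands in for gss->role == SGSN */
};

/* Counters so the outcome can be observed without reading freed memory. */
static int g_frees = 0;
static int g_alive_changes = 0;

int frees_seen(void) { return g_frees; }
int alive_changes_seen(void) { return g_alive_changes; }

/* Stand-in for gprs_ns2_free_nse(). */
static void free_nse(struct nse *nse)
{
    g_frees++;
    free(nse);
}

/* Stand-in for ns2_sns_notify_alive()/sns_failed(): returns true if the NSE
 * was freed, so the caller must not dereference it afterwards. */
static bool sns_notify_alive(struct nse *nse, bool vc_alive)
{
    if (vc_alive) {
        nse->alive_sig_vcs++;
        return false;
    }
    if (nse->alive_sig_vcs > 0)
        nse->alive_sig_vcs--;
    /* All signalling NS-VCs failed on a non-persistent SGSN-side NSE: tear it down. */
    if (nse->alive_sig_vcs == 0 && nse->is_sgsn_role && !nse->persistent) {
        free_nse(nse);
        return true;
    }
    return false;
}

/* Stand-in for ns2_nse_notify_unblocked(). Returns true if the NSE still exists. */
static bool nse_notify_unblocked(struct nse *nse, bool unblocked)
{
    if (sns_notify_alive(nse, unblocked))
        return false;             /* freed by the callee: stop before reading nse->alive */
    if (unblocked == nse->alive)  /* the read that the backtrace shows after the free */
        return true;
    nse->alive = unblocked;
    g_alive_changes++;
    return true;
}

/* Scenario: the last alive signalling NS-VC of an SGSN-role NSE times out.
 * Returns 0 if the callee freed the NSE (caller bailed out), 1 if it survived. */
int run_scenario(bool persistent)
{
    g_frees = 0;
    g_alive_changes = 0;
    struct nse *nse = calloc(1, sizeof(*nse));
    if (!nse)
        return -1;
    nse->alive = true;
    nse->alive_sig_vcs = 1;
    nse->persistent = persistent;
    nse->is_sgsn_role = true;

    bool exists = nse_notify_unblocked(nse, false);
    if (exists)
        free_nse(nse);   /* normal teardown of the surviving object */
    return exists ? 1 : 0;
}

int main(void)
{
    printf("non-persistent: survived=%d frees=%d\n", run_scenario(false), frees_seen());
    printf("persistent:     survived=%d alive_changes=%d\n", run_scenario(true), alive_changes_seen());
    return 0;
}
```

Under ASan the original ordering (call the callee, then read nse->alive unconditionally) is exactly the READ of size 1 inside the freed 216-byte region shown in the description; making the free observable to the caller, or reading the needed field before the call that may free, removes that window.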
Updated by daniel over 2 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
Patch merged
Updated by daniel over 2 years ago
- Related to Bug #5301: Run TTCN3 docker tests with sanitizer enabled added