Bug #5828 (closed): Use-after-free in ipa_keepalive FSM
Start date: 12/13/2022
% Done: 100%
Description
With ASan enabled, osmo-bts reports a use-after-free when the abis FSM reconnects:
osmo-bts 82d92f703aadf5d4b2ac3c2455cef08c78099018
libosmocore 7c1b6cb4cd6aa548f8dbba1859113f29efb63b46
libosmo-abis ce70074476a95b159573884fa34b75c2f64c4508
DABIS <000d> abis.c:418 abis_link(abis_link)[0x6120000054a0]{CONNECTING}: Received Event SIGN_LINK_DOWN
DABIS <000d> abis.c:204 abis_link(abis_link)[0x6120000054a0]{CONNECTING}: state_chg to WAIT_RECONNECT
DABIS <000d> fsm.c:317 abis_link(abis_link)[0x6120000054a0]{WAIT_RECONNECT}: Timeout of T0
DABIS <000d> abis.c:287 abis_link(abis_link)[0x6120000054a0]{WAIT_RECONNECT}: state_chg to CONNECTING
DABIS <000d> abis.c:161 A-bis connection establishment to BSC (127.0.0.1) in progress...
DLINP <0012> input/ipaccess.c:1095 enabling ipaccess BTS mode, OML connecting to 127.0.0.1:3002

Breakpoint 1, __asan::ReportGenericError (pc=140737336409383, bp=bp@entry=140737488344864, sp=sp@entry=140737488344856, addr=106790066870192, is_write=is_write@entry=false, access_size=access_size@entry=8, exp=0, fatal=true) at ../../../../src/libsanitizer/asan/asan_report.cpp:462
(gdb) c
Continuing.
=================================================================
==1282976==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120000057b0 at pc 0x7ffff6f17d27 bp 0x7fffffffd720 sp 0x7fffffffd718
READ of size 8 at 0x6120000057b0 thread T0
    #0 0x7ffff6f17d26 in ipa_keepalive_fsm_stop input/ipa_keepalive.c:330
    #1 0x7ffff6f1d489 in ipaccess_keepalive_fsm_cleanup input/ipaccess.c:80
    #2 0x7ffff6f1d489 in ipaccess_bts_keepalive_fsm_alloc input/ipaccess.c:194
    #3 0x7ffff6f256b2 in ipaccess_line_update input/ipaccess.c:1132
    #4 0x7ffff6efe10d in e1inp_line_update /home/daniel/scm/osmo/libosmo-abis/src/e1_input.c:945
    #5 0x5555557c1e43 in abis_link_connecting_onenter /home/daniel/scm/osmo/osmo-bts/src/common/abis.c:184
    #6 0x7ffff6b1204e in state_chg /home/daniel/scm/osmo/libosmocore/src/fsm.c:697
    #7 0x7ffff6b14410 in _osmo_fsm_inst_state_chg /home/daniel/scm/osmo/libosmocore/src/fsm.c:746
    #8 0x5555557bf657 in abis_link_fsm_timer_cb /home/daniel/scm/osmo/osmo-bts/src/common/abis.c:287
    #9 0x7ffff6b1a2b4 in fsm_tmr_cb /home/daniel/scm/osmo/libosmocore/src/fsm.c:320
    #10 0x7ffff6af7e2e in osmo_timers_update /home/daniel/scm/osmo/libosmocore/src/timer.c:269
    #11 0x7ffff6afb866 in _osmo_select_main /home/daniel/scm/osmo/libosmocore/src/select.c:394
    #12 0x7ffff6afb8d4 in osmo_select_main /home/daniel/scm/osmo/libosmocore/src/select.c:438
    #13 0x5555557b4d85 in bts_main /home/daniel/scm/osmo/osmo-bts/src/common/main.c:423
    #14 0x5555556ede7b in main /home/daniel/scm/osmo/osmo-bts/src/osmo-bts-virtual/main.c:146
    #15 0x7ffff6046189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #16 0x7ffff6046244 in __libc_start_main_impl ../csu/libc-start.c:381
    #17 0x5555556ed390 in _start (/home/daniel/local/osmo-master/bin/osmo-bts-virtual+0x199390)

0x6120000057b0 is located 112 bytes inside of 296-byte region [0x612000005740,0x612000005868)
freed by thread T0 here:
    #0 0x7ffff78b76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
    #1 0x7ffff7f322e1 (/lib/x86_64-linux-gnu/libtalloc.so.2+0x42e1)
    #2 0x7ffff6f2549b in ipaccess_line_update input/ipaccess.c:1102
    #3 0x7ffff6efe10d in e1inp_line_update /home/daniel/scm/osmo/libosmo-abis/src/e1_input.c:945
    #4 0x5555557c1e43 in abis_link_connecting_onenter /home/daniel/scm/osmo/osmo-bts/src/common/abis.c:184
    #5 0x7ffff6b1204e in state_chg /home/daniel/scm/osmo/libosmocore/src/fsm.c:697
    #6 0x7ffff6b14410 in _osmo_fsm_inst_state_chg /home/daniel/scm/osmo/libosmocore/src/fsm.c:746
    #7 0x5555557bf657 in abis_link_fsm_timer_cb /home/daniel/scm/osmo/osmo-bts/src/common/abis.c:287
    #8 0x7ffff6b1a2b4 in fsm_tmr_cb /home/daniel/scm/osmo/libosmocore/src/fsm.c:320
    #9 0x7ffff6af7e2e in osmo_timers_update /home/daniel/scm/osmo/libosmocore/src/timer.c:269
    #10 0x7ffff6afb866 in _osmo_select_main /home/daniel/scm/osmo/libosmocore/src/select.c:394
    #11 0x7ffff6afb8d4 in osmo_select_main /home/daniel/scm/osmo/libosmocore/src/select.c:438
    #12 0x5555557b4d85 in bts_main /home/daniel/scm/osmo/osmo-bts/src/common/main.c:423
    #13 0x5555556ede7b in main /home/daniel/scm/osmo/osmo-bts/src/osmo-bts-virtual/main.c:146
    #14 0x7ffff6046189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

previously allocated by thread T0 here:
    #0 0x7ffff78b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7ffff7f33b6d (/lib/x86_64-linux-gnu/libtalloc.so.2+0x5b6d)

SUMMARY: AddressSanitizer: heap-use-after-free input/ipa_keepalive.c:330 in ipa_keepalive_fsm_stop
Updated by daniel over 1 year ago
This happens because the ipa_ka_fsm_timer_cb() in libosmo-abis returns 1 on timeout, which terminates and frees the fsm.
Additionally, ipaccess_keepalive_fsm_cleanup() calls ipa_keepalive_fsm_stop() and unsets the fsm, but will not terminate it. This should leak fsm insts.
Instead, call osmo_fsm_inst_term() in cleanup().
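The failure mode described in the comment above, as an added example that is not osmocom code: a self-contained C model of an FSM core whose timer callback returns 1 to ask the core to terminate (and free) the instance, while the owning object keeps its own pointer to that instance. Every type and function name here (fsm_inst, owner, ka_stop, ka_timer_cb, cleanup_buggy, cleanup_fixed, the freed-address tracker) is a hypothetical stand-in, not the libosmocore or libosmo-abis API, and the tracker detects a would-be use-after-free in place of ASan rather than performing one. The model shows both outcomes of a cleanup that stops but never terminates (a stale pointer after a timeout, a leaked instance without one) beside a cleanup that terminates the instance and, as this example's own addition to the fix suggested above, clears the owner's pointer from a cleanup hook so a timeout-driven free cannot leave a dangling reference.

```c
#include <stdlib.h>
struct owner;

/* Minimal FSM instance modelled on the osmocom convention that a timer
 * callback returning 1 asks the core to terminate (and free) the instance. */
struct fsm_inst {
    struct owner *priv;                    /* back-pointer to the owning link */
    int (*timer_cb)(struct fsm_inst *fi);  /* return 1 => core terminates fi */
    void (*cleanup)(struct fsm_inst *fi);  /* run by the core just before free */
    int stopped;
};

struct owner {
    struct fsm_inst *ka_fsm;               /* keepalive FSM, NULL when none */
};

/* Instrumented allocator (constructed for this example): remembers freed
 * instances so the model can detect a use-after-free the way ASan would,
 * instead of actually performing one. */
#define MAX_TRACK 16
static struct fsm_inst *freed_list[MAX_TRACK];
static int n_freed, n_live;

static int fsm_is_freed(const struct fsm_inst *fi) {
    for (int i = 0; i < n_freed; i++)
        if (freed_list[i] == fi) return 1;
    return 0;
}

static struct fsm_inst *fsm_alloc(struct owner *o, int (*tcb)(struct fsm_inst *),
                                  void (*cl)(struct fsm_inst *)) {
    struct fsm_inst *fi = calloc(1, sizeof(*fi));
    fi->priv = o; fi->timer_cb = tcb; fi->cleanup = cl;
    n_live++;
    return fi;
}

/* Terminate: run the cleanup hook, record the address, release the memory. */
static void fsm_term(struct fsm_inst *fi) {
    if (fi->cleanup) fi->cleanup(fi);
    if (n_freed < MAX_TRACK) freed_list[n_freed++] = fi;
    n_live--;
    free(fi);
}

/* Core timer dispatch honouring the "return 1 to terminate" convention. */
static void fsm_timer_expire(struct fsm_inst *fi) {
    if (fi->timer_cb && fi->timer_cb(fi) == 1) fsm_term(fi);
}

/* Stand-in for the keepalive stop routine: it accesses the instance, which is
 * where the report above places the read. Returns -1 instead of touching
 * freed memory. */
static int ka_stop(struct fsm_inst *fi) {
    if (fsm_is_freed(fi)) return -1;
    fi->stopped = 1;
    return 0;
}
/* Keepalive timeout handler that terminates its own instance. */
static int ka_timer_cb(struct fsm_inst *fi) { (void)fi; return 1; }

/* BUGGY cleanup: stops and unsets, never terminates. After a timeout the stop
 * touches freed memory; without one the instance is leaked. */
static int cleanup_buggy(struct owner *o) {
    int rc = 0;
    if (o->ka_fsm) { rc = ka_stop(o->ka_fsm); o->ka_fsm = NULL; }
    return rc;
}

/* FIX 1: a cleanup hook clears the owner's pointer whenever the core frees
 * the instance, so no dangling reference survives a timeout. */
static void ka_cleanup_hook(struct fsm_inst *fi) {
    if (fi->priv && fi->priv->ka_fsm == fi) fi->priv->ka_fsm = NULL;
}

/* FIX 2: cleanup terminates the instance instead of only stopping it. */
static int cleanup_fixed(struct owner *o) {
    if (o->ka_fsm) {
        ka_stop(o->ka_fsm);
        fsm_term(o->ka_fsm);   /* hook above resets o->ka_fsm to NULL */
    }
    return o->ka_fsm ? -1 : 0;
}

/* Timeout fires (instance freed), then the link reconnects and runs cleanup on
 * whatever pointer the owner still holds. 0 = clean, -1 = use-after-free. */
static int scenario_after_timeout(int fixed) {
    struct owner o = { 0 };
    n_freed = n_live = 0;
    o.ka_fsm = fsm_alloc(&o, ka_timer_cb, fixed ? ka_cleanup_hook : NULL);
    fsm_timer_expire(o.ka_fsm);
    return fixed ? cleanup_fixed(&o) : cleanup_buggy(&o);
}

/* No timeout; cleanup runs on a live instance. Returns the number of instances
 * still allocated afterwards (non-zero = leak). */
static int scenario_live_after_cleanup(int fixed) {
    struct owner o = { 0 };
    n_freed = n_live = 0;
    o.ka_fsm = fsm_alloc(&o, ka_timer_cb, fixed ? ka_cleanup_hook : NULL);
    if (fixed) cleanup_fixed(&o); else cleanup_buggy(&o);
    return n_live;
}
```

The two scenarios map onto the two halves of the comment: scenario_after_timeout(0) reproduces the stale-pointer access the sanitizer caught, and scenario_live_after_cleanup(0) reproduces the leak of a stop-only cleanup. Terminating from cleanup alone is not sufficient when the timer callback can also free the instance, which is why the fixed variant pairs termination with a hook that nulls the owner's pointer at the moment of the free.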
Updated by daniel over 1 year ago
- Status changed from New to In Progress
- % Done changed from 0 to 30
Updated by daniel over 1 year ago
- % Done changed from 30 to 60
Updated by daniel over 1 year ago
- Status changed from In Progress to Resolved
- % Done changed from 60 to 100