Bug #6441
use-after-free on RAU with invalid Old RAI
Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 04/22/2024
Due date:
% Done: 0%
Spec Reference:
Description
As I explained in #6439, I accidentally broke SGSN_Tests.TC_attach_rau_a_b
and it started to crash osmo-sgsn:
20240421165147281 DLGSUP INFO GSUP link to 127.0.0.103:4222 DOWN (gsup_client.c:151)
20240421165148281 DLGSUP NOTICE GSUP connecting to 127.0.0.103:4222 (gsup_client.c:74)
20240421165148281 DLGSUP INFO GSUP link to 127.0.0.103:4222 DOWN (gsup_client.c:151)
20240421165149282 DLGSUP NOTICE GSUP connecting to 127.0.0.103:4222 (gsup_client.c:74)
20240421165149282 DLGSUP INFO GSUP link to 127.0.0.103:4222 DOWN (gsup_client.c:151)
20240421165149841 DLGLOBAL INFO Accept()ed new telnet connection r=127.0.0.1:43888<->l=127.0.0.10:4245 (telnet_interface.c:192)
20240421165149843 DMM INFO MM(262420000000038/e95c24ac) Cancelled, deleting context silently (gprs_gmm.c:1056)
20240421165149843 DMM INFO MM(262420000000038/e95c24ac) Cleaning MM context due to access cancelled (gprs_gmm.c:195)
20240421165149843 DMM DEBUG GMM(gmm_fsm)[0x55555574c700]{Registered.NORMAL}: Received Event E_GMM_CLEANUP (gprs_gmm.c:198)
20240421165149843 DMM DEBUG GMM(gmm_fsm)[0x55555574c700]{Registered.NORMAL}: state_chg to Deregistered (gprs_gmm_fsm.c:223)
20240421165149843 DMM DEBUG MM_STATE_Gb(0)[0x55555574c960]{Ready}: Received Event E_MM_GPRS_DETACH (gprs_gmm.c:205)
20240421165149843 DMM DEBUG MM_STATE_Gb(0)[0x55555574c960]{Ready}: state_chg to Idle (gprs_mm_state_gb_fsm.c:76)
20240421165149843 DLLC NOTICE LLME(527b5d30/36396334){(null)} LLGM Assign pre (36396334 => ffffffff) (gprs_llc.c:1079)
20240421165149843 DLLC NOTICE LLME(00000000/00000000){UNASSIGNED} LLGM Assign post (36396334 => ffffffff) (gprs_llc.c:1125)

Program received signal SIGABRT, Aborted.
0x00007ffff75e332c in ?? () from /usr/lib/libc.so.6
(gdb) bt
#0 0x00007ffff75e332c in ?? () from /usr/lib/libc.so.6
#1 0x00007ffff75926c8 in raise () from /usr/lib/libc.so.6
#2 0x00007ffff757a4b8 in abort () from /usr/lib/libc.so.6
#3 0x00007ffff78270d3 in ?? () from /usr/lib/libtalloc.so.2
#4 0x000055555557dd74 in llme_free (llme=0x555555753550) at ../../../../src/osmo-sgsn/src/sgsn/gprs_llc.c:605
#5 gprs_llgmm_assign (llme=0x555555753550, old_tlli=909730612, new_tlli=new_tlli@entry=4294967295) at ../../../../src/osmo-sgsn/src/sgsn/gprs_llc.c:1129
#6 0x000055555557e07d in gprs_llgmm_unassign (llme=<optimized out>) at ../../../../src/osmo-sgsn/src/sgsn/gprs_llc.c:1137
#7 0x00005555555673f5 in st_mm_idle_on_enter (fi=<optimized out>, prev_state=<optimized out>) at ../../../../src/osmo-sgsn/src/sgsn/gprs_mm_state_gb_fsm.c:51
#8 0x00007ffff797f7e0 in state_chg (fi=fi@entry=0x55555574c960, new_state=new_state@entry=0, keep_timer=keep_timer@entry=false, timeout_ms=timeout_ms@entry=0, T=0, file=file@entry=0x55555558d838 "../../../../src/osmo-sgsn/src/sgsn/gprs_mm_state_gb_fsm.c", line=76) at ../../../../src/libosmocore/src/core/fsm.c:697
#9 0x00007ffff7980180 in _osmo_fsm_inst_state_chg (fi=fi@entry=0x55555574c960, new_state=new_state@entry=0, timeout_secs=timeout_secs@entry=0, T=<optimized out>, file=file@entry=0x55555558d838 "../../../../src/osmo-sgsn/src/sgsn/gprs_mm_state_gb_fsm.c", line=line@entry=76) at ../../../../src/libosmocore/src/core/fsm.c:746
#10 0x00007ffff799b090 in _osmo_tdef_fsm_inst_state_chg (fi=fi@entry=0x55555574c960, state=state@entry=0, timeouts_array=timeouts_array@entry=0x55555559a8c0 <mm_state_gb_fsm_timeouts>, tdefs=<optimized out>, default_timeout=93824992461304, default_timeout@entry=-1, file=file@entry=0x55555558d838 "../../../../src/osmo-sgsn/src/sgsn/gprs_mm_state_gb_fsm.c", line=76) at ../../../../src/libosmocore/src/core/tdef.c:344
#11 0x0000555555567358 in st_mm_ready (fi=0x55555574c960, event=<optimized out>, data=<optimized out>) at ../../../../src/osmo-sgsn/src/sgsn/gprs_mm_state_gb_fsm.c:76
#12 0x00007ffff79803bc in _osmo_fsm_inst_dispatch (fi=0x55555574c960, event=event@entry=1, data=data@entry=0x0, file=file@entry=0x55555558c1f8 "../../../../src/osmo-sgsn/src/sgsn/gprs_gmm.c", line=line@entry=205) at ../../../../src/libosmocore/src/core/fsm.c:875
#13 0x000055555555efbc in mm_ctx_cleanup_free (ctx=0x55555574c060, log_text=0x55555559768a "access cancelled") at ../../../../src/osmo-sgsn/src/sgsn/gprs_gmm.c:205
#14 0x0000555555575eaa in reset_sgsn_state (self=<optimized out>, vty=0x5555556d5f90, argc=<optimized out>, argv=<optimized out>) at ../../../../src/osmo-sgsn/src/sgsn/sgsn_vty.c:1052
#15 0x00007ffff79c7445 in cmd_execute_command_real (vline=<optimized out>, vty=<optimized out>, cmd=cmd@entry=0x101508d7ae252000) at ../../../../src/libosmocore/src/vty/command.c:2671
#16 0x00007ffff79c7f1d in cmd_execute_command (vline=<optimized out>, vty=<optimized out>, cmd=0x101508d7ae252000, vtysh=<optimized out>) at ../../../../src/libosmocore/src/vty/command.c:2723
#17 0x00007ffff79ca696 in vty_command (vty=0x5555556d5f90) at ../../../../src/libosmocore/src/vty/vty.c:464
#18 vty_execute (vty=0x5555556d5f90) at ../../../../src/libosmocore/src/vty/vty.c:729
#19 vty_read (vty=<optimized out>) at ../../../../src/libosmocore/src/vty/vty.c:1471
#20 0x00007ffff79cd3ae in client_data (fd=0x55555574ba68, what=1) at ../../../../src/libosmocore/src/vty/telnet_interface.c:161
#21 0x00007ffff798f94f in poll_disp_fds (n_fd=<optimized out>) at ../../../../src/libosmocore/src/core/select.c:419
#22 _osmo_select_main (polling=polling@entry=0) at ../../../../src/libosmocore/src/core/select.c:457
#23 0x00007ffff798fa2e in osmo_select_main (polling=polling@entry=0) at ../../../../src/libosmocore/src/core/select.c:496
#24 0x000055555555d4e7 in main (argc=<optimized out>, argv=<optimized out>) at ../../../../src/osmo-sgsn/src/sgsn/sgsn_main.c:498
I have fixed the regression in SGSN_Tests.TC_attach_rau_a_b
and created a separate testcase reproducing the crash:
https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/36625 sgsn: add TC_attach_rau_invalid_old_rai [NEW]
Even though it's not a normal scenario (we expect the MS to indicate correct Old RAI), it's still something that can happen e.g. due to a bug in the MS.
Updated by fixeria 11 days ago
Below is the output of ASAN:
20240422201514945 DMM INFO MM(---/ffffffff) -> GMM RA UPDATE REQUEST type="RA updating" (gprs_gmm.c:1642)
20240422201514945 DMM INFO MM(262420000000138/eebdd912) Looked up by matching TLLI and P_TMSI. BSSGP TLLI: eebdd912, P-TMSI: eebdd912 (00000000), TLLI: eebdd912 (eebdd912), RA: 262-42-13135-0 (gprs_gmm.c:1712)
20240422201514945 DMM DEBUG GMM(gmm_fsm)[0x512000005020]{Registered.NORMAL}: Received Event E_GMM_COMMON_PROC_INIT_REQ (gprs_gmm.c:1717)
20240422201514945 DMM DEBUG GMM(gmm_fsm)[0x512000005020]{Registered.NORMAL}: state_chg to CommonProcedureInitiated (gprs_gmm_fsm.c:81)
20240422201514945 DMM DEBUG GMM(gmm_fsm)[0x512000005020]{CommonProcedureInitiated}: Received Event E_GMM_COMMON_PROC_INIT_REQ (gprs_gmm.c:1145)
=================================================================
==1773325==ERROR: AddressSanitizer: heap-use-after-free on address 0x521000258178 at pc 0x5555558e5332 bp 0x7fffffff8070 sp 0x7fffffff8068
READ of size 4 at 0x521000258178 thread T0
[Detaching after fork from child process 1775405]
    #0 0x5555558e5331 in gprs_llgmm_assign /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1079:2
    #1 0x5555557d5fb9 in gsm48_rx_gmm_ra_upd_req /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_gmm.c:1805:3
    #2 0x5555557c8107 in gsm0408_rcv_gmm /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_gmm.c:2102:8
    #3 0x5555557f09f8 in gsm0408_gprs_rcvmsg_gb /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_gmm.c:2358:8
    #4 0x5555558df87d in gprs_llc_rcvmsg /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1025:9
    #5 0x5555557a305b in sgsn_bssgp_rx_prim /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_bssgp.c:44:11
    #6 0x55555588dd80 in bssgp_prim_cb /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/sgsn_main.c:104:9
    #7 0x7ffff7f42eea in bssgp_rx_ul_ud /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_bssgp.c:530:9
    #8 0x7ffff7f42eea in bssgp_rx_ptp /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_bssgp.c:988:8
    #9 0x7ffff7f42eea in bssgp_rcvmsg /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_bssgp.c:1223:8
    #10 0x5555558046a8 in gprs_ns_prim_cb /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_ns.c:88:8
    #11 0x7ffff7f53230 in ns2_recv_unitdata.isra.0 /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2_vc_fsm.c:627:2
    #12 0x7ffff798037d in _osmo_fsm_inst_dispatch /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/fsm.c:863:3
    #13 0x7ffff7f54017 in ns2_vc_rx /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2_vc_fsm.c:964:3
    #14 0x7ffff7f4bd49 in ns2_recv_vc /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2.c:1362:10
    #15 0x7ffff7f4e6e6 in handle_nsip_recvfrom /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2_udp.c:218:2
    #16 0x7ffff798d566 in iofd_poll_ofd_cb_recvmsg_sendmsg /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/osmo_io_poll.c:77:3
    #17 0x7ffff798d705 in iofd_poll_ofd_cb_dispatch /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/osmo_io_poll.c:115:2
    #18 0x7ffff798f94e in poll_disp_fds /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/select.c:419:4
    #19 0x7ffff798f94e in _osmo_select_main /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/select.c:457:9
    #20 0x7ffff798fa2d in osmo_select_main /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/select.c:496:11
    #21 0x55555588f02d in main /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/sgsn_main.c:498:8
    #22 0x7ffff7545ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
    #23 0x7ffff7545d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
    #24 0x555555669d84 in _start (/home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/osmo-sgsn+0x115d84) (BuildId: d08b9be06c81c4124ca492c4f9987304181ed2ed)

0x521000258178 is located 120 bytes inside of 4408-byte region [0x521000258100,0x521000259238)
freed by thread T0 here:
    #0 0x555555757f32 in free.part.0 asan_malloc_linux.cpp.o
    #1 0x7ffff7828002 (/usr/lib/libtalloc.so.2+0x4002) (BuildId: c2045ea495285a6bf27614b8bac2cc4e82e696f9)
    #2 0x5555558e71e7 in gprs_llgmm_assign /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1129:3
    #3 0x5555558e74f4 in gprs_llgmm_unassign /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1137:9
    #4 0x5555557d6b9b in gsm48_rx_gmm_ra_upd_req /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_gmm.c:1831:3
    #5 0x5555557c8107 in gsm0408_rcv_gmm /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_gmm.c:2102:8
    #6 0x5555557f09f8 in gsm0408_gprs_rcvmsg_gb /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_gmm.c:2358:8
    #7 0x5555558df87d in gprs_llc_rcvmsg /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1025:9
    #8 0x5555557a305b in sgsn_bssgp_rx_prim /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_bssgp.c:44:11
    #9 0x55555588dd80 in bssgp_prim_cb /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/sgsn_main.c:104:9
    #10 0x7ffff7f42eea in bssgp_rx_ul_ud /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_bssgp.c:530:9
    #11 0x7ffff7f42eea in bssgp_rx_ptp /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_bssgp.c:988:8
    #12 0x7ffff7f42eea in bssgp_rcvmsg /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_bssgp.c:1223:8
    #13 0x5555558046a8 in gprs_ns_prim_cb /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_ns.c:88:8
    #14 0x7ffff7f53230 in ns2_recv_unitdata.isra.0 /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2_vc_fsm.c:627:2
    #15 0x7ffff798037d in _osmo_fsm_inst_dispatch /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/fsm.c:863:3
    #16 0x7ffff7f54017 in ns2_vc_rx /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2_vc_fsm.c:964:3
    #17 0x7ffff7f4bd49 in ns2_recv_vc /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2.c:1362:10
    #18 0x7ffff7f4e6e6 in handle_nsip_recvfrom /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2_udp.c:218:2
    #19 0x7ffff798d566 in iofd_poll_ofd_cb_recvmsg_sendmsg /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/osmo_io_poll.c:77:3
    #20 0x7ffff798d705 in iofd_poll_ofd_cb_dispatch /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/osmo_io_poll.c:115:2
    #21 0x7ffff798f94e in poll_disp_fds /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/select.c:419:4
    #22 0x7ffff798f94e in _osmo_select_main /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/select.c:457:9
    #23 0x7ffff798fa2d in osmo_select_main /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/select.c:496:11
    #24 0x55555588f02d in main /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/sgsn_main.c:498:8
    #25 0x7ffff7545ccf (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)

previously allocated by thread T0 here:
    #0 0x555555758f69 in malloc (/home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/osmo-sgsn+0x204f69) (BuildId: d08b9be06c81c4124ca492c4f9987304181ed2ed)
    #1 0x7ffff7828a76 (/usr/lib/libtalloc.so.2+0x4a76) (BuildId: c2045ea495285a6bf27614b8bac2cc4e82e696f9)

SUMMARY: AddressSanitizer: heap-use-after-free /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1079:2 in gprs_llgmm_assign
Shadow bytes around the buggy address:
  0x521000257e80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x521000257f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x521000257f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x521000258000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x521000258080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x521000258100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
  0x521000258180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000258200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000258280: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000258300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x521000258380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1773325==ABORTING
osmo-sgsn.git 1ede89a35ad754c682d8ab826b4540d1d07c306a
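The ASAN report above separates the event into three stacks: the faulting READ in gprs_llgmm_assign (gprs_llc.c:1079), the free reached through gprs_llgmm_unassign (gprs_llc.c:1137), and the allocation. As an added triage helper, not code from osmo-sgsn or from this ticket, the script below parses such a report and names the function present on both the use and the free stack; here that is gsm48_rx_gmm_ra_upd_req, which frees the LLME at gprs_gmm.c:1831 and touches it again at gprs_gmm.c:1805. The sample input is a constructed, trimmed excerpt of the report quoted above.

```python
import re
# Constructed sample input: an excerpt of the ASAN report quoted in this ticket
# (stacks trimmed; function names, paths and line numbers as on the page).
ASAN_REPORT = """\
READ of size 4 at 0x521000258178 thread T0
    #0 0x5555558e5331 in gprs_llgmm_assign /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1079:2
    #1 0x5555557d5fb9 in gsm48_rx_gmm_ra_upd_req /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_gmm.c:1805:3
freed by thread T0 here:
    #0 0x555555757f32 in free.part.0 asan_malloc_linux.cpp.o
    #1 0x7ffff7828002  (/usr/lib/libtalloc.so.2+0x4002)
    #2 0x5555558e71e7 in gprs_llgmm_assign /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1129:3
    #3 0x5555558e74f4 in gprs_llgmm_unassign /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1137:9
    #4 0x5555557d6b9b in gsm48_rx_gmm_ra_upd_req /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_gmm.c:1831:3
previously allocated by thread T0 here:
    #0 0x555555758f69 in malloc (/home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/osmo-sgsn+0x204f69)
SUMMARY: AddressSanitizer: heap-use-after-free /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1079:2 in gprs_llgmm_assign
"""

# One frame: "#N 0xADDR [in FUNC] LOCATION[:LINE[:COL]]"; frames without symbols
# (here the one inside libtalloc) carry neither FUNC nor LINE.
FRAME_RE = re.compile(
    r"^\s*#(\d+)\s+0x[0-9a-f]+\s+(?:in\s+(\S+)\s+)?(\S+?)(?::(\d+)(?::\d+)?)?(?:\s|$)")

def parse_asan_uaf(report):
    """Return {'use'|'free'|'alloc': [(func, location, line-or-None), ...]}, top frame first."""
    stacks, current = {"use": [], "free": [], "alloc": []}, None
    for line in report.splitlines():
        if re.match(r"(READ|WRITE) of size \d+", line):
            current = "use"      # frames of the faulting access follow
        elif line.startswith("freed by thread"):
            current = "free"
        elif line.startswith("previously allocated by thread"):
            current = "alloc"
        elif current and (m := FRAME_RE.match(line)):
            _, func, loc, lineno = m.groups()
            stacks[current].append((func, loc, int(lineno) if lineno else None))
    return stacks

def triage(report):
    """Source-level use/free sites and the caller on both stacks (it kept a pointer a callee freed)."""
    stacks = parse_asan_uaf(report)
    src = lambda frames: next(f for f in frames if f[2] is not None)   # skip allocator frames
    use, free = src(stacks["use"]), src(stacks["free"])
    use_lines = {f[0]: f[2] for f in stacks["use"]}
    common = next(f for f in stacks["free"][stacks["free"].index(free) + 1:] if f[0] in use_lines)
    base = lambda path: path.rsplit("/", 1)[-1]
    return {"use_site": (use[0], base(use[1]), use[2]),
            "free_site": (free[0], base(free[1]), free[2]),
            "common_caller": (common[0], common[2], use_lines[common[0]])}  # (func, free line, use line)
```

Run against a full report, the same two functions give the free path and the later access; the common caller is where to look for the stale pointer.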