Bug #6441

open

use-after-free on RAU with invalid Old RAI

Added by fixeria 11 days ago. Updated 11 days ago.

Status: New
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 04/22/2024
Due date:
% Done: 0%
Spec Reference:

Description

As I explained in #6439, I accidentally broke SGSN_Tests.TC_attach_rau_a_b and it started to crash osmo-sgsn:

20240421165147281 DLGSUP INFO GSUP link to 127.0.0.103:4222 DOWN (gsup_client.c:151)
20240421165148281 DLGSUP NOTICE GSUP connecting to 127.0.0.103:4222 (gsup_client.c:74)
20240421165148281 DLGSUP INFO GSUP link to 127.0.0.103:4222 DOWN (gsup_client.c:151)
20240421165149282 DLGSUP NOTICE GSUP connecting to 127.0.0.103:4222 (gsup_client.c:74)
20240421165149282 DLGSUP INFO GSUP link to 127.0.0.103:4222 DOWN (gsup_client.c:151)
20240421165149841 DLGLOBAL INFO Accept()ed new telnet connection r=127.0.0.1:43888<->l=127.0.0.10:4245 (telnet_interface.c:192)
20240421165149843 DMM INFO MM(262420000000038/e95c24ac) Cancelled, deleting context silently (gprs_gmm.c:1056)
20240421165149843 DMM INFO MM(262420000000038/e95c24ac) Cleaning MM context due to access cancelled (gprs_gmm.c:195)
20240421165149843 DMM DEBUG GMM(gmm_fsm)[0x55555574c700]{Registered.NORMAL}: Received Event E_GMM_CLEANUP (gprs_gmm.c:198)
20240421165149843 DMM DEBUG GMM(gmm_fsm)[0x55555574c700]{Registered.NORMAL}: state_chg to Deregistered (gprs_gmm_fsm.c:223)
20240421165149843 DMM DEBUG MM_STATE_Gb(0)[0x55555574c960]{Ready}: Received Event E_MM_GPRS_DETACH (gprs_gmm.c:205)
20240421165149843 DMM DEBUG MM_STATE_Gb(0)[0x55555574c960]{Ready}: state_chg to Idle (gprs_mm_state_gb_fsm.c:76)
20240421165149843 DLLC NOTICE LLME(527b5d30/36396334){(null)} LLGM Assign pre (36396334 => ffffffff) (gprs_llc.c:1079)
20240421165149843 DLLC NOTICE LLME(00000000/00000000){UNASSIGNED} LLGM Assign post (36396334 => ffffffff) (gprs_llc.c:1125)

Program received signal SIGABRT, Aborted.
0x00007ffff75e332c in ?? () from /usr/lib/libc.so.6
(gdb) bt
#0  0x00007ffff75e332c in ?? () from /usr/lib/libc.so.6
#1  0x00007ffff75926c8 in raise () from /usr/lib/libc.so.6
#2  0x00007ffff757a4b8 in abort () from /usr/lib/libc.so.6
#3  0x00007ffff78270d3 in ?? () from /usr/lib/libtalloc.so.2
#4  0x000055555557dd74 in llme_free (llme=0x555555753550) at ../../../../src/osmo-sgsn/src/sgsn/gprs_llc.c:605
#5  gprs_llgmm_assign (llme=0x555555753550, old_tlli=909730612, new_tlli=new_tlli@entry=4294967295) at ../../../../src/osmo-sgsn/src/sgsn/gprs_llc.c:1129
#6  0x000055555557e07d in gprs_llgmm_unassign (llme=<optimized out>) at ../../../../src/osmo-sgsn/src/sgsn/gprs_llc.c:1137
#7  0x00005555555673f5 in st_mm_idle_on_enter (fi=<optimized out>, prev_state=<optimized out>) at ../../../../src/osmo-sgsn/src/sgsn/gprs_mm_state_gb_fsm.c:51
#8  0x00007ffff797f7e0 in state_chg (fi=fi@entry=0x55555574c960, new_state=new_state@entry=0, keep_timer=keep_timer@entry=false, timeout_ms=timeout_ms@entry=0, T=0, 
    file=file@entry=0x55555558d838 "../../../../src/osmo-sgsn/src/sgsn/gprs_mm_state_gb_fsm.c", line=76) at ../../../../src/libosmocore/src/core/fsm.c:697
#9  0x00007ffff7980180 in _osmo_fsm_inst_state_chg (fi=fi@entry=0x55555574c960, new_state=new_state@entry=0, timeout_secs=timeout_secs@entry=0, T=<optimized out>, 
    file=file@entry=0x55555558d838 "../../../../src/osmo-sgsn/src/sgsn/gprs_mm_state_gb_fsm.c", line=line@entry=76) at ../../../../src/libosmocore/src/core/fsm.c:746
#10 0x00007ffff799b090 in _osmo_tdef_fsm_inst_state_chg (fi=fi@entry=0x55555574c960, state=state@entry=0, timeouts_array=timeouts_array@entry=0x55555559a8c0 <mm_state_gb_fsm_timeouts>, tdefs=<optimized out>, 
    default_timeout=93824992461304, default_timeout@entry=-1, file=file@entry=0x55555558d838 "../../../../src/osmo-sgsn/src/sgsn/gprs_mm_state_gb_fsm.c", line=76) at ../../../../src/libosmocore/src/core/tdef.c:344
#11 0x0000555555567358 in st_mm_ready (fi=0x55555574c960, event=<optimized out>, data=<optimized out>) at ../../../../src/osmo-sgsn/src/sgsn/gprs_mm_state_gb_fsm.c:76
#12 0x00007ffff79803bc in _osmo_fsm_inst_dispatch (fi=0x55555574c960, event=event@entry=1, data=data@entry=0x0, file=file@entry=0x55555558c1f8 "../../../../src/osmo-sgsn/src/sgsn/gprs_gmm.c", line=line@entry=205)
    at ../../../../src/libosmocore/src/core/fsm.c:875
#13 0x000055555555efbc in mm_ctx_cleanup_free (ctx=0x55555574c060, log_text=0x55555559768a "access cancelled") at ../../../../src/osmo-sgsn/src/sgsn/gprs_gmm.c:205
#14 0x0000555555575eaa in reset_sgsn_state (self=<optimized out>, vty=0x5555556d5f90, argc=<optimized out>, argv=<optimized out>) at ../../../../src/osmo-sgsn/src/sgsn/sgsn_vty.c:1052
#15 0x00007ffff79c7445 in cmd_execute_command_real (vline=<optimized out>, vty=<optimized out>, cmd=cmd@entry=0x101508d7ae252000) at ../../../../src/libosmocore/src/vty/command.c:2671
#16 0x00007ffff79c7f1d in cmd_execute_command (vline=<optimized out>, vty=<optimized out>, cmd=0x101508d7ae252000, vtysh=<optimized out>) at ../../../../src/libosmocore/src/vty/command.c:2723
#17 0x00007ffff79ca696 in vty_command (vty=0x5555556d5f90) at ../../../../src/libosmocore/src/vty/vty.c:464
#18 vty_execute (vty=0x5555556d5f90) at ../../../../src/libosmocore/src/vty/vty.c:729
#19 vty_read (vty=<optimized out>) at ../../../../src/libosmocore/src/vty/vty.c:1471
#20 0x00007ffff79cd3ae in client_data (fd=0x55555574ba68, what=1) at ../../../../src/libosmocore/src/vty/telnet_interface.c:161
#21 0x00007ffff798f94f in poll_disp_fds (n_fd=<optimized out>) at ../../../../src/libosmocore/src/core/select.c:419
#22 _osmo_select_main (polling=polling@entry=0) at ../../../../src/libosmocore/src/core/select.c:457
#23 0x00007ffff798fa2e in osmo_select_main (polling=polling@entry=0) at ../../../../src/libosmocore/src/core/select.c:496
#24 0x000055555555d4e7 in main (argc=<optimized out>, argv=<optimized out>) at ../../../../src/osmo-sgsn/src/sgsn/sgsn_main.c:498

I have fixed the regression in SGSN_Tests.TC_attach_rau_a_b and created a separate testcase reproducing the crash:

https://gerrit.osmocom.org/c/osmo-ttcn3-hacks/+/36625 sgsn: add TC_attach_rau_invalid_old_rai [NEW]

Even though it's not a normal scenario (we expect the MS to indicate correct Old RAI), it's still something that can happen e.g. due to a bug in the MS.


Related issues

Related to OsmoSGSN - Bug #6439: ttcn3-sgsn-test: SGSN_Tests.TC_attach_rau_a_b crashes osmo-sgsn (Resolved, fixeria, 04/21/2024)

#1

Updated by fixeria 11 days ago

  • Related to Bug #6439: ttcn3-sgsn-test: SGSN_Tests.TC_attach_rau_a_b crashes osmo-sgsn added
#2

Updated by fixeria 11 days ago

Below is the output of ASAN:

20240422201514945 DMM INFO MM(---/ffffffff) -> GMM RA UPDATE REQUEST type="RA updating" (gprs_gmm.c:1642)
20240422201514945 DMM INFO MM(262420000000138/eebdd912) Looked up by matching TLLI and P_TMSI. BSSGP TLLI: eebdd912, P-TMSI: eebdd912 (00000000), TLLI: eebdd912 (eebdd912), RA: 262-42-13135-0 (gprs_gmm.c:1712)
20240422201514945 DMM DEBUG GMM(gmm_fsm)[0x512000005020]{Registered.NORMAL}: Received Event E_GMM_COMMON_PROC_INIT_REQ (gprs_gmm.c:1717)
20240422201514945 DMM DEBUG GMM(gmm_fsm)[0x512000005020]{Registered.NORMAL}: state_chg to CommonProcedureInitiated (gprs_gmm_fsm.c:81)
20240422201514945 DMM DEBUG GMM(gmm_fsm)[0x512000005020]{CommonProcedureInitiated}: Received Event E_GMM_COMMON_PROC_INIT_REQ (gprs_gmm.c:1145)
=================================================================
==1773325==ERROR: AddressSanitizer: heap-use-after-free on address 0x521000258178 at pc 0x5555558e5332 bp 0x7fffffff8070 sp 0x7fffffff8068
READ of size 4 at 0x521000258178 thread T0
[Detaching after fork from child process 1775405]
    #0 0x5555558e5331 in gprs_llgmm_assign /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1079:2
    #1 0x5555557d5fb9 in gsm48_rx_gmm_ra_upd_req /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_gmm.c:1805:3
    #2 0x5555557c8107 in gsm0408_rcv_gmm /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_gmm.c:2102:8
    #3 0x5555557f09f8 in gsm0408_gprs_rcvmsg_gb /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_gmm.c:2358:8
    #4 0x5555558df87d in gprs_llc_rcvmsg /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1025:9
    #5 0x5555557a305b in sgsn_bssgp_rx_prim /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_bssgp.c:44:11
    #6 0x55555588dd80 in bssgp_prim_cb /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/sgsn_main.c:104:9
    #7 0x7ffff7f42eea in bssgp_rx_ul_ud /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_bssgp.c:530:9
    #8 0x7ffff7f42eea in bssgp_rx_ptp /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_bssgp.c:988:8
    #9 0x7ffff7f42eea in bssgp_rcvmsg /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_bssgp.c:1223:8
    #10 0x5555558046a8 in gprs_ns_prim_cb /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_ns.c:88:8
    #11 0x7ffff7f53230 in ns2_recv_unitdata.isra.0 /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2_vc_fsm.c:627:2
    #12 0x7ffff798037d in _osmo_fsm_inst_dispatch /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/fsm.c:863:3
    #13 0x7ffff7f54017 in ns2_vc_rx /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2_vc_fsm.c:964:3
    #14 0x7ffff7f4bd49 in ns2_recv_vc /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2.c:1362:10
    #15 0x7ffff7f4e6e6 in handle_nsip_recvfrom /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2_udp.c:218:2
    #16 0x7ffff798d566 in iofd_poll_ofd_cb_recvmsg_sendmsg /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/osmo_io_poll.c:77:3
    #17 0x7ffff798d705 in iofd_poll_ofd_cb_dispatch /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/osmo_io_poll.c:115:2
    #18 0x7ffff798f94e in poll_disp_fds /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/select.c:419:4
    #19 0x7ffff798f94e in _osmo_select_main /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/select.c:457:9
    #20 0x7ffff798fa2d in osmo_select_main /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/select.c:496:11
    #21 0x55555588f02d in main /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/sgsn_main.c:498:8
    #22 0x7ffff7545ccf  (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
    #23 0x7ffff7545d89 in __libc_start_main (/usr/lib/libc.so.6+0x25d89) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)
    #24 0x555555669d84 in _start (/home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/osmo-sgsn+0x115d84) (BuildId: d08b9be06c81c4124ca492c4f9987304181ed2ed)

0x521000258178 is located 120 bytes inside of 4408-byte region [0x521000258100,0x521000259238)
freed by thread T0 here:
    #0 0x555555757f32 in free.part.0 asan_malloc_linux.cpp.o
    #1 0x7ffff7828002  (/usr/lib/libtalloc.so.2+0x4002) (BuildId: c2045ea495285a6bf27614b8bac2cc4e82e696f9)
    #2 0x5555558e71e7 in gprs_llgmm_assign /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1129:3
    #3 0x5555558e74f4 in gprs_llgmm_unassign /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1137:9
    #4 0x5555557d6b9b in gsm48_rx_gmm_ra_upd_req /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_gmm.c:1831:3
    #5 0x5555557c8107 in gsm0408_rcv_gmm /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_gmm.c:2102:8
    #6 0x5555557f09f8 in gsm0408_gprs_rcvmsg_gb /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_gmm.c:2358:8
    #7 0x5555558df87d in gprs_llc_rcvmsg /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1025:9
    #8 0x5555557a305b in sgsn_bssgp_rx_prim /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_bssgp.c:44:11
    #9 0x55555588dd80 in bssgp_prim_cb /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/sgsn_main.c:104:9
    #10 0x7ffff7f42eea in bssgp_rx_ul_ud /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_bssgp.c:530:9
    #11 0x7ffff7f42eea in bssgp_rx_ptp /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_bssgp.c:988:8
    #12 0x7ffff7f42eea in bssgp_rcvmsg /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_bssgp.c:1223:8
    #13 0x5555558046a8 in gprs_ns_prim_cb /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_ns.c:88:8
    #14 0x7ffff7f53230 in ns2_recv_unitdata.isra.0 /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2_vc_fsm.c:627:2
    #15 0x7ffff798037d in _osmo_fsm_inst_dispatch /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/fsm.c:863:3
    #16 0x7ffff7f54017 in ns2_vc_rx /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2_vc_fsm.c:964:3
    #17 0x7ffff7f4bd49 in ns2_recv_vc /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2.c:1362:10
    #18 0x7ffff7f4e6e6 in handle_nsip_recvfrom /home/fixeria/osmo-dev/build/libosmocore/src/gb/../../../../src/libosmocore/src/gb/gprs_ns2_udp.c:218:2
    #19 0x7ffff798d566 in iofd_poll_ofd_cb_recvmsg_sendmsg /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/osmo_io_poll.c:77:3
    #20 0x7ffff798d705 in iofd_poll_ofd_cb_dispatch /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/osmo_io_poll.c:115:2
    #21 0x7ffff798f94e in poll_disp_fds /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/select.c:419:4
    #22 0x7ffff798f94e in _osmo_select_main /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/select.c:457:9
    #23 0x7ffff798fa2d in osmo_select_main /home/fixeria/osmo-dev/build/libosmocore/src/core/../../../../src/libosmocore/src/core/select.c:496:11
    #24 0x55555588f02d in main /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/sgsn_main.c:498:8
    #25 0x7ffff7545ccf  (/usr/lib/libc.so.6+0x25ccf) (BuildId: c0caa0b7709d3369ee575fcd7d7d0b0fc48733af)

previously allocated by thread T0 here:
    #0 0x555555758f69 in malloc (/home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/osmo-sgsn+0x204f69) (BuildId: d08b9be06c81c4124ca492c4f9987304181ed2ed)
    #1 0x7ffff7828a76  (/usr/lib/libtalloc.so.2+0x4a76) (BuildId: c2045ea495285a6bf27614b8bac2cc4e82e696f9)

SUMMARY: AddressSanitizer: heap-use-after-free /home/fixeria/projects/osmocom/osmo-sgsn/src/sgsn/gprs_llc.c:1079:2 in gprs_llgmm_assign
==1773325==ABORTING

osmo-sgsn.git 1ede89a35ad754c682d8ab826b4540d1d07c306a
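The sequence that the gdb backtrace in the description and the ASAN report above both show (gprs_llgmm_unassign frees the LLME via gprs_llgmm_assign, and a later RA UPDATE REQUEST on the same MM context reads it again), reduced to a small C model. This is an added example, not osmo-sgsn's code or its eventual fix: mm_ctx, llme, llgmm_assign, the unassign_* helpers and hardened_path are simplified stand-ins, and clearing the owning reference at the moment of the free is one general mitigation for this bug shape, not necessarily the one the project chose.

```c
/* Simplified model of the LLME lifecycle behind this ticket, not osmo-sgsn
 * code: mm_ctx, llme, llgmm_assign and the unassign_* helpers are stand-ins
 * for the real structures and functions. */
#include <stdint.h>
#include <stdlib.h>

#define TLLI_UNASSIGNED 0xffffffffU
struct llme { uint32_t tlli; uint32_t old_tlli; };
struct mm_ctx { struct llme *llme; };  /* owns the LLME pointer, like the MM context */
static int llme_frees;  /* number of llme_free() calls, checked by the test */
static void llme_free(struct llme *llme) { llme_frees++; free(llme); }

/* As in the backtrace (gprs_llgmm_assign -> llme_free): assigning
 * TLLI_UNASSIGNED frees the LLME. Returns 1 when it did. */
static int llgmm_assign(struct llme *llme, uint32_t old_tlli, uint32_t new_tlli)
{
	if (new_tlli == TLLI_UNASSIGNED) {
		llme_free(llme);
		return 1;
	}
	llme->old_tlli = old_tlli;
	llme->tlli = new_tlli;
	return 0;
}

/* Buggy shape: the owner keeps its pointer after the unassign freed it, so the
 * next RA UPDATE REQUEST for this context dereferences freed memory. */
static void unassign_dangling(struct mm_ctx *ctx)
{
	llgmm_assign(ctx->llme, ctx->llme->tlli, TLLI_UNASSIGNED);
}

/* Hardened shape: drop the owning reference in the same step as the free. */
static void unassign_cleared(struct mm_ctx *ctx)
{
	if (ctx->llme && llgmm_assign(ctx->llme, ctx->llme->tlli, TLLI_UNASSIGNED))
		ctx->llme = NULL;
}

/* Hardened path on a constructed context (TLLI eebdd912 as in the ASAN log):
 * returns 0 when a later RAU finds no stale LLME to reuse, -1 otherwise. */
static int hardened_path(void)
{
	struct mm_ctx ctx = { .llme = calloc(1, sizeof(struct llme)) };
	ctx.llme->tlli = 0xeebdd912U;
	llme_frees = 0;
	unassign_cleared(&ctx);  /* frees the LLME and clears the reference */
	unassign_cleared(&ctx);  /* repeated call is a harmless no-op */
	(void)unassign_dangling;  /* the buggy shape is shown, never executed */
	return (llme_frees == 1 && ctx.llme == NULL) ? 0 : -1;
}
```

Running the model under ASAN with unassign_dangling in place of unassign_cleared reproduces the same heap-use-after-free class of report on the next access to ctx->llme.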
