May 2023 - gerrit-log - lists.osmocom.org

[M] Change in libosmo-abis[rel-1.4.1]: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc()

by fixeria

fixeria has restored this change. ( https://gerrit.osmocom.org/c/libosmo-abis/+/32664 ) Change subject: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc() ...................................................................... Restored -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/32664 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-abis Gerrit-Branch: rel-1.4.1 Gerrit-Change-Id: Ic56c4b5b7b24b63104908a0c24f2f645ba4c5c1b Gerrit-Change-Number: 32664 Gerrit-PatchSet: 1 Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-MessageType: restore

2 years, 1 month

1
0
0 0

[S] Change in libosmo-abis[rel-1.4.1]: Bump version: 1.4.0.2-5e77 → 1.4.1

by fixeria

fixeria has abandoned this change. ( https://gerrit.osmocom.org/c/libosmo-abis/+/32665 ) Change subject: Bump version: 1.4.0.2-5e77 → 1.4.1 ...................................................................... Abandoned -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/32665 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-abis Gerrit-Branch: rel-1.4.1 Gerrit-Change-Id: I39f004e9f52c835a1f275b57a2c59f4458a13235 Gerrit-Change-Number: 32665 Gerrit-PatchSet: 1 Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-MessageType: abandon

2 years, 1 month

1
0
0 0

[M] Change in libosmo-abis[rel-1.4.1]: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc()

by fixeria

fixeria has abandoned this change. ( https://gerrit.osmocom.org/c/libosmo-abis/+/32664 ) Change subject: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc() ...................................................................... Abandoned -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/32664 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-abis Gerrit-Branch: rel-1.4.1 Gerrit-Change-Id: Ic56c4b5b7b24b63104908a0c24f2f645ba4c5c1b Gerrit-Change-Number: 32664 Gerrit-PatchSet: 1 Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-MessageType: abandon

2 years, 1 month

1
0
0 0

[S] Change in libosmo-abis[rel-1.4.1]: cosmetic: e1inp_ipa_bts_rsl_close_n(): cache ipa_client_conn

by fixeria

fixeria has abandoned this change. ( https://gerrit.osmocom.org/c/libosmo-abis/+/32663 ) Change subject: cosmetic: e1inp_ipa_bts_rsl_close_n(): cache ipa_client_conn ...................................................................... Abandoned -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/32663 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-abis Gerrit-Branch: rel-1.4.1 Gerrit-Change-Id: I9bdb4b1778d702c97890149a9f98590ae8ec54be Gerrit-Change-Number: 32663 Gerrit-PatchSet: 1 Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-MessageType: abandon

2 years, 1 month

1
0
0 0

[S] Change in libosmo-abis[rel-1.4.1]: Bump version: 1.4.0.2-5e77 → 1.4.1

by fixeria

fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmo-abis/+/32665 ) Change subject: Bump version: 1.4.0.2-5e77 → 1.4.1 ...................................................................... Bump version: 1.4.0.2-5e77 → 1.4.1 Change-Id: I39f004e9f52c835a1f275b57a2c59f4458a13235 --- M debian/changelog 1 file changed, 16 insertions(+), 0 deletions(-) git pull ssh://gerrit.osmocom.org:29418/libosmo-abis refs/changes/65/32665/1 diff --git a/debian/changelog b/debian/changelog index 8d5d065..6d73737 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +libosmo-abis (1.4.1) unstable; urgency=medium + + * cosmetic: e1inp_ipa_bts_rsl_close_n(): cache ipa_client_conn + * fix use-after-free in ipaccess_bts_keepalive_fsm_alloc() + + -- Vadim Yanitskiy <vyanitskiy(a)sysmocom.de> Mon, 08 May 2023 22:40:39 +0700 + libosmo-abis (1.4.0) unstable; urgency=medium [ Pau Espin Pedrol ] -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/32665 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-abis Gerrit-Branch: rel-1.4.1 Gerrit-Change-Id: I39f004e9f52c835a1f275b57a2c59f4458a13235 Gerrit-Change-Number: 32665 Gerrit-PatchSet: 1 Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-MessageType: newchange

2 years, 1 month

1
0
0 0

[S] Change in libosmo-abis[rel-1.4.1]: cosmetic: e1inp_ipa_bts_rsl_close_n(): cache ipa_client_conn

by fixeria

fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmo-abis/+/32663 ) Change subject: cosmetic: e1inp_ipa_bts_rsl_close_n(): cache ipa_client_conn ...................................................................... cosmetic: e1inp_ipa_bts_rsl_close_n(): cache ipa_client_conn Change-Id: I9bdb4b1778d702c97890149a9f98590ae8ec54be (cherry picked from commit 0de8a853a660f8822c9ce78cb7c3fea558c3c6b3) --- M src/input/ipaccess.c 1 file changed, 15 insertions(+), 3 deletions(-) git pull ssh://gerrit.osmocom.org:29418/libosmo-abis refs/changes/63/32663/1 diff --git a/src/input/ipaccess.c b/src/input/ipaccess.c index 8a52591..114389e 100644 --- a/src/input/ipaccess.c +++ b/src/input/ipaccess.c @@ -1206,6 +1206,7 @@ /* Close the underlying IPA TCP socket of an RSL link */ int e1inp_ipa_bts_rsl_close_n(struct e1inp_line *line, uint8_t trx_nr) { + struct ipa_client_conn *conn; struct ipaccess_line *il; if (E1INP_SIGN_RSL+trx_nr-1 >= NUM_E1_TS) { @@ -1218,9 +1219,10 @@ if (!il) return 0; /* Nothing to do, no lines created */ - if (il->ipa_cli[1 + trx_nr]) { - ipa_client_conn_close(il->ipa_cli[1 + trx_nr]); - ipa_client_conn_destroy(il->ipa_cli[1 + trx_nr]); + conn = il->ipa_cli[1 + trx_nr]; + if (conn != NULL) { + ipa_client_conn_close(conn); + ipa_client_conn_destroy(conn); il->ipa_cli[1 + trx_nr] = NULL; } return 0; -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/32663 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-abis Gerrit-Branch: rel-1.4.1 Gerrit-Change-Id: I9bdb4b1778d702c97890149a9f98590ae8ec54be Gerrit-Change-Number: 32663 Gerrit-PatchSet: 1 Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-MessageType: newchange

2 years, 1 month

1
0
0 0

[M] Change in libosmo-abis[rel-1.4.1]: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc()

by fixeria

fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmo-abis/+/32664 ) Change subject: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc() ...................................................................... fix use-after-free in ipaccess_bts_keepalive_fsm_alloc() In ipaccess_bts_keepalive_fsm_alloc() we allocate a keepalive FSM instance as a child of the respective struct ipa_client_conn, and store the pointer to the respective struct e1inp_ts. + struct e1inp_line | ---+ struct ipaccess_line (void *driver_data) | | | ---+ struct ipa_client_conn *ipa_cli[NUM_E1_TS] // <-- parent | ---+ struct e1inp_ts ts[NUM_E1_TS] | | | ---+ .driver.ipaccess.ka_fsm // <-- pointer When an ipaccess connection (be it OML or RSL) goes down and then up again, for instance if the BSC gets restarted, osmo-bts crashes. The problem is that struct ipa_client_conn gets free()ed before the associated FSM instance gets terminated: * e1inp_ipa_bts_rsl_connect_n() is called ** calling e1inp_ipa_bts_rsl_close_n() *** this function free()s struct ipa_client_conn *** (!) as well as the struct osmo_fsm_inst (talloc child) ** calling ipaccess_bts_keepalive_fsm_alloc() *** calling ipaccess_keepalive_fsm_cleanup() **** accessing free()d e1i_ts->driver.ipaccess.ka_fsm **** BOOOM! segmentation fault Fix this by calling ipaccess_keepalive_fsm_cleanup() before free()ing the associated struct ipa_client_conn. Note that ipaccess_bsc_keepalive_fsm_alloc() is not affected because it's allocating keepalive FSMs using the global tall_ipa_ctx. Change-Id: Ic56c4b5b7b24b63104908a0c24f2f645ba4c5c1b Related: SYS#6438 (cherry picked from commit f6bde0f521155f1d2a073181cfca97df83de2684) --- M src/input/ipaccess.c 1 file changed, 50 insertions(+), 1 deletion(-) git pull ssh://gerrit.osmocom.org:29418/libosmo-abis refs/changes/64/32664/1 diff --git a/src/input/ipaccess.c b/src/input/ipaccess.c index 114389e..48a1d40 100644 --- a/src/input/ipaccess.c +++ b/src/input/ipaccess.c @@ -192,7 +192,7 @@ struct e1inp_line *line = e1i_ts->line; struct osmo_fsm_inst *ka_fsm; - ipaccess_keepalive_fsm_cleanup(e1i_ts); + OSMO_ASSERT(e1i_ts->driver.ipaccess.ka_fsm == NULL); if (!line->ipa_kap) return; @@ -1208,6 +1208,7 @@ { struct ipa_client_conn *conn; struct ipaccess_line *il; + struct e1inp_ts *e1i_ts; if (E1INP_SIGN_RSL+trx_nr-1 >= NUM_E1_TS) { LOGP(DLINP, LOGL_ERROR, @@ -1219,6 +1220,9 @@ if (!il) return 0; /* Nothing to do, no lines created */ + e1i_ts = e1inp_line_ipa_rsl_ts(line, trx_nr); + ipaccess_keepalive_fsm_cleanup(e1i_ts); + conn = il->ipa_cli[1 + trx_nr]; if (conn != NULL) { ipa_client_conn_close(conn); -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/32664 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-abis Gerrit-Branch: rel-1.4.1 Gerrit-Change-Id: Ic56c4b5b7b24b63104908a0c24f2f645ba4c5c1b Gerrit-Change-Number: 32664 Gerrit-PatchSet: 1 Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-MessageType: newchange

2 years, 1 month

1
0
0 0

[S] Change in libosmo-abis[2023q1]: Run struct_endianness.py

by fixeria

fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmo-abis/+/32662 ) Change subject: Run struct_endianness.py ...................................................................... Run struct_endianness.py Ensure there is no diff to prepare to run this in CI. Related: OS#5884 Change-Id: Ib78f02bcd63455abedd713fa5ca6a67020a17594 (cherry picked from commit 3dacef93ca00e3880285c8b4006cbffe5a563530) --- M src/e1_input.c 1 file changed, 14 insertions(+), 1 deletion(-) git pull ssh://gerrit.osmocom.org:29418/libosmo-abis refs/changes/62/32662/1 diff --git a/src/e1_input.c b/src/e1_input.c index 02f3b30..60718b6 100644 --- a/src/e1_input.c +++ b/src/e1_input.c @@ -126,7 +126,7 @@ uint8_t tei : 7; uint8_t control_foo; /* fake UM's ... */ #elif OSMO_IS_BIG_ENDIAN -/* auto-generated from the little endian part above (libosmocore/contrib/struct_endianess.py) */ +/* auto-generated from the little endian part above (libosmocore/contrib/struct_endianness.py) */ uint8_t sapi:6, cr:1, ea1:1; uint8_t tei:7, ea2:1; uint8_t control_foo; -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/32662 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-abis Gerrit-Branch: 2023q1 Gerrit-Change-Id: Ib78f02bcd63455abedd713fa5ca6a67020a17594 Gerrit-Change-Number: 32662 Gerrit-PatchSet: 1 Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-CC: osmith <osmith(a)sysmocom.de> Gerrit-MessageType: newchange

2 years, 1 month

1
0
0 0

[M] Change in libosmo-abis[2023q1]: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc()

by fixeria

fixeria has uploaded this change for review. ( https://gerrit.osmocom.org/c/libosmo-abis/+/32661 ) Change subject: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc() ...................................................................... fix use-after-free in ipaccess_bts_keepalive_fsm_alloc() In ipaccess_bts_keepalive_fsm_alloc() we allocate a keepalive FSM instance as a child of the respective struct ipa_client_conn, and store the pointer to the respective struct e1inp_ts. + struct e1inp_line | ---+ struct ipaccess_line (void *driver_data) | | | ---+ struct ipa_client_conn *ipa_cli[NUM_E1_TS] // <-- parent | ---+ struct e1inp_ts ts[NUM_E1_TS] | | | ---+ .driver.ipaccess.ka_fsm // <-- pointer When an ipaccess connection (be it OML or RSL) goes down and then up again, for instance if the BSC gets restarted, osmo-bts crashes. The problem is that struct ipa_client_conn gets free()ed before the associated FSM instance gets terminated: * e1inp_ipa_bts_rsl_connect_n() is called ** calling e1inp_ipa_bts_rsl_close_n() *** this function free()s struct ipa_client_conn *** (!) as well as the struct osmo_fsm_inst (talloc child) ** calling ipaccess_bts_keepalive_fsm_alloc() *** calling ipaccess_keepalive_fsm_cleanup() **** accessing free()d e1i_ts->driver.ipaccess.ka_fsm **** BOOOM! segmentation fault Fix this by calling ipaccess_keepalive_fsm_cleanup() before free()ing the associated struct ipa_client_conn. Note that ipaccess_bsc_keepalive_fsm_alloc() is not affected because it's allocating keepalive FSMs using the global tall_ipa_ctx. Change-Id: Ic56c4b5b7b24b63104908a0c24f2f645ba4c5c1b Related: SYS#6438 (cherry picked from commit f6bde0f521155f1d2a073181cfca97df83de2684) --- M src/input/ipaccess.c 1 file changed, 50 insertions(+), 1 deletion(-) git pull ssh://gerrit.osmocom.org:29418/libosmo-abis refs/changes/61/32661/1 diff --git a/src/input/ipaccess.c b/src/input/ipaccess.c index 8a52591..418606e 100644 --- a/src/input/ipaccess.c +++ b/src/input/ipaccess.c @@ -192,7 +192,7 @@ struct e1inp_line *line = e1i_ts->line; struct osmo_fsm_inst *ka_fsm; - ipaccess_keepalive_fsm_cleanup(e1i_ts); + OSMO_ASSERT(e1i_ts->driver.ipaccess.ka_fsm == NULL); if (!line->ipa_kap) return; @@ -1207,6 +1207,7 @@ int e1inp_ipa_bts_rsl_close_n(struct e1inp_line *line, uint8_t trx_nr) { struct ipaccess_line *il; + struct e1inp_ts *e1i_ts; if (E1INP_SIGN_RSL+trx_nr-1 >= NUM_E1_TS) { LOGP(DLINP, LOGL_ERROR, @@ -1218,6 +1219,9 @@ if (!il) return 0; /* Nothing to do, no lines created */ + e1i_ts = e1inp_line_ipa_rsl_ts(line, trx_nr); + ipaccess_keepalive_fsm_cleanup(e1i_ts); + if (il->ipa_cli[1 + trx_nr]) { ipa_client_conn_close(il->ipa_cli[1 + trx_nr]); ipa_client_conn_destroy(il->ipa_cli[1 + trx_nr]); -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/32661 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-abis Gerrit-Branch: 2023q1 Gerrit-Change-Id: Ic56c4b5b7b24b63104908a0c24f2f645ba4c5c1b Gerrit-Change-Number: 32661 Gerrit-PatchSet: 1 Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-MessageType: newchange

2 years, 1 month

1
0
0 0

[M] Change in libosmo-abis[master]: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc()

by fixeria

fixeria has submitted this change. ( https://gerrit.osmocom.org/c/libosmo-abis/+/32641 ) Change subject: fix use-after-free in ipaccess_bts_keepalive_fsm_alloc() ...................................................................... fix use-after-free in ipaccess_bts_keepalive_fsm_alloc() In ipaccess_bts_keepalive_fsm_alloc() we allocate a keepalive FSM instance as a child of the respective struct ipa_client_conn, and store the pointer to the respective struct e1inp_ts. + struct e1inp_line | ---+ struct ipaccess_line (void *driver_data) | | | ---+ struct ipa_client_conn *ipa_cli[NUM_E1_TS] // <-- parent | ---+ struct e1inp_ts ts[NUM_E1_TS] | | | ---+ .driver.ipaccess.ka_fsm // <-- pointer When an ipaccess connection (be it OML or RSL) goes down and then up again, for instance if the BSC gets restarted, osmo-bts crashes. The problem is that struct ipa_client_conn gets free()ed before the associated FSM instance gets terminated: * e1inp_ipa_bts_rsl_connect_n() is called ** calling e1inp_ipa_bts_rsl_close_n() *** this function free()s struct ipa_client_conn *** (!) as well as the struct osmo_fsm_inst (talloc child) ** calling ipaccess_bts_keepalive_fsm_alloc() *** calling ipaccess_keepalive_fsm_cleanup() **** accessing free()d e1i_ts->driver.ipaccess.ka_fsm **** BOOOM! segmentation fault Fix this by calling ipaccess_keepalive_fsm_cleanup() before free()ing the associated struct ipa_client_conn. Note that ipaccess_bsc_keepalive_fsm_alloc() is not affected because it's allocating keepalive FSMs using the global tall_ipa_ctx. Change-Id: Ic56c4b5b7b24b63104908a0c24f2f645ba4c5c1b Related: SYS#6438 --- M src/input/ipaccess.c 1 file changed, 49 insertions(+), 1 deletion(-) Approvals: Jenkins Builder: Verified pespin: Looks good to me, but someone else must approve laforge: Looks good to me, but someone else must approve Hoernchen: Looks good to me, but someone else must approve fixeria: Looks good to me, approved diff --git a/src/input/ipaccess.c b/src/input/ipaccess.c index 114389e..48a1d40 100644 --- a/src/input/ipaccess.c +++ b/src/input/ipaccess.c @@ -192,7 +192,7 @@ struct e1inp_line *line = e1i_ts->line; struct osmo_fsm_inst *ka_fsm; - ipaccess_keepalive_fsm_cleanup(e1i_ts); + OSMO_ASSERT(e1i_ts->driver.ipaccess.ka_fsm == NULL); if (!line->ipa_kap) return; @@ -1208,6 +1208,7 @@ { struct ipa_client_conn *conn; struct ipaccess_line *il; + struct e1inp_ts *e1i_ts; if (E1INP_SIGN_RSL+trx_nr-1 >= NUM_E1_TS) { LOGP(DLINP, LOGL_ERROR, @@ -1219,6 +1220,9 @@ if (!il) return 0; /* Nothing to do, no lines created */ + e1i_ts = e1inp_line_ipa_rsl_ts(line, trx_nr); + ipaccess_keepalive_fsm_cleanup(e1i_ts); + conn = il->ipa_cli[1 + trx_nr]; if (conn != NULL) { ipa_client_conn_close(conn); -- To view, visit https://gerrit.osmocom.org/c/libosmo-abis/+/32641 To unsubscribe, or for help writing mail filters, visit https://gerrit.osmocom.org/settings Gerrit-Project: libosmo-abis Gerrit-Branch: master Gerrit-Change-Id: Ic56c4b5b7b24b63104908a0c24f2f645ba4c5c1b Gerrit-Change-Number: 32641 Gerrit-PatchSet: 1 Gerrit-Owner: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: Hoernchen <ewild(a)sysmocom.de> Gerrit-Reviewer: Jenkins Builder Gerrit-Reviewer: fixeria <vyanitskiy(a)sysmocom.de> Gerrit-Reviewer: laforge <laforge(a)osmocom.org> Gerrit-Reviewer: osmith <osmith(a)sysmocom.de> Gerrit-Reviewer: pespin <pespin(a)sysmocom.de> Gerrit-MessageType: merged

2 years, 1 month

1
0
0 0

2025

2024

2023

2022

gerrit-log May 2023