27 Nov
2023
27 Nov
'23
10:31 p.m.
Hi,
libasan reports heap overflow in tetra-rx
To reproduce:
checkout latest osmo-tetra
optionally modify Makefile to add -DDEBUG to CFLAGS
make debug (compiling this on debian 12 using the prepackaged
libosmocore)
dd if=/dev/zero of=testbits.bin bs=1k count=4
mkdir r
./tetra-rx -d r testbits.bin
[...]
burst_sync_in: 64 bits, state 0
-> trying to find training sequence between bit 0 and 4032
burst_sync_in: 64 bits, state 0
-> trying to find training sequence between bit 0 and 4096
=================================================================
==169038==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x621000001178 at pc 0x55e8c5b1acd0 bp 0x7ffee4666cf0 sp 0x7ffee4666ce8
READ of size 1 at 0x621000001178 thread T0
#0 0x55e8c5b1accf in tetra_find_train_seq phy/tetra_burst.c:294
#1 0x55e8c5b19d30 in tetra_burst_sync_in phy/tetra_burst_sync.c:75
#2 0x55e8c5b19917 in main
/home/sq5bpf/tetra2/osmo-tetra-orig/src/tetra-rx.c:94
#3 0x7fc9714461c9 in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
#4 0x7fc971446284 in __libc_start_main_impl ../csu/libc-start.c:360
#5 0x55e8c5b19540 in _start
(/home/sq5bpf/tetra2/osmo-tetra-orig/src/tetra-rx+0xc540)
0x621000001178 is located 0 bytes to the right of 4216-byte region
[0x621000000100,0x621000001178)
allocated by thread T0 here:
#0 0x7fc9716b89cf in __interceptor_malloc
../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7fc971cb0d53 (/lib/x86_64-linux-gnu/libtalloc.so.2+0x5d53)
SUMMARY: AddressSanitizer: heap-buffer-overflow phy/tetra_burst.c:294 in
tetra_find_train_seq
Shadow bytes around the buggy address:
0x0c427fff81d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff81e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff81f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c427fff8210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fff8220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]
0x0c427fff8230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c427fff8270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
This is some off-by-one bug but not obvious to me while looking at the
code.
Jacek
28 Nov
28 Nov
10:16 a.m.
Sorry for responding to myself. Found it.
The following patch to tetra_burst.c ifdefs out a patch from 2018 that was
done to improve performance. This solves the problem, although it would be
better to fix the patch and not just drop it.
jacek
641
days inactive
642
days old
1 comments
1 participants
participants (1)
-
Jacek Lipkowski