[asterisk-bugs] [JIRA] (ASTERISK-24805) ASAN: Race condition (heap-use-after-free) on asterisk closing
Badalian Vyacheslav (JIRA)
noreply at issues.asterisk.org
Tue Feb 17 17:23:34 CST 2015
[ https://issues.asterisk.org/jira/browse/ASTERISK-24805?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Badalian Vyacheslav updated ASTERISK-24805:
-------------------------------------------
Description:
Bugs:
{code}
==24513==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000055d0 at pc 0x604543 bp 0x7f49e2653810 sp 0x7f49e2653808
READ of size 4 at 0x60d0000055d0 thread T44
#0 0x604542 in ast_hashtab_lookup /root/asterisk-11.15.0/main/hashtab.c:543
#1 0x6a76b7 in find_context /root/asterisk-11.15.0/main/pbx.c:6948
#2 0x6a76b7 in pbx_find_extension /root/asterisk-11.15.0/main/pbx.c:3150
#3 0x6b24a1 in pbx_extension_helper /root/asterisk-11.15.0/main/pbx.c:4840
#4 0x6b2d98 in ast_exists_extension /root/asterisk-11.15.0/main/pbx.c:6012
#5 0x7f49f054140a in get_destination /root/asterisk-11.15.0/channels/chan_sip.c:17530
#6 0x7f49f06100d7 in handle_request_invite /root/asterisk-11.15.0/channels/chan_sip.c:25628
#7 0x7f49f061d212 in handle_incoming /root/asterisk-11.15.0/channels/chan_sip.c:28339
#8 0x7f49f06222da in handle_request_do /root/asterisk-11.15.0/channels/chan_sip.c:28548
#9 0x7f49f0623a71 in _sip_tcp_helper_thread /root/asterisk-11.15.0/channels/chan_sip.c:3041
#10 0x7339b4 in handle_tcptls_connection /root/asterisk-11.15.0/main/tcptls.c:684
#11 0x74f33f in dummy_start /root/asterisk-11.15.0/main/utils.c:1223
#12 0x7f4a080629d0 in start_thread (/lib64/libpthread.so.0+0x79d0)
#13 0x7f4a087e88fc in clone (/lib64/libc.so.6+0xe88fc)
0x60d0000055d0 is located 106446469485936 bytes inside
{code}
{code}
==23657==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00002fb08 at pc 0x69b388 bp 0x7f1fa219c320 sp 0x7f1fa219c318
READ of size 8 at 0x60b00002fb08 thread T111
#0 0x69b387 in pbx_exec /root/asterisk-11.15.0/main/pbx.c:1623
#1 0x6b2273 in pbx_extension_helper /root/asterisk-11.15.0/main/pbx.c:4915
#2 0x6c0aa8 in ast_spawn_extension /root/asterisk-11.15.0/main/pbx.c:6037
#3 0x6c0aa8 in __ast_pbx_run /root/asterisk-11.15.0/main/pbx.c:6512
#4 0x6c30ca in pbx_thread /root/asterisk-11.15.0/main/pbx.c:6842
#5 0x74f33f in dummy_start /root/asterisk-11.15.0/main/utils.c:1223
#6 0x7f1fd66db9d0 in start_thread (/lib64/libpthread.so.0+0x79d0)
#7 0x7f1fd6e618fc in clone (/lib64/libc.so.6+0xe88fc)
0x60b00002fb08 is located 106309030705832 bytes inside
{code}
To reproduce:
# add to chan_sip.conf
{code}
[sipp]
type=friend
context=from-internal
host=dynamic
port=6000
user=sipp
canreinvite=no
disallow=all
allow=alaw
allow=ulaw
{code}
# add to extensions.conf
{code}
[from-internal]
exten => 766,1,Answer()
exten => 766,n,MusicOnHold(,5)
exten => 766,n,Hangup
{code}
# run {{asterisk -gc}} with ASAN (Valgrind, I think, also finds this bug)
# run in another console {{./sipp -sn uac -d 10000 -s 766 127.0.0.1 -mp 5606 -s 766 -l 1000 -r 100 -t t1}}
# stop asterisk with {{core stop now}} or {{ctrl+c}}
You will see a race condition in the thread closing order and then a use-after-free, as I show at the start of the description.
was:
Bugs:
{code}
==24513==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000055d0 at pc 0x604543 bp 0x7f49e2653810 sp 0x7f49e2653808
READ of size 4 at 0x60d0000055d0 thread T44
#0 0x604542 in ast_hashtab_lookup /root/asterisk-11.15.0/main/hashtab.c:543
#1 0x6a76b7 in find_context /root/asterisk-11.15.0/main/pbx.c:6948
#2 0x6a76b7 in pbx_find_extension /root/asterisk-11.15.0/main/pbx.c:3150
#3 0x6b24a1 in pbx_extension_helper /root/asterisk-11.15.0/main/pbx.c:4840
#4 0x6b2d98 in ast_exists_extension /root/asterisk-11.15.0/main/pbx.c:6012
#5 0x7f49f054140a in get_destination /root/asterisk-11.15.0/channels/chan_sip.c:17530
#6 0x7f49f06100d7 in handle_request_invite /root/asterisk-11.15.0/channels/chan_sip.c:25628
#7 0x7f49f061d212 in handle_incoming /root/asterisk-11.15.0/channels/chan_sip.c:28339
#8 0x7f49f06222da in handle_request_do /root/asterisk-11.15.0/channels/chan_sip.c:28548
#9 0x7f49f0623a71 in _sip_tcp_helper_thread /root/asterisk-11.15.0/channels/chan_sip.c:3041
#10 0x7339b4 in handle_tcptls_connection /root/asterisk-11.15.0/main/tcptls.c:684
#11 0x74f33f in dummy_start /root/asterisk-11.15.0/main/utils.c:1223
#12 0x7f4a080629d0 in start_thread (/lib64/libpthread.so.0+0x79d0)
#13 0x7f4a087e88fc in clone (/lib64/libc.so.6+0xe88fc)
{code}
{code}
==23657==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00002fb08 at pc 0x69b388 bp 0x7f1fa219c320 sp 0x7f1fa219c318
READ of size 8 at 0x60b00002fb08 thread T111
#0 0x69b387 in pbx_exec /root/asterisk-11.15.0/main/pbx.c:1623
#1 0x6b2273 in pbx_extension_helper /root/asterisk-11.15.0/main/pbx.c:4915
#2 0x6c0aa8 in ast_spawn_extension /root/asterisk-11.15.0/main/pbx.c:6037
#3 0x6c0aa8 in __ast_pbx_run /root/asterisk-11.15.0/main/pbx.c:6512
#4 0x6c30ca in pbx_thread /root/asterisk-11.15.0/main/pbx.c:6842
#5 0x74f33f in dummy_start /root/asterisk-11.15.0/main/utils.c:1223
#6 0x7f1fd66db9d0 in start_thread (/lib64/libpthread.so.0+0x79d0)
#7 0x7f1fd6e618fc in clone (/lib64/libc.so.6+0xe88fc)
{code}
To reproduce:
# add to chan_sip.conf
{code}
[sipp]
type=friend
context=from-internal
host=dynamic
port=6000
user=sipp
canreinvite=no
disallow=all
allow=alaw
allow=ulaw
{code}
# add to extensions.conf
{code}
[from-internal]
exten => 766,1,Answer()
exten => 766,n,MusicOnHold(,5)
exten => 766,n,Hangup
{code}
# run {{asterisk -gc}} with ASAN (Valgrind, I think, also finds this bug)
# run in another console {{./sipp -sn uac -d 10000 -s 766 127.0.0.1 -mp 5606 -s 766 -l 1000 -r 100 -t t1}}
# stop asterisk with {{core stop now}} or {{ctrl+c}}
You will see a race condition in the thread closing order and then a use-after-free, as I show at the start of the description.
> ASAN: Race condition (heap-use-after-free) on asterisk closing
> --------------------------------------------------------------
>
> Key: ASTERISK-24805
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-24805
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Affects Versions: 11.15.0
> Reporter: Badalian Vyacheslav
> Severity: Minor
>
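As an added illustration (not Asterisk code and not from the reporter), the shutdown ordering that prevents the class of bug in the ASAN traces: a worker thread that keeps resolving a dialplan-like context is told to stop and joined before the table it reads is freed. All names here (run_safe_shutdown, find_context, the context table) are hypothetical stand-ins; build with -fsanitize=address to confirm ASAN stays quiet.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the PBX context table that ast_hashtab_lookup
 * reads in the report; these are not Asterisk's structures. */
struct context { char name[32]; };
struct context_table { struct context *ctx; size_t n; };

static struct context_table *g_table;   /* shared state torn down at shutdown */
static atomic_bool g_stopping;          /* set once "core stop now" begins   */
static atomic_long g_hits;              /* lookups that found the context    */

static struct context *find_context(const char *name) {
    struct context_table *t = g_table;  /* a table freed too early => UAF here */
    for (size_t i = 0; t && i < t->n; i++)
        if (strcmp(t->ctx[i].name, name) == 0) return &t->ctx[i];
    return NULL;
}

/* Models the SIP/PBX worker thread: keeps dispatching until told to stop. */
static void *worker(void *arg) {
    (void)arg;
    while (!atomic_load(&g_stopping))
        if (find_context("from-internal")) atomic_fetch_add(&g_hits, 1);
    return NULL;
}

/* Returns 1 when the worker ran and shutdown completed in the safe order. */
int run_safe_shutdown(void) {
    g_table = malloc(sizeof *g_table);
    g_table->ctx = calloc(1, sizeof *g_table->ctx);
    g_table->n = 1;
    strcpy(g_table->ctx[0].name, "from-internal");
    atomic_store(&g_stopping, false);
    atomic_store(&g_hits, 0);
    pthread_t tid;
    if (pthread_create(&tid, NULL, worker, NULL) != 0) return -1;
    while (atomic_load(&g_hits) < 1000) ;   /* let some "calls" go through */
    /* Correct order: 1) tell workers to stop, 2) join every thread that can
     * still touch the table, 3) only then free it. Freeing before the join
     * is exactly the race the ASAN traces above show. */
    atomic_store(&g_stopping, true);
    pthread_join(tid, NULL);
    free(g_table->ctx);
    free(g_table);
    g_table = NULL;
    return atomic_load(&g_hits) >= 1000;
}
```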