[asterisk-bugs] [JIRA] (ASTERISK-28159) SIGABRT caused by stack corruption in hashkeys_read when no matching keys present

Michael Walton (JIRA) noreply at issues.asterisk.org
Sun Nov 11 20:23:47 CST 2018 

Michael Walton created ASTERISK-28159:
-----------------------------------------

             Summary: SIGABRT caused by stack corruption in hashkeys_read when no matching keys present
                 Key: ASTERISK-28159
                 URL: https://issues.asterisk.org/jira/browse/ASTERISK-28159
             Project: Asterisk
          Issue Type: Bug
      Security Level: None
          Components: Functions/func_strings
    Affects Versions: 13.15.0
         Environment: Ubuntu 16.04, arm64
            Reporter: Michael Walton


On an arm64 build of Asterisk 13, a SIGABRT is raised, causing core dump. This was seen, and reproducible on a FreePBX 14 system in the macro-dial-one Dial() application, which causes a gosub to func-apply-sipheaders. This macro in turn reads HASHKEYS(SIPHEADERS), invoking the hashkeys_read() function via ast_func_read(). If there are no hash keys that match, asterisk crashes - on return from ast_func_read(), the compiler stack check fails with "stack smashing detected", causing SIGABRT. Stack trace is:
{noformat}
#0  0x0000ffff995ba528 in __GI_raise (sig=sig at entry=6)
    at ../sysdeps/unix/sysv/linux/raise.c:54
#1  0x0000ffff995bb9e0 in __GI_abort () at abort.c:89
#2  0x0000ffff995f18c4 in __libc_message (do_abort=do_abort at entry=1, 
    fmt=fmt at entry=0xffff996a57e0 "*** %s ***: %s terminated\n")
    at ../sysdeps/posix/libc_fatal.c:175
#3  0x0000ffff9965f668 in __GI___fortify_fail (
    msg=msg at entry=0xffff996a57c0 "stack smashing detected")
    at fortify_fail.c:37
#4  0x0000ffff9965f5fc in __stack_chk_fail () at stack_chk_fail.c:28
#5  0x000000000054a910 in ast_func_read (chan=chan at entry=0xffff50003bb8, 
    function=function at entry=0xffff1943cc50 "HASHKEYS(SIPHEADERS)", 
    workspace=workspace at entry=0xffff1943bc40 "", len=len at entry=4096)
    at pbx_functions.c:640
#6  0x000000000054e238 in pbx_substitute_variables_helper_full (
    c=c at entry=0xffff50003bb8, headp=0xffff50004380, 
    cp1=cp1 at entry=0xffff1943ddd0 "SIPHEADERKEYS=${HASHKEYS(SIPHEADERS)}", 
    cp2=0xffff1943e2d6 "", cp2 at entry=0xffff1943e2c8 "SIPHEADERKEYS=", 
    count=8177, count at entry=8191, used=used at entry=0xffff1943dda0)
    at pbx_variables.c:693
#7  0x000000000054e898 in pbx_substitute_variables_helper (
    c=c at entry=0xffff50003bb8, 
    cp1=cp1 at entry=0xffff1943ddd0 "SIPHEADERKEYS=${HASHKEYS(SIPHEADERS)}", 
---Type <return> to continue, or q <return> to quit---
    cp2=cp2 at entry=0xffff1943e2c8 "SIPHEADERKEYS=", count=count at entry=8191)
    at pbx_variables.c:790
#8  0x000000000053d278 in pbx_extension_helper (c=0xffff50003bb8, 
    con=con at entry=0x0, context=0xffff50004570 "func-apply-sipheaders", 
    exten=0xffff500045c0 "s", priority=2, label=label at entry=0x0, 
    callerid=<optimized out>, action=action at entry=E_SPAWN, 
    found=0xffff194403d4, combined_find_spawn=1) at pbx.c:2873
#9  0x000000000053e25c in ast_spawn_extension (c=<optimized out>, 
    context=<optimized out>, exten=<optimized out>, priority=<optimized out>, 
    callerid=<optimized out>, found=<optimized out>, 
    combined_find_spawn=<optimized out>) at pbx.c:4109
#10 0x0000ffff9561a748 in ?? ()
{noformat}




--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list