[asterisk-bugs] [JIRA] (ASTERISK-28159) SIGABRT caused by stack corruption in hashkeys_read when no matching keys present
Michael Walton (JIRA)
noreply at issues.asterisk.org
Sun Nov 11 20:27:47 CST 2018
[ https://issues.asterisk.org/jira/browse/ASTERISK-28159?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=245412#comment-245412 ]
Michael Walton commented on ASTERISK-28159:
-------------------------------------------
The corruption arises as a result of the following statement:
{code:func_strings.c}
static int hashkeys_read(struct ast_channel *chan, const char *cmd, char *data, char *buf, size_t len)
{
    ...
    /* Trim the trailing comma. When no keys matched, buf is still empty,
       so strlen(buf) - 1 wraps around and this writes one byte below buf. */
    buf[strlen(buf) - 1] = '\0';
    return 0;
}
{code}
Also equivalent at end of hashkeys_read2().
> SIGABRT caused by stack corruption in hashkeys_read when no matching keys present
> ---------------------------------------------------------------------------------
>
> Key: ASTERISK-28159
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-28159
> Project: Asterisk
> Issue Type: Bug
> Security Level: None
> Components: Functions/func_strings
> Affects Versions: 13.15.0
> Environment: Ubuntu 16.04, arm64
> Reporter: Michael Walton
>
> On an arm64 build of Asterisk 13, a SIGABRT is raised, causing core dump. This was seen, and reproducible on a FreePBX 14 system in the macro-dial-one Dial() application, which causes a gosub to func-apply-sipheaders. This macro in turn reads HASHKEYS(SIPHEADERS), invoking the hashkeys_read() function via ast_func_read(). If there are no hash keys that match, asterisk crashes - on return from ast_func_read(), the compiler stack check fails with "stack smashing detected", causing SIGABRT. Stack trace is:
> {noformat}
> #0 0x0000ffff995ba528 in __GI_raise (sig=sig at entry=6)
> at ../sysdeps/unix/sysv/linux/raise.c:54
> #1 0x0000ffff995bb9e0 in __GI_abort () at abort.c:89
> #2 0x0000ffff995f18c4 in __libc_message (do_abort=do_abort at entry=1,
> fmt=fmt at entry=0xffff996a57e0 "*** %s ***: %s terminated\n")
> at ../sysdeps/posix/libc_fatal.c:175
> #3 0x0000ffff9965f668 in __GI___fortify_fail (
> msg=msg at entry=0xffff996a57c0 "stack smashing detected")
> at fortify_fail.c:37
> #4 0x0000ffff9965f5fc in __stack_chk_fail () at stack_chk_fail.c:28
> #5 0x000000000054a910 in ast_func_read (chan=chan at entry=0xffff50003bb8,
> function=function at entry=0xffff1943cc50 "HASHKEYS(SIPHEADERS)",
> workspace=workspace at entry=0xffff1943bc40 "", len=len at entry=4096)
> at pbx_functions.c:640
> #6 0x000000000054e238 in pbx_substitute_variables_helper_full (
> c=c at entry=0xffff50003bb8, headp=0xffff50004380,
> cp1=cp1 at entry=0xffff1943ddd0 "SIPHEADERKEYS=${HASHKEYS(SIPHEADERS)}",
> cp2=0xffff1943e2d6 "", cp2 at entry=0xffff1943e2c8 "SIPHEADERKEYS=",
> count=8177, count at entry=8191, used=used at entry=0xffff1943dda0)
> at pbx_variables.c:693
> #7 0x000000000054e898 in pbx_substitute_variables_helper (
> c=c at entry=0xffff50003bb8,
> cp1=cp1 at entry=0xffff1943ddd0 "SIPHEADERKEYS=${HASHKEYS(SIPHEADERS)}",
> ---Type <return> to continue, or q <return> to quit---
> cp2=cp2 at entry=0xffff1943e2c8 "SIPHEADERKEYS=", count=count at entry=8191)
> at pbx_variables.c:790
> #8 0x000000000053d278 in pbx_extension_helper (c=0xffff50003bb8,
> con=con at entry=0x0, context=0xffff50004570 "func-apply-sipheaders",
> exten=0xffff500045c0 "s", priority=2, label=label at entry=0x0,
> callerid=<optimized out>, action=action at entry=E_SPAWN,
> found=0xffff194403d4, combined_find_spawn=1) at pbx.c:2873
> #9 0x000000000053e25c in ast_spawn_extension (c=<optimized out>,
> context=<optimized out>, exten=<optimized out>, priority=<optimized out>,
> callerid=<optimized out>, found=<optimized out>,
> combined_find_spawn=<optimized out>) at pbx.c:4109
> #10 0x0000ffff9561a748 in ?? ()
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.2#6252)
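As an added example (not Asterisk's code and not from the reporter), a small C model of the key-joining loop with the hypothetical names trailing_index(), trim_trailing_comma() and hashkeys_model(): it shows that strlen(buf) - 1 wraps to SIZE_MAX on an empty buffer, which as an index means the byte just below the array, and a length-checked trim that avoids the write. The channel-variable names are constructed.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed channel-variable names in the "~HASH~<hash>~<key>~" form that
 * Asterisk's HASH() uses; the SIPHEADERS hash deliberately has no entries. */
static const char *const chan_vars[] = {
    "~HASH~OTHER~alpha~", "~HASH~OTHER~beta~", "CALLERID(num)", NULL
};

/* The index the original "buf[strlen(buf) - 1]" computes: for an empty buffer
 * the size_t subtraction wraps to SIZE_MAX, i.e. the byte just below buf. */
size_t trailing_index(const char *buf) { return strlen(buf) - 1; }

/* Hardened trim: never indexes below buf. Returns 1 if a comma was removed,
 * 0 if the buffer is empty or does not end in a comma. */
int trim_trailing_comma(char *buf)
{
    size_t n = strlen(buf);
    if (n == 0 || buf[n - 1] != ',') return 0;
    buf[n - 1] = '\0';
    return 1;
}

/* Model of hashkeys_read(): write "key1,key2" for `hash` into buf. Returns the
 * number of keys found; 0 leaves buf empty, the case that crashed the original. */
int hashkeys_model(const char *hash, char *buf, size_t len)
{
    char prefix[64];
    const char *const *v;
    int found = 0;

    snprintf(prefix, sizeof prefix, "~HASH~%s~", hash);
    size_t plen = strlen(prefix);
    buf[0] = '\0';
    for (v = chan_vars; *v; v++) {
        const char *key, *end;
        if (strncmp(*v, prefix, plen) != 0) continue;
        key = *v + plen;
        end = strchr(key, '~');   /* the key ends at the next '~' */
        if (!end) continue;
        /* append "key," only if it fits together with the terminating NUL */
        if (strlen(buf) + (size_t)(end - key) + 2 > len) break;
        strncat(buf, key, (size_t)(end - key));
        strcat(buf, ",");
        found++;
    }
    trim_trailing_comma(buf);
    return found;
}
```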