[asterisk-bugs] [JIRA] (DAHLIN-398) NULL pointer de-ref

Harald Welte (JIRA) noreply at issues.asterisk.org
Sat Apr 16 06:46:57 CDT 2022 

Harald Welte created DAHLIN-398:
-----------------------------------

             Summary: NULL pointer de-ref
                 Key: DAHLIN-398
                 URL: https://issues.asterisk.org/jira/browse/DAHLIN-398
             Project: DAHDI-Linux
          Issue Type: Bug
      Security Level: None
          Components: dahdi (the module)
    Affects Versions: 2.11.1, 3.0.1, 3.1.0
            Reporter: Harald Welte
            Assignee: Duncan Patterson
            Severity: Critical


[83851.069345] BUG: kernel NULL pointer dereference, address: 0000000000000084
[83851.070440] #PF: supervisor read access in kernel mode
[83851.071289] #PF: error_code(0x0000) - not-present page
[83851.072217] PGD 0 P4D 0 
[83851.072750] Oops: 0000 [#1] SMP NOPTI
[83851.073407] CPU: 3 PID: 0 Comm: swapper/3 Tainted: G           OE     5.10.0-13-amd64 #1 Debian 5.10.106-1
[83851.074750] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
[83851.075933] RIP: 0010:__putbuf_chunk.constprop.0+0x87c/0x8c0 [dahdi]
[83851.076925] Code: 3f 82 c8 48 8b 7c 24 08 e9 f7 f8 ff ff be 1d 00 00 00 48 89 df e8 b4 d2 ff ff e9 06 fe ff ff 48 8b 34 24 48 8b 96 a0 01 00 00 <8b> 8a 84 00 00 00 85 c9 0f 84 23 f7 00 00 c7 83 9c 08 00 00 00 00
[83851.079604] RSP: 0018:ffffc38dc0120d08 EFLAGS: 00010046
[83851.080498] RAX: 0000000000000000 RBX: ffff9fa081f57000 RCX: 0000000000000200
[83851.081612] RDX: 0000000000000000 RSI: ffff9fa081f57000 RDI: 0000000000000000
[83851.082727] RBP: ffff9fa08307a158 R08: ffff9fa081f58000 R09: 000000008307a158
[83851.083845] R10: 0000000000000018 R11: 000000000000001e R12: 0000000000000000
[83851.084972] R13: 0000000000000000 R14: 0000000000000019 R15: 000000000000000a
[83851.086099] FS:  0000000000000000(0000) GS:ffff9fa0fbd80000(0000) knlGS:0000000000000000
[83851.087343] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[83851.088323] CR2: 0000000000000084 CR3: 0000000102898001 CR4: 0000000000770ee0
[83851.089473] PKRU: 55555554
[83851.090122] Call Trace:
[83851.090743]  <IRQ>
[83851.091310]  ? try_to_wake_up+0x1d1/0x4f0
[83851.092106]  __dahdi_receive_chunk+0x7e/0x1120 [dahdi]
[83851.093031]  ? pollwake+0x74/0x90
[83851.093750]  _dahdi_receive+0x28d/0x350 [dahdi]
[83851.094600]  td_d_sync_tick+0x13d/0x1a0 [dahdi_trunkdev]
[83851.095540]  _process_masterspan+0x5fc/0x680 [dahdi]
[83851.096440]  _dahdi_receive+0x332/0x350 [dahdi]
[83851.097291]  ? try_to_wake_up+0x1d1/0x4f0
[83851.098078]  t4_prep_gen2+0xc4/0x110 [wct4xxp]
[83851.098910]  t4_interrupt_gen2+0xb4/0x430 [wct4xxp]
[83851.099791]  __handle_irq_event_percpu+0x3d/0x160
[83851.100654]  handle_irq_event+0x57/0xb0
[83851.101416]  handle_fasteoi_irq+0x78/0x1c0
[83851.102204]  asm_call_irq_on_stack+0x12/0x20
[83851.103009]  </IRQ>
[83851.103570]  common_interrupt+0xb0/0x130
[83851.104337]  asm_common_interrupt+0x1e/0x40

Some more debugging in https://osmocom.org/issues/5531 - we can see that the culprit is the unconditional ss->span->alarms de-reference in __putbuf_chunk on a Pseudo channel.

Pseudo channels are characterized by the fact that they have their span member set to NULL.  This is illustrated by the is_pseudo_chan() function.
    
However, when using RXMIRROR/TXMIRROR, __putbuf_chunk() is called not just on the real channel, but also on the mirror (pseudo) channel.

Hence, __putbuf_chunk() and friends must not dereference the ->span member without first checking that this channel actually does have a non-NULL span assigned.
    
I originally thought that those unconditional de-references must have been introduced after the RXMIRROR/TXMIRROR was merged - but checked the git history and it seems like the bug has been present ever since this functionality was merged in 2010 in commit 9090c6fcd289b497e00e8e5fb9cc3546e0dfe7d6




--
This message was sent by Atlassian JIRA
(v6.2#6252)

More information about the asterisk-bugs mailing list