Summary: ASTERISK-24717: ASAN: global-buffer-overflow codec_{ilbc | gsm | adpcm | lpc10}
Reporter: Badalian Vyacheslav (slavon)
Labels:
Date Opened: 2015-01-23 16:08:27.000-0600
Date Closed: 2015-06-01 16:24:04
Priority: Major
Regression?:
Status: Closed/Complete
Components: Codecs/codec_adpcm Codecs/codec_gsm Codecs/codec_ilbc Codecs/codec_lpc10
Versions: 11.15.0 11.16.0 11.17.0 13.3.2
Frequency of Occurrence:
Related Issues:
Environment:
Attachments:
Description:
{code}
=================================================================
==22341==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f02e83058a0 at pc 0x7f03017a7832 bp 0x7fffe8cb66d0 sp 0x7fffe8cb5e90
READ of size 320 at 0x7f02e83058a0 thread T0
   #0 0x7f03017a7831 (/usr/lib64/libasan.so.1+0x2e831)
   #1 0x7f02e80e5684 in memcpy /usr/include/bits/string3.h:52
   #2 0x7f02e80e5684 in lintoilbc_framein /root/asterisk-11.15.0/codecs/codec_ilbc.c:144
   #3 0x73cca5 in framein /root/asterisk-11.15.0/main/translate.c:359
   #4 0x73cca5 in generate_computational_cost /root/asterisk-11.15.0/main/translate.c:609
   #5 0x743a6c in __ast_register_translator /root/asterisk-11.15.0/main/translate.c:1110
   #6 0x7f02e80e57c1 in load_module /root/asterisk-11.15.0/codecs/codec_ilbc.c:223
   #7 0x61c5c3 in start_resource /root/asterisk-11.15.0/main/loader.c:861
   #8 0x61e73f in start_resource /root/asterisk-11.15.0/main/loader.c:1053
   #9 0x61e73f in load_resource_list /root/asterisk-11.15.0/main/loader.c:1063
   #10 0x62142f in load_modules /root/asterisk-11.15.0/main/loader.c:1216
   #11 0x429cd3 in main /root/asterisk-11.15.0/main/asterisk.c:4337
   #12 0x7f0301200d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
   #13 0x42d394 (/usr/sbin/asterisk+0x42d394)

0x7f02e83058a0 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_ilbc.c' (0x7f02e8305800) of size 160
0x7f02e83058a0 is located 32 bytes to the left of global variable 'f' from 'codec_ilbc.c' (0x7f02e83058c0) of size 368
0x7f02e83058a0 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_ilbc.c' (0x7f02e8305800) of size 160
0x7f02e83058a0 is located 32 bytes to the left of global variable 'f' from 'codec_ilbc.c' (0x7f02e83058c0) of size 368
0x7f02e83058a0 is located 139650462144576 bytes insideASAN:SIGSEGV
==22341==AddressSanitizer: while reporting a bug found another one.Ignoring.
{code}

{code}
=================================================================
==22382==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fc20ef2d520 at pc 0x7fc2274a7832 bp 0x7fff79735070 sp 0x7fff79734830
READ of size 320 at 0x7fc20ef2d520 thread T0
   #0 0x7fc2274a7831 (/usr/lib64/libasan.so.1+0x2e831)
   #1 0x7fc20ed1a7a0 in memcpy /usr/include/bits/string3.h:52
   #2 0x7fc20ed1a7a0 in lintogsm_framein /root/asterisk-11.15.0/codecs/codec_gsm.c:133
   #3 0x73cca5 in framein /root/asterisk-11.15.0/main/translate.c:359
   #4 0x73cca5 in generate_computational_cost /root/asterisk-11.15.0/main/translate.c:609
   #5 0x743a6c in __ast_register_translator /root/asterisk-11.15.0/main/translate.c:1110
   #6 0x7fc20ed1a5b1 in load_module /root/asterisk-11.15.0/codecs/codec_gsm.c:221
   #7 0x61c5c3 in start_resource /root/asterisk-11.15.0/main/loader.c:861
   #8 0x61e73f in start_resource /root/asterisk-11.15.0/main/loader.c:1053
   #9 0x61e73f in load_resource_list /root/asterisk-11.15.0/main/loader.c:1063
   #10 0x62142f in load_modules /root/asterisk-11.15.0/main/loader.c:1216
   #11 0x429cd3 in main /root/asterisk-11.15.0/main/asterisk.c:4337
   #12 0x7fc226f00d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
   #13 0x42d394 (/usr/sbin/asterisk+0x42d394)

0x7fc20ef2d520 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_gsm.c' (0x7fc20ef2d480) of size 160
0x7fc20ef2d520 is located 32 bytes to the left of global variable 'f' from 'codec_gsm.c' (0x7fc20ef2d540) of size 368
0x7fc20ef2d520 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_gsm.c' (0x7fc20ef2d480) of size 160
0x7fc20ef2d520 is located 32 bytes to the left of global variable 'f' from 'codec_gsm.c' (0x7fc20ef2d540) of size 368
0x7fc20ef2d520 is located 140471451178176 bytes insideASAN:SIGSEGV
==22382==AddressSanitizer: while reporting a bug found another one.Ignoring.
{code}

{code}
=================================================================
==22423==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fdbfe4293e0 at pc 0x7fdc13449832 bp 0x7fff496a7b10 sp 0x7fff496a72d0
READ of size 320 at 0x7fdbfe4293e0 thread T0
   #0 0x7fdc13449831 (/usr/lib64/libasan.so.1+0x2e831)
   #1 0x7fdbfe227534 in memcpy /usr/include/bits/string3.h:52
   #2 0x7fdbfe227534 in lintoadpcm_framein /root/asterisk-11.15.0/codecs/codec_adpcm.c:252
   #3 0x73cca5 in framein /root/asterisk-11.15.0/main/translate.c:359
   #4 0x73cca5 in generate_computational_cost /root/asterisk-11.15.0/main/translate.c:609
   #5 0x743a6c in __ast_register_translator /root/asterisk-11.15.0/main/translate.c:1110
   #6 0x7fdbfe227631 in load_module /root/asterisk-11.15.0/codecs/codec_adpcm.c:338
   #7 0x61c5c3 in start_resource /root/asterisk-11.15.0/main/loader.c:861
   #8 0x61e73f in start_resource /root/asterisk-11.15.0/main/loader.c:1053
   #9 0x61e73f in load_resource_list /root/asterisk-11.15.0/main/loader.c:1063
   #10 0x62142f in load_modules /root/asterisk-11.15.0/main/loader.c:1216
   #11 0x429cd3 in main /root/asterisk-11.15.0/main/asterisk.c:4337
   #12 0x7fdc12ea2d5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
   #13 0x42d394 (/usr/sbin/asterisk+0x42d394)

0x7fdbfe4293e0 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_adpcm.c' (0x7fdbfe429340) of size 160
0x7fdbfe4293e0 is located 32 bytes to the left of global variable 'f' from 'codec_adpcm.c' (0x7fdbfe429400) of size 368
0x7fdbfe4293e0 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_adpcm.c' (0x7fdbfe429340) of size 160
0x7fdbfe4293e0 is located 32 bytes to the left of global variable 'f' from 'codec_adpcm.c' (0x7fdbfe429400) of size 368
0x7fdbfe4293e0 is located 140582840341376 bytes insideASAN:SIGSEGV
==22423==AddressSanitizer: while reporting a bug found another one.Ignoring.
{code}

{code}
=================================================================
==22502==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f68d9ab6960 at pc 0x7f68e7332832 bp 0x7fff4d2a6810 sp 0x7fff4d2a5fd0
READ of size 320 at 0x7f68d9ab6960 thread T0
   #0 0x7f68e7332831 (/usr/lib64/libasan.so.1+0x2e831)
   #1 0x7f68d989e050 in memcpy /usr/include/bits/string3.h:52
   #2 0x7f68d989e050 in lintolpc10_framein /root/asterisk-11.15.0/codecs/codec_lpc10.c:155
   #3 0x73cca5 in framein /root/asterisk-11.15.0/main/translate.c:359
   #4 0x73cca5 in generate_computational_cost /root/asterisk-11.15.0/main/translate.c:609
   #5 0x743a6c in __ast_register_translator /root/asterisk-11.15.0/main/translate.c:1110
   #6 0x7f68d989de91 in load_module /root/asterisk-11.15.0/codecs/codec_lpc10.c:249
   #7 0x61c5c3 in start_resource /root/asterisk-11.15.0/main/loader.c:861
   #8 0x61e73f in start_resource /root/asterisk-11.15.0/main/loader.c:1053
   #9 0x61e73f in load_resource_list /root/asterisk-11.15.0/main/loader.c:1063
   #10 0x62142f in load_modules /root/asterisk-11.15.0/main/loader.c:1216
   #11 0x429cd3 in main /root/asterisk-11.15.0/main/asterisk.c:4337
   #12 0x7f68e6d8bd5c in __libc_start_main (/lib64/libc.so.6+0x1ed5c)
   #13 0x42d394 (/usr/sbin/asterisk+0x42d394)

0x7f68d9ab6960 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_lpc10.c' (0x7f68d9ab68c0) of size 160
0x7f68d9ab6960 is located 32 bytes to the left of global variable 'f' from 'codec_lpc10.c' (0x7f68d9ab6980) of size 368
0x7f68d9ab6960 is located 0 bytes to the right of global variable 'ex_slin8' from 'codec_lpc10.c' (0x7f68d9ab68c0) of size 160
0x7f68d9ab6960 is located 32 bytes to the left of global variable 'f' from 'codec_lpc10.c' (0x7f68d9ab6980) of size 368
0x7f68d9ab6960 is located 140088305215744 bytes insideASAN:SIGSEGV
==22502==AddressSanitizer: while reporting a bug found another one.Ignoring.

{code}
Comments:

By: Matt Jordan (mjordan) 2015-01-23 16:43:43.766-0600

I'm not sure what to make of this report.

Can you provide some context to the report and how you are generating the errors? How is it determining the errors, and is it causing an actual problem?

Once you have provided that context, given that many of these are from libraries that are embedded, it may make sense to see if the upstream code base contains the errors still, and if it might make sense to update the source.


By: Badalian Vyacheslav (slavon) 2015-01-23 17:50:22.180-0600

Apply ASTERISK-24718 and run {{asterisk -gvvvc}}.
Google detects and fixes many bugs using AddressSanitizer. It's "best practice" in development now. We also use it in our products (and other things like static code analysis).
Is this a bug? Do you need to use static code analysis? Do you need to use AddressSanitizer or another sanitizer? It's your choice.

By: Rusty Newton (rnewton) 2015-02-10 17:59:30.025-0600

{quote}
Apply ASTERISK-24718 and run asterisk -gvvvc.
{quote}

Run Asterisk with no configuration or sample configuration?

By: Badalian Vyacheslav (slavon) 2015-02-17 08:46:24.747-0600

Sorry for the long answer. Was on vacation.

Any configuration with this module enabled. ASAN errors on module loading.

By: Badalian Vyacheslav (slavon) 2015-04-03 04:10:31.785-0500

My analysis:

When you register the codec:
{code}
       memcpy(tmp->buf + pvt->samples, f->data.ptr, f->datalen);
{code}

{code}
(gdb) p f->datalen
$1 = 320
(gdb) p f->data.ptr
$2 = (void *) 0x7fffdaa554c0 <ex_slin8>
{code}

but ex_slin8 has size 160. You have a buffer overflow!
Maybe datalen must be 160, or you must use {{ex_slin16}}?

Looks like a mistake in
./include/asterisk/slin.h:
{code}
-                .datalen = sizeof(ex_slin8)*2,
+                .datalen = sizeof(ex_slin8),
{code}
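Review bot: shrinking `.datalen` to `sizeof(ex_slin8)` removes the 320-versus-160 mismatch shown by gdb above, but the frame's `.samples` field is not in this hunk; if it still describes the old 320-byte payload (160 samples of 16-bit signed linear), `datalen` and `samples` will disagree after the change. Please include the `.samples` line and derive it from the same array (for example `.samples = sizeof(ex_slin8) / sizeof(ex_slin8[0])`), and state whether the intended fix is to shrink the frame or to extend `ex_slin8` to the size the translators expect, since the ASAN reports only establish that the two sizes differ.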

{code}
-                .datalen = sizeof(ex_slin16)*2,
+                .datalen = sizeof(ex_slin16),
{code}
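Review bot: the `ex_slin16` change has no supporting evidence on this page; all four ASAN reports above are over-reads of `ex_slin8` from the 8 kHz translators. Before applying it, confirm with a sanitizer run of a translator that consumes the slin16 sample frame (or a direct comparison of `sizeof(ex_slin16)` against the `.datalen` the frame claims) that the same doubling exists there, and include the `.samples` line for that frame as well.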


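The over-read slavon describes above, as an added example that is not Asterisk's own code: a reduced stand-in for the slin sample frame (field names mirror ast_frame's data.ptr, datalen and samples, but the struct, the zero-filled ex_slin8 array and the .samples value are assumptions) with the consistency check a translator's framein could apply before memcpy(), next to an initializer macro that derives datalen and samples from the array so the doubling cannot be typed in by hand.

```c
/* Added example (not Asterisk code): reduced stand-in for the slin sample frame. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct sample_frame {
    const void *data_ptr;  /* backing buffer (ast_frame's data.ptr) */
    size_t      datalen;   /* bytes the frame claims to carry */
    size_t      samples;   /* 16-bit samples the frame claims to carry */
};

/* Constructed: 80 silent samples = 160 bytes, the size ASAN reports for ex_slin8. */
static const int16_t ex_slin8[80] = { 0 };

/* Derive datalen and samples from the array so they cannot disagree with it. */
#define SLIN_FRAME(arr) { (arr), sizeof(arr), sizeof(arr) / sizeof((arr)[0]) }

/* Signed linear invariant: exactly 2 bytes per sample. */
static int slin_frame_is_consistent(const struct sample_frame *f)
{
    return f->datalen == f->samples * sizeof(int16_t);
}

/* Stand-in for lintoXXX_framein(): refuse the memcpy when the frame is
 * inconsistent or larger than the translator buffer. Returns bytes copied or -1. */
static int framein_checked(const struct sample_frame *f, uint8_t *dst, size_t dst_cap)
{
    if (!slin_frame_is_consistent(f) || f->datalen > dst_cap)
        return -1;
    memcpy(dst, f->data_ptr, f->datalen);
    return (int)f->datalen;
}

/* The frame as the report describes it: datalen = sizeof(ex_slin8)*2 (320), while
 * samples is assumed to be the array length (the page does not show that line). */
static int hand_written_frame_rejected(void)
{
    struct sample_frame f = { ex_slin8, sizeof(ex_slin8) * 2, sizeof(ex_slin8) / sizeof(ex_slin8[0]) };
    uint8_t buf[1024];
    return framein_checked(&f, buf, sizeof buf) == -1;
}

/* The same frame from the macro: datalen 160, samples 80, the copy is in bounds. */
static int derived_frame_copied(void)
{
    struct sample_frame f = SLIN_FRAME(ex_slin8);
    uint8_t buf[1024];
    return framein_checked(&f, buf, sizeof buf) == 160;
}
```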
By: Badalian Vyacheslav (slavon) 2015-04-13 09:37:00.281-0500

anyone? some comments? :)


By: Badalian Vyacheslav (slavon) 2015-04-14 09:02:13.206-0500

Confirmed for 13.3.2