Summary: | ASTERISK-24805: [patch] - ASAN: Race condition (heap-use-after-free) on asterisk closing | ||
Reporter: | Badalian Vyacheslav (slavon) | Labels: | |
Date Opened: | 2015-02-17 17:15:00.000-0600 | Date Closed: | 2015-03-26 17:17:58 |
Priority: | Minor | Regression? | |
Status: | Closed/Complete | Components: | Core/PBX |
Versions: | 11.15.0 | Frequency of Occurrence | |
Related Issues: | |||
Environment: | Attachments: | ( 0) ASTERISK-24805.patch | |
Description: | Bugs:
{code}
==24513==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000055d0 at pc 0x604543 bp 0x7f49e2653810 sp 0x7f49e2653808
READ of size 4 at 0x60d0000055d0 thread T44
    #0 0x604542 in ast_hashtab_lookup /root/asterisk-11.15.0/main/hashtab.c:543
    #1 0x6a76b7 in find_context /root/asterisk-11.15.0/main/pbx.c:6948
    #2 0x6a76b7 in pbx_find_extension /root/asterisk-11.15.0/main/pbx.c:3150
    #3 0x6b24a1 in pbx_extension_helper /root/asterisk-11.15.0/main/pbx.c:4840
    #4 0x6b2d98 in ast_exists_extension /root/asterisk-11.15.0/main/pbx.c:6012
    #5 0x7f49f054140a in get_destination /root/asterisk-11.15.0/channels/chan_sip.c:17530
    #6 0x7f49f06100d7 in handle_request_invite /root/asterisk-11.15.0/channels/chan_sip.c:25628
    #7 0x7f49f061d212 in handle_incoming /root/asterisk-11.15.0/channels/chan_sip.c:28339
    #8 0x7f49f06222da in handle_request_do /root/asterisk-11.15.0/channels/chan_sip.c:28548
    #9 0x7f49f0623a71 in _sip_tcp_helper_thread /root/asterisk-11.15.0/channels/chan_sip.c:3041
    #10 0x7339b4 in handle_tcptls_connection /root/asterisk-11.15.0/main/tcptls.c:684
    #11 0x74f33f in dummy_start /root/asterisk-11.15.0/main/utils.c:1223
    #12 0x7f4a080629d0 in start_thread (/lib64/libpthread.so.0+0x79d0)
    #13 0x7f4a087e88fc in clone (/lib64/libc.so.6+0xe88fc)
0x60d0000055d0 is located 106446469485936 bytes inside
{code}
{code}
==23657==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00002fb08 at pc 0x69b388 bp 0x7f1fa219c320 sp 0x7f1fa219c318
READ of size 8 at 0x60b00002fb08 thread T111
    #0 0x69b387 in pbx_exec /root/asterisk-11.15.0/main/pbx.c:1623
    #1 0x6b2273 in pbx_extension_helper /root/asterisk-11.15.0/main/pbx.c:4915
    #2 0x6c0aa8 in ast_spawn_extension /root/asterisk-11.15.0/main/pbx.c:6037
    #3 0x6c0aa8 in __ast_pbx_run /root/asterisk-11.15.0/main/pbx.c:6512
    #4 0x6c30ca in pbx_thread /root/asterisk-11.15.0/main/pbx.c:6842
    #5 0x74f33f in dummy_start /root/asterisk-11.15.0/main/utils.c:1223
    #6 0x7f1fd66db9d0 in start_thread (/lib64/libpthread.so.0+0x79d0)
    #7 0x7f1fd6e618fc in clone (/lib64/libc.so.6+0xe88fc)
0x60b00002fb08 is located 106309030705832 bytes inside
{code}
To reproduce:
# add to chan_sip.conf
{code}
[sipp]
type=friend
context=from-internal
host=dynamic
port=6000
user=sipp
canreinvite=no
disallow=all
allow=alaw
allow=ulaw
{code}
# add to extensions.conf
{code}
[from-internal]
exten => 766,1,Answer()
exten => 766,n,MusicOnHold(,5)
exten => 766,n,Hangup
{code}
# run {{asterisk -gc}} with ASAN (Valgrind, I think, also found this bug)
# run at another console {{./sipp -sn uac -d 10000 -s 766 127.0.0.1 -mp 5606 -s 766 -l 1000 -r 100 -t t1}}
# stop asterisk with {{core stop now}} or {{ctrl+c}}
You will see a race condition in the thread closing order and then a use-after-free, as I show at the start of the description. | ||
Comments: | By: Matt Jordan (mjordan) 2015-02-18 19:30:17.110-0600
Thanks for providing instructions for reproducing the issue!
By: Corey Farrell (coreyfarrell) 2015-02-20 21:24:02.961-0600
This patch changes the cleanup for pbx.c so it only happens for graceful shutdown. It should resolve this issue. During 'core stop now' or ctrl-c, modules like chan_sip are not shut down, so pbx.c needs to skip shutdown. |
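The shutdown-order bug in the traces above and the approach Corey Farrell describes for the fix, modelled as an added C example (not Asterisk's code or the attached patch): a global context table that an immediate stop frees while module threads are still alive, beside the patched path that skips the cleanup unless the shutdown is graceful. The names `contexts`, `contexts_init`, `module_lookup` and `core_shutdown` are constructed stand-ins for pbx.c's context hashtab, chan_sip's `find_context` call and the core shutdown sequence.

```c
/* Added example (not Asterisk code): models ASTERISK-24805's shutdown-order use-after-free. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#define NBUCKETS 8
struct ctx { char name[32]; struct ctx *next; };
struct hashtab { struct ctx *bucket[NBUCKETS]; };
static struct hashtab *contexts;     /* stand-in for pbx.c's global context table */
static bool modules_running = true;  /* stand-in for live chan_sip worker threads */

static unsigned hash_name(const char *s) {
    unsigned h = 5381;
    while (*s) h = h * 33 + (unsigned char)*s++;
    return h % NBUCKETS;
}

/* Build the table from dialplan context names (e.g. "from-internal"). */
void contexts_init(const char *const *names, int n) {
    contexts = calloc(1, sizeof *contexts);
    for (int i = 0; i < n; i++) {
        struct ctx *c = calloc(1, sizeof *c);
        strncpy(c->name, names[i], sizeof c->name - 1);
        unsigned b = hash_name(c->name);
        c->next = contexts->bucket[b];
        contexts->bucket[b] = c;
    }
}

static void contexts_free(void) {
    for (int b = 0; b < NBUCKETS; b++)
        for (struct ctx *c = contexts->bucket[b], *n; c; c = n) { n = c->next; free(c); }
    free(contexts);
    contexts = NULL;  /* real pbx.c keeps a dangling pointer; NULL lets us observe the state safely */
}

/* What a still-running module thread does for an INVITE: find_context().
 * Returns 1 found, 0 not found (or no threads left), -1 if the table is already gone. */
int module_lookup(const char *name) {
    if (!modules_running) return 0;
    if (!contexts) return -1;  /* in the real trace this read is the heap-use-after-free */
    for (struct ctx *c = contexts->bucket[hash_name(name)]; c; c = c->next)
        if (strcmp(c->name, name) == 0) return 1;
    return 0;
}

/* Graceful shutdown unloads modules first; 'core stop now' / ctrl-c does not. */
void core_shutdown(bool graceful, bool patched) {
    if (graceful) modules_running = false;  /* module unload joins the worker threads */
    if (patched && !graceful) return;       /* the fix: skip pbx cleanup, process exit reclaims memory */
    contexts_free();
}
```

Running the unpatched immediate stop leaves a worker able to reach a freed table, which is exactly what ASAN flagged in `ast_hashtab_lookup`; the patched immediate stop leaks the table instead, which is harmless because the process is exiting.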