[Home]

Summary:ASTERISK-24805: [patch] - ASAN: Race condition (heap-use-after-free) on asterisk closing
Reporter:Badalian Vyacheslav (slavon)Labels:
Date Opened:2015-02-17 17:15:00.000-0600Date Closed:2015-03-26 17:17:58
Priority:MinorRegression?
Status:Closed/CompleteComponents:Core/PBX
Versions:11.15.0 Frequency of
Occurrence
Related
Issues:
Environment:Attachments:( 0) ASTERISK-24805.patch
Description:Bugs:

{code}
==24513==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0000055d0 at pc 0x604543 bp 0x7f49e2653810 sp 0x7f49e2653808
READ of size 4 at 0x60d0000055d0 thread T44
   #0 0x604542 in ast_hashtab_lookup /root/asterisk-11.15.0/main/hashtab.c:543
   #1 0x6a76b7 in find_context /root/asterisk-11.15.0/main/pbx.c:6948
   #2 0x6a76b7 in pbx_find_extension /root/asterisk-11.15.0/main/pbx.c:3150
   #3 0x6b24a1 in pbx_extension_helper /root/asterisk-11.15.0/main/pbx.c:4840
   #4 0x6b2d98 in ast_exists_extension /root/asterisk-11.15.0/main/pbx.c:6012
   #5 0x7f49f054140a in get_destination /root/asterisk-11.15.0/channels/chan_sip.c:17530
   #6 0x7f49f06100d7 in handle_request_invite /root/asterisk-11.15.0/channels/chan_sip.c:25628
   #7 0x7f49f061d212 in handle_incoming /root/asterisk-11.15.0/channels/chan_sip.c:28339
   #8 0x7f49f06222da in handle_request_do /root/asterisk-11.15.0/channels/chan_sip.c:28548
   #9 0x7f49f0623a71 in _sip_tcp_helper_thread /root/asterisk-11.15.0/channels/chan_sip.c:3041
   #10 0x7339b4 in handle_tcptls_connection /root/asterisk-11.15.0/main/tcptls.c:684
   #11 0x74f33f in dummy_start /root/asterisk-11.15.0/main/utils.c:1223
   #12 0x7f4a080629d0 in start_thread (/lib64/libpthread.so.0+0x79d0)
   #13 0x7f4a087e88fc in clone (/lib64/libc.so.6+0xe88fc)

0x60d0000055d0 is located 106446469485936 bytes inside
{code}

{code}
==23657==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00002fb08 at pc 0x69b388 bp 0x7f1fa219c320 sp 0x7f1fa219c318
READ of size 8 at 0x60b00002fb08 thread T111
   #0 0x69b387 in pbx_exec /root/asterisk-11.15.0/main/pbx.c:1623
   #1 0x6b2273 in pbx_extension_helper /root/asterisk-11.15.0/main/pbx.c:4915
   #2 0x6c0aa8 in ast_spawn_extension /root/asterisk-11.15.0/main/pbx.c:6037
   #3 0x6c0aa8 in __ast_pbx_run /root/asterisk-11.15.0/main/pbx.c:6512
   #4 0x6c30ca in pbx_thread /root/asterisk-11.15.0/main/pbx.c:6842
   #5 0x74f33f in dummy_start /root/asterisk-11.15.0/main/utils.c:1223
   #6 0x7f1fd66db9d0 in start_thread (/lib64/libpthread.so.0+0x79d0)
   #7 0x7f1fd6e618fc in clone (/lib64/libc.so.6+0xe88fc)

0x60b00002fb08 is located 106309030705832 bytes inside
{code}

To reproduce:
# add to chan_sip.conf
{code}
[sipp]
type=friend
context=from-internal
host=dynamic
port=6000
user=sipp
canreinvite=no
disallow=all
allow=alaw
allow=ulaw
{code}

# add to extentions.conf
{code}
[from-internal]
exten => 766,1,Answer()
exten => 766,n,MusicOnHold(,5)
exten => 766,n,Hangup
{code}

# run {{asterisk -gc}} with ASAN (valgrind i think also found this bug)
# run at another console {{./sipp -sn uac -d 10000 -s 766 127.0.0.1  -mp 5606 -s 766 -l 1000 -r 100  -t t1}}
# stop asterisk with {{core stop now}} or {{ctrl+c}}

You will see race condition in thread closing order and then use after free. As i show at start of description
Comments:By: Matt Jordan (mjordan) 2015-02-18 19:30:17.110-0600

Thanks for providing instructions for reproducing the issue!

By: Corey Farrell (coreyfarrell) 2015-02-20 21:24:02.961-0600

This patch changes the cleanup for pbx.c so it only happens for graceful shutdown.  It should resolve this issue.  During 'core stop now' or ctrl-c, modules like chan_sip are not shutdown, so pbx.c needs to skip shutdown.