Summary: ASTERISK-25761: USAN: Potential runtime errors causing undefined behavior
Reporter: Badalian Vyacheslav (slavon)
Labels:
Date Opened: 2016-02-09 18:20:19.000-0600
Date Closed:
Priority: Minor
Regression?:
Status: Open/New
Components:
Versions: 13.7.0 13.12.1
Frequency of Occurrence:
Related Issues:
Environment: gcc version 5.2.1 20150902 (Red Hat 5.2.1-2) (GCC)
Attachments:
Description:

Hello!

I am sending you a list of the errors found by a USAN test. All errors are shown at the time of loading of modules. I hope you will be interested :)

{code}
/root/asterisk-13.7.0/include/asterisk/strings.h 1181 15 runtime error signed integer overflow  193410279 * 33 cannot be represented in type 'int'
/root/asterisk-13.7.0/include/asterisk/strings.h 1221 15 runtime error signed integer overflow  193404514 * 33 cannot be represented in type 'int'
chan_iax2.c 13511 2 runtime error left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c 8724 2 runtime error left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c 8725 2 runtime error left shift of 3 by 30 places cannot be represented in type 'int'
chan_sip.c 29976 3 runtime error left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c 29977 3 runtime error left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c 30304 2 runtime error left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c 30305 2 runtime error left shift of 3 by 30 places cannot be represented in type 'int'
codec_adpcm.c 151 23 runtime error left shift of negative value -4
codec_g726.c 621 25 runtime error left shift of negative value -12
codec_g726.c 678 25 runtime error left shift of negative value -12
el.c 244 21 runtime error left shift of negative value -2
format_cap.c 173 7 runtime error null pointer passed as argument 2, which is declared to never be null
g722/g722_decode.c 80 39 runtime error left shift of negative value -192
g722/g722_decode.c 373 49 runtime error left shift of negative value -1
g722/g722_encode.c 80 39 runtime error left shift of negative value -1
src/lpc.c 156 28 runtime error left shift of negative value -2961983
src/lpc.c 235 42 runtime error left shift of negative value -3457934
src/preprocess.c 92 8 runtime error left shift of negative value -4
src/rpe.c 336 16 runtime error left shift of negative value -4
src/rpe.c 380 8 runtime error left shift of negative value -1
src/short_term.c 64 2 runtime error left shift of negative value -18
src/short_term.c 67 2 runtime error left shift of negative value -2560
src/short_term.c 70 2 runtime error left shift of negative value -1792
src/short_term.c 71 2 runtime error left shift of negative value -341
src/short_term.c 72 2 runtime error left shift of negative value -1
stasis_message_router.c 113 8 runtime error null pointer passed as argument 2, which is declared to never be null
stasis.c 913 8 runtime error null pointer passed as argument 2, which is declared to never be null
stdtime/localtime.c 828 20 runtime error left shift of negative value -1
{code}
Comments:

By: Asterisk Team (asteriskteam) 2016-02-09 18:20:20.944-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Corey Farrell (coreyfarrell) 2016-02-12 10:56:44.897-0600

-I've just looked at some of the reports against chan_sip.  I think the scanner is wrong.  It claims "left shift of 1 by 31 places cannot be represented in type 'int'".  The fields being operated on are actually 'unsigned int', so (1 << 31) is valid.-

This was incorrect, though I still don't believe the warning has any real effect.

By: Corey Farrell (coreyfarrell) 2016-02-12 13:00:40.941-0600

I've commented on each of the findings.

I think these should be ignored, the hash functions are not actually undefined,
{quote}
/root/asterisk-13.7.0/include/asterisk/strings.h 1181 15 runtime error signed integer overflow  193410279 * 33 cannot be represented in type 'int'
/root/asterisk-13.7.0/include/asterisk/strings.h 1221 15 runtime error signed integer overflow  193404514 * 33 cannot be represented in type 'int'
{quote}

These should have slight modification to the code.  Instead of {{(1 << 31)}} it should say {{(1U << 31)}} for chan_sip flags, {{(1ULL << 31)}} for chan_iax flags.
{quote}
chan_iax2.c 13511 2 runtime error left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c 8724 2 runtime error left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c 8725 2 runtime error left shift of 3 by 30 places cannot be represented in type 'int'
chan_sip.c 29976 3 runtime error left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c 29977 3 runtime error left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c 30304 2 runtime error left shift of 1 by 31 places cannot be represented in type 'int'
chan_sip.c 30305 2 runtime error left shift of 3 by 30 places cannot be represented in type 'int'
{quote}

This looks like an actual bug.  The header contains {{#define EDIT_DISABLED 1<<2}}, then the source uses {{el->el_flags &= ~EDIT_DISABLED;}}.  This source becomes {{el->el_flags &= (~1)<<2;}}.  Is this an issue on the real editline library?  If so a ticket should be opened upstream (and maybe with the major distros).
{quote}
el.c 244 21 runtime error left shift of negative value -2
{quote}

These each require a backtrace to troubleshoot.
{quote}
format_cap.c 173 7 runtime error null pointer passed as argument 2, which is declared to never be null
stasis_message_router.c 113 8 runtime error null pointer passed as argument 2, which is declared to never be null
stasis.c 913 8 runtime error null pointer passed as argument 2, which is declared to never be null
{quote}

The following are codecs.  I'm not sure if these are coding errors, if they should be unsigned variables instead of signed, or if they are intentionally taking advantage of the behavior.  Can the "left shift of negative value" warning be suppressed for everything within the codecs folder?
{quote}
codec_adpcm.c 151 23 runtime error left shift of negative value -4
codec_g726.c 621 25 runtime error left shift of negative value -12
codec_g726.c 678 25 runtime error left shift of negative value -12
g722/g722_decode.c 80 39 runtime error left shift of negative value -192
g722/g722_decode.c 373 49 runtime error left shift of negative value -1
g722/g722_encode.c 80 39 runtime error left shift of negative value -1
src/lpc.c 156 28 runtime error left shift of negative value -2961983
src/lpc.c 235 42 runtime error left shift of negative value -3457934
src/preprocess.c 92 8 runtime error left shift of negative value -4
src/rpe.c 336 16 runtime error left shift of negative value -4
src/rpe.c 380 8 runtime error left shift of negative value -1
src/short_term.c 64 2 runtime error left shift of negative value -18
src/short_term.c 67 2 runtime error left shift of negative value -2560
src/short_term.c 70 2 runtime error left shift of negative value -1792
src/short_term.c 71 2 runtime error left shift of negative value -341
src/short_term.c 72 2 runtime error left shift of negative value -1
{quote}

Well {{~0L}} does equal -1.  I'm not sure if this is a problem, or how we would fix/suppress this warning.  I'm also unsure if/how this would cause incorrect behavior.
{quote}
stdtime/localtime.c 828 20 runtime error left shift of negative value -1
{quote}
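
The two shift patterns discussed in the comment above, reduced to a constructed example (not Asterisk or editline code; the macro and function names are hypothetical): a bit-31 flag written as a signed shift beside its unsigned fix, and an unparenthesised macro body that turns {{~EDIT_DISABLED}} into {{(~1)<<2}}, which both shifts a negative value and clears the wrong bits.

```c
#include <stdio.h>
#include <stdint.h>

/* Constructed example, not Asterisk or editline code. Build with
 * "gcc -fsanitize=undefined" to see UBSan report the unsafe lines. */

/* Pattern 1: a bit-31 flag written as a signed shift. The signed form is
 * what UBSan reports for the chan_sip flags; the fix is an unsigned constant
 * (1U for a 32-bit flag word, 1ULL for a 64-bit one). */
#define FLAG31_UNSAFE (1 << 31)     /* UB: 1 << 31 does not fit in int */
#define FLAG31_SAFE   (1U << 31)    /* well-defined: unsigned int */
#define FLAG31_SAFE64 (1ULL << 31)  /* well-defined: 64-bit flag word */

unsigned int set_flag31(unsigned int flags)
{
    return flags | FLAG31_SAFE;     /* 0x80000000 or'ed in, no overflow */
}

uint64_t set_flag31_64(uint64_t flags)
{
    return flags | FLAG31_SAFE64;
}

/* Pattern 2: an unparenthesised macro body combined with ~.
 * "~EDIT_DISABLED_UNSAFE" expands to "~1<<2", which parses as (~1) << 2:
 * a left shift of the negative value -2 (UB) whose result, on every
 * two's-complement compiler, is a mask that clears bits 0, 1 and 2. */
#define EDIT_DISABLED_UNSAFE 1<<2
#define EDIT_DISABLED_SAFE   (1U<<2)

unsigned int clear_disabled_unsafe(unsigned int flags)
{
    return flags & ~EDIT_DISABLED_UNSAFE;   /* flags & ((~1) << 2) */
}

unsigned int clear_disabled_safe(unsigned int flags)
{
    return flags & ~EDIT_DISABLED_SAFE;     /* flags & ~(1U << 2) */
}

int main(void)
{
    unsigned int f = 0x7;   /* constructed flag word: bits 0, 1 and 2 set */
    printf("safe  : 0x%x\n", clear_disabled_safe(f));   /* 0x3: only bit 2 cleared */
    printf("unsafe: 0x%x\n", clear_disabled_unsafe(f)); /* 0x0: bits 0 and 1 lost too */
    printf("flag31: 0x%x\n", set_flag31(0));            /* 0x80000000 */
    return 0;
}
```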

By: Badalian Vyacheslav (slavon) 2016-02-12 13:11:43.803-0600

I used the editline bundled with Asterisk:
{code}
[root@vm-asterisk04t asterisk]# find . -name "el.c"
./main/editline/el.c
{code}
because if I use the system one we don't see debug info.

{quote}
The following are codecs. I'm not sure if these are coding error's, if they should be unsigned variables instead of signed, or if they are intentionally taking advantage of the behavior. Can the "left shift of negative value" warning be suppressed for everything within the codecs folder?
{quote}
USAN does not have a suppression list :(

{quote}
These each require a backtrace to troubleshoot.
{quote}
gcc has a compile flag to halt on the first USAN error, but before that you must fix the other behavior. USAN does not have a suppression list :(

By: Badalian Vyacheslav (slavon) 2016-10-30 13:43:34.115-0500

Pump UP!
I propose to treat all undefined sanitizer bugs.

By: Joshua C. Colp (jcolp) 2016-10-30 13:47:52.393-0500

This issue is already in the queue to get looked into.

By: Mateusz (mmazur) 2017-09-01 05:57:53.923-0500

Hi! Probably we have a problem with it; stack trace:

{code}
#0  0x00007f76e2b6d07d in malloc_consolidate (av=0x7f75f8000020) at malloc.c:5218
#1  0x00007f76e2b70d08 in _int_malloc (av=0x7f75f8000020, bytes=<value optimized out>) at malloc.c:4425
#2  0x00007f76e2b718cd in __libc_calloc (n=<value optimized out>, elem_size=<value optimized out>) at malloc.c:4103
#3  0x0000000000505091 in _ast_calloc (framed=0x7f75f81a9150, cap=0x7f75f8131580, format=0x1da1fb0, framing=0) at /vagrant/rpmbuild/BUILD/asterisk-13.9.1/include/asterisk/utils.h:573
#4  format_cap_framed_init (framed=0x7f75f81a9150, cap=0x7f75f8131580, format=0x1da1fb0, framing=0) at format_cap.c:173
#5  0x00000000005c35fc in ast_translate_available_formats (dest=0x7f75f81a62d0, src=0x7f75f81aad80, result=0x7f75f8131580) at translate.c:1475
#6  0x00007f761fb8227f in sip_call (ast=0x7f75f81c11a8, dest=<value optimized out>, timeout=<value optimized out>) at chan_sip.c:6430
#7  0x00000000004a377c in ast_call (chan=0x7f75f81c11a8, addr=0x7f75f8131ab0 "123456789@111.111.111.111", timeout=0) at channel.c:6192
#8  0x00007f762ef4d452 in dial_exec_full (chan=0x7f75f001f938, data=<value optimized out>, peerflags=0x7f75c52645d0, continue_exec=0x0) at app_dial.c:2623
#9  0x00007f762ef501d6 in dial_exec (chan=<value optimized out>, data=<value optimized out>) at app_dial.c:3160
#10 0x0000000000562595 in pbx_exec (c=0x7f75f001f938, app=0x331fb40, data=0x7f75c5264b60 "SIP/123456789@111.111.111.111,S(10800)grCM(answe^823^10168025^28020679^^Local/123456789@answe-00008da7;2)E(28020679)") at pbx_app.c:485
{code}

It crashes Asterisk with a SegFault. I suppose that could be:
{quote}
format_cap.c 173 7 runtime error null pointer passed as argument 2, which is declared to never be null
{quote}