[Home]

Summary:ASTERISK-25814: Segfault at f ip in res_pjsip_refer.so
Reporter:Sergio Medina Toledo (lumasepa)Labels:
Date Opened:2016-02-26 03:24:32.000-0600Date Closed:2016-03-18 08:10:21
Priority:MajorRegression?
Status:Closed/CompleteComponents:Resources/res_pjsip_refer
Versions:13.6.0 Frequency of
Occurrence
One Time
Related
Issues:
Environment:Linux 3.13.0-68-generic #111-Ubuntu SMP x86_64 GNU/Linux Ubuntu 14.04.3 LTS Attachments:
Description:Hi guys, I have a segmentation fault in a production server of asterisk 13.6, as it is production it doesn't have debug symbols or core dumps activated, looking at the kern.log it says that
{code} "asterisk[32690]: segfault at f ip 00007f11881919bc sp 00007f11837fc740 error 6 in         res_pjsip_refer.so[7f118818e000+7000]"
{code}
The error 6 in the kern.log message means a write access in user mode.

So I subtract the library loaded direction "7f118818e000" to the instruction pointer "00007f11881919bc" that gives me the direction (39bc) of the bad instruction in my res_pjsip_refer.so lib

I made a objdump of the library to see the what instruction is failing and what is happening and find this asm procedure:

{code}
   39b2:       48 8b 50 40             mov    0x40(%rax),%rdx
   39b6:       48 8b 40 48             mov    0x48(%rax),%rax
   39ba:       31 c9                       xor    %ecx,%ecx
X 39bc:       c6 04 02 00             movb   $0x0,(%rdx,%rax,1)
   39c0:       49 8b 55 48             mov    0x48(%r13),%rdx
   39c4:       49 8b 75 40             mov    0x40(%r13),%rsi
   39c8:       49 8b 3c 24             mov    (%r12),%rdi
   39cc:       e8 df ea ff ff             callq  24b0 <pjsip_parse_uri@plt>
   39d1:       48 85 c0                  test   %rax,%rax
   39d4:       49 89 c6                  mov    %rax,%r14
   39d7:       74 3e                       je     3a17 <pjsip_xfer_init_module@plt+0x1497>
{code}

As you can see in the asm code it call the pjsip_parse_uri, in the c code of the module res_pjsip_refer.so it only calls that function in one point so it was easy to found the code corresponding to that asm procedure (arround line 1013), is the next :

{code}
/* This is done on purpose (and is safe) - it's done so that the value passed to
* pjsip_parse_uri is NULL terminated as required
*/
uri = refer_to->hvalue.ptr;
uri[refer_to->hvalue.slen] = '\0';
{code}

The comment says that it's secure but for me doesn't seems secure, for me it is a segmentation fault so I asked myself why it isn't failing always, so looking at the code that allocated the memory of refer_to->hvalue.ptr I found that it happens in the pjsip library and that library uses a pool of memory. Thinking about it, the segmentation fault only happens when the allocated string is at the end of a page of the pool, in other cases this produces a write in a part of memory that it shouldn't but because it is allocated by the pool it doesn't happen the segfault.

I think that this can be a fix :

{code}
/* This is done on purpose (and is safe) - it's done so that the value passed to
* pjsip_parse_uri is NULL terminated as required
*/
uri = malloc(refer_to->hvalue.slen + 1);
strncpy(uri, refer_to->hvalue.ptr, refer_to->hvalue.slen);
uri[refer_to->hvalue.slen] = '\0';

target = pjsip_parse_uri(rdata->tp_info.pool, uri, refer_to->hvalue.slen, 0);
free(uri);

{code}
Comments:By: Asterisk Team (asteriskteam) 2016-02-26 03:24:33.301-0600

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution.

A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report.

Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Rusty Newton (rnewton) 2016-02-29 18:31:22.130-0600

Sergio do you want to submit a patch?

If you follow the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process] you can get the patch up on Gerrit where it can be peer-reviewed and processed for merging if it is what is needed.

By: Sergio Medina Toledo (lumasepa) 2016-03-01 08:06:03.740-0600

I can submit a patch in gerrit, just let me some time to do it


By: Rusty Newton (rnewton) 2016-03-01 15:07:08.515-0600

Thanks. Be sure to test in 13.7.2 first as there were a few fixes between your version and that one. The crash may be fixed already.

In the meantime you might also get a full backtrace of the crash and attach it to the issue for clarity.

By: Rusty Newton (rnewton) 2016-03-01 15:10:43.678-0600

Thanks again for working on the patch. We really appreciate it. That will help things move along quickly. If you have any questions about the patch process feel free to ask in #asterisk-dev on irc.freenode.net

By: Sergio Medina Toledo (lumasepa) 2016-03-02 03:14:44.251-0600

I can't get a traceback as I can't reproduce the segmentation fault voluntary, as it only happens when the "Refer-to" uri is at the end of a block of memory of the pool of memory of pjsip, anyways I think the problem is clearly visible in the snippet of code.