fixup build #4
Merged
fixup build #4
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
neochapay
pushed a commit
to neochapay/ofono-new
that referenced
this pull request
Dec 9, 2022
While adding the sim pin cache feature, pin_name could cause issue in cases when sim pin is not there. log: ofonod[27810]: drivers/atmodem/sim.c:at_cpin_cb() crsm_pin_cb: READY ofonod[27810]: src/sim.c:sim_pin_query_cb() sim->pin_type: 0, pin_type: 0 ofonod[27810]: Aborting (signal 11) [./src/ofonod] ofonod[27810]: ++++++++ backtrace ++++++++ ofonod[27810]: #0 0x7fb7a7586cb0 in /lib/x86_64-linux-gnu/libc.so.6 ofonod[27810]: #1 0x7fb7a7693cd8 in /lib/x86_64-linux-gnu/libc.so.6 ofonod[27810]: sailfish-on-dontbeevil#2 0x4d899b in sim_pin_query_cb() at src/sim.c:3174 ofonod[27810]: sailfish-on-dontbeevil#3 0x4649e7 in at_cpin_cb() at drivers/atmodem/sim.c:1304 ofonod[27810]: sailfish-on-dontbeevil#4 0x4a5d70 in at_chat_finish_command() at gatchat/gatchat.c:462
neochapay
pushed a commit
to neochapay/ofono-new
that referenced
this pull request
Dec 9, 2022
When closing down a cmux object, the address sanitizer detects a
use-after-free in gatmux.c (see below).
Avoid this by taking a reference to the mux object during the processing
in received_data().
ofonod[3640549]: ../git/plugins/quectel.c:cfun_disable() 0x610000000b40
ofonod[3640549]: ../git/plugins/quectel.c:close_serial() 0x610000000b40
ofonod[3640549]: ../git/plugins/quectel.c:close_mux() 0x610000000b40
ofonod[3640549]: ../git/examples/emulator.c:powered_watch() Removing modem 0x610000000b40 from the list
ofonod[3640549]: ../git/examples/emulator.c:powered_watch() Removing server watch: 106
ofonod[3640549]: ../git/src/modem.c:modem_change_state() old state: 0, new state: 0
=================================================================
==3640549==ERROR: AddressSanitizer: heap-use-after-free on address 0x62100073dd28 at pc 0x5566b6402a21 bp 0x7ffe7a2db0e0 sp 0x7ffe7a2db0d0
READ of size 8 at 0x62100073dd28 thread T0
#0 0x5566b6402a20 in debug ../git/gatchat/gatmux.c:109
#1 0x5566b6404bd7 in channel_close ../git/gatchat/gatmux.c:525
sailfish-on-dontbeevil#2 0x7fa0516e44a6 in g_io_channel_shutdown (/usr/lib/libglib-2.0.so.0+0x774a6)
sailfish-on-dontbeevil#3 0x7fa0516e4644 in g_io_channel_unref (/usr/lib/libglib-2.0.so.0+0x77644)
sailfish-on-dontbeevil#4 0x5566b64048a4 in watch_finalize ../git/gatchat/gatmux.c:474
sailfishos#5 0x7fa0516d6f6f (/usr/lib/libglib-2.0.so.0+0x69f6f)
sailfishos#6 0x7fa0516ac6a7 in g_slist_foreach (/usr/lib/libglib-2.0.so.0+0x3f6a7)
sailfishos#7 0x7fa0516b277b in g_slist_free_full (/usr/lib/libglib-2.0.so.0+0x4577b)
sailfishos#8 0x5566b6403413 in dispatch_sources ../git/gatchat/gatmux.c:224
sailfishos#9 0x5566b64039ea in received_data ../git/gatchat/gatmux.c:268
sailfishos#10 0x7fa0516d727e in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x6a27e)
sailfishos#11 0x7fa0516d91c0 (/usr/lib/libglib-2.0.so.0+0x6c1c0)
sailfishos#12 0x7fa0516da0d2 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x6d0d2)
sailfishos#13 0x5566b6429b1b in main ../git/src/main.c:286
sailfishos#14 0x7fa05147fee2 in __libc_start_main (/usr/lib/libc.so.6+0x26ee2)
sailfishos#15 0x5566b62531ad in _start (/home/martin/projects/ofono/x86/src/ofonod+0xfc1ad)
0x62100073dd28 is located 40 bytes inside of 4672-byte region [0x62100073dd00,0x62100073ef40)
freed by thread T0 here:
#0 0x7fa0519256c0 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x5566b64052d7 in g_at_mux_unref ../git/gatchat/gatmux.c:645
sailfish-on-dontbeevil#2 0x5566b63d6d19 in close_mux ../git/plugins/quectel.c:199
sailfish-on-dontbeevil#3 0x5566b63d7047 in close_serial ../git/plugins/quectel.c:223
sailfish-on-dontbeevil#4 0x5566b63db62a in cfun_disable ../git/plugins/quectel.c:1056
sailfishos#5 0x5566b63f6ae1 in at_chat_finish_command ../git/gatchat/gatchat.c:459
sailfishos#6 0x5566b63f701b in at_chat_handle_command_response ../git/gatchat/gatchat.c:521
sailfishos#7 0x5566b63f785b in have_line ../git/gatchat/gatchat.c:600
sailfishos#8 0x5566b63f87f1 in new_bytes ../git/gatchat/gatchat.c:759
sailfishos#9 0x5566b640174c in received_data ../git/gatchat/gatio.c:122
sailfishos#10 0x5566b64047b4 in watch_dispatch ../git/gatchat/gatmux.c:464
sailfishos#11 0x5566b640313b in dispatch_sources ../git/gatchat/gatmux.c:183
sailfishos#12 0x5566b64039ea in received_data ../git/gatchat/gatmux.c:268
sailfishos#13 0x7fa0516d727e in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x6a27e)
previously allocated by thread T0 here:
#0 0x7fa051925ce8 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:153
#1 0x5566b6405009 in g_at_mux_new ../git/gatchat/gatmux.c:606
sailfish-on-dontbeevil#2 0x5566b6407f6b in g_at_mux_new_gsm0710_basic ../git/gatchat/gatmux.c:1165
sailfish-on-dontbeevil#3 0x5566b63da9ba in cmux_cb ../git/plugins/quectel.c:882
sailfish-on-dontbeevil#4 0x5566b63f6ae1 in at_chat_finish_command ../git/gatchat/gatchat.c:459
sailfishos#5 0x5566b63f701b in at_chat_handle_command_response ../git/gatchat/gatchat.c:521
sailfishos#6 0x5566b63f785b in have_line ../git/gatchat/gatchat.c:600
sailfishos#7 0x5566b63f87f1 in new_bytes ../git/gatchat/gatchat.c:759
sailfishos#8 0x5566b640174c in received_data ../git/gatchat/gatio.c:122
sailfishos#9 0x7fa0516d727e in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x6a27e)
SUMMARY: AddressSanitizer: heap-use-after-free ../git/gatchat/gatmux.c:109 in debug
Shadow bytes around the buggy address:
0x0c42800dfb50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c42800dfb60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c42800dfb70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c42800dfb80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c42800dfb90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c42800dfba0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
0x0c42800dfbb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c42800dfbc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c42800dfbd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c42800dfbe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c42800dfbf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3640549==ABORTING
neochapay
pushed a commit
to neochapay/ofono-new
that referenced
this pull request
Dec 9, 2022
With the reference in place in received_data(), the address sanitizer
now encounters a use-after-free when the destroy notification is
dispatched for the read watcher (see below).
Fix this by remove the destroy notification callback, as it isn't really
used except in the shutdown function.
==5797==ERROR: AddressSanitizer: heap-use-after-free on address 0x621000ac5904 at pc 0x55c1243b1f14 bp 0x7ffdef001340 sp 0x7ffdef001330
WRITE of size 4 at 0x621000ac5904 thread T0
#0 0x55c1243b1f13 in read_watcher_destroy_notify ../git/gatchat/gatmux.c:660
#1 0x7f08a8676742 (/usr/lib/libglib-2.0.so.0+0x62742)
sailfish-on-dontbeevil#2 0x7f08a867e2e4 in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x6a2e4)
sailfish-on-dontbeevil#3 0x7f08a8680210 (/usr/lib/libglib-2.0.so.0+0x6c210)
sailfish-on-dontbeevil#4 0x7f08a8681122 in g_main_loop_run (/usr/lib/libglib-2.0.so.0+0x6d122)
sailfishos#5 0x55c1243d6703 in main ../git/src/main.c:286
sailfishos#6 0x7f08a8423152 in __libc_start_main (/usr/lib/libc.so.6+0x27152)
sailfishos#7 0x55c1241fe1ad in _start (/home/martin/projects/ofono/x86/src/ofonod+0xfd1ad)
0x621000ac5904 is located 4 bytes inside of 4672-byte region [0x621000ac5900,0x621000ac6b40)
freed by thread T0 here:
#0 0x7f08a88cc6b0 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:122
#1 0x55c1243b1ebf in g_at_mux_unref ../git/gatchat/gatmux.c:652
sailfish-on-dontbeevil#2 0x55c1243b062c in received_data ../git/gatchat/gatmux.c:276
sailfish-on-dontbeevil#3 0x7f08a867e2ce in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x6a2ce)
previously allocated by thread T0 here:
#0 0x7f08a88cccd8 in __interceptor_calloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:153
#1 0x55c1243b1bf1 in g_at_mux_new ../git/gatchat/gatmux.c:613
sailfish-on-dontbeevil#2 0x55c1243b4b53 in g_at_mux_new_gsm0710_basic ../git/gatchat/gatmux.c:1172
sailfish-on-dontbeevil#3 0x55c124386abd in cmux_gatmux ../git/plugins/quectel.c:871
sailfish-on-dontbeevil#4 0x55c12438779f in cmux_cb ../git/plugins/quectel.c:1023
sailfishos#5 0x55c1243a368e in at_chat_finish_command ../git/gatchat/gatchat.c:459
sailfishos#6 0x55c1243a3bc8 in at_chat_handle_command_response ../git/gatchat/gatchat.c:521
sailfishos#7 0x55c1243a4408 in have_line ../git/gatchat/gatchat.c:600
sailfishos#8 0x55c1243a539e in new_bytes ../git/gatchat/gatchat.c:759
sailfishos#9 0x55c1243ae2f9 in received_data ../git/gatchat/gatio.c:122
sailfishos#10 0x7f08a867e2ce in g_main_context_dispatch (/usr/lib/libglib-2.0.so.0+0x6a2ce)
SUMMARY: AddressSanitizer: heap-use-after-free ../git/gatchat/gatmux.c:660 in read_watcher_destroy_notify
Shadow bytes around the buggy address:
0x0c4280150ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280150ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280150af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280150b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280150b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4280150b20:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4280150b30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4280150b40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4280150b50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4280150b60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4280150b70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==5797==ABORTING
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.