[sr-dev] [kamailio/kamailio] asan: probable stack-buffer-overflow (Issue #2953)

sergey-safarov notifications at github.com
Wed Nov 24 13:32:52 CET 2021 

### Description

Kamailio (744bc8f9e12b698cd6b8bc5ef63c84df7a3aea90) compiled with ASAN.
During the start, I got the message

```
 0(52607) INFO: <core> [core/tcp_main.c:4997]: init_tcp(): using epoll_lt as the io watch method (auto detected)
 0(52607) WARNING: <core> [core/daemonize.c:348]: daemonize(): pid file contains old pid, replacing pid
 0(52607) INFO: cfgutils [cfgutils.c:869]: mod_init(): no hash_file given, disable hash functionality
=================================================================
==52607==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xffffc6e64058 at pc 0x000000d02d10 bp 0xffffc6e63dc0 sp 0xffffc6e63de0
READ of size 4 at 0xffffc6e64058 thread T0
    #0 0xd02d0f in fixup_get_param_type core/sr_module.c:1061
    #1 0xd13a33 in fixup_var_pve_str_12 core/sr_module.c:1474
    #2 0xffffa8ca8203 in redirect_init /usr/src/debug/kamailio-5.6.0-dev2.0.el8.centos.aarch64/src/modules/uac_redirect/uac_redirect.c:278
    #3 0xd0021f  (/usr/sbin/kamailio+0xd0021f)
    #4 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #5 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #6 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #7 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #8 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #9 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #10 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #11 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #12 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #13 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #14 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #15 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #16 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #17 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #18 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #19 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #20 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #21 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #22 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #23 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #24 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #25 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #26 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #27 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #28 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #29 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #30 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #31 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #32 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #33 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #34 0xcfefef  (/usr/sbin/kamailio+0xcfefef)
    #35 0xd015ab in init_modules (/usr/sbin/kamailio+0xd015ab)

    #36 0x49fa6b in main (/usr/sbin/kamailio+0x49fa6b)
    #37 0xfffface10de3 in __libc_start_main (/lib64/libc.so.6+0x20de3)
    #38 0x4204eb  (/usr/sbin/kamailio+0x4204eb)

Address 0xffffc6e64058 is located in stack of thread T0 at offset 88 in frame
    #0 0xffffa8ca70e7 in redirect_init /usr/src/debug/kamailio-5.6.0-dev2.0.el8.centos.aarch64/src/modules/uac_redirect/uac_redirect.c:265

  This frame has 8 object(s):
    [32, 40) 'filter'
    [96, 104) 'p' <== Memory access at offset 88 underflows this variable
    [160, 224) '__kld'
    [256, 320) '__kld'
    [352, 416) '__kld'
    [448, 512) '__kld'
    [544, 608) '__kld'
    [640, 704) '__kld'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow core/sr_module.c:1061 in fixup_get_param_type
Shadow bytes around the buggy address:
  0x200ff8dcc7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ff8dcc7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200ff8dcc7d0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
  0x200ff8dcc7e0: 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x200ff8dcc7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x200ff8dcc800: f1 f1 f1 f1 00 f2 f2 f2 f2 f2 f2[f2]00 f2 f2 f2
  0x200ff8dcc810: f2 f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x200ff8dcc820: 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00
  0x200ff8dcc830: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00
  0x200ff8dcc840: f2 f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x200ff8dcc850: 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==52607==ABORTING
```
I do not know this is important or not.
ASAN reports
```
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
```



-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/kamailio/kamailio/issues/2953
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-dev/attachments/20211124/aa1e1111/attachment-0001.htm>

More information about the sr-dev mailing list