Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(mme): Null terminates string to stop buffer overflow #11925

Merged
merged 1 commit into from
Mar 5, 2022
Merged

fix(mme): Null terminates string to stop buffer overflow #11925

merged 1 commit into from
Mar 5, 2022

Conversation

electronjoe
Copy link
Member

@electronjoe electronjoe commented Mar 3, 2022
edited
Loading

Addresses one finding (more exist) of #11826.

Zero-initialized all instances of plmn_array[PLMN_BYTES] (so that they will be null terminated) and enlarged the array by one char to accommodate the null termination.

Fixes the finding:

[ RUN      ] TestAMFStateConverter.TestUEm5gmmContextToProto
=================================================================
==15482==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee811fc86 at pc 0x7f3038dada6d bp 0x7ffee811faa0 sp 0x7ffee811f248
READ of size 7 at 0x7ffee811fc86 thread T0
    #0 0x7f3038dada6c  (/lib/x86_64-linux-gnu/libasan.so.5+0x67a6c)
    #1 0x7f302e641e9b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x145e9b)
    #2 0x7f30383b85f6 in magma::lte::oai::Tai::set_mcc_mnc(char const*) bazel-out/k8-dbg/bin/lte/protos/oai/nas_state_cpp_proto_pb/lte/protos/oai/nas_state.pb.h:11239

Test Plan

Using prototype Bazel build with --config=asan validated ASAN finding
is resolved.

Signed-off-by: Scott Moeller electrojoe@gmail.com

@electronjoe electronjoe requested review from a team and ssanadhya March 3, 2022 14:06
@pull-request-size pull-request-size bot added the size/XS Denotes a PR that changes 0-9 lines. label Mar 3, 2022
@electronjoe electronjoe changed the title fix(mme): Null terminates string to stop bufer overflow fix(mme): Null terminates string to stop buffer overflow Mar 3, 2022
@github-actions
Copy link
Contributor

github-actions bot commented Mar 3, 2022

Thanks for opening a PR! 💯

A couple initial guidelines

Howto

  • Reviews. The "Reviewers" listed for this PR are the Magma maintainers who will shepherd it.
  • Checks. All required CI checks must pass before merge.
  • Merge. Once approved and passing CI checks, use the ready2merge label to indicate the maintainers can merge your PR.

More info

Please take a moment to read through the Magma project's

If this is your first Magma PR, also consider reading

@github-actions github-actions bot added the component: agw Access gateway-related issue label Mar 3, 2022
@github-actions
Copy link
Contributor

github-actions bot commented Mar 3, 2022
edited
Loading

Oops! Looks like you failed the DCO check. Be sure to sign all your commits.

Howto

♻️ Updated: ✅ The check is passing the DCO check after the last commit.

@github-actions
Copy link
Contributor

github-actions bot commented Mar 3, 2022
edited
Loading

feg-workflow

    2 files  202 suites   33s ⏱️
363 tests 363 ✔️ 0 💤 0
377 runs  377 ✔️ 0 💤 0

Results for commit 4d7982e.

♻️ This comment has been updated with latest results.

@github-actions
Copy link
Contributor

github-actions bot commented Mar 3, 2022
edited
Loading

agw-workflow

  54 files    84 suites   3m 51s ⏱️
738 tests 729 ✔️ 9 💤 0
923 runs  914 ✔️ 9 💤 0

Results for commit 4d7982e.

♻️ This comment has been updated with latest results.

ssanadhya
ssanadhya approved these changes Mar 3, 2022
View reviewed changes
Copy link
Collaborator

@ssanadhya ssanadhya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@ssanadhya
Copy link
Collaborator

@electronjoe , since you modified the PLMN_BYTES macro, can you update the changes made in https://github.com/magma/magma/pull/11891/files too?

ssanadhya
ssanadhya requested changes Mar 4, 2022
View reviewed changes
Copy link
Collaborator

@ssanadhya ssanadhya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please update the usage of PLMN_BYTES in state_converter.cpp too

@electronjoe
fix(mme): Null terminates string to stop bufer overflow
4d7982e 
Addresses one finding (more exist) of magma#11826.

Test Plan

Using prototype Bazel build with `--config=asan` validated ASAN finding
is resolved.

Signed-off-by: Scott Moeller <electronjoe@gmail.com>
@pull-request-size pull-request-size bot added size/S Denotes a PR that changes 10-29 lines. and removed size/XS Denotes a PR that changes 0-9 lines. labels Mar 4, 2022
@electronjoe
Copy link
Member Author

Please update the usage of PLMN_BYTES in state_converter.cpp too

Thanks for the corrective advice Shruti! I've migrated all instances to zero-init (so that we get the null termination). Please take a look at the updated PR!

@LKreutzer LKreutzer mentioned this pull request Mar 4, 2022
Closed
LKreutzer
LKreutzer approved these changes Mar 4, 2022
View reviewed changes
Copy link
Contributor

@LKreutzer LKreutzer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested locally

ssanadhya
ssanadhya approved these changes Mar 4, 2022
View reviewed changes
Copy link
Collaborator

@ssanadhya ssanadhya left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@electronjoe electronjoe merged commit 331551e into magma:master Mar 5, 2022
@github-actions
Copy link
Contributor

github-actions bot commented Mar 5, 2022
edited
Loading

Unit Test Results

  26 files    26 suites   26m 9s ⏱️
176 tests 172 ✔️ 3 💤 0  1 🔥

For more details on these errors, see this check.

Results for commit 331551e.

♻️ This comment has been updated with latest results.

@ardzoht ardzoht linked an issue Mar 7, 2022 that may be closed by this pull request
[mme] Crash running multiple EXTENDED_TESTS S1AP cases #11977
Closed
@themarwhal themarwhal linked an issue Mar 7, 2022 that may be closed by this pull request
Explore failing //lte/gateway/c/core/oai/test/nas:nas_converter_test with --config=asan #11827
Closed
@themarwhal themarwhal added the backport-v1.7 MME fixes to be backported for 1.7 label Mar 9, 2022
@ardzoht ardzoht removed the backport-v1.7 MME fixes to be backported for 1.7 label Mar 11, 2022
ardzoht pushed a commit that referenced this pull request Mar 30, 2022
@electronjoe @ardzoht
fix(mme): Null terminates string to stop bufer overflow (#11925)
8bda2ea 
Addresses one finding (more exist) of #11826.

Zero-initialized all instances of `plmn_array[PLMN_BYTES]` (so that they will be null terminated) and enlarged the array by one char to accommodate the null termination.

Fixes the finding:

```
[ RUN      ] TestAMFStateConverter.TestUEm5gmmContextToProto
=================================================================
==15482==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee811fc86 at pc 0x7f3038dada6d bp 0x7ffee811faa0 sp 0x7ffee811f248
READ of size 7 at 0x7ffee811fc86 thread T0
    #0 0x7f3038dada6c  (/lib/x86_64-linux-gnu/libasan.so.5+0x67a6c)
    #1 0x7f302e641e9b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x145e9b)
    #2 0x7f30383b85f6 in magma::lte::oai::Tai::set_mcc_mnc(char const*) bazel-out/k8-dbg/bin/lte/protos/oai/nas_state_cpp_proto_pb/lte/protos/oai/nas_state.pb.h:11239
```

## Test Plan

Using prototype Bazel build with `--config=asan` validated ASAN finding
is resolved.

Signed-off-by: Scott Moeller <electrojoe@gmail.com>
@MAAHamid MAAHamid mentioned this pull request Apr 7, 2022
Closed
@electronjoe electronjoe deleted the pr-asan-amf branch April 15, 2022 19:13
emakeev pushed a commit to emakeev/magma that referenced this pull request Aug 5, 2022
@electronjoe @emakeev
fix(mme): Null terminates string to stop bufer overflow (magma#11925)
fbca257 
Addresses one finding (more exist) of magma#11826.

Zero-initialized all instances of `plmn_array[PLMN_BYTES]` (so that they will be null terminated) and enlarged the array by one char to accommodate the null termination.

Fixes the finding:

```
[ RUN      ] TestAMFStateConverter.TestUEm5gmmContextToProto
=================================================================
==15482==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffee811fc86 at pc 0x7f3038dada6d bp 0x7ffee811faa0 sp 0x7ffee811f248
READ of size 7 at 0x7ffee811fc86 thread T0
    #0 0x7f3038dada6c  (/lib/x86_64-linux-gnu/libasan.so.5+0x67a6c)
    magma#1 0x7f302e641e9b in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(char const*, std::allocator<char> const&) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x145e9b)
    magma#2 0x7f30383b85f6 in magma::lte::oai::Tai::set_mcc_mnc(char const*) bazel-out/k8-dbg/bin/lte/protos/oai/nas_state_cpp_proto_pb/lte/protos/oai/nas_state.pb.h:11239
```

## Test Plan

Using prototype Bazel build with `--config=asan` validated ASAN finding
is resolved.

Signed-off-by: Scott Moeller <electrojoe@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ssanadhya ssanadhya ssanadhya approved these changes

@lionelgo lionelgo lionelgo approved these changes

@LKreutzer LKreutzer LKreutzer approved these changes

Assignees
No one assigned
Labels
component: agw Access gateway-related issue size/S Denotes a PR that changes 10-29 lines.
Projects
None yet
Milestone
No milestone
6 participants
@electronjoe @ssanadhya @lionelgo @LKreutzer @ardzoht @themarwhal