Heap-use-after-free in UE MAC
[PHY] [UE0] In synch, rx_offset 109696 samples
[PHY] [UE 0] Measured Carrier Frequency 3619200010 Hz (offset 10 Hz)
[PHY] HW: Configuring channel 0 (rf_chain 0): setting tx_freq 3619200010 Hz, rx_freq 3619200010 Hz, tune_offset 0
[PHY] Got synch: hw_slot_offset 7, carrier off 10 Hz, rxgain 0.000000 (DL 3619200010.000000 Hz, UL 3619200010.000000 Hz)
Entering ITTI signals handler
TYPE <CTRL-C> TO TERMINATE
[PHY] UE synchronized! decoded_frame_rx=200 UE->init_sync_frame=1 trashed_frames=48
[PHY] Resynchronizing RX by 109696 samples
[NR_RRC] SIB1 decoded
[NR_MAC] NR band duplex spacing is 0 KHz (nr_bandtable[37].band = 78)
[NR_MAC] NR band 78, duplex mode TDD, duplex spacing = 0 KHz
[NR_PHY] ============================================
[NR_PHY] Harq round stats for Downlink: 1/0/0
[NR_PHY] ============================================
[NR_PHY] ============================================
[NR_PHY] Harq round stats for Downlink: 1/0/0
[NR_PHY] ============================================
[NR_MAC] NR band duplex spacing is 0 KHz (nr_bandtable[37].band = 78)
[NR_MAC] NR band 78, duplex mode TDD, duplex spacing = 0 KHz
[MAC] Initialization of 4-step contention-based random access procedure
[NR_MAC] PRACH scheduler: Selected RO Frame 343, Slot 19, Symbol 0, Fdm 0
[PHY] PRACH [UE 0] in frame.slot 343.19, placing PRACH in position 2828, msg1 frequency start 0 (k1 0), preamble_offset 7, first_nonzero_root_idx 0
[NR_MAC] [UE 0][RAPROC] Got BI RAR subPDU 5 ms
[NR_MAC] [UE 0][RAPROC] Got RAPID RAR subPDU
[NR_MAC] [UE 0][RAPROC][344.7] Found RAR with the intended RAPID 28
[MAC] received TA command 31
[PHY] RAR-Msg2 decoded
[NR_MAC] [RAPROC][344.17] RA-Msg3 transmitted
[NR_RRC] Timer T300 expired! No timely response to RRCSetupRequest
[NR_PHY] ============================================
[NR_PHY] Harq round stats for Downlink: 2/0/0
[NR_PHY] ============================================
=================================================================
==2531496==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fffe4809800 at pc 0x5555566c67a4 bp 0x7fffef6884b0 sp 0x7fffef6884a0
READ of size 4 at 0x7fffe4809800 thread T8
#0 0x5555566c67a3 in get_nr_prach_info_from_ssb_index /home/sakthi/oai_dev/openair2/LAYER2/NR_MAC_UE/nr_ue_scheduler.c:1966
#1 0x5555566d05a1 in nr_ue_prach_scheduler /home/sakthi/oai_dev/openair2/LAYER2/NR_MAC_UE/nr_ue_scheduler.c:2431
#2 0x5555566ae3ce in nr_ue_ul_scheduler /home/sakthi/oai_dev/openair2/LAYER2/NR_MAC_UE/nr_ue_scheduler.c:1050
#3 0x5555565730ca in nr_ue_ul_indication /home/sakthi/oai_dev/openair2/NR_UE_PHY_INTERFACE/NR_IF_Module.c:1147
#4 0x5555561ef415 in processSlotTX /home/sakthi/oai_dev/executables/nr-ue.c:601
#5 0x5555562aa67e in one_thread /home/sakthi/oai_dev/common/utils/threadPool/thread-pool.c:86
#6 0x7ffff6694ac2 in start_thread nptl/pthread_create.c:442
#7 0x7ffff672684f (/lib/x86_64-linux-gnu/libc.so.6+0x12684f)
0x7fffe4809800 is located 1146880 bytes inside of 1146888-byte region [0x7fffe46f1800,0x7fffe4809808)
freed by thread T9 here:
#0 0x7ffff74b4537 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x5555565d5354 in reset_mac_inst /home/sakthi/oai_dev/openair2/LAYER2/NR_MAC_UE/main_ue_nr.c:199
#2 0x5555565ac6c8 in nr_rrc_mac_config_req_reset /home/sakthi/oai_dev/openair2/LAYER2/NR_MAC_UE/config_ue.c:1378
#3 0x55555651b729 in handle_t300_expiry /home/sakthi/oai_dev/openair2/RRC/NR_UE/rrc_UE.c:2226
#4 0x555556523740 in nr_rrc_handle_timers /home/sakthi/oai_dev/openair2/RRC/NR_UE/rrc_timers_and_constants.c:125
#5 0x555556501eb7 in rrc_nrue /home/sakthi/oai_dev/openair2/RRC/NR_UE/rrc_UE.c:1699
#6 0x5555564ffea6 in rrc_nrue_task /home/sakthi/oai_dev/openair2/RRC/NR_UE/rrc_UE.c:1667
#7 0x7ffff6694ac2 in start_thread nptl/pthread_create.c:442
previously allocated by thread T9 here:
#0 0x7ffff74b4a57 in __interceptor_calloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:154
#1 0x5555566bf216 in build_ssb_list /home/sakthi/oai_dev/openair2/LAYER2/NR_MAC_UE/nr_ue_scheduler.c:1745
#2 0x5555566c7f1e in build_ssb_to_ro_map /home/sakthi/oai_dev/openair2/LAYER2/NR_MAC_UE/nr_ue_scheduler.c:2040
#3 0x5555565ad3b8 in nr_rrc_mac_config_req_sib1 /home/sakthi/oai_dev/openair2/LAYER2/NR_MAC_UE/config_ue.c:1424
#4 0x5555564d9f96 in nr_rrc_ue_decode_NR_BCCH_DL_SCH_Message /home/sakthi/oai_dev/openair2/RRC/NR_UE/rrc_UE.c:755
#5 0x555556503842 in rrc_nrue /home/sakthi/oai_dev/openair2/RRC/NR_UE/rrc_UE.c:1724
#6 0x5555564ffea6 in rrc_nrue_task /home/sakthi/oai_dev/openair2/RRC/NR_UE/rrc_UE.c:1667
#7 0x7ffff6694ac2 in start_thread nptl/pthread_create.c:442
Thread T8 created by T0 here:
#0 0x7ffff7458685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x5555562af86a in threadCreate /home/sakthi/oai_dev/common/utils/system.c:265
#2 0x5555562ab9c0 in initNamedTpool /home/sakthi/oai_dev/common/utils/threadPool/thread-pool.c:156
#3 0x5555561d857e in main /home/sakthi/oai_dev/executables/nr-uesoftmodem.c:484
#4 0x7ffff6629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
Thread T9 created by T0 here:
#0 0x7ffff7458685 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x5555562af86a in threadCreate /home/sakthi/oai_dev/common/utils/system.c:265
#2 0x55555676c605 in itti_create_task /home/sakthi/oai_dev/common/utils/ocp_itti/intertask_interface.cpp:317
#3 0x5555561cf681 in create_tasks_nrue /home/sakthi/oai_dev/executables/nr-uesoftmodem.c:201
#4 0x5555561d887e in main /home/sakthi/oai_dev/executables/nr-uesoftmodem.c:510
#5 0x7ffff6629d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
SUMMARY: AddressSanitizer: heap-use-after-free /home/sakthi/oai_dev/openair2/LAYER2/NR_MAC_UE/nr_ue_scheduler.c:1966 in get_nr_prach_info_from_ssb_index
Shadow bytes around the buggy address:
0x10007c8f92b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x10007c8f92c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x10007c8f92d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x10007c8f92e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x10007c8f92f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x10007c8f9300:[fd]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007c8f9310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007c8f9320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007c8f9330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007c8f9340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x10007c8f9350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2531496==ABORTING
[Thread 0x7fffe5b2f640 (LWP 2531587) exited]
[Thread 0x7fffebd18640 (LWP 2531555) exited]
[Thread 0x7fffec519640 (LWP 2531554) exited]
[Thread 0x7fffecd1a640 (LWP 2531553) exited]
[Thread 0x7fffed51b640 (LWP 2531552) exited]
[Thread 0x7fffedd1c640 (LWP 2531549) exited]
[Thread 0x7fffee51d640 (LWP 2531546) exited]
[Thread 0x7fffef8f8640 (LWP 2531525) exited]
[Thread 0x7ffff00f9640 (LWP 2531522) exited]
[Thread 0x7ffff08fa640 (LWP 2531519) exited]
[Thread 0x7ffff10fb640 (LWP 2531516) exited]
[Thread 0x7ffff18fc640 (LWP 2531513) exited]
[Thread 0x7ffff20fd640 (LWP 2531510) exited]
[Thread 0x7ffff28fe640 (LWP 2531507) exited]
[Thread 0x7ffff30ff640 (LWP 2531504) exited]
[Thread 0x7ffff7eaa440 (LWP 2531496) exited]
[Thread 0x7fffe5298640 (LWP 2531592) exited]
[New process 2531496]
[Inferior 1 (process 2531496) exited with code 01]
The timer expires sometimes with ASan (maybe because the execution is slow?), but the heap-use-after-free is the main issue here.
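To make the interleaving in the trace concrete: thread T9 (the rrc_nrue ITTI task) frees the SSB-to-RO map in reset_mac_inst when T300 expires, while thread T8 (a thread-pool worker running processSlotTX) is still reading that map in get_nr_prach_info_from_ssb_index on behalf of the PRACH scheduler. The map was allocated by the same T9 in build_ssb_list when SIB1 was applied. The C program below is an added example, not OAI code, that recreates that pattern in miniature with the lookup made safe: the map is installed or freed only under a mutex, reset leaves the pointer NULL, and the scheduler copies the entry it needs out under the same lock instead of holding a pointer into the map. All struct, field and function names (ue_mac_t, mac_config_sib1, mac_reset, mac_get_prach_info, lifecycle_check, run_race) and the RO field values are this example's own assumptions.

```c
/* Added example, not OAI code: the T300-reset vs PRACH-scheduler interleaving from
 * the ASan report above, recreated in miniature with the lookup made safe. rrc_thread
 * mirrors T9, scheduler_thread mirrors T8; every name and field here is assumed. */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_SSB 64
typedef struct { int frame, slot, symbol, fdm; } ro_t;   /* toy RACH occasion */

typedef struct {
  ro_t *ssb_to_ro;       /* heap array; NULL whenever no SIB1 config is active */
  int n_ssb;
  pthread_mutex_t lock;  /* serialises config/reset against scheduler reads */
} ue_mac_t;
#define UE_MAC_INIT { NULL, 0, PTHREAD_MUTEX_INITIALIZER }

/* Stand-in for build_ssb_to_ro_map() after SIB1: install the map under the lock. */
void mac_config_sib1(ue_mac_t *mac, int n_ssb) {
  ro_t *map = calloc((size_t)n_ssb, sizeof *map);
  if (!map) abort();
  for (int i = 0; i < n_ssb; i++)
    map[i] = (ro_t){ .frame = 343, .slot = 19, .symbol = 0, .fdm = i % 8 };
  pthread_mutex_lock(&mac->lock);
  free(mac->ssb_to_ro);              /* replace any previous config */
  mac->ssb_to_ro = map;
  mac->n_ssb = n_ssb;
  pthread_mutex_unlock(&mac->lock);
}

/* Stand-in for reset_mac_inst() on T300 expiry: free under the same lock and leave
 * the pointer NULL so a later lookup fails cleanly instead of reading freed memory. */
void mac_reset(ue_mac_t *mac) {
  pthread_mutex_lock(&mac->lock);
  free(mac->ssb_to_ro);
  mac->ssb_to_ro = NULL;
  mac->n_ssb = 0;
  pthread_mutex_unlock(&mac->lock);
}

/* Scheduler-side lookup: copies the entry out under the lock. The caller never keeps
 * a pointer into the map, so a concurrent reset cannot leave it dangling. */
bool mac_get_prach_info(ue_mac_t *mac, int ssb_index, ro_t *out) {
  bool ok = false;
  pthread_mutex_lock(&mac->lock);
  if (mac->ssb_to_ro && ssb_index >= 0 && ssb_index < mac->n_ssb) {
    *out = mac->ssb_to_ro[ssb_index];
    ok = true;
  }
  pthread_mutex_unlock(&mac->lock);
  return ok;
}

/* Single-threaded lifecycle check; returns 0 when every step behaves as intended. */
int lifecycle_check(void) {
  ue_mac_t m = UE_MAC_INIT; ro_t ro;
  if (mac_get_prach_info(&m, 0, &ro)) return 1;          /* no SIB1 yet */
  mac_config_sib1(&m, 8);
  if (!mac_get_prach_info(&m, 5, &ro) || ro.fdm != 5) return 2;
  if (mac_get_prach_info(&m, 8, &ro)) return 3;          /* index out of range */
  mac_reset(&m);                                         /* T300 expiry */
  if (mac_get_prach_info(&m, 5, &ro)) return 4;          /* must not touch freed map */
  return 0;
}

struct worker { ue_mac_t *mac; long iters, hits; };
static void *rrc_thread(void *p) {          /* T9: SIB1 config, then reset, repeatedly */
  struct worker *w = p;
  for (long i = 0; i < w->iters; i++) { mac_config_sib1(w->mac, MAX_SSB); mac_reset(w->mac); }
  return NULL;
}

static void *scheduler_thread(void *p) {    /* T8: one PRACH lookup per "slot" */
  struct worker *w = p;
  ro_t ro;
  for (long i = 0; i < w->iters; i++)
    if (mac_get_prach_info(w->mac, (int)(i % MAX_SSB), &ro)) w->hits++;
  return NULL;
}

/* Runs both threads against one MAC instance; returns how many lookups found a live
 * map (0..iters). With the mutex calls removed, this reproduces the racy read pattern
 * that ASan flagged above. */
long run_race(long iters) {
  ue_mac_t mac = UE_MAC_INIT;
  struct worker rrc = { &mac, iters, 0 }, sch = { &mac, iters, 0 };
  pthread_t t1, t2;
  pthread_create(&t1, NULL, rrc_thread, &rrc);
  pthread_create(&t2, NULL, scheduler_thread, &sch);
  pthread_join(t1, NULL); pthread_join(t2, NULL);
  mac_reset(&mac);                          /* free whatever the last config left */
  return sch.hits;
}

int main(void) {
  printf("lifecycle check: %d\n", lifecycle_check());
  printf("scheduler saw a live map in %ld of 20000 lookups\n", run_race(20000));
  return 0;
}
```

Build it with -fsanitize=address -pthread and it runs clean; delete the pthread_mutex_lock/unlock calls in mac_get_prach_info and mac_reset and the stress loop in run_race can hit the same class of heap-use-after-free read that the report shows at nr_ue_scheduler.c:1966. The lifecycle check also shows the second half of the fix: after a reset the lookup reports "no config" instead of dereferencing a stale pointer, which is what the PRACH scheduler needs when T300 expiry tears the MAC down between slots.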