srsran / srsRAN_Project

Open source O-RAN 5G CU/DU solution from Software Radio Systems (SRS) https://docs.srsran.com/projects/project
https://www.srsran.com
GNU Affero General Public License v3.0

srsGNB out-of-bound shift problem in pseudo_random_generator #635

Closed lbm98 closed 3 weeks ago

lbm98 commented 6 months ago

Issue Description

srsGNB does an out-of-bound shift within the random number generator at the two places: https://github.com/srsran/srsRAN_Project/blob/f3ed07a5a6f04245a57ca667194e1a3bf9684149/lib/phy/upper/sequence_generators/pseudo_random_generator_impl.cpp#L127 https://github.com/srsran/srsRAN_Project/blob/f3ed07a5a6f04245a57ca667194e1a3bf9684149/lib/phy/upper/sequence_generators/pseudo_random_generator_impl.cpp#L299

Setup Details

Can be reproduced by compiling the test suite with UndefinedBehaviorSanitizer enabled and executing the following test suite.

cmake \
    -B build-ubsan \
    -G Ninja \
    -DCMAKE_CXX_COMPILER=clang++ \
    -DCMAKE_CXX_FLAGS="-fsanitize=undefined -fno-sanitize-recover=all"

Expected Behavior

The shift stays in-bound of the data type.

Actual Behaviour

UndefinedBehaviorSanitizer generates the following two errors:

runtime error: shift exponent 4294967288 is too large for 32-bit type 'uint32_t' (aka 'unsigned int')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /srs/srsRAN_Project/lib/phy/upper/sequence_generators/pseudo_random_generator_impl.cpp:127:33
runtime error: shift exponent 4294967288 is too large for 32-bit type 'uint32_t' (aka 'unsigned int')
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /srs/srsRAN_Project/lib/phy/upper/sequence_generators/pseudo_random_generator_impl.cpp:299:50

Steps to reproduce the problem

Covered in setup details.

Additional Information

Out-of-bound shifts are undefined behavior which can lead to a security vulnerability.
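The defect class the report describes, as an added illustration that is not srsRAN code: a shift count that has wrapped around in unsigned arithmetic (the 4294967288 in the sanitizer log is -8 stored as uint32_t), the range check a reviewer applies to such a count, and a hypothetical bit-packing helper that keeps every shift count inside 0..31. The `32 - 40` arithmetic is a constructed way of producing that value, not the project's actual expression, and `pack_bits` is not the project's pseudo_random_generator.

```cpp
#include <algorithm>
#include <cstdint>
#include <vector>

constexpr unsigned kWordBits = 32;

// A shift on uint32_t is defined only for counts 0..31. The count in the
// report, 4294967288, is what -8 becomes once it is stored in a uint32_t.
bool shift_count_in_range(uint32_t count) { return count < kWordBits; }

// Constructed reproduction of that wrapped count (not the project's
// arithmetic): asking for 40 bits out of a 32-bit word in unsigned maths.
uint32_t wrapped_count_example() {
  uint32_t word_bits = kWordBits;
  uint32_t requested = 40;
  return word_bits - requested;  // wraps to 4294967288, never negative
}

// Right shift whose count may be anything; counts >= 32 yield 0 instead of UB.
uint32_t shr_bounded(uint32_t value, uint32_t count) {
  return shift_count_in_range(count) ? value >> count : 0u;
}

// Mask of the low `nbits` bits for nbits in 0..32 inclusive.
// Writing it as 0xFFFFFFFFu >> (32 - nbits) is UB at nbits == 0.
uint32_t low_mask(unsigned nbits) {
  return shr_bounded(0xFFFFFFFFu, kWordBits - std::min(nbits, kWordBits));
}

// Hypothetical helper: packs one-bit-per-byte input into 32-bit words, LSB
// first. The last word may be partial; its width goes through low_mask, so no
// shift count derived from "remaining bits" ever reaches the hardware shift.
std::vector<uint32_t> pack_bits(const std::vector<uint8_t>& bits) {
  std::vector<uint32_t> words;
  for (size_t start = 0; start < bits.size(); start += kWordBits) {
    unsigned n = static_cast<unsigned>(std::min<size_t>(kWordBits, bits.size() - start));
    uint32_t w = 0;
    for (unsigned i = 0; i < n; ++i) w |= static_cast<uint32_t>(bits[start + i] & 1u) << i;
    words.push_back(w & low_mask(n));
  }
  return words;
}

// Constructed sample: 40 set bits -> one full word plus an 8-bit tail.
bool pack_bits_sample_ok() {
  std::vector<uint32_t> words = pack_bits(std::vector<uint8_t>(40, 1));
  return words.size() == 2 && words[0] == 0xFFFFFFFFu && words[1] == 0xFFu;
}
```

Building this with `-fsanitize=undefined` as in the report stays silent because the only wrap is an unsigned subtraction, which is defined, and every shift count is checked before use.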

pgawlowicz commented 2 months ago

@lbm98 Could you check if the issue is still present?