
Field information of struct `qitem_lte_rrc`


I am reading the fuzz task for LTE RRC, and I have some questions about the queue item structure used in this fuzzer.

  1. What are the possible valid values for the field pdu_type?
  2. Does the field asn_pl follow the following ASN.1 format from the RRCConnectionReconfiguration payload? source

     ```asn1
     RRCConnectionReconfiguration ::= SEQUENCE {
         rrc-TransactionIdentifier    RRC-TransactionIdentifier,
         criticalExtensions           CHOICE {
             c1                       CHOICE {
                 rrcConnectionReconfiguration-r8    RRCConnectionReconfiguration-r8-IEs,
                 spare7 NULL,
                 spare6 NULL, spare5 NULL, spare4 NULL,
                 spare3 NULL, spare2 NULL, spare1 NULL
             },
             criticalExtensionsFuture SEQUENCE {}
         }
     }
     ```

Can you provide an example queue item?

Issue Analytics

  • State: open
  • Created: 2 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

3 reactions
mariusmue commented, Mar 18, 2022

Unfortunately, it’s a bit more complex in this scenario. There are two important things to consider here:

  1. The op for the message can change across baseband versions. To automate and ease our lives, we hence included SYM_LTERRC_INT_MOB_CMD_HO_FROM_IRAT_MSG_ID in PatternDB.
  2. The payload structure for baseband internal messages to the LTE_RRC task changes depending on the used op. For fuzzing, we used LTERRC_INT_MOB_CMD_HO_FROM_IRAT_MSG_ID - unfortunately, the payload for messages of this type behaves differently from what send_rrc expects.

We never really injected LTERRC_INT_MOB_CMD_HO_FROM_IRAT_MSG_ID from guestlink, but I did some experiments and the things below should work. This follows the message description as described in the source code for the fuzz task.

```python
import struct  # needed for packing the message header below

# change logging to only include relevant parts
self.guest_logger.task_log_disable_all()
self.guest_logger.task_log_enable('LteRrc')

# our variables
asn_pl = b"\x20\x1b\x3f\x80\x00\x00\x00\x01\xa9\x08\x80\x00\x00\x29\x00\x97\x80\x00\x00\x00\x01\x04\x22\x14\x00\xf8\x02\x0a\xc0\x60\x00\xa0\x0c\x80\x42\x02\x9f\x43\x07\xda\xbc\xf8\x4b\x32\x18\x34\xc0\x00\x2d\x68\x08\x5e\x18\x00\x16\x80\x00"
unused = 0
pdu = 0  # You will need to change this. Either static baseband RE, or trying and checking FirmWire's output
op = self.loader.symbol_table.lookup('SYM_LTERRC_INT_MOB_CMD_HO_FROM_IRAT_MSG_ID').address

# create clean working state
self.restore_snapshot('interactive')
gl = self.get_peripheral('glink')

# we will need an allocated chunk in memory to hold the ASN payload
gl.create_block(len(asn_pl))
self.run_for(1)
block_addr = gl.access
self.qemu.wm(block_addr, 1, asn_pl, raw=True)

# Create message as described in fuzz task header
pl = struct.pack('<IIII', unused, pdu, len(asn_pl), block_addr)

# Send the message in the right format (which is, a "direct" message whose pl is UNUSED+PDU+LEN+*ASN_PL)
gl.send_queue_op(False, 'LTERRC', op, 0, pl)
gl.set_event('LTE_RRC_')  # LTE RRC messages need to have an event set
self.run_for(1)
```

Running the above code from the console results, on my end, in the following output:

```
[2491.02450] 575 total log lines omitted [Background=104 INTERACTIVE=104 MTI=101 HISR2=54 CDMOT=50 BTL=40 DS_DBG_SAP=30 RLC=29 LTE_TCPIP=24 DBG_SAP=21 ...]
[2491.02462][LteRrc] pal_TaskEntry_LteRrc+0x91 (0x408c193b) 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]DrxStart: gDrxRrc_Flag 0 gDrxL1_Flag 1 gDrxRrc_SaveL1Flag 1
[2491.02569][LteRrc] LteRrc_ProcRxMsgFn+0x153 (0x40e648e7) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommDb.c] - [MAIN][LTERRC_INT_MOB_CMD_HO_FROM_IRAT] RegAllocList
[2491.02677][LteRrc] 0x408bf785 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN][RxMsg SelectMsgQ] Select LteRrc_CurMsgQ
[2491.02737][LteRrc] LteRrc_ReceiveMsg+0x8b9 (0x408c04e9) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN][RxMsg GetMsgDesc] LTERRC_RADIO_MSG_TYPE:: No MsgDesc
[2491.02796][LteRrc] LteRrc_DisplayRxMsg+0x303 (0x408bd01f) 0b11: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN][RX][DO] 1. [LTERRC] <== LTERRC_INT_MOB_CMD_HO_FROM_IRAT (0xc3a0)[Init][Wait Msg]
[2491.02859][LteRrc] LteRrcDsds_CheckIsProcStart+0xa9 (0x40904b91) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_ProcDsds.c] - [MAIN][LTE RRC DSRC] LteRrcDsds_CheckIsProcStart msgtype(4)
[2491.02919][LteRrc] LteRrcProAsnDecode+0x4f (0x40827b81) 0b101: [../../../../../../CALPSS/LteL3/LteRrc/asn/arm/Code/Rel1510/src/LteRrc_Codec.c] - LteRrcProAsnDecode (pdu: 6)
[2491.02963][LteRrc] AsnMemAlloc+0x5d (0x411e8a8d) 0b10: [../../../PALCommon/C-Common/StackCommon/Common/Code/src/smpfp_AsnCodecInterface.c] - PROASN_MALLOC Addr:0x4439C020 PDU:6 size:1532
[2491.03007][LteRrc] TraceAsnDecode+0x3b (0x411e8c49) 0b10: [../../../PALCommon/C-Common/StackCommon/Common/Code/src/smpfp_AsnCodecInterface.c] - Output(0x0) from Buffer(0x20) with unpackingLen(1)/unpackedLen(1) @line 121912 (BitUnpacking8)
[2491.03033][LteRrc] TraceAsnDecode+0x3b (0x411e8c49) 0b10: [../../../PALCommon/C-Common/StackCommon/Common/Code/src/smpfp_AsnCodecInterface.c] - Output(0x1) from Buffer(0x1B) with unpackingLen(2)/unpackedLen(3) @line 121919 (BitUnpacking8)
[2491.03058][LteRrc] TraceAsnDecode+0x3b (0x411e8c49) 0b10: [../../../PALCommon/C-Common/StackCommon/Common/Code/src/smpfp_AsnCodecInterface.c] - Output(0x0) from Buffer(0x1B) with unpackingLen(1)/unpackedLen(4) @line 25854 (BitUnpacking8)
[2491.03083][LteRrc] TraceAsnDecode+0x3b (0x411e8c49) 0b10: [../../../PALCommon/C-Common/StackCommon/Common/Code/src/smpfp_AsnCodecInterface.c] - Output(0x0) from Buffer(0x1B) with unpackingLen(1)/unpackedLen(5) @line 18270 (BitUnpacking8)
[2491.03119][LteRrc] LteRrcAsn_DecodeMsg+0xbd (0x40d7d2cb) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommUtil.c] - [MAIN]LteRrc_ProAsnDecode: Success
[2491.03155][LteRrc] LteRrcAsn_DecodeMsg+0x1d9 (0x40d7d3e7) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommUtil.c] - [MAIN]LteRrc_ProAsnDecode Success, pdu(6) unpackedLen(5 bits)
[2491.03189][LteRrc] LteRrc_ProcessDlAsn1Msg+0xe9 (0x408c0b6d) 0b0: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN][ProAsn] LteRrc_ProcessDlAsn1Msg (DecodedData: 0x4439c020)
[2491.03242][LteRrc] LteRrcUtil_SaveDmCurRadioMsg+0x89 (0x40d7f8f1) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommUtil.c] - [MAIN]LteRrcUtil_SaveDmCurRadioMsg direction (2)
[2491.03296][LteRrc] LteRrc_ProcRxMsgFn+0x153 (0x40e648e7) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommDb.c] - [MAIN][RRCConnectionReestablishmentReject] RegAllocList
[2491.03476][LteRrc] LteRrcUtil_ProcDm+0xc1 (0x40d803a9) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommUtil.c] - [MAIN][DM] UECAPA CAT TbInx(11) will be discarded
[2491.03562][LteRrc] LteRrcMsg_GenSendNsMsg+0x29d (0x40e07cfb) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommMsgSend.c] - [MAIN]RRC StackId(0) MsgId(49180)
[2491.03596][LteRrc] LteRrcMsg_SendTo+0x169 (0x40e09a33) pal_MsgSendTo(DBG_SAP (169)) - UNKNOWN TYPE 0x5
[2491.03645][LteRrc] LteRrcMsg_Send+0x6ff (0x40e0a1e5) 0b11: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommMsgSend.c] - [MAIN][TX][DO] 2. [LTERRC] ==> NS_DM_RRC_STATE_VARIABLE_INFO_EVENT (0xc01c)[Init][Wait Msg]
[2491.03707][LteRrc] LteRrcMsg_GenSendNsMsg+0x29d (0x40e07cfb) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommMsgSend.c] - [MAIN]RRC StackId(0) MsgId(49182)
[2491.03734][LteRrc] LteRrcMsg_SendTo+0x169 (0x40e09a33) pal_MsgSendTo(DBG_SAP (169)) - UNKNOWN TYPE 0x5
[2491.03769][LteRrc] LteRrcMsg_Send+0x6ff (0x40e0a1e5) 0b11: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommMsgSend.c] - [MAIN][TX][DO] 3. [LTERRC] ==> NS_DM_RRC_PEER_MSG_INFO_EVENT (0xc01e)[Init][Wait Msg]
[2491.03827][LteRrc] LteRrc_FreeRxMsgFunc+0x2f5 (0x408b5fd7) 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]Free LinkMsg : 0x1
[2491.03889][LteRrc] LteRrc_FreeRxMsgFunc+0x355 (0x408b6037) 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]Free Rx Msg
[2491.03944][LteRrc] pal_TaskEntry_LteRrc+0xbc1 (0x408c246b) 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]CLEAR OPFLAG :(MAIN-STATE_CHANGE_TRIGGER)
[2491.03979][LteRrc] LteRrc_SelectMsgQ+0xda5 (0x408bf025) 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN][RxMsg SelectMsgQ] Select LteRrc_SvcInternalQ
[2491.04021][LteRrc] 0x408bf785 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN][RxMsg SelectMsgQ] Select LteRrc_CurMsgQ
[2491.04075][LteRrc] LteRrc_GetDefaultHdlrDesc+0xb01 (0x408be18b) 0b0: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN][RxMsg GetMsgDesc] LteRrc_GetDefaultHdlrDesc :: No MsgDesc
[2491.04117][LteRrc] LteRrc_DisplayRxMsg+0x303 (0x408bd01f) 0b11: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN][RX][UNSUPPORT] 4. [LTERRC] <== RRCConnectionReestablishmentReject (0xc356)[Init][Wait Msg]
[2491.04159][LteRrc] LteRrc_DisplayRxMsg+0x61f (0x408bd33b) 0b0: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN][RX][UNSUPPORT] 4. [LTERRC] <== RRCConnectionReestablishmentReject (0xc356)[Init][Wait Msg]
[2491.04188][LteRrc] LteRrcDsds_CheckIsProcStart+0xa9 (0x40904b91) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_ProcDsds.c] - [MAIN][LTE RRC DSRC] LteRrcDsds_CheckIsProcStart msgtype(7)
[2491.04221][LteRrc] pal_TaskEntry_LteRrc+0x3e1 (0x408c1c8b) 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]SET OPFLAG :(MAIN-SUPP_SVC_CANCLE_DISPATCH)
[2491.04272][LteRrc] LteRrc_FreeRxMsgFunc+0x2f5 (0x408b5fd7) 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]Free LinkMsg : 0xff000001
[2491.04303][LteRrc] LteRrcAsn_FreeMsg+0x35 (0x40d7d6b5) 0b0: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommUtil.c] - [MAIN][[LteRrc_ProAsn_FreeMsg] PDU(6), decodedMsgPtr to free: 0x4439C020
[2491.04345][LteRrc] LteRrc_FreeRxMsgFunc+0x355 (0x408b6037) 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]Free Rx Msg
[2491.04389][LteRrc] pal_TaskEntry_LteRrc+0xbc1 (0x408c246b) 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]CLEAR OPFLAG :(MAIN-STATE_CHANGE_TRIGGER)
[2491.04428][LteRrc] LteRrc_SuppSvcCancleDispatch+0x69 (0x40d89907) 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_SuppSvcFrameworkCore.c] - [MAIN]_SuppSvcReleaseActiveList Expcept MAIN
[2491.04463][LteRrc] LteRrc_ReceiveMsg+0xd5 (0x408bfd05) 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]CLEAR OPFLAG :(MAIN-SUPP_SVC_CANCLE_DISPATCH)
[2491.04503][LteRrc] LteRrc_ReceiveMsg+0x16f (0x408bfd9f) 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN][ProcessMsg] LTERRC_SUPP_SVC_MSG_EMPTY
[2491.04535][LteRrc] LteRrc_Display+0x3f (0x408b5bab) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]<====================== RRC RESULT =======================>
[2491.04635][LteRrc] LteRrcUtil_DispalyListElem+0x3f (0x40d7ce43) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommUtil.c] - [MAIN]------SUPP_SVC_FORK_LIST ==> Elem :2/3------
[2491.04681][LteRrc] LteRrcUtil_DisplayAllList+0xd1 (0x40d7cf5f) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommUtil.c] - [MAIN]1.SVC : MAIN
[2491.04724][LteRrc] LteRrcUtil_DisplayAllList+0xd1 (0x40d7cf5f) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommUtil.c] - [MAIN]2.SVC : LOGMEAS
[2491.04765][LteRrc] LteRrcUtil_DispalyListElem+0x3f (0x40d7ce43) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommUtil.c] - [MAIN]------SUPP_SVC_FORK_LIST ==> Elem :2/3------
[2491.04799][LteRrc] LteRrcUtil_DispalyListElem+0x3f (0x40d7ce43) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommUtil.c] - [MAIN]------SUPP_SVC_ACTIVE_LIST ==> Elem :1/3------
[2491.04827][LteRrc] LteRrcUtil_DisplayAllList+0xd1 (0x40d7cf5f) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommUtil.c] - [MAIN]1.SVC : MAIN
[2491.04877][LteRrc] LteRrcUtil_DisplayAllList+0x227 (0x40d7d0b5) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_CommUtil.c] - [MAIN]TOTAL LIST ELEM NUM : 5
[2491.04909][LteRrc] LteRrc_Display+0x73 (0x408b5bdf) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]<=======================================================>
[2491.04958][LteRrc] LteRrc_ReceiveMsg+0x1f3 (0x408bfe23) 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN][ProcessMsg] LTERRC_MSG_EMPTY
[2491.05005][LteRrc] LteRrcSi_CheckBackgroundOperation+0x1c1 (0x40e778d5) 0b101: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_ProcSysInfo.c] - [MAIN]NOT in Background operation (M_state: 1)
[2491.05042][LteRrc] pal_TaskEntry_LteRrc+0xd23 (0x408c25cd) 0b100: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]DrxEnd: gDrxRrc_Flag 0 gDrxL1_Flag 1 gDrxRrc_SaveL1Flag 1
[2491.05073][LteRrc] pal_TaskEntry_LteRrc+0xd61 (0x408c260b) 0b0: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]Support Band num(0) band1(0) band2(0) ALPSS REL(2) Capa REL(4)
[2491.05102][LteRrc] pal_TaskEntry_LteRrc+0xd8d (0x408c2637) 0b0: [../../../CALPSS/LteL3/LteRrc/Code/src/LteRrc_Task.c] - [MAIN]Entity (88) (19) (201)
```

Note that it attempts ASN decoding, but fails, as the wrong PDU for your payload was set. (Looking at the log, pdu 0 seems to encode RRCConnectionReestablishmentReject messages.) Hope this helps!

//edit: Also, we would happily accept a PR which extends guest-link with a send_rrc_radio(pdu, pl) function 😃
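The comment above describes the payload handed to `send_queue_op` as four little-endian u32s (UNUSED, PDU, LEN, pointer to the ASN.1 payload in guest memory). The following is an added example, not FirmWire's code and not from the comment author: it packs and parses that header offline and models the allocate/write/read-back round trip against a hypothetical `FakeGuestMemory` class (a stand-in for `gl.create_block` and `qemu.wm`, which are FirmWire's), so the header and the length/pointer bookkeeping can be checked before anything is injected into the emulator. The `SAMPLE_ASN_PL` bytes are constructed and are not a real RRC message.

```python
import struct

# Header layout from the comment above: four little-endian u32s,
# UNUSED, PDU, LEN, and a guest pointer to the ASN.1 payload.
# Assumption: this mirrors the '<IIII' pack call in the comment, not FirmWire's own types.
QITEM_HDR = struct.Struct('<IIII')
U32_MAX = 0xFFFFFFFF

# Constructed sample payload for offline use; not a real RRC message.
SAMPLE_ASN_PL = bytes.fromhex("201b3f8000000001a9088000")


class FakeGuestMemory:
    """Minimal stand-in for the emulator's guest memory (gl.create_block /
    qemu.wm in the comment). Hypothetical helper, not part of FirmWire."""

    def __init__(self, base=0x4439C000):
        self._next = base
        self._blocks = {}  # addr -> bytearray

    def create_block(self, size):
        """Allocate a block and return its guest address."""
        addr = self._next
        self._blocks[addr] = bytearray(size)
        self._next += (size + 0xF) & ~0xF  # keep blocks 16-byte aligned
        return addr

    def write(self, addr, data):
        """Copy data into a previously allocated block; refuse overflows."""
        blk = self._blocks[addr]
        if len(data) > len(blk):
            raise ValueError("payload larger than allocated block")
        blk[:len(data)] = data

    def read(self, addr, length):
        """Read length bytes starting at a block's base; refuse wild reads."""
        blk = self._blocks.get(addr)
        if blk is None or length > len(blk):
            raise ValueError("read outside any allocated block")
        return bytes(blk[:length])


def build_qitem(pdu, asn_pl, block_addr, unused=0):
    """Pack the 16-byte payload that the comment hands to gl.send_queue_op()."""
    for name, value in (("pdu", pdu), ("block_addr", block_addr), ("unused", unused)):
        if not 0 <= value <= U32_MAX:
            raise ValueError(f"{name} does not fit in a u32")
    return QITEM_HDR.pack(unused, pdu, len(asn_pl), block_addr)


def parse_qitem(pl):
    """Unpack the header into named fields; rejects anything but exactly 16 bytes."""
    if len(pl) != QITEM_HDR.size:
        raise ValueError(f"expected {QITEM_HDR.size}-byte header, got {len(pl)}")
    unused, pdu, length, ptr = QITEM_HDR.unpack(pl)
    return {"unused": unused, "pdu": pdu, "len": length, "asn_pl_ptr": ptr}


def inject_and_readback(mem, pdu, asn_pl):
    """Model the round trip from the comment: allocate a block, copy the
    payload in, build the header, then read it back the way the receiving
    task would, following asn_pl_ptr for len bytes."""
    block_addr = mem.create_block(len(asn_pl))
    mem.write(block_addr, asn_pl)
    hdr = parse_qitem(build_qitem(pdu, asn_pl, block_addr))
    recovered = mem.read(hdr["asn_pl_ptr"], hdr["len"])
    return hdr, recovered


if __name__ == "__main__":
    hdr, data = inject_and_readback(FakeGuestMemory(), 0, SAMPLE_ASN_PL)
    print(hdr, data == SAMPLE_ASN_PL)
```

When moving from this model to the emulator, the only lines that change are the allocation and write (`gl.create_block` plus `self.qemu.wm` instead of `FakeGuestMemory`); the header built by `build_qitem` is byte-for-byte what the comment's `struct.pack` call produces, and the PDU value still has to be chosen as the comment says.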

0 reactions
helpcomputer1999 commented, Dec 21, 2022

How do you access the firmware DBG messages while running in Console mode? The documentation does not make this clear.
