| Message ID | 20220518112553.16962-1-dceara@redhat.com |
|---|---|
| State | Accepted |
| Commit | 336d7dd7cc6f2eb4a10601bff6ab74449324ba0e |
| Headers | show |
| Series | [ovs-dev,v2] dynamic-string: Fix undefined behavior due to offsetting null pointer. | expand |
| Context | Check | Description |
|---|---|---|
| ovsrobot/apply-robot | success | apply and check: success |
| ovsrobot/github-robot-_Build_and_Test | fail | github build: failed |
| ovsrobot/intel-ovs-compilation | success | test: success |
On 5/18/22 13:25, Dumitru Ceara wrote: > When compiled with clang and '-fsanitize=undefined' set, running > 'ovsdb-client --timestamp monitor Open_vSwitch' in a sandbox triggers > the following undefined behavior (flagged by UBSan): > > lib/dynamic-string.c:207:38: runtime error: applying zero offset to null pointer > #0 0x4ebc18 in ds_put_strftime_msec lib/dynamic-string.c:207:38 > #1 0x4ebd04 in xastrftime_msec lib/dynamic-string.c:225:5 > #2 0x552e6a in table_format_timestamp__ lib/table.c:226:12 > #3 0x552852 in table_print_timestamp__ lib/table.c:233:27 > #4 0x5506f3 in table_print_table__ lib/table.c:254:5 > #5 0x550633 in table_format lib/table.c:601:9 > #6 0x5524f3 in table_print lib/table.c:633:5 > #7 0x44dc5e in monitor_print_table ovsdb/ovsdb-client.c:1019:5 > #8 0x44c650 in monitor_print ovsdb/ovsdb-client.c:1040:13 > #9 0x44ac56 in do_monitor__ ovsdb/ovsdb-client.c:1500:21 > #10 0x44636e in do_monitor ovsdb/ovsdb-client.c:1575:5 > #11 0x442c41 in main ovsdb/ovsdb-client.c:283:5 > > Reported-by: Ilya Maximets <i.maximets@ovn.org> > Signed-off-by: Dumitru Ceara <dceara@redhat.com> > --- > v2: > - Use Adrian's suggestion. > - Fixed commit log to use the backtrace matching the ovsdb-client > reproducer. Applied to master and branch-2.17. Thanks! Best regards, Ilya Maximets.
diff --git a/lib/dynamic-string.c b/lib/dynamic-string.c index 6940e1fd63bd..3b4520f87c35 100644 --- a/lib/dynamic-string.c +++ b/lib/dynamic-string.c @@ -202,10 +202,11 @@ ds_put_strftime_msec(struct ds *ds, const char *template, long long int when, localtime_msec(when, &tm); } + ds_reserve(ds, 64); for (;;) { - size_t avail = ds->string ? ds->allocated - ds->length + 1 : 0; - size_t used = strftime_msec(&ds->string[ds->length], avail, template, - &tm); + size_t avail = ds->allocated - ds->length + 1; + char *dest = &ds->string[ds->length]; + size_t used = strftime_msec(dest, avail, template, &tm); if (used) { ds->length += used; return;
When compiled with clang and '-fsanitize=undefined' set, running 'ovsdb-client --timestamp monitor Open_vSwitch' in a sandbox triggers the following undefined behavior (flagged by UBSan): lib/dynamic-string.c:207:38: runtime error: applying zero offset to null pointer #0 0x4ebc18 in ds_put_strftime_msec lib/dynamic-string.c:207:38 #1 0x4ebd04 in xastrftime_msec lib/dynamic-string.c:225:5 #2 0x552e6a in table_format_timestamp__ lib/table.c:226:12 #3 0x552852 in table_print_timestamp__ lib/table.c:233:27 #4 0x5506f3 in table_print_table__ lib/table.c:254:5 #5 0x550633 in table_format lib/table.c:601:9 #6 0x5524f3 in table_print lib/table.c:633:5 #7 0x44dc5e in monitor_print_table ovsdb/ovsdb-client.c:1019:5 #8 0x44c650 in monitor_print ovsdb/ovsdb-client.c:1040:13 #9 0x44ac56 in do_monitor__ ovsdb/ovsdb-client.c:1500:21 #10 0x44636e in do_monitor ovsdb/ovsdb-client.c:1575:5 #11 0x442c41 in main ovsdb/ovsdb-client.c:283:5 Reported-by: Ilya Maximets <i.maximets@ovn.org> Signed-off-by: Dumitru Ceara <dceara@redhat.com> --- v2: - Use Adrian's suggestion. - Fixed commit log to use the backtrace matching the ovsdb-client reproducer. --- lib/dynamic-string.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)