From: Dumitru Ceara
To: dev@openvswitch.org
Cc: i.maximets@ovn.org
Date: Wed, 18 May 2022 13:25:53 +0200
Message-Id: <20220518112553.16962-1-dceara@redhat.com>
Subject: [ovs-dev] [PATCH v2] dynamic-string: Fix undefined behavior due to offsetting null pointer.
X-Patchwork-Submitter: Dumitru Ceara
X-Patchwork-Id: 1632780

When compiled with clang and '-fsanitize=undefined' set, running
'ovsdb-client --timestamp monitor Open_vSwitch' in a sandbox triggers
the following undefined behavior (flagged by UBSan):

  lib/dynamic-string.c:207:38: runtime error: applying zero offset to null pointer
      #0 0x4ebc18 in ds_put_strftime_msec lib/dynamic-string.c:207:38
      #1 0x4ebd04 in xastrftime_msec lib/dynamic-string.c:225:5
      #2 0x552e6a in table_format_timestamp__ lib/table.c:226:12
      #3 0x552852 in table_print_timestamp__ lib/table.c:233:27
      #4 0x5506f3 in table_print_table__ lib/table.c:254:5
      #5 0x550633 in table_format lib/table.c:601:9
      #6 0x5524f3 in table_print lib/table.c:633:5
      #7 0x44dc5e in monitor_print_table ovsdb/ovsdb-client.c:1019:5
      #8 0x44c650 in monitor_print ovsdb/ovsdb-client.c:1040:13
      #9 0x44ac56 in do_monitor__ ovsdb/ovsdb-client.c:1500:21
      #10 0x44636e in do_monitor ovsdb/ovsdb-client.c:1575:5
      #11 0x442c41 in main ovsdb/ovsdb-client.c:283:5

Reported-by: Ilya Maximets
Signed-off-by: Dumitru Ceara
---
v2:
- Use Adrian's suggestion.
- Fixed commit log to use the backtrace matching the ovsdb-client reproducer.
---
 lib/dynamic-string.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/lib/dynamic-string.c b/lib/dynamic-string.c index 6940e1fd63bd..3b4520f87c35 100644 --- a/lib/dynamic-string.c +++ b/lib/dynamic-string.c @@ -202,10 +202,11 @@ ds_put_strftime_msec(struct ds *ds, const char *template, long long int when, localtime_msec(when, &tm); } + ds_reserve(ds, 64); for (;;) { - size_t avail = ds->string ? ds->allocated - ds->length + 1 : 0; - size_t used = strftime_msec(&ds->string[ds->length], avail, template, - &tm); + size_t avail = ds->allocated - ds->length + 1; + char *dest = &ds->string[ds->length]; + size_t used = strftime_msec(dest, avail, template, &tm); if (used) { ds->length += used; return;
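
Review bot: The new `ds_reserve(ds, 64);` ahead of the loop carries an unexplained constant and no comment, yet the rest of the hunk now depends on it. With the `ds->string ? ... : 0` guard removed, both `avail = ds->allocated - ds->length + 1` and `char *dest = &ds->string[ds->length]` are only well defined if that call has left `ds->string` non-NULL. Please add a one-line comment above the call saying it exists to guarantee a non-NULL buffer before the pointer is offset, and say why 64 was chosen (or use a named constant), so a later cleanup does not drop the call as a mere size hint and bring back the UBSan report quoted in the commit message. The commit message could also state explicitly that the fix relies on this guarantee rather than on a NULL check.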