From 8c2f159809118c6054852d5086582a19be39a2b2 Mon Sep 17 00:00:00 2001
From: Honggang Li <honli@redhat.com>
Date: Fri, 18 Dec 2020 05:18:55 -0800
Subject: [PATCH 2/2] src/common.c: fix a stack-buffer-overflow issue
ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff4c61e7e0 at pc 0x14f2cb7ae0b9 bp 0x7fff4c61e650 sp 0x7fff4c61ddd8
WRITE of size 17 at 0x7fff4c61e7e0 thread T0
#0 0x14f2cb7ae0b8 (/lib64/libasan.so.5+0xb40b8)
#1 0x14f2cb7aedd2 in vsscanf (/lib64/libasan.so.5+0xb4dd2)
#2 0x14f2cb7aeede in __interceptor_sscanf (/lib64/libasan.so.5+0xb4ede)
#3 0x14f2cb230766 in ofi_addr_format src/common.c:401
#4 0x14f2cb233238 in ofi_str_toaddr src/common.c:780
#5 0x14f2cb314332 in vrb_handle_ib_ud_addr prov/verbs/src/verbs_info.c:1670
#6 0x14f2cb314332 in vrb_get_match_infos prov/verbs/src/verbs_info.c:1787
#7 0x14f2cb314332 in vrb_getinfo prov/verbs/src/verbs_info.c:1841
#8 0x14f2cb21fc28 in fi_getinfo_ src/fabric.c:1010
#9 0x14f2cb25fcc0 in ofi_get_core_info prov/util/src/util_attr.c:298
#10 0x14f2cb269b20 in ofix_getinfo prov/util/src/util_attr.c:321
#11 0x14f2cb3e29fd in rxd_getinfo prov/rxd/src/rxd_init.c:122
#12 0x14f2cb21fc28 in fi_getinfo_ src/fabric.c:1010
#13 0x407150 in ft_getinfo common/shared.c:794
#14 0x414917 in ft_init_fabric common/shared.c:1042
#15 0x402f40 in run functional/bw.c:155
#16 0x402f40 in main functional/bw.c:252
#17 0x14f2ca1b28e2 in __libc_start_main (/lib64/libc.so.6+0x238e2)
#18 0x401d1d in _start (/root/libfabric/fabtests/functional/fi_bw+0x401d1d)
Address 0x7fff4c61e7e0 is located in stack of thread T0 at offset 48 in frame
#0 0x14f2cb2306f3 in ofi_addr_format src/common.c:397
This frame has 1 object(s):
[32, 48) 'fmt' <== Memory access at offset 48 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/lib64/libasan.so.5+0xb40b8)
Shadow bytes around the buggy address:
0x1000698bbca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000698bbcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000698bbcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000698bbcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000698bbce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000698bbcf0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00[f2]f2 f3 f3
0x1000698bbd00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x1000698bbd10: f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2
0x1000698bbd20: f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2
0x1000698bbd30: f2 f2 00 00 00 00 00 06 f2 f2 f2 f2 f2 f2 00 00
0x1000698bbd40: 00 00 00 06 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Fixes: 5d31276f7304 ("common: Redo address string conversions")
Signed-off-by: Honggang Li <honli@redhat.com>
---
src/common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/common.c b/src/common.c
index 4c54dc2dec68..3964cf1f7b4b 100644
--- a/src/common.c
+++ b/src/common.c
@@ -395,14 +395,14 @@ sa_sin6:
uint32_t ofi_addr_format(const char *str)
{
- char fmt[16];
+ char fmt[17];
int ret;
+ memset(fmt, 0, sizeof(fmt));
ret = sscanf(str, "%16[^:]://", fmt);
if (ret != 1)
return FI_FORMAT_UNSPEC;
- fmt[sizeof(fmt) - 1] = '\0';
if (!strcasecmp(fmt, "fi_sockaddr_in"))
return FI_SOCKADDR_IN;
else if (!strcasecmp(fmt, "fi_sockaddr_in6"))
--
2.25.4