Tarantool development patches archive
From: Serge Petrenko <sergepetrenko@tarantool.org>
To: Vladislav Shpilevoy <v.shpilevoy@tarantool.org>
Cc: tarantool-patches@dev.tarantool.org
Subject: Re: [Tarantool-patches] [PATCH] backtrace: fix out of bounds access on backtrace printing
Date: Tue, 26 Nov 2019 15:09:01 +0300
Message-ID: <7524BAB0-1441-437A-A07E-2693F80D751D@tarantool.org>
In-Reply-To: <ac498885-4d26-38dd-ff93-705a9457686e@tarantool.org>

Hi! Thank you for review!

> On 26 Nov 2019, at 2:02, Vladislav Shpilevoy <v.shpilevoy@tarantool.org> wrote:
> 
> Hi! Thanks for the patch!
> 
> Perhaps the zero termination was done for a case,
> when the cycle in backtrace() does not run even one
> iteration. For example, if unw_step() returns an
> error. Then the buffer is not terminated. So I think
> it is better to keep *p = 0, but do it before the
> cycle.

True, here’s the new patch:

snprintf always null-terminates the passed string, and it also returns
the number of bytes that "would have been written if there was enough
space", so not only do we not have to null-terminate the string, but even
more so we shouldn't do it erroneously. The only case when a string
should be null-terminated manually is when the print cycle doesn't run
at all, so move the termination before the cycle.

Closes #4636
---
 src/lib/core/backtrace.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lib/core/backtrace.cc b/src/lib/core/backtrace.cc
index 57e541c25..77f77b05c 100644
--- a/src/lib/core/backtrace.cc
+++ b/src/lib/core/backtrace.cc
@@ -143,6 +143,7 @@ backtrace()
 	char *p = backtrace_buf;
 	char *end = p + sizeof(backtrace_buf) - 1;
 	int unw_status;
+	*p = '\0';
 	while ((unw_status = unw_step(&unw_cur)) > 0) {
 		const char *proc;
 		old_sp = sp;
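Review bot: the new `*p = '\0';` is placed correctly for the zero-iteration case raised in review (unw_step() failing on its first call), but next to snprintf-based writes it will look redundant to a later reader; a one-line comment above it saying it only matters when the loop body never runs would keep the next cleanup from deleting it again.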
@@ -173,7 +174,6 @@ backtrace()
 		say_debug("unwinding error: %i", unw_status);
 #endif
 out:
-	*p = '\0';
 	return backtrace_buf;
 }
 
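Review bot: the removed store at `out:` is the out-of-bounds write named in the subject, yet nothing in this hunk shows how `p` can end up beyond `end`; the commit message should spell out that, on truncation, the return value of snprintf it mentions exceeds the remaining space, so a cursor advanced by it points past the buffer and the trailing `*p = '\0'` lands outside `backtrace_buf`. Without that sentence the hunk reads like a harmless cleanup.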
-- 
2.21.0 (Apple Git-122)  

> 
> On 25/11/2019 17:27, Serge Petrenko wrote:
>> snprintf always null-terminates the passed string, and it also returns
>> the number of bytes that "would have been written if there was enough
>> space", so not only do we not have to null-terminate the string, but even
>> more so we shouldn't do it erroneously.
>> 
>> Closes #4636
>> ---
>> https://github.com/tarantool/tarantool/issues/4636
>> https://github.com/tarantool/tarantool/tree/sp/gh-4636-bt-print-fix
>> 
>> src/lib/core/backtrace.cc | 1 -
>> 1 file changed, 1 deletion(-)
>> 
>> diff --git a/src/lib/core/backtrace.cc b/src/lib/core/backtrace.cc
>> index 57e541c25..903ffb79c 100644
>> --- a/src/lib/core/backtrace.cc
>> +++ b/src/lib/core/backtrace.cc
>> @@ -173,7 +173,6 @@ backtrace()
>> 		say_debug("unwinding error: %i", unw_status);
>> #endif
>> out:
>> -	*p = '\0';
>> 	return backtrace_buf;
>> }
>> 
>> 
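Review bot: with the store at `out:` removed and nothing written before the loop, `backtrace_buf` is returned unterminated whenever `unw_step()` fails before the first iteration, which is exactly the gap the review comment above describes; the terminator should be kept but moved ahead of the loop rather than dropped.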


--
Serge Petrenko
sergepetrenko@tarantool.org

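An added, constructed C example (not Tarantool's code) of the pattern this thread fixes: a cursor advanced by snprintf's return value can travel past the buffer on truncation, so a trailing `*p = '\0'` becomes an out-of-bounds store, while terminating before the loop covers the zero-iteration case. The `clamp` flag, `format_frames` and `overrun_bytes` are hypothetical names introduced here.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define BUF_SIZE 16
static char buf[BUF_SIZE];   /* deliberately small to force truncation */

/* Writes up to nframes fake frames into buf. With clamp == 0 the cursor is
 * advanced by snprintf's return value unconditionally (the pattern behind
 * the bug); with clamp != 0 it is pinned to `end` on truncation. Returns the
 * final cursor offset so the caller can see whether it left the buffer. */
static size_t format_frames(int nframes, int clamp)
{
	char *p = buf;
	char *end = p + sizeof(buf) - 1;   /* last byte reserved for '\0' */
	*p = '\0';                         /* terminated even when the loop never runs */
	for (int i = 0; i < nframes && p < end; i++) {
		size_t avail = (size_t)(end - p);
		/* size avail + 1 lets snprintf use the reserved byte for '\0' */
		int n = snprintf(p, avail + 1, "#%d frame_%d\n", i, i);
		if (n < 0)
			break;
		if ((size_t)n > avail && clamp) {  /* output was truncated */
			p = end;
			break;
		}
		p += n;   /* unclamped: n also counts bytes that were NOT stored */
	}
	return (size_t)(p - buf);
}

/* Bytes past the terminator slot where a trailing "*p = '\0'" would land. */
static size_t overrun_bytes(int nframes, int clamp)
{
	size_t off = format_frames(nframes, clamp);
	return off > BUF_SIZE - 1 ? off - (BUF_SIZE - 1) : 0;
}

int main(void)
{
	printf("unclamped: cursor at %zu, overrun %zu bytes\n",
	       format_frames(2, 0), overrun_bytes(2, 0));
	printf("clamped:   cursor at %zu, overrun %zu bytes\n",
	       format_frames(2, 1), overrun_bytes(2, 1));
	printf("buffer stays terminated: \"%s\"\n", buf);
	return 0;
}
```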
Thread overview: 5+ messages
2019-11-25 16:27 Serge Petrenko
2019-11-25 23:02 ` Vladislav Shpilevoy
2019-11-26 12:09   ` Serge Petrenko [this message]
2019-11-26 20:30     ` Vladislav Shpilevoy
2019-12-10 14:06 ` Kirill Yukhin