From: Vladislav Shpilevoy <v.shpilevoy@tarantool.org>
To: tarantool-patches@dev.tarantool.org, tsafin@tarantool.org, alyapunov@tarantool.org
Subject: [Tarantool-patches] [PATCH 09/11] salad: fix UB pointer arithmetics in bps_tree
Date: Fri, 5 Jun 2020 01:43:16 +0200
Message-ID: <864075a769f1b09a44950fe93630519eb0fa2899.1591313754.git.v.shpilevoy@tarantool.org>
In-Reply-To: <cover.1591313754.git.v.shpilevoy@tarantool.org>

From: Aleksandr Lyapunov <alyapunov@tarantool.org>

There is some pointer arithmetic in bps_tree that calculates intermediate pointers that point out of array bounds. Though they are never dereferenced and only used for further calculation of correct pointers, it is still UB and must be fixed.

Part of #4609
---
 src/lib/salad/bps_tree.h | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/lib/salad/bps_tree.h b/src/lib/salad/bps_tree.h index d28b53f53..ef5ae3d7e 100644 --- a/src/lib/salad/bps_tree.h +++ b/src/lib/salad/bps_tree.h @@ -2654,7 +2654,7 @@ bps_tree_move_elems_to_right_inner(struct bps_tree *tree, if (!move_to_empty) BPS_TREE_DATAMOVE(b->elems + num, b->elems, b->header.size - 1, b, b); - BPS_TREE_DATAMOVE(b->elems, a->elems + a->header.size - num, + BPS_TREE_DATAMOVE(b->elems, a->elems + (a->header.size - num), num - 1, b, a); if (move_to_empty) *b_inner_path_elem->max_elem_copy = @@ -2866,7 +2866,7 @@ bps_tree_insert_and_move_elems_to_right_inner(struct bps_tree *tree, mid_part_size - num, a, a); a->child_ids[pos] = block_id; - BPS_TREE_DATAMOVE(b->elems, a->elems + a->header.size - num, + BPS_TREE_DATAMOVE(b->elems, a->elems + (a->header.size - num), num - 1, b, a); if (move_to_empty) *b_inner_path_elem->max_elem_copy =
@@ -2888,7 +2888,7 @@ bps_tree_insert_and_move_elems_to_right_inner(struct bps_tree *tree, mid_part_size - num, a, a); a->child_ids[pos] = block_id; - BPS_TREE_DATAMOVE(b->elems, a->elems + a->header.size - num, + BPS_TREE_DATAMOVE(b->elems, a->elems + (a->header.size - num), num - 1, b, a); if (move_to_empty) *b_inner_path_elem->max_elem_copy = @@ -2916,8 +2916,8 @@ bps_tree_insert_and_move_elems_to_right_inner(struct bps_tree *tree, if (num > 1) { /* +(num - 2) */ BPS_TREE_DATAMOVE(b->elems, - a->elems + a->header.size - - num + 1, num - 2, b, a); + a->elems + (a->header.size + - num + 1), num - 2, b, a); /* +1 */ b->elems[num - 2] = *a_inner_path_elem->max_elem_copy; @@ -2930,7 +2930,7 @@ bps_tree_insert_and_move_elems_to_right_inner(struct bps_tree *tree, assert(num > 1); BPS_TREE_DATAMOVE(b->elems, - a->elems + a->header.size - num + 1, + a->elems + (a->header.size - num + 1), num - mid_part_size - 1, b, a); b->elems[new_pos] = max_elem; BPS_TREE_DATAMOVE(b->elems + new_pos + 1, @@ -3142,7 +3142,7 @@ bps_tree_insert_and_move_elems_to_left_inner(struct bps_tree *tree, b->elems[num - 2]; } if (!move_all) - BPS_TREE_DATAMOVE(b->elems, b->elems + num - 1, + BPS_TREE_DATAMOVE(b->elems, b->elems + (num - 1), b->header.size - num, b, b); } -- 2.21.1 (Apple Git-122.3)
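Review bot: in the @@ -2654 hunk, a->elems + (a->header.size - num) matches the old expression only when the subtraction itself cannot wrap. If a->header.size - num is evaluated in an unsigned type (neither type is visible in these lines), num > a->header.size now produces a very large positive offset where the old code produced a small negative one. An assert(num <= a->header.size) ahead of the BPS_TREE_DATAMOVE call would state the precondition the parentheses rely on; the same applies to the identical change in the @@ -2866 and @@ -2888 hunks.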
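Review bot: in the @@ -2916 hunk the parenthesized offset is split across two lines, with (a->header.size on one and - num + 1) on the next, while the @@ -2930 hunk keeps the same expression (a->header.size - num + 1) on a single line. Since the grouping is the whole fix and looks redundant at a glance, keep it on one line here as well, or hoist it into a named local, so both call sites read alike and a later cleanup does not drop the parentheses.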
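Review bot: in the @@ -3142 hunk, b->elems + (num - 1) under if (!move_all) has no lower bound on num in the visible context; with num == 0 the offset is -1, or wraps if num is unsigned, and the intermediate pointer is outside the array again. The @@ -2930 hunk already has assert(num > 1) ahead of its move, so an equivalent assert(num > 0) before this BPS_TREE_DATAMOVE would document the assumption.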