libfabric/SOURCES/0002-src-common.c-fix-a-stack-buffer-overflow-issue.patch

From 8c2f159809118c6054852d5086582a19be39a2b2 Mon Sep 17 00:00:00 2001
From: Honggang Li <honli@redhat.com>
Date: Fri, 18 Dec 2020 05:18:55 -0800
Subject: [PATCH 2/2] src/common.c: fix a stack-buffer-overflow issue

ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff4c61e7e0 at pc 0x14f2cb7ae0b9 bp 0x7fff4c61e650 sp 0x7fff4c61ddd8
WRITE of size 17 at 0x7fff4c61e7e0 thread T0
    #0 0x14f2cb7ae0b8  (/lib64/libasan.so.5+0xb40b8)
    #1 0x14f2cb7aedd2 in vsscanf (/lib64/libasan.so.5+0xb4dd2)
    #2 0x14f2cb7aeede in __interceptor_sscanf (/lib64/libasan.so.5+0xb4ede)
    #3 0x14f2cb230766 in ofi_addr_format src/common.c:401
    #4 0x14f2cb233238 in ofi_str_toaddr src/common.c:780
    #5 0x14f2cb314332 in vrb_handle_ib_ud_addr prov/verbs/src/verbs_info.c:1670
    #6 0x14f2cb314332 in vrb_get_match_infos prov/verbs/src/verbs_info.c:1787
    #7 0x14f2cb314332 in vrb_getinfo prov/verbs/src/verbs_info.c:1841
    #8 0x14f2cb21fc28 in fi_getinfo_ src/fabric.c:1010
    #9 0x14f2cb25fcc0 in ofi_get_core_info prov/util/src/util_attr.c:298
    #10 0x14f2cb269b20 in ofix_getinfo prov/util/src/util_attr.c:321
    #11 0x14f2cb3e29fd in rxd_getinfo prov/rxd/src/rxd_init.c:122
    #12 0x14f2cb21fc28 in fi_getinfo_ src/fabric.c:1010
    #13 0x407150 in ft_getinfo common/shared.c:794
    #14 0x414917 in ft_init_fabric common/shared.c:1042
    #15 0x402f40 in run functional/bw.c:155
    #16 0x402f40 in main functional/bw.c:252
    #17 0x14f2ca1b28e2 in __libc_start_main (/lib64/libc.so.6+0x238e2)
    #18 0x401d1d in _start (/root/libfabric/fabtests/functional/fi_bw+0x401d1d)

Address 0x7fff4c61e7e0 is located in stack of thread T0 at offset 48 in frame
    #0 0x14f2cb2306f3 in ofi_addr_format src/common.c:397

  This frame has 1 object(s):
    [32, 48) 'fmt' <== Memory access at offset 48 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/lib64/libasan.so.5+0xb40b8)
Shadow bytes around the buggy address:
  0x1000698bbca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000698bbcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000698bbcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000698bbcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000698bbce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000698bbcf0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00[f2]f2 f3 f3
  0x1000698bbd00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x1000698bbd10: f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2
  0x1000698bbd20: f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2
  0x1000698bbd30: f2 f2 00 00 00 00 00 06 f2 f2 f2 f2 f2 f2 00 00
  0x1000698bbd40: 00 00 00 06 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Fixes: 5d31276f7304 ("common: Redo address string conversions")
Signed-off-by: Honggang Li <honli@redhat.com>
---
 src/common.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/common.c b/src/common.c
index 4c54dc2dec68..3964cf1f7b4b 100644
--- a/src/common.c
+++ b/src/common.c
@@ -395,14 +395,14 @@ sa_sin6:
 
 uint32_t ofi_addr_format(const char *str)
 {
-	char fmt[16];
+	char fmt[17];
 	int ret;
 
+	memset(fmt, 0, sizeof(fmt));
 	ret = sscanf(str, "%16[^:]://", fmt);
 	if (ret != 1)
 		return FI_FORMAT_UNSPEC;
 
-	fmt[sizeof(fmt) - 1] = '\0';
 	if (!strcasecmp(fmt, "fi_sockaddr_in"))
 		return FI_SOCKADDR_IN;
 	else if (!strcasecmp(fmt, "fi_sockaddr_in6"))
-- 
2.25.4
import libfabric-1.11.2-1.el8 2020-12-24 06:09:59 +00:00			`From 8c2f159809118c6054852d5086582a19be39a2b2 Mon Sep 17 00:00:00 2001`
			`From: Honggang Li <honli@redhat.com>`
			`Date: Fri, 18 Dec 2020 05:18:55 -0800`
			`Subject: [PATCH 2/2] src/common.c: fix a stack-buffer-overflow issue`

			`ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff4c61e7e0 at pc 0x14f2cb7ae0b9 bp 0x7fff4c61e650 sp 0x7fff4c61ddd8`
			`WRITE of size 17 at 0x7fff4c61e7e0 thread T0`
			`#0 0x14f2cb7ae0b8 (/lib64/libasan.so.5+0xb40b8)`
			`#1 0x14f2cb7aedd2 in vsscanf (/lib64/libasan.so.5+0xb4dd2)`
			`#2 0x14f2cb7aeede in __interceptor_sscanf (/lib64/libasan.so.5+0xb4ede)`
			`#3 0x14f2cb230766 in ofi_addr_format src/common.c:401`
			`#4 0x14f2cb233238 in ofi_str_toaddr src/common.c:780`
			`#5 0x14f2cb314332 in vrb_handle_ib_ud_addr prov/verbs/src/verbs_info.c:1670`
			`#6 0x14f2cb314332 in vrb_get_match_infos prov/verbs/src/verbs_info.c:1787`
			`#7 0x14f2cb314332 in vrb_getinfo prov/verbs/src/verbs_info.c:1841`
			`#8 0x14f2cb21fc28 in fi_getinfo_ src/fabric.c:1010`
			`#9 0x14f2cb25fcc0 in ofi_get_core_info prov/util/src/util_attr.c:298`
			`#10 0x14f2cb269b20 in ofix_getinfo prov/util/src/util_attr.c:321`
			`#11 0x14f2cb3e29fd in rxd_getinfo prov/rxd/src/rxd_init.c:122`
			`#12 0x14f2cb21fc28 in fi_getinfo_ src/fabric.c:1010`
			`#13 0x407150 in ft_getinfo common/shared.c:794`
			`#14 0x414917 in ft_init_fabric common/shared.c:1042`
			`#15 0x402f40 in run functional/bw.c:155`
			`#16 0x402f40 in main functional/bw.c:252`
			`#17 0x14f2ca1b28e2 in __libc_start_main (/lib64/libc.so.6+0x238e2)`
			`#18 0x401d1d in _start (/root/libfabric/fabtests/functional/fi_bw+0x401d1d)`

			`Address 0x7fff4c61e7e0 is located in stack of thread T0 at offset 48 in frame`
			`#0 0x14f2cb2306f3 in ofi_addr_format src/common.c:397`

			`This frame has 1 object(s):`
			`[32, 48) 'fmt' <== Memory access at offset 48 overflows this variable`
			`HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext`
			`(longjmp and C++ exceptions are supported)`
			`SUMMARY: AddressSanitizer: stack-buffer-overflow (/lib64/libasan.so.5+0xb40b8)`
			`Shadow bytes around the buggy address:`
			`0x1000698bbca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00`
			`0x1000698bbcb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00`
			`0x1000698bbcc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00`
			`0x1000698bbcd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00`
			`0x1000698bbce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00`
			`=>0x1000698bbcf0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00[f2]f2 f3 f3`
			`0x1000698bbd00: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1`
			`0x1000698bbd10: f1 f1 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2`
			`0x1000698bbd20: f2 f2 00 f2 f2 f2 f2 f2 f2 f2 00 f2 f2 f2 f2 f2`
			`0x1000698bbd30: f2 f2 00 00 00 00 00 06 f2 f2 f2 f2 f2 f2 00 00`
			`0x1000698bbd40: 00 00 00 06 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00`
			`Shadow byte legend (one shadow byte represents 8 application bytes):`
			`Addressable: 00`
			`Partially addressable: 01 02 03 04 05 06 07`
			`Heap left redzone: fa`
			`Freed heap region: fd`
			`Stack left redzone: f1`
			`Stack mid redzone: f2`
			`Stack right redzone: f3`
			`Stack after return: f5`
			`Stack use after scope: f8`
			`Global redzone: f9`
			`Global init order: f6`
			`Poisoned by user: f7`
			`Container overflow: fc`
			`Array cookie: ac`
			`Intra object redzone: bb`
			`ASan internal: fe`
			`Left alloca redzone: ca`
			`Right alloca redzone: cb`

			`Fixes: 5d31276f7304 ("common: Redo address string conversions")`
			`Signed-off-by: Honggang Li <honli@redhat.com>`
			`---`
			`src/common.c \| 4 ++--`
			`1 file changed, 2 insertions(+), 2 deletions(-)`

			`diff --git a/src/common.c b/src/common.c`
			`index 4c54dc2dec68..3964cf1f7b4b 100644`
			`--- a/src/common.c`
			`+++ b/src/common.c`
			`@@ -395,14 +395,14 @@ sa_sin6:`

			`uint32_t ofi_addr_format(const char *str)`
			`{`
			`- char fmt[16];`
			`+ char fmt[17];`
			`int ret;`

			`+ memset(fmt, 0, sizeof(fmt));`
			`ret = sscanf(str, "%16[^:]://", fmt);`
			`if (ret != 1)`
			`return FI_FORMAT_UNSPEC;`

			`- fmt[sizeof(fmt) - 1] = '\0';`
			`if (!strcasecmp(fmt, "fi_sockaddr_in"))`
			`return FI_SOCKADDR_IN;`
			`else if (!strcasecmp(fmt, "fi_sockaddr_in6"))`
			`--`
			`2.25.4`