From: Stephen Hemminger <stephen@networkplumber.org>
To: Bruce Richardson <bruce.richardson@intel.com>
Cc: <dev@dpdk.org>, <fengchengwen@huawei.com>
Subject: Re: [PATCH] test/argparse: fix out of bound memcpy
Date: Mon, 30 Jun 2025 07:57:52 -0700
Message-ID: <20250630075752.0f860529@hermes.local>
In-Reply-To: <aF7pef1HMfjT88-e@bricha3-mobl1.ger.corp.intel.com>
On Fri, 27 Jun 2025 19:56:57 +0100
Bruce Richardson <bruce.richardson@intel.com> wrote:
> On Fri, Jun 27, 2025 at 09:22:35AM -0700, Stephen Hemminger wrote:
> > The rte_argparse API uses variable length arrays for the args.
> > But the test was only putting space on stack for the argparse
> > part, not the args. This can lead to out of bounds writes.
> >
> > The bug only gets detected if DPDK is compiled with LTO.
> > In function ‘test_argparse_copy’,
> > inlined from ‘test_argparse_init_obj’ at ../app/test/test_argparse.c:108:2,
> > inlined from ‘test_argparse_opt_callback_parse_int_of_no_val’ at ../app/test/test_argparse.c:490:8:
> > ../app/test/test_argparse.c:96:17: warning: ‘memcpy’ writing 56 bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
> > 96 | memcpy(&dst->args[i], &src->args[i], sizeof(src->args[i]));
> >
> > Fixes: 6c5c6571601c ("argparse: verify argument config")
> > Cc: fengchengwen@huawei.com
> > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> > ---
>
> It looks to me like this is a false positive. If it's not, then the whole
> method of declaring argparse arguments is broken, and the library is not
> really usable.
>
> See below for what I see in gdb for a regular (non-LTO) debug build. Looks
> to me like the compiler is doing the right thing.
>
> /Bruce
The problem is that when the structure is initialized its size gets boosted.
https://www.gnu.org/software/c-intro-and-ref/manual/html_node/Flexible-Array-Fields.html
GNU C allows static initialization of flexible array fields.
The effect is to “make the array long enough” for the initializer.
struct f1 { int x; int y[]; } f1
= { 1, { 2, 3, 4 } };
It looks like a compiler bug that the extra size info doesn't get propagated
into the copy code.
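As an added illustration, not code from the patch or from DPDK, the following stand-alone C model shows the mechanism discussed above: a struct whose flexible array member is statically initialized is allocated large enough for its initializer, but sizeof of the type still excludes those elements, so any copy has to size the destination from the element count rather than from the bare struct. The struct layout and the names parser, arg, parser_size, parser_copy and parser_dup are assumptions for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for an rte_argparse-style object: a fixed header followed by
 * a flexible array member (layout and field names are assumptions). */
struct arg {
    const char *name;
    int value;
};

struct parser {
    const char *prog;
    size_t nargs;
    struct arg args[];   /* flexible array member */
};

/* GNU C extension: the static initializer makes this object large enough
 * for three elements, but sizeof(struct parser) still excludes them. */
static struct parser src = {
    .prog = "demo", .nargs = 3,
    .args = { { "a", 1 }, { "b", 2 }, { "c", 3 } },
};

/* Bytes a complete copy needs: header plus the trailing elements. */
size_t parser_size(size_t nargs)
{
    return sizeof(struct parser) + nargs * sizeof(struct arg);
}

/* Copy p into a caller-provided buffer of cap bytes. A destination that is
 * only sizeof(struct parser) bytes (a bare struct on the stack) is refused,
 * which is the out-of-bounds write the compiler warned about. */
int parser_copy(void *dst, size_t cap, const struct parser *p)
{
    size_t need = parser_size(p->nargs);
    if (cap < need)
        return -1;
    memcpy(dst, p, need);
    return 0;
}

/* Heap copy sized from the element count rather than the bare struct. */
struct parser *parser_dup(const struct parser *p)
{
    struct parser *dst = malloc(parser_size(p->nargs));
    if (dst != NULL)
        memcpy(dst, p, parser_size(p->nargs));
    return dst;
}
```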
Thread overview (7+ messages):
2025-06-27 16:22 Stephen Hemminger
2025-06-27 18:56 ` Bruce Richardson
2025-06-30 14:57 ` Stephen Hemminger [this message]
2025-06-30 14:58 ` [PATCH v2] test/argparse: change initialization to workaround LTO Stephen Hemminger
2025-06-30 15:20 ` Bruce Richardson
2025-06-30 15:23 ` Stephen Hemminger
2025-06-30 15:24 ` Stephen Hemminger