From 525654a164a8862e14de913753100345932af2fc Mon Sep 17 00:00:00 2001 From: Craig Tiller Date: Tue, 3 May 2016 22:38:41 -0700 Subject: [PATCH 1/3] Fix undefined behavior --- src/core/ext/client_config/subchannel_index.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/src/core/ext/client_config/subchannel_index.c b/src/core/ext/client_config/subchannel_index.c index ab8d9bd91d8..b77632bba39 100644 --- a/src/core/ext/client_config/subchannel_index.c +++ b/src/core/ext/client_config/subchannel_index.c @@ -77,9 +77,14 @@ static grpc_subchannel_key *create_key( grpc_subchannel_key *k = gpr_malloc(sizeof(*k)); k->connector = grpc_connector_ref(connector); k->args.filter_count = args->filter_count; - k->args.filters = gpr_malloc(sizeof(*k->args.filters) * k->args.filter_count); - memcpy((grpc_channel_filter *)k->args.filters, args->filters, - sizeof(*k->args.filters) * k->args.filter_count); + if (k->args.filter_count > 0) { + k->args.filters = + gpr_malloc(sizeof(*k->args.filters) * k->args.filter_count); + memcpy((grpc_channel_filter *)k->args.filters, args->filters, + sizeof(*k->args.filters) * k->args.filter_count); + } else { + k->args.filters = NULL; + } k->args.addr_len = args->addr_len; k->args.addr = gpr_malloc(args->addr_len); memcpy(k->args.addr, args->addr, k->args.addr_len); @@ -106,9 +111,11 @@ static int subchannel_key_compare(grpc_subchannel_key *a, if (c != 0) return c; c = memcmp(a->args.addr, b->args.addr, a->args.addr_len); if (c != 0) return c; - c = memcmp(a->args.filters, b->args.filters, - a->args.filter_count * sizeof(*a->args.filters)); - if (c != 0) return c; + if (a->args.filter_count > 0) { + c = memcmp(a->args.filters, b->args.filters, + a->args.filter_count * sizeof(*a->args.filters)); + if (c != 0) return c; + } return grpc_channel_args_compare(a->args.args, b->args.args); } From 68897999237ab5d67278365b3bd444960fa3c4c0 Mon Sep 17 00:00:00 2001 From: Craig Tiller Date: Tue, 3 May 2016 23:10:07 -0700 Subject: [PATCH 2/3] Fix some ubsan issues: I fear no bugs were harmed in the making of this episode --- build.yaml | 2 ++ src/core/ext/client_config/subchannel.c | 2 +- src/core/ext/client_config/subchannel_index.c | 6 ++++- .../transport/chttp2/transport/frame_goaway.c | 2 +- .../transport/chttp2/transport/hpack_parser.c | 5 ++++ src/core/lib/channel/channel_args.c | 2 +- .../lib/compression/compression_algorithm.c | 1 + src/core/lib/support/murmur_hash.c | 8 +++---- src/core/lib/transport/metadata.c | 2 +- test/core/end2end/fuzzers/api_fuzzer.c | 24 +++++++++++-------- tools/run_tests/configs.json | 3 +++ 11 files changed, 37 insertions(+), 20 deletions(-) diff --git a/build.yaml b/build.yaml index 441752dc3dc..4cf7057a902 100644 --- a/build.yaml +++ b/build.yaml @@ -3247,6 +3247,8 @@ configs: LDFLAGS: -fsanitize=undefined LDXX: clang++ compile_the_world: true + test_environ: + UBSAN_OPTIONS: halt_on_error=1 timeout_multiplier: 1.5 defaults: boringssl: diff --git a/src/core/ext/client_config/subchannel.c b/src/core/ext/client_config/subchannel.c index bd45d3825cc..cfd39e7cfbf 100644 --- a/src/core/ext/client_config/subchannel.c +++ b/src/core/ext/client_config/subchannel.c @@ -320,7 +320,7 @@ grpc_subchannel *grpc_subchannel_create(grpc_exec_ctx *exec_ctx, c->filters = NULL; } c->addr = gpr_malloc(args->addr_len); - memcpy(c->addr, args->addr, args->addr_len); + if (args->addr_len) memcpy(c->addr, args->addr, args->addr_len); c->pollset_set = grpc_pollset_set_create(); c->addr_len = args->addr_len; grpc_set_initial_connect_string(&c->addr, &c->addr_len, diff --git a/src/core/ext/client_config/subchannel_index.c b/src/core/ext/client_config/subchannel_index.c index b77632bba39..69de0e78c18 100644 --- a/src/core/ext/client_config/subchannel_index.c +++ b/src/core/ext/client_config/subchannel_index.c @@ -87,7 +87,9 @@ static grpc_subchannel_key *create_key( } k->args.addr_len = args->addr_len; k->args.addr = gpr_malloc(args->addr_len); - memcpy(k->args.addr, args->addr, k->args.addr_len); + if (k->args.addr_len > 0) { + memcpy(k->args.addr, args->addr, k->args.addr_len); + } k->args.args = copy_channel_args(args->args); return k; } @@ -109,8 +111,10 @@ static int subchannel_key_compare(grpc_subchannel_key *a, if (c != 0) return c; c = GPR_ICMP(a->args.filter_count, b->args.filter_count); if (c != 0) return c; + if (a->args.addr_len) { c = memcmp(a->args.addr, b->args.addr, a->args.addr_len); if (c != 0) return c; + } if (a->args.filter_count > 0) { c = memcmp(a->args.filters, b->args.filters, a->args.filter_count * sizeof(*a->args.filters)); diff --git a/src/core/ext/transport/chttp2/transport/frame_goaway.c b/src/core/ext/transport/chttp2/transport/frame_goaway.c index 69accb7696d..aa25b1a231c 100644 --- a/src/core/ext/transport/chttp2/transport/frame_goaway.c +++ b/src/core/ext/transport/chttp2/transport/frame_goaway.c @@ -137,7 +137,7 @@ grpc_chttp2_parse_error grpc_chttp2_goaway_parser_parse( ++cur; /* fallthrough */ case GRPC_CHTTP2_GOAWAY_DEBUG: - memcpy(p->debug_data + p->debug_pos, cur, (size_t)(end - cur)); + if (end != cur) memcpy(p->debug_data + p->debug_pos, cur, (size_t)(end - cur)); GPR_ASSERT((size_t)(end - cur) < UINT32_MAX - p->debug_pos); p->debug_pos += (uint32_t)(end - cur); p->state = GRPC_CHTTP2_GOAWAY_DEBUG; diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.c b/src/core/ext/transport/chttp2/transport/hpack_parser.c index 687936bfd35..9278a7ac42a 100644 --- a/src/core/ext/transport/chttp2/transport/hpack_parser.c +++ b/src/core/ext/transport/chttp2/transport/hpack_parser.c @@ -1138,6 +1138,7 @@ static int parse_string_prefix(grpc_chttp2_hpack_parser *p, const uint8_t *cur, /* append some bytes to a string */ static void append_bytes(grpc_chttp2_hpack_parser_string *str, const uint8_t *data, size_t length) { + if (length == 0) return; if (length + str->length > str->capacity) { GPR_ASSERT(str->length + length <= UINT32_MAX); str->capacity = (uint32_t)(str->length + length); @@ -1445,6 +1446,10 @@ grpc_chttp2_parse_error grpc_chttp2_header_parser_parse( stream id on a header */ if (stream_parsing != NULL) { if (parser->is_boundary) { + if (stream_parsing->header_frames_received == GPR_ARRAY_SIZE(stream_parsing->got_metadata_on_parse)) { + gpr_log(GPR_ERROR, "too many trailer frames"); + return GRPC_CHTTP2_CONNECTION_ERROR; + } stream_parsing ->got_metadata_on_parse[stream_parsing->header_frames_received] = 1; stream_parsing->header_frames_received++; diff --git a/src/core/lib/channel/channel_args.c b/src/core/lib/channel/channel_args.c index 28d2d78d00f..1659c3788bf 100644 --- a/src/core/lib/channel/channel_args.c +++ b/src/core/lib/channel/channel_args.c @@ -132,7 +132,7 @@ grpc_channel_args *grpc_channel_args_normalize(const grpc_channel_args *a) { for (size_t i = 0; i < a->num_args; i++) { args[i] = &a->args[i]; } - qsort(args, a->num_args, sizeof(grpc_arg *), cmp_key_stable); + if (a->num_args > 1) qsort(args, a->num_args, sizeof(grpc_arg *), cmp_key_stable); grpc_channel_args *b = gpr_malloc(sizeof(grpc_channel_args)); b->num_args = a->num_args; diff --git a/src/core/lib/compression/compression_algorithm.c b/src/core/lib/compression/compression_algorithm.c index 7039364b7bc..820871d579b 100644 --- a/src/core/lib/compression/compression_algorithm.c +++ b/src/core/lib/compression/compression_algorithm.c @@ -199,5 +199,6 @@ void grpc_compression_options_disable_algorithm( int grpc_compression_options_is_algorithm_enabled( const grpc_compression_options *opts, grpc_compression_algorithm algorithm) { + if (algorithm >= GRPC_COMPRESS_ALGORITHMS_COUNT) return 0; return GPR_BITGET(opts->enabled_algorithms_bitset, algorithm); } diff --git a/src/core/lib/support/murmur_hash.c b/src/core/lib/support/murmur_hash.c index 5711fff0c0f..7137c1f3133 100644 --- a/src/core/lib/support/murmur_hash.c +++ b/src/core/lib/support/murmur_hash.c @@ -33,6 +33,8 @@ #include "src/core/lib/support/murmur_hash.h" +#include + #define ROTL32(x, r) ((x) << (r)) | ((x) >> (32 - (r))) #define FMIX32(h) \ @@ -42,10 +44,6 @@ (h) *= 0xc2b2ae35; \ (h) ^= (h) >> 16; -/* Block read - if your platform needs to do endian-swapping or can only - handle aligned reads, do the conversion here */ -#define GETBLOCK32(p, i) (p)[(i)] - uint32_t gpr_murmur_hash3(const void *key, size_t len, uint32_t seed) { const uint8_t *data = (const uint8_t *)key; const size_t nblocks = len / 4; @@ -62,7 +60,7 @@ uint32_t gpr_murmur_hash3(const void *key, size_t len, uint32_t seed) { /* body */ for (i = -(int)nblocks; i; i++) { - k1 = GETBLOCK32(blocks, i); + memcpy(&k1, blocks + i, sizeof(uint32_t)); k1 *= c1; k1 = ROTL32(k1, 15); diff --git a/src/core/lib/transport/metadata.c b/src/core/lib/transport/metadata.c index 5847ec9053d..53fe03bdc92 100644 --- a/src/core/lib/transport/metadata.c +++ b/src/core/lib/transport/metadata.c @@ -373,7 +373,7 @@ grpc_mdstr *grpc_mdstr_from_buffer(const uint8_t *buf, size_t length) { ss = g_static_strtab[idx]; if (ss == NULL) break; if (ss->hash == hash && GPR_SLICE_LENGTH(ss->slice) == length && - 0 == memcmp(buf, GPR_SLICE_START_PTR(ss->slice), length)) { + (length == 0 || 0 == memcmp(buf, GPR_SLICE_START_PTR(ss->slice), length))) { GPR_TIMER_END("grpc_mdstr_from_buffer", 0); return ss; } diff --git a/test/core/end2end/fuzzers/api_fuzzer.c b/test/core/end2end/fuzzers/api_fuzzer.c index b133a948ee0..b6150151d5e 100644 --- a/test/core/end2end/fuzzers/api_fuzzer.c +++ b/test/core/end2end/fuzzers/api_fuzzer.c @@ -418,17 +418,21 @@ static void add_to_free(call_state *call, void *p) { static void read_metadata(input_stream *inp, size_t *count, grpc_metadata **metadata, call_state *cs) { *count = next_byte(inp); - *metadata = gpr_malloc(*count * sizeof(**metadata)); - memset(*metadata, 0, *count * sizeof(**metadata)); - for (size_t i = 0; i < *count; i++) { - (*metadata)[i].key = read_string(inp); - read_buffer(inp, (char **)&(*metadata)[i].value, - &(*metadata)[i].value_length); - (*metadata)[i].flags = read_uint32(inp); - add_to_free(cs, (void *)(*metadata)[i].key); - add_to_free(cs, (void *)(*metadata)[i].value); + if (*count) { + *metadata = gpr_malloc(*count * sizeof(**metadata)); + memset(*metadata, 0, *count * sizeof(**metadata)); + for (size_t i = 0; i < *count; i++) { + (*metadata)[i].key = read_string(inp); + read_buffer(inp, (char **)&(*metadata)[i].value, + &(*metadata)[i].value_length); + (*metadata)[i].flags = read_uint32(inp); + add_to_free(cs, (void *)(*metadata)[i].key); + add_to_free(cs, (void *)(*metadata)[i].value); + } + } else { + *metadata = gpr_malloc(1); } - add_to_free(cs, *metadata); + add_to_free(cs, *metadata); } static call_state *destroy_call(call_state *call) { diff --git a/tools/run_tests/configs.json b/tools/run_tests/configs.json index 325e9aa9295..1a67544d184 100644 --- a/tools/run_tests/configs.json +++ b/tools/run_tests/configs.json @@ -56,6 +56,9 @@ }, { "config": "ubsan", + "environ": { + "UBSAN_OPTIONS": "halt_on_error=1" + }, "timeout_multiplier": 1.5 }, { From 93dd0470cf26aed445b40a8b9332e6b06f5e5514 Mon Sep 17 00:00:00 2001 From: Craig Tiller Date: Wed, 18 May 2016 15:06:37 -0700 Subject: [PATCH 3/3] clang-format --- src/core/ext/client_config/subchannel_index.c | 4 ++-- src/core/ext/transport/chttp2/transport/frame_goaway.c | 3 ++- src/core/ext/transport/chttp2/transport/hpack_parser.c | 3 ++- src/core/lib/channel/channel_args.c | 3 ++- src/core/lib/transport/metadata.c | 3 ++- test/core/end2end/fuzzers/api_fuzzer.c | 2 +- 6 files changed, 11 insertions(+), 7 deletions(-) diff --git a/src/core/ext/client_config/subchannel_index.c b/src/core/ext/client_config/subchannel_index.c index 69de0e78c18..690cb16b96f 100644 --- a/src/core/ext/client_config/subchannel_index.c +++ b/src/core/ext/client_config/subchannel_index.c @@ -112,8 +112,8 @@ static int subchannel_key_compare(grpc_subchannel_key *a, c = GPR_ICMP(a->args.filter_count, b->args.filter_count); if (c != 0) return c; if (a->args.addr_len) { - c = memcmp(a->args.addr, b->args.addr, a->args.addr_len); - if (c != 0) return c; + c = memcmp(a->args.addr, b->args.addr, a->args.addr_len); + if (c != 0) return c; } if (a->args.filter_count > 0) { c = memcmp(a->args.filters, b->args.filters, diff --git a/src/core/ext/transport/chttp2/transport/frame_goaway.c b/src/core/ext/transport/chttp2/transport/frame_goaway.c index aa25b1a231c..827e7a69770 100644 --- a/src/core/ext/transport/chttp2/transport/frame_goaway.c +++ b/src/core/ext/transport/chttp2/transport/frame_goaway.c @@ -137,7 +137,8 @@ grpc_chttp2_parse_error grpc_chttp2_goaway_parser_parse( ++cur; /* fallthrough */ case GRPC_CHTTP2_GOAWAY_DEBUG: - if (end != cur) memcpy(p->debug_data + p->debug_pos, cur, (size_t)(end - cur)); + if (end != cur) + memcpy(p->debug_data + p->debug_pos, cur, (size_t)(end - cur)); GPR_ASSERT((size_t)(end - cur) < UINT32_MAX - p->debug_pos); p->debug_pos += (uint32_t)(end - cur); p->state = GRPC_CHTTP2_GOAWAY_DEBUG; diff --git a/src/core/ext/transport/chttp2/transport/hpack_parser.c b/src/core/ext/transport/chttp2/transport/hpack_parser.c index 9278a7ac42a..ed45bc9cb38 100644 --- a/src/core/ext/transport/chttp2/transport/hpack_parser.c +++ b/src/core/ext/transport/chttp2/transport/hpack_parser.c @@ -1446,7 +1446,8 @@ grpc_chttp2_parse_error grpc_chttp2_header_parser_parse( stream id on a header */ if (stream_parsing != NULL) { if (parser->is_boundary) { - if (stream_parsing->header_frames_received == GPR_ARRAY_SIZE(stream_parsing->got_metadata_on_parse)) { + if (stream_parsing->header_frames_received == + GPR_ARRAY_SIZE(stream_parsing->got_metadata_on_parse)) { gpr_log(GPR_ERROR, "too many trailer frames"); return GRPC_CHTTP2_CONNECTION_ERROR; } diff --git a/src/core/lib/channel/channel_args.c b/src/core/lib/channel/channel_args.c index d95a7bf1103..569be4dc282 100644 --- a/src/core/lib/channel/channel_args.c +++ b/src/core/lib/channel/channel_args.c @@ -132,7 +132,8 @@ grpc_channel_args *grpc_channel_args_normalize(const grpc_channel_args *a) { for (size_t i = 0; i < a->num_args; i++) { args[i] = &a->args[i]; } - if (a->num_args > 1) qsort(args, a->num_args, sizeof(grpc_arg *), cmp_key_stable); + if (a->num_args > 1) + qsort(args, a->num_args, sizeof(grpc_arg *), cmp_key_stable); grpc_channel_args *b = gpr_malloc(sizeof(grpc_channel_args)); b->num_args = a->num_args; diff --git a/src/core/lib/transport/metadata.c b/src/core/lib/transport/metadata.c index 53fe03bdc92..82c8e239f68 100644 --- a/src/core/lib/transport/metadata.c +++ b/src/core/lib/transport/metadata.c @@ -373,7 +373,8 @@ grpc_mdstr *grpc_mdstr_from_buffer(const uint8_t *buf, size_t length) { ss = g_static_strtab[idx]; if (ss == NULL) break; if (ss->hash == hash && GPR_SLICE_LENGTH(ss->slice) == length && - (length == 0 || 0 == memcmp(buf, GPR_SLICE_START_PTR(ss->slice), length))) { + (length == 0 || + 0 == memcmp(buf, GPR_SLICE_START_PTR(ss->slice), length))) { GPR_TIMER_END("grpc_mdstr_from_buffer", 0); return ss; } diff --git a/test/core/end2end/fuzzers/api_fuzzer.c b/test/core/end2end/fuzzers/api_fuzzer.c index b6150151d5e..cacf29e2615 100644 --- a/test/core/end2end/fuzzers/api_fuzzer.c +++ b/test/core/end2end/fuzzers/api_fuzzer.c @@ -432,7 +432,7 @@ static void read_metadata(input_stream *inp, size_t *count, } else { *metadata = gpr_malloc(1); } - add_to_free(cs, *metadata); + add_to_free(cs, *metadata); } static call_state *destroy_call(call_state *call) {