Posted to issues@zookeeper.apache.org by "Michael Hudson-Doyle (Jira)" <ji...@apache.org> on 2020/10/04 23:42:00 UTC

[jira] [Updated] (ZOOKEEPER-3954) use of uninitialized data in zookeeper-client/zookeeper-client-c/src/zookeeper.c:free_auth_completion

     [ https://issues.apache.org/jira/browse/ZOOKEEPER-3954?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Hudson-Doyle updated ZOOKEEPER-3954:
--------------------------------------------
    Description: 
When compiled with {{-O3}} and {{gcc-10}} (which is the default for Ubuntu on ppc64el), compilation fails like this:
{code}
/bin/bash ./libtool -tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I./include -I./tests -I./generated -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Werror -g -O3 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -MT zookeeper.lo -MD -MP -MF .deps/zookeeper.Tpo -c -o zookeeper.lo `test -f 'src/zookeeper.c' || echo './'`src/zookeeper.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I./include -I./tests -I./generated -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Werror -g -O3 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -MT zookeeper.lo -MD -MP -MF .deps/zookeeper.Tpo -c src/zookeeper.c -fPIC -DPIC -o .libs/zookeeper.o
src/zookeeper.c: In function 'free_completions': 
src/zookeeper.c:284:9: error: 'a_list.next' may be used uninitialized in this function [-Werror=maybe-uninitialized] 
284 | tmp = a_list->next; 
    | ~~~^~~~~~~~~~~~~ 
cc1: all warnings being treated as errors
{code}
 What's happening here is that free_auth_completion is being inlined into free_completions, and this lets gcc see that members of a_list are being accessed without initialization. I don't know anything like enough about this code to see if this is a bug in code paths that are actually taken, but at a glance it's certainly not obviously impossible: if the two if conditions at the top level of free_completions evaluate false, the function effectively looks like this:
 
{code:c}
void free_completions(zhandle_t *zh,int callCompletion,int reason)
{ 
 auth_completion_list_t a_list; 
 free_auth_completion(&a_list); 
} 
{code}

so it's pretty clear that a_list is backed by uninitialized stack memory. Explicitly initializing the variable with "{{a_list = \{NULL, NULL, NULL}}}" makes the warning go away.
 

  was:
When compiled with {{-O3}} and {{gcc-10}} (which is the default for Ubuntu on ppc64el), compilation fails like this:
{code:shell}
/bin/bash ./libtool -tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I./include -I./tests -I./generated -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Werror -g -O3 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -MT zookeeper.lo -MD -MP -MF .deps/zookeeper.Tpo -c -o zookeeper.lo `test -f 'src/zookeeper.c' || echo './'`src/zookeeper.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I./include -I./tests -I./generated -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Werror -g -O3 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -MT zookeeper.lo -MD -MP -MF .deps/zookeeper.Tpo -c src/zookeeper.c -fPIC -DPIC -o .libs/zookeeper.o src/zookeeper.c: In function 'free_completions': src/zookeeper.c:284:9: error: 'a_list.next' may be used uninitialized in this function [-Werror=maybe-uninitialized] 284 | tmp = a_list->next; | ~~~^~~~~~~~~~~~~ cc1: all warnings being treated as errors{code}
 What's happening here is that free_auth_completion is being inlined into free_completions, and this lets gcc see that members of a_list are being accessed without initialization. I don't know anything like enough about this code to see if this is a bug in code paths that are actually taken, but at a glance it's certainly not obviously impossible: if the two if conditions at the top level of free_completions evaluate false, the function effectively looks like this:
 
{code:c}
void free_completions(zhandle_t *zh,int callCompletion,int reason)
{ 
 auth_completion_list_t a_list; 
 free_auth_completion(&a_list); 
} 
{code}

so it's pretty clear that a_list is backed by uninitialized stack memory. Explicitly initializing the variable with "a_list = {NULL, NULL, NULL}" makes the warning go away.
 


> use of uninitialized data in zookeeper-client/zookeeper-client-c/src/zookeeper.c:free_auth_completion
> -----------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-3954
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3954
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: c client
>    Affects Versions: 3.6.2
>            Reporter: Michael Hudson-Doyle
>            Priority: Minor
>
> When compiled with {{-O3}} and {{gcc-10}} (which is the default for Ubuntu on ppc64el), compilation fails like this:
> {code}
> /bin/bash ./libtool -tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I./include -I./tests -I./generated -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Werror -g -O3 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -MT zookeeper.lo -MD -MP -MF .deps/zookeeper.Tpo -c -o zookeeper.lo `test -f 'src/zookeeper.c' || echo './'`src/zookeeper.c libtool: compile: gcc -DHAVE_CONFIG_H -I. -I./include -I./tests -I./generated -Wdate-time -D_FORTIFY_SOURCE=2 -Wall -Werror -g -O3 -fdebug-prefix-map=/<<PKGBUILDDIR>>=. -fstack-protector-strong -Wformat -Werror=format-security -MT zookeeper.lo -MD -MP -MF .deps/zookeeper.Tpo -c src/zookeeper.c -fPIC -DPIC -o .libs/zookeeper.o
> src/zookeeper.c: In function 'free_completions': 
> src/zookeeper.c:284:9: error: 'a_list.next' may be used uninitialized in this function [-Werror=maybe-uninitialized] 
> 284 | tmp = a_list->next; 
>     | ~~~^~~~~~~~~~~~~ 
> cc1: all warnings being treated as errors
> {code}
>  What's happening here is that free_auth_completion is being inlined into free_completions, and this lets gcc see that members of a_list are being accessed without initialization. I don't know anything like enough about this code to see if this is a bug in code paths that are actually taken, but at a glance it's certainly not obviously impossible: if the two if conditions at the top level of free_completions evaluate false, the function effectively looks like this:
>  
> {code:c}
> void free_completions(zhandle_t *zh,int callCompletion,int reason)
> { 
>  auth_completion_list_t a_list; 
>  free_auth_completion(&a_list); 
> } 
> {code}
> so it's pretty clear that a_list is backed by uninitialized stack memory. Explicitly initializing the variable with "{{a_list = \{NULL, NULL, NULL}}}" makes the warning go away.
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
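The pattern the report describes, as an added example that is not ZooKeeper's code and not part of the Jira message above: a list head declared on the caller's stack, populated only under some condition, and handed unconditionally to a routine that reads `head->next` and frees whatever it finds. The struct layout, the names `auth_node_t`, `free_auth_list`, `append_auth`, `drain_pending_auths` and `second_free_count`, and the `n_pending` stand-in for the two `if` conditions in `free_completions` are all assumptions modelled on the report, not copied from `zookeeper.c`. The block shows the hardened form (head zero-initialised at its declaration, the same idea as the reporter's `a_list = {NULL, NULL, NULL}`) with the vulnerable declaration left beside it as a comment.

```c
#include <stdio.h>
#include <stdlib.h>

/* Added example, not ZooKeeper's code. Stand-in for auth_completion_list_t:
 * a head that lives on the caller's stack whose `next` chains heap nodes.
 * Field names are assumptions modelled on the report. */
typedef struct auth_node {
    void (*completion)(void *ctx);  /* callback to run, may be NULL */
    const char *auth_data;          /* opaque payload, not owned by the list */
    struct auth_node *next;
} auth_node_t;

/* Walks and frees the heap nodes chained off a stack-resident head.
 * Like the report's free_auth_completion it reads a_list->next
 * unconditionally, so the head MUST be initialised by the caller: on an
 * indeterminate head this is a read of stack garbage followed by a
 * free() of a garbage pointer. Returns the number of nodes freed. */
static int free_auth_list(auth_node_t *a_list)
{
    int freed = 0;
    if (a_list == NULL)
        return 0;
    auth_node_t *tmp = a_list->next;
    while (tmp != NULL) {
        auth_node_t *next = tmp->next;
        free(tmp);
        tmp = next;
        freed++;
    }
    a_list->next = NULL;  /* leave the head safe to walk (or free) again */
    return freed;
}

/* Pushes a heap node after the head. Returns 0 on allocation failure. */
static int append_auth(auth_node_t *head, const char *data)
{
    auth_node_t *node = calloc(1, sizeof *node);
    if (node == NULL)
        return 0;
    node->auth_data = data;
    node->next = head->next;
    head->next = node;
    return 1;
}

/* Mirrors the shape of free_completions(): the head is a local, the list
 * is populated only under a condition, and the free routine runs on every
 * path. `n_pending` plays the role of the two top-level if conditions;
 * with n_pending == 0 the only code that runs is "declare head, free
 * head", exactly the path the report describes.
 *
 * Hardened form: the head is initialised at its declaration, so the
 * unconditional free sees next == NULL and does nothing. A designated
 * initialiser stays correct if the fields are ever reordered. */
static int drain_pending_auths(int n_pending)
{
    auth_node_t a_list = { .completion = NULL, .auth_data = NULL, .next = NULL };
    /* Vulnerable form, for contrast (do not do this):
     *   auth_node_t a_list;     // indeterminate: next is stack garbage
     * With n_pending == 0 nothing writes a_list before free_auth_list
     * reads a_list->next, the read gcc -O3 flagged once the callee was
     * inlined and the missing store became visible. */
    for (int i = 0; i < n_pending; i++) {
        if (!append_auth(&a_list, "constructed-auth-blob"))  /* constructed payload */
            break;
    }
    return free_auth_list(&a_list);  /* runs unconditionally, as in the report */
}

/* Because free_auth_list resets next, freeing the same head twice is
 * harmless; returns the node count freed on the second pass (expected 0). */
static int second_free_count(void)
{
    auth_node_t head = {0};  /* brace-zero form of the same fix */
    append_auth(&head, "x");
    append_auth(&head, "y");
    free_auth_list(&head);
    return free_auth_list(&head);
}

int main(void)
{
    printf("freed with 0 pending: %d\n", drain_pending_auths(0));
    printf("freed with 3 pending: %d\n", drain_pending_auths(3));
    printf("second free of same head: %d\n", second_free_count());
    return 0;
}
```

Two practical notes. `-Wmaybe-uninitialized` is a best-effort analysis whose reach depends on inlining, which is why the report only sees it at `-O3` with gcc-10; a clean build at `-O2` or with an older compiler does not show the path is safe, it only shows the compiler could not see it. Initialising at the point of declaration, as above, is the fix that survives refactoring; as a belt-and-braces mitigation for the whole tree, GCC 12 and later and Clang accept `-ftrivial-auto-var-init=zero`, which zero-fills automatic variables the code forgot to initialise.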