[ovs-dev] [OVN] Bug: using of uninitialized memory for ic_route_hash.

Han Zhou hzhou at ovn.org
Wed Oct 14 17:15:05 UTC 2020


On Wed, Oct 14, 2020 at 8:14 AM Ilya Maximets <i.maximets at ovn.org> wrote:
>
> Hi.
>
> I tried to run OVN under MemorySanitizer and it found that 'nexthop'
> that passed to ic_route_hash() is typically allocated on stack and
> not fully initialized.  'nexthop' has type of 'struct v46_ip' which
> contains a union to share space for ipv4 and ipv6 address.  If only
> ipv4 initialized where is a plenty of uninitialized space that goes
> to hash_bytes(nexthop, sizeof *nexthop, basis).  This might cause
> inability to find this nexthop inside the hashmap.
>
> So, 'nexthop' must be fully initialized with memset in order to
> avoid such problems.  Another option is to use single structure
> 'struct in6_addr' and map ipv4 address to it with existing api:
> in6_addr_{get,set}_mapped_ipv4/IN6_IS_ADDR_V4MAPPED.
>

Thanks Ilya for reporting this bug! The impact of the bug is:
When a directly connected network of a router is found to be advertised, if
the route already existed in the global IC-SB, it may not be found due to
the hash difference, and results in the existing route being deleted and
the same one recreated, unnecessarily.

I fixed it here:
https://patchwork.ozlabs.org/project/ovn/patch/20201014170821.227967-1-hzhou@ovn.org/

> To be honest, I do not understand why 'struct v46_ip' exist, but
> that's a bit different story.
>
Maybe we should refactor the code to avoid this kind of problem happening
again. The struct existed before and I found it convenient so just reused
it (in ECMP route processing as well).

Thanks,
Han

> Report from MemorySanitizer:
>
> ==3074629==WARNING: MemorySanitizer: use-of-uninitialized-value
>     #0 0x67177e in mhash_add__ ovs/./lib/hash.h:66:9
>     #1 0x671668 in mhash_add ovs/./lib/hash.h:78:12
>     #2 0x6701e9 in hash_bytes ovs/lib/hash.c:38:16
>     #3 0x524b4a in add_network_to_routes_ad ic/ovn-ic.c:1095:5
>     #4 0x51eea3 in route_run ic/ovn-ic.c:1424:21
>     #5 0x51887b in main ic/ovn-ic.c:1674:17
>     #6 0x7fd4ce7871a2 in __libc_start_main
>     #7 0x49c90d in _start (ic/ovn-ic+0x49c90d)
>
>   Uninitialized value was created by an allocation of 'nexthop' in the
>   stack frame of function 'add_network_to_routes_ad'
>     #0 0x5245f0 in add_network_to_routes_ad ic/ovn-ic.c:1069
>
> Best regards, Ilya Maximets.


More information about the dev mailing list