[ovs-dev] [PATCH 1/2] odp-util: Fix using uninitialized gtpu metadata.

Ilya Maximets i.maximets at ovn.org
Mon Oct 19 18:23:51 UTC 2020


If datpath flow doesn't have one of the fields of gtpu metdata, e.g.
'tunnel(gtpu())', uninitialized stack memory will be used instead.

 ==3485429==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x853a1b in format_u8x lib/odp-util.c:3474:13
    #1 0x86ee9c in format_odp_tun_gtpu_opt lib/odp-util.c:3713:5
    #2 0x86a099 in format_odp_tun_attr lib/odp-util.c:3973:13
    #3 0x83afe6 in format_odp_key_attr__ lib/odp-util.c:4179:9
    #4 0x838afb in odp_flow_format lib/odp-util.c:4563:17
    #5 0x738422 in log_flow_message lib/dpif.c:1750:5
    #6 0x738e2f in log_flow_put_message lib/dpif.c:1784:9
    #7 0x7371a4 in dpif_operate lib/dpif.c:1377:21
    #8 0x7363ef in dpif_flow_put lib/dpif.c:1035:5
    #9 0xc7aab7 in dpctl_put_flow lib/dpctl.c:1171:13
    #10 0xc65a4f in dpctl_unixctl_handler lib/dpctl.c:2701:17
    #11 0xaaad04 in process_command lib/unixctl.c:308:13
    #12 0xaa87f7 in run_connection lib/unixctl.c:342:17
    #13 0xaa842e in unixctl_server_run lib/unixctl.c:393:21
    #14 0x51c09c in main vswitchd/ovs-vswitchd.c:128:9
    #15 0x7f88344391a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
    #16 0x46b92d in _start (vswitchd/ovs-vswitchd+0x46b92d)

  Uninitialized value was stored to memory at
    #0 0x87da17 in scan_gtpu_metadata lib/odp-util.c:5221:27
    #1 0x874588 in parse_odp_key_mask_attr__ lib/odp-util.c:5862:9
    #2 0x83ee14 in parse_odp_key_mask_attr lib/odp-util.c:5808:18
    #3 0x83e8b5 in odp_flow_from_string lib/odp-util.c:6065:18
    #4 0xc7a4f3 in dpctl_put_flow lib/dpctl.c:1145:13
    #5 0xc65a4f in dpctl_unixctl_handler lib/dpctl.c:2701:17
    #6 0xaaad04 in process_command lib/unixctl.c:308:13
    #7 0xaa87f7 in run_connection lib/unixctl.c:342:17
    #8 0xaa842e in unixctl_server_run lib/unixctl.c:393:21
    #9 0x51c09c in main vswitchd/ovs-vswitchd.c:128:9
    #10 0x7f88344391a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)

  Uninitialized value was created by an allocation of 'msgtype_ma' in the
  stack frame of function 'scan_gtpu_metadata'
    #0 0x87d440 in scan_gtpu_metadata lib/odp-util.c:5187

Fix that by initializing fields to all zeroes by default.

Reported-at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21426
Fixes: 3c6d05a02e0f ("userspace: Add GTP-U support.")
Signed-off-by: Ilya Maximets <i.maximets at ovn.org>
---
 lib/odp-util.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/odp-util.c b/lib/odp-util.c
index 5989381e9..e7424a9ac 100644
--- a/lib/odp-util.c
+++ b/lib/odp-util.c
@@ -5186,8 +5186,8 @@ scan_gtpu_metadata(const char *s,
                    struct gtpu_metadata *mask)
 {
     const char *s_base = s;
-    uint8_t flags, flags_ma;
-    uint8_t msgtype, msgtype_ma;
+    uint8_t flags = 0, flags_ma = 0;
+    uint8_t msgtype = 0, msgtype_ma = 0;
     int len;
 
     if (!strncmp(s, "flags=", 6)) {
-- 
2.25.4



More information about the dev mailing list