Fix UBSan error (ptr + offset overflow) #148
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
As `i + offset` is promoted to a "negative" size_t,
UBSan would complain when adding the resulting offset to `dst`:
```
/tmp/RtmptDX1SS/file584e37df4e/snappy_ep-prefix/src/snappy_ep/snappy.cc:343:43: runtime error: addition of unsigned offset to 0x6120003c5ec1 overflowed to 0x6120003c5ec0
#0 0x7f9ebd21769c in snappy::(anonymous namespace)::Copy64BytesWithPatternExtension(char*, unsigned long) /tmp/RtmptDX1SS/file584e37df4e/snappy_ep-prefix/src/snappy_ep/snappy.cc:343:43
google#1 0x7f9ebd21769c in std::__1::pair<unsigned char const*, long> snappy::DecompressBranchless<char*>(unsigned char const*, unsigned char const*, long, char*, long) /tmp/RtmptDX1SS/file584e37df4e/snappy_ep-prefix/src/snappy_ep/snappy.cc:1160:15
```
|
We also encountered this UBSan error in Firefox' CI when testing updating from 1.1.8 to 1.1.9. I can confirm that this patch results in a clean test run on our end as well. |
jonkeane
added a commit
to apache/arrow
that referenced
this pull request
Dec 8, 2021
…ppy causing a sanitizer error This would replace (temporarily) #11796 in a way that might be ship-able as is until Snappy accepts google/snappy#148 and is released. Closes #11875 from jonkeane/ARROW-14839-two Authored-by: Jonathan Keane <jkeane@gmail.com> Signed-off-by: Jonathan Keane <jkeane@gmail.com>
jonkeane
added a commit
to apache/arrow
that referenced
this pull request
Apr 27, 2022
Another example of google/snappy#148 Closes #13014 from jonkeane/ARROW-16374 Authored-by: Jonathan Keane <jkeane@gmail.com> Signed-off-by: Jonathan Keane <jkeane@gmail.com>
|
cc @emkornfield in case you know how we can push this forward. This is breaking the R CI for Apache Arrow. |
|
I'll see if I can find the right contact. |
mbautin
added a commit
to yugabyte/snappy
that referenced
this pull request
May 30, 2022
…m/raw/google/snappy/pull/148.diff ( google#148 ) Including an edited version of the above PR's description: As i + offset is promoted to a "negative" size_t, UBSan would complain when adding the resulting offset to dst: snappy::(anonymous namespace)::Copy64BytesWithPatternExtension(char*, unsigned long) src/snappy_ep/snappy.cc:343:43 std::__1::pair<unsigned char const*, long> snappy::DecompressBranchless<char*>(unsigned char const*, unsigned char const*, long, char*, long) src/snappy_ep/snappy.cc:1160:15
|
I would love to be able to pull out some of the hacks we have in our CI + tests more general in Arrow to work around this. Is there anything we could do to help push this forward? |
|
Haven't been able to track down the right person for this, will try again after the holiday weekend. |
|
Thanks for the help! |
emkornfield
reviewed
Jul 19, 2022
| @@ -340,7 +340,7 @@ static inline bool Copy64BytesWithPatternExtension(char* dst, size_t offset) { | |||
| if (SNAPPY_PREDICT_TRUE(offset < 16)) { | |||
| if (SNAPPY_PREDICT_FALSE(offset == 0)) return false; | |||
| // Extend the pattern to the first 16 bytes. | |||
| for (int i = 0; i < 16; i++) dst[i] = dst[i - offset]; | |||
There was a problem hiding this comment.
was there s specific reason for this formulation vs pure pointer arithmetic? *(dst - offset + i)
|
@pwnall could you merge this? Or should we ping someone else? |
|
Thank you! |
This was referenced Oct 19, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As
i + offsetis promoted to a "negative" size_t,UBSan would complain when adding the resulting offset to
dst: