From: Stephen Hemminger <stephen@networkplumber.org>
To: Bruce Richardson <bruce.richardson@intel.com>
Cc: <dev@dpdk.org>, <fengchengwen@huawei.com>
Subject: Re: [PATCH] test/argparse: fix out of bound memcpy
Date: Mon, 30 Jun 2025 07:57:52 -0700
Message-ID: <20250630075752.0f860529@hermes.local>
In-Reply-To: <aF7pef1HMfjT88-e@bricha3-mobl1.ger.corp.intel.com>

On Fri, 27 Jun 2025 19:56:57 +0100
Bruce Richardson <bruce.richardson@intel.com> wrote:

> On Fri, Jun 27, 2025 at 09:22:35AM -0700, Stephen Hemminger wrote:
> > The rte_argparse API uses variable length arrays for the args.
> > But the test was only putting space on stack for the argparse
> > part, not the args. This can lead to out of bounds writes.
> > 
> > The bug only gets detected if DPDK is compiled with LTO.
> > In function ‘test_argparse_copy’,
> >     inlined from ‘test_argparse_init_obj’ at ../app/test/test_argparse.c:108:2,
> >     inlined from ‘test_argparse_opt_callback_parse_int_of_no_val’ at ../app/test/test_argparse.c:490:8:
> > ../app/test/test_argparse.c:96:17: warning: ‘memcpy’ writing 56 bytes into a region of size 0 overflows the destination [-Wstringop-overflow=]
> >    96 |                 memcpy(&dst->args[i], &src->args[i], sizeof(src->args[i]));
> > 
> > Fixes: 6c5c6571601c ("argparse: verify argument config")
> > Cc: fengchengwen@huawei.com
> > Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
> > ---  
> 
> It looks to me like this is a false positive. If it's not, then the whole
> method of declaring argparse arguments is broken, and the library is not
> really usable.
> 
> See below for what I see in gdb for a regular (non-LTO) debug build. Looks
> to me like the compiler is doing the right thing.
> 
> /Bruce

The problem is that when the structure is initialized its size gets boosted.
	https://www.gnu.org/software/c-intro-and-ref/manual/html_node/Flexible-Array-Fields.html
	GNU C allows static initialization of flexible array fields. 
	The effect is to “make the array long enough” for the initializer.

	struct f1 { int x; int y[]; } f1
		  = { 1, { 2, 3, 4 } };

It looks like a compiler bug that the extra size info doesn't get propagated
into the copy code.
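The following is an added example, not code from this thread or from DPDK's rte_argparse, illustrating the point above: GNU C lets a static initializer make one particular object "long enough" for its flexible array, but sizeof() of the struct type still excludes that array, so any copy into a plain stack or static instance of the type has room for the header only. The struct layout, the NULL-name terminator convention and the function names here are assumptions chosen for the illustration.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical config struct modelled on the pattern under discussion:
 * a fixed header followed by a flexible array of argument entries. The
 * array is assumed to end with an entry whose name is NULL (assumption,
 * not the actual rte_argparse layout). */
struct arg {
    const char *name;
    int value;
};

struct config {
    const char *prog;
    int flags;
    struct arg args[];   /* flexible array member: not counted by sizeof */
};

/* GNU C extension: static initialization of a flexible array member.
 * The compiler sizes THIS object for all three entries, but
 * sizeof(struct config) is unchanged, so a separate `struct config`
 * variable has no space for them. */
static struct config base_cfg = {
    .prog = "demo",
    .flags = 1,
    .args = {
        { "alpha", 1 },
        { "beta",  2 },
        { NULL,    0 },   /* terminator (constructed convention) */
    },
};

/* Number of entries in args, including the terminator. */
size_t count_args(const struct config *c)
{
    size_t n = 0;
    while (c->args[n].name != NULL)
        n++;
    return n + 1;
}

/* Bytes actually occupied by the header plus its trailing entries. */
size_t config_footprint(const struct config *c)
{
    return sizeof(*c) + count_args(c) * sizeof(c->args[0]);
}

/* How many bytes the per-element copy loop would write past the end of
 * a plain `struct config` destination. Computed, not performed, so the
 * example stays memory-safe. */
size_t overflow_bytes_into_plain_struct(const struct config *src)
{
    size_t need = config_footprint(src);
    size_t have = sizeof(struct config);
    return need > have ? need - have : 0;
}

/* Safe copy: allocate the real footprint first, then copy header and
 * each entry. Caller frees the result. */
struct config *config_dup(const struct config *src)
{
    size_t n = count_args(src);
    struct config *dst = malloc(sizeof(*dst) + n * sizeof(dst->args[0]));
    if (dst == NULL)
        return NULL;
    dst->prog = src->prog;
    dst->flags = src->flags;
    for (size_t i = 0; i < n; i++)
        memcpy(&dst->args[i], &src->args[i], sizeof(src->args[i]));
    return dst;
}
```

Compiling this with -O2 -flto (gcc) and adding a second `struct config` on the stack as the memcpy destination reproduces the -Wstringop-overflow diagnostic quoted in the patch description; the allocation in config_dup is the shape of fix that makes the destination as large as the source regardless of how the source was initialized.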

Thread overview: 13+ messages
2025-06-27 16:22 [PATCH] test/argparse: fix out of bound memcpy Stephen Hemminger
2025-06-27 18:56 ` Bruce Richardson
2025-06-30 14:57   ` Stephen Hemminger [this message]
2025-06-30 14:58 ` [PATCH v2] test/argparse: change initialization to workaround LTO Stephen Hemminger
2025-06-30 15:20   ` Bruce Richardson
2025-06-30 15:23     ` Stephen Hemminger
2025-06-30 15:24     ` Stephen Hemminger
2025-07-01 15:41 ` [PATCH v3] " Stephen Hemminger
2025-07-01 15:48   ` Bruce Richardson
2025-07-07  6:42   ` fengchengwen
2025-07-07  4:12 ` [PATCH] test/argparse: fix out of bound memcpy fengchengwen
2025-09-09 13:49 ` [PATCH v4] test/argparse: change initialization to workaround LTO Stephen Hemminger
2025-10-23 19:09   ` Thomas Monjalon
