Fix UBSan error (ptr + offset overflow) #148
As `i + offset` is promoted to a "negative" size_t, UBSan would complain when adding the resulting offset to `dst`:

```
/tmp/RtmptDX1SS/file584e37df4e/snappy_ep-prefix/src/snappy_ep/snappy.cc:343:43: runtime error: addition of unsigned offset to 0x6120003c5ec1 overflowed to 0x6120003c5ec0
    #0 0x7f9ebd21769c in snappy::(anonymous namespace)::Copy64BytesWithPatternExtension(char*, unsigned long) /tmp/RtmptDX1SS/file584e37df4e/snappy_ep-prefix/src/snappy_ep/snappy.cc:343:43
    #1 0x7f9ebd21769c in std::__1::pair<unsigned char const*, long> snappy::DecompressBranchless<char*>(unsigned char const*, unsigned char const*, long, char*, long) /tmp/RtmptDX1SS/file584e37df4e/snappy_ep-prefix/src/snappy_ep/snappy.cc:1160:15
```
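As an added illustration (not snappy's code and not the PR's patch) of the promotion described above, and of the pointer-first form the review comment on the diff asks about; `index_as_written`, `extend_pattern_ptr` and `demo` are names chosen here, and the input pattern is constructed:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not snappy's code. The loop in the PR hunk is
 *   for (int i = 0; i < 16; i++) dst[i] = dst[i - offset];
 * with `int i` and `size_t offset`. */

/* The index expression as written: `i` is converted to size_t for the
 * subtraction, so for i < offset the result wraps to a value near SIZE_MAX
 * instead of a small negative number. Adding that to `dst` is the
 * "addition of unsigned offset ... overflowed" UBSan reports. We only
 * compute the value here; we never apply it to a pointer. */
size_t index_as_written(int i, size_t offset) {
  return i - offset;
}

/* Pointer-first formulation: step the pointer back by `offset` once, then
 * index forward with a non-negative `i`. The byte-by-byte forward copy
 * intentionally reads bytes written earlier in the same loop, which is what
 * extends a short pattern across all 16 bytes. Returns 0 for offset == 0,
 * matching the early return in the hunk; offsets >= 16 are out of scope. */
int extend_pattern_ptr(char *dst, size_t offset) {
  if (offset == 0 || offset >= 16) return 0;
  const char *src = dst - offset;  /* start of the pattern, never past dst */
  for (int i = 0; i < 16; i++) dst[i] = src[i];
  return 1;
}

/* Constructed input: the 2-byte pattern "ab" followed by 16 bytes to fill.
 * Returns the NUL-terminated 18-byte result, or NULL on failure. */
const char *demo(void) {
  static char buf[19];
  memset(buf, 0, sizeof buf);
  memcpy(buf, "ab", 2);
  if (!extend_pattern_ptr(buf + 2, 2)) return NULL;
  return buf;  /* "ababababababababab" */
}

int main(void) {
  printf("index_as_written(0, 1) = %zu (SIZE_MAX = %zu)\n",
         index_as_written(0, 1), (size_t)SIZE_MAX);
  const char *r = demo();
  if (r) printf("extended: %s\n", r);
  return 0;
}
```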
We also encountered this UBSan error in Firefox's CI when testing updating from 1.1.8 to 1.1.9. I can confirm that this patch results in a clean test run on our end as well.
…ppy causing a sanitizer error This would replace (temporarily) #11796 in a way that might be ship-able as is until Snappy accepts google/snappy#148 and is released. Closes #11875 from jonkeane/ARROW-14839-two Authored-by: Jonathan Keane <jkeane@gmail.com> Signed-off-by: Jonathan Keane <jkeane@gmail.com>
Another example of google/snappy#148 Closes #13014 from jonkeane/ARROW-16374 Authored-by: Jonathan Keane <jkeane@gmail.com> Signed-off-by: Jonathan Keane <jkeane@gmail.com>
cc @emkornfield in case you know how we can push this forward. This is breaking the R CI for Apache Arrow.
I'll see if I can find the right contact.
…m/raw/google/snappy/pull/148.diff ( google#148 ) Including an edited version of the above PR's description: As i + offset is promoted to a "negative" size_t, UBSan would complain when adding the resulting offset to dst:

    snappy::(anonymous namespace)::Copy64BytesWithPatternExtension(char*, unsigned long) src/snappy_ep/snappy.cc:343:43
    std::__1::pair<unsigned char const*, long> snappy::DecompressBranchless<char*>(unsigned char const*, unsigned char const*, long, char*, long) src/snappy_ep/snappy.cc:1160:15
I would love to be able to pull out some of the hacks we have in our CI + tests more general in Arrow to work around this. Is there anything we could do to help push this forward?
Haven't been able to track down the right person for this, will try again after the holiday weekend.
Thanks for the help!
@@ -340,7 +340,7 @@ static inline bool Copy64BytesWithPatternExtension(char* dst, size_t offset) { | |||
if (SNAPPY_PREDICT_TRUE(offset < 16)) { | |||
if (SNAPPY_PREDICT_FALSE(offset == 0)) return false; | |||
// Extend the pattern to the first 16 bytes. | |||
for (int i = 0; i < 16; i++) dst[i] = dst[i - offset]; |
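Review bot: the index expression `dst[i - offset]` on the last line of the hunk mixes `int i` with `size_t offset` (see the function signature in the `@@` header), so `i - offset` is evaluated as an unsigned subtraction and wraps to a value near SIZE_MAX whenever `i < offset`; adding that to `dst` is the unsigned-offset overflow UBSan reports in the description. Prefer forming the pointer first and indexing forward, e.g. `const char* src = dst - offset;` followed by `dst[i] = src[i];`, which never computes an out-of-object pointer and keeps the behaviour identical (for `i >= offset` the read still picks up bytes written earlier in the loop, which is what extends the pattern). A comment stating that the overlapping forward copy is intentional would also help the next reader.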
Was there a specific reason for this formulation vs pure pointer arithmetic? `*(dst - offset + i)`
@pwnall could you merge this? Or should we ping someone else?
Thank you!