From: "me at serhei dot io"
To: systemtap@sourceware.org
Subject: [Bug bpf/24811] New: stapbpf segfault: nested foreach loops can corrupt sorted key data when limit==0
Date: Mon, 15 Jul 2019 16:51:00 -0000

https://sourceware.org/bugzilla/show_bug.cgi?id=24811

            Bug ID: 24811
           Summary: stapbpf segfault: nested foreach loops can corrupt
                    sorted key data when limit==0
           Product: systemtap
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: bpf
          Assignee: systemtap at sourceware dot org
          Reporter: me at serhei dot io
  Target Milestone: ---

Spotted this while working on pr23858, which is a rabbit hole of tricky
behaviour.

The existing

    if (limit == 0) goto empty; -> empty: keys.pop_back()

code sequence in bpfinterp.cxx map_get_next_key() seemed fishy to me.
Turns out you can cause a segfault with nested foreach loops.

    foreach (k1- in a) { // push sorted data for a
      flag = flag && k1 == (0-a[k1]) // check data for a
      foreach (k2- in b) { // push sorted data for b
        flag = flag && k2 == b[k2] // check data for b
        foreach (k3- in a limit lim) { // bug -- don't push, pop sorted data for b
          flag = 0 // should not be invoked
        } // bug -- after popping, will read sorted data for a on next iteration
      } // pop sorted data for b, but with bug pops a
    } // pop sorted data for a, but with bug pops -- segfault?

Filing since I suspect a less convoluted set of loops will cause the same
thing.

-- 
You are receiving this mail because:
You are the assignee for the bug.
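The push/pop imbalance the report describes can be reproduced in a small model, independent of the bpf interpreter. The C++ below is an added example written for this page, not code from stapbpf or from the reporter: it keeps one sorted key list per active foreach on a shared stack (the names KeyStack, begin_loop, next_key, pop_frame, run_nested and the NO_LIMIT sentinel are this example's own assumptions), replays the three nested loops over constructed maps where a[k] == -k and b[k] == k, and compares the `limit == 0` shortcut that takes the exhaustion exit (and pops a frame it never pushed) with the fixed behaviour of returning "no keys" without touching the stack. An unbalanced pop is reported as -1 instead of crashing.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <map>
#include <stdexcept>
#include <vector>

// Constructed model of the bookkeeping the report describes: every foreach
// pushes its sorted key list on a shared stack at loop entry and pops it on
// the exhaustion path. All names here are the example's own, not stapbpf's.
using Keys = std::vector<int64_t>;
static const int64_t NO_LIMIT = -1;  // model convention for "no limit clause"

struct KeyStack {
    std::vector<Keys> frames;     // one sorted key list per active foreach
    std::vector<size_t> cursor;   // iteration position per frame
};

// Exhaustion path: discard the innermost loop's sorted data. Throwing here
// stands in for the memory corruption an unbalanced pop causes for real.
static void pop_frame(KeyStack& st) {
    if (st.frames.empty()) throw std::runtime_error("pop on empty key stack");
    st.frames.pop_back();
    st.cursor.pop_back();
}

// Yield the next key of the innermost loop, honouring `limit`; pops the frame
// and returns false once the loop is finished.
static bool next_key(KeyStack& st, int64_t limit, int64_t& out) {
    if (st.frames.empty()) throw std::runtime_error("iteration with no frame");
    size_t& c = st.cursor.back();
    const Keys& f = st.frames.back();
    if (c >= f.size() || (limit != NO_LIMIT && static_cast<int64_t>(c) >= limit)) {
        pop_frame(st);
        return false;
    }
    out = f[c++];
    return true;
}

// Loop entry. With `buggy` set, limit == 0 takes the exhaustion exit before
// anything was pushed (the "goto empty" shortcut), so it pops the enclosing
// loop's frame. The fixed path reports "no keys" and leaves the stack alone.
static bool begin_loop(KeyStack& st, const std::map<int64_t, int64_t>& m,
                       int64_t limit, bool buggy, int64_t& out) {
    if (limit == 0) {
        if (buggy) pop_frame(st);
        return false;
    }
    Keys sorted;
    for (const auto& kv : m) sorted.push_back(kv.first);
    std::sort(sorted.begin(), sorted.end(), std::greater<int64_t>());  // "k-": descending
    st.frames.push_back(sorted);
    st.cursor.push_back(0);
    return next_key(st, limit, out);
}

// Missing keys read as 0, as they do in a systemtap script.
static int64_t lookup(const std::map<int64_t, int64_t>& m, int64_t k) {
    auto it = m.find(k);
    return it == m.end() ? 0 : it->second;
}

// Replays the report's three nested loops over constructed maps (a[k] == -k,
// b[k] == k). Returns 1 if `flag` survived and the stack ended balanced, 0 if
// the inner body ran, and -1 if the key stack became unbalanced (the crash).
static int run_nested(int64_t lim, bool buggy) {
    const std::map<int64_t, int64_t> a = {{1, -1}, {2, -2}, {3, -3}};
    const std::map<int64_t, int64_t> b = {{1, 1}, {2, 2}};
    KeyStack st;
    bool flag = true;
    int64_t k1 = 0, k2 = 0, k3 = 0;
    try {
        for (bool m1 = begin_loop(st, a, NO_LIMIT, buggy, k1); m1; m1 = next_key(st, NO_LIMIT, k1)) {
            flag = flag && k1 == (0 - lookup(a, k1));
            for (bool m2 = begin_loop(st, b, NO_LIMIT, buggy, k2); m2; m2 = next_key(st, NO_LIMIT, k2)) {
                flag = flag && k2 == lookup(b, k2);
                for (bool m3 = begin_loop(st, a, lim, buggy, k3); m3; m3 = next_key(st, lim, k3)) {
                    flag = false;  // must never execute when lim == 0
                }
            }
        }
    } catch (const std::runtime_error&) {
        return -1;
    }
    return (flag && st.frames.empty()) ? 1 : 0;
}

int main() {
    std::printf("lim=0 buggy: %d, fixed: %d\n", run_nested(0, true), run_nested(0, false));
    std::printf("lim=1 buggy: %d, fixed: %d\n", run_nested(1, true), run_nested(1, false));
    return 0;
}
```

With a non-zero limit both variants stay balanced, which is why the defect only shows up at `limit == 0`: that is the one case where the exit path runs without a matching push, and the frame it removes belongs to the loop one level up, so the next iteration of that loop reads the wrong map's sorted keys before the stack finally underflows.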