On Wed, Jun 07, 2023 at 03:08:32PM +0200, Ilya Maximets wrote:
> Initial change set is preserved for as long as the monitor itself.
> However, if a new client has a condition on a column that is not
> one of the monitored columns, this column will be added to the
> monitor via ovsdb_monitor_condition_bind(). This new column, however,
> doesn't exist in the initial change set. That will cause ovsdb-server
> to malfunction or crash trying to access non-existent column during
> condition evaluation:
>
> ERROR: AddressSanitizer: heap-buffer-overflow
> READ of size 4 at 0x606000006780 thread T0
> 0 ovsdb_clause_evaluate ovsdb/condition.c:328:26
> 1 ovsdb_condition_match_any_clause ovsdb/condition.c:441:13
> 2 ovsdb_condition_empty_or_match_any ovsdb/condition.h:84:13
> 3 ovsdb_monitor_row_update_type_condition ovsdb/monitor.c:892:28
> 4 ovsdb_monitor_compose_row_update2 ovsdb/monitor.c:1058:12
> 5 ovsdb_monitor_compose_update ovsdb/monitor.c:1172:24
> 6 ovsdb_monitor_get_update ovsdb/monitor.c:1276:24
> 7 ovsdb_jsonrpc_monitor_create ovsdb/jsonrpc-server.c:1505:12
> 8 ovsdb_jsonrpc_session_got_request ovsdb/jsonrpc-server.c:1030:21
> 9 ovsdb_jsonrpc_session_run ovsdb/jsonrpc-server.c:572:17
> 10 ovsdb_jsonrpc_session_run_all ovsdb/jsonrpc-server.c:602:21
> 11 ovsdb_jsonrpc_server_run ovsdb/jsonrpc-server.c:417:9
> 12 main_loop ovsdb/ovsdb-server.c:222:9
> 13 main ovsdb/ovsdb-server.c:500:5
> 14 __libc_start_call_main
> 15 __libc_start_main@GLIBC_2.2.5
> 16 _start (ovsdb/ovsdb-server+0x473034)
>
> Located 0 bytes after 64-byte region [0x606000006740,0x606000006780)
> allocated by thread T0 here:
> 0 malloc (ovsdb/ovsdb-server+0x50dc82)
> 1 xmalloc__ lib/util.c:140:15
> 2 xmalloc lib/util.c:175:12
> 3 clone_monitor_row_data ovsdb/monitor.c:336:12
> 4 ovsdb_monitor_changes_update ovsdb/monitor.c:1384:23
> 5 ovsdb_monitor_get_initial ovsdb/monitor.c:1535:21
> 6 ovsdb_jsonrpc_monitor_create ovsdb/jsonrpc-server.c:1502:9
> 7 ovsdb_jsonrpc_session_got_request ovsdb/jsonrpc-server.c:1030:21
> 8 ovsdb_jsonrpc_session_run ovsdb/jsonrpc-server.c:572:17
> 9 ovsdb_jsonrpc_session_run_all ovsdb/jsonrpc-server.c:602:21
> 10 ovsdb_jsonrpc_server_run ovsdb/jsonrpc-server.c:417:9
> 11 main_loop ovsdb/ovsdb-server.c:222:9
> 12 main ovsdb/ovsdb-server.c:500:5
> 13 __libc_start_call_main
> 14 __libc_start_main@GLIBC_2.2.5
> 15 _start (ovsdb/ovsdb-server+0x473034)
>
> Fix that by destroying the initial change set every time new columns
> are added to the monitor. This will trigger re-generation of the
> change set and it will contain all the necessary columns afterwards.
>
> Fixes: 07c27226ee96 ("ovsdb: Monitor: Keep and maintain the initial change set.")
> Reported-by: Han Zhou <[email protected]>
> Signed-off-by: Ilya Maximets <[email protected]>
Reviewed-by: Simon Horman <[email protected]>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
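The following is an added illustration, not code from Open vSwitch or from the patch under review. It models in plain C the bug class the quoted commit message describes: a monitor caches an initial change set sized for the columns it tracked when the cache was built, a later condition bind appends a column, and clause evaluation indexes the cached row by column position, so the new column's index lands past the allocation. Every name here (`model_monitor`, `model_condition_bind`, `model_clause_evaluate`, the `table_value` contents) is an assumption for the sake of the model; the `invalidate` flag selects between the stale-cache behaviour and the fix the commit describes, dropping the cached set whenever a column is added so that it is regenerated with all monitored columns. Rather than actually reading past the buffer, the evaluator bounds-checks against the cache's own column count and reports the stale state, which is the check a defender would want where a sanitizer is not running.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a monitor with a cached "initial change set".
 * Names and layout are assumptions, not ovsdb-server's data structures. */
#define MAX_COLUMNS 16

struct model_monitor {
    size_t n_columns;            /* columns currently monitored */
    int columns[MAX_COLUMNS];    /* column ids, in monitor order */
    int *initial;                /* cached change set: one value per column, or NULL */
    size_t initial_n_columns;    /* number of values 'initial' was allocated for */
};

/* Constructed table contents: column id 'c' holds the value 100 + c. */
static int table_value(int column_id) { return 100 + column_id; }

static void model_monitor_init(struct model_monitor *m, const int *cols, size_t n) {
    memset(m, 0, sizeof *m);
    for (size_t i = 0; i < n && i < MAX_COLUMNS; i++) {
        m->columns[m->n_columns++] = cols[i];
    }
}

/* Destroy the cached change set; the next get_initial() regenerates it. */
static void model_monitor_destroy_initial(struct model_monitor *m) {
    free(m->initial);
    m->initial = NULL;
    m->initial_n_columns = 0;
}

/* Regenerate the cached change set if absent; its size follows n_columns. */
static const int *model_monitor_get_initial(struct model_monitor *m) {
    if (!m->initial) {
        m->initial = malloc(m->n_columns * sizeof *m->initial);
        if (!m->initial) abort();
        for (size_t i = 0; i < m->n_columns; i++) {
            m->initial[i] = table_value(m->columns[i]);
        }
        m->initial_n_columns = m->n_columns;
    }
    return m->initial;
}

/* Return the monitor-order index of column_id, appending it if it is not yet
 * monitored.  'invalidate' selects the fixed behaviour: drop the stale cache
 * so it is rebuilt with the new column included. */
static size_t model_condition_bind(struct model_monitor *m, int column_id, bool invalidate) {
    for (size_t i = 0; i < m->n_columns; i++) {
        if (m->columns[i] == column_id) return i;
    }
    if (m->n_columns == MAX_COLUMNS) abort();
    m->columns[m->n_columns] = column_id;
    if (invalidate) model_monitor_destroy_initial(m);
    return m->n_columns++;
}

/* Evaluate "column == expected" against the cached initial row.  Instead of
 * reading past the allocation (the access the sanitizer trace flagged), a
 * bounds check against the cache's own column count reports the stale cache:
 * returns -1 if the index is outside the cached row, else 0/1 for the match. */
static int model_clause_evaluate(struct model_monitor *m, size_t col_index, int expected) {
    const int *row = model_monitor_get_initial(m);
    if (col_index >= m->initial_n_columns) return -1;
    return row[col_index] == expected;
}

/* Scenario: a first client monitors columns 1 and 2, which builds the cache
 * for two columns; a second client's condition references column 7.
 * Returns the evaluate() result for the newly bound column. */
static int model_scenario(bool fixed) {
    struct model_monitor m;
    int cols[] = {1, 2};
    model_monitor_init(&m, cols, 2);
    (void) model_monitor_get_initial(&m);              /* cache sized for 2 columns */
    size_t idx = model_condition_bind(&m, 7, fixed);   /* third column appended */
    int r = model_clause_evaluate(&m, idx, table_value(7));
    model_monitor_destroy_initial(&m);
    return r;
}
```

With `fixed == false` the bound column's index (2) is outside the two-entry cache and the evaluator reports -1, the position at which the real server read one `int` past its 64-byte region; with `fixed == true` the bind discards the cache, `model_monitor_get_initial` rebuilds it with three columns, and the clause evaluates normally.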