On 6/8/23 16:22, Simon Horman wrote:
> On Wed, Jun 07, 2023 at 03:08:32PM +0200, Ilya Maximets wrote:
>> Initial change set is preserved for as long as the monitor itself.
>> However, if a new client has a condition on a column that is not
>> one of the monitored columns, this column will be added to the
>> monitor via ovsdb_monitor_condition_bind(). This new column, however,
>> doesn't exist in the initial change set. That will cause ovsdb-server
>> to malfunction or crash trying to access non-existent column during
>> condition evaluation:
>>
>> ERROR: AddressSanitizer: heap-buffer-overflow
>> READ of size 4 at 0x606000006780 thread T0
>> 0 ovsdb_clause_evaluate ovsdb/condition.c:328:26
>> 1 ovsdb_condition_match_any_clause ovsdb/condition.c:441:13
>> 2 ovsdb_condition_empty_or_match_any ovsdb/condition.h:84:13
>> 3 ovsdb_monitor_row_update_type_condition ovsdb/monitor.c:892:28
>> 4 ovsdb_monitor_compose_row_update2 ovsdb/monitor.c:1058:12
>> 5 ovsdb_monitor_compose_update ovsdb/monitor.c:1172:24
>> 6 ovsdb_monitor_get_update ovsdb/monitor.c:1276:24
>> 7 ovsdb_jsonrpc_monitor_create ovsdb/jsonrpc-server.c:1505:12
>> 8 ovsdb_jsonrpc_session_got_request ovsdb/jsonrpc-server.c:1030:21
>> 9 ovsdb_jsonrpc_session_run ovsdb/jsonrpc-server.c:572:17
>> 10 ovsdb_jsonrpc_session_run_all ovsdb/jsonrpc-server.c:602:21
>> 11 ovsdb_jsonrpc_server_run ovsdb/jsonrpc-server.c:417:9
>> 12 main_loop ovsdb/ovsdb-server.c:222:9
>> 13 main ovsdb/ovsdb-server.c:500:5
>> 14 __libc_start_call_main
>> 15 __libc_start_main@GLIBC_2.2.5
>> 16 _start (ovsdb/ovsdb-server+0x473034)
>>
>> Located 0 bytes after 64-byte region [0x606000006740,0x606000006780)
>> allocated by thread T0 here:
>> 0 malloc (ovsdb/ovsdb-server+0x50dc82)
>> 1 xmalloc__ lib/util.c:140:15
>> 2 xmalloc lib/util.c:175:12
>> 3 clone_monitor_row_data ovsdb/monitor.c:336:12
>> 4 ovsdb_monitor_changes_update ovsdb/monitor.c:1384:23
>> 5 ovsdb_monitor_get_initial ovsdb/monitor.c:1535:21
>> 6 ovsdb_jsonrpc_monitor_create ovsdb/jsonrpc-server.c:1502:9
>> 7 ovsdb_jsonrpc_session_got_request ovsdb/jsonrpc-server.c:1030:21
>> 8 ovsdb_jsonrpc_session_run ovsdb/jsonrpc-server.c:572:17
>> 9 ovsdb_jsonrpc_session_run_all ovsdb/jsonrpc-server.c:602:21
>> 10 ovsdb_jsonrpc_server_run ovsdb/jsonrpc-server.c:417:9
>> 11 main_loop ovsdb/ovsdb-server.c:222:9
>> 12 main ovsdb/ovsdb-server.c:500:5
>> 13 __libc_start_call_main
>> 14 __libc_start_main@GLIBC_2.2.5
>> 15 _start (ovsdb/ovsdb-server+0x473034)
>>
>> Fix that by destroying the initial change set every time new columns
>> are added to the monitor. This will trigger re-generation of the
>> change set and it will contain all the necessary columns afterwards.
>>
>> Fixes: 07c27226ee96 ("ovsdb: Monitor: Keep and maintain the initial change set.")
>> Reported-by: Han Zhou <[email protected]>
>> Signed-off-by: Ilya Maximets <[email protected]>
>
> Reviewed-by: Simon Horman <[email protected]>
>
Thanks, Han and Simon! Applied.
Best regards, Ilya Maximets.
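The failure the commit message describes, modelled as an added C example that is not OVS code: a monitor caches its initial change set with rows sized to the column count at creation time, a condition bind grows the column set, and evaluating the clause on the new column reads past the cached row. The `struct monitor`, `build_initial`, `add_column`, `evaluate` and `clause_value_after_bind` names are constructed for this illustration; `add_column(..., fixed=1)` applies the fix of dropping the cached set so it is regenerated.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed model: one cached row standing in for the initial change set. */
struct monitor {
    size_t n_columns;        /* columns currently monitored */
    int *initial_row;        /* cached initial change set, or NULL if dropped */
    size_t initial_columns;  /* column count the cache was built with */
};

/* Build the cached row for the current column set (stand-in for
 * ovsdb_monitor_get_initial). Values are constructed: column i holds i*10. */
static void build_initial(struct monitor *m) {
    m->initial_row = malloc(m->n_columns * sizeof *m->initial_row);
    for (size_t i = 0; i < m->n_columns; i++) m->initial_row[i] = (int) i * 10;
    m->initial_columns = m->n_columns;
}

/* A condition on an unmonitored column adds it to the monitor (stand-in for
 * ovsdb_monitor_condition_bind). With 'fixed' set, the cached initial change
 * set is destroyed so the next evaluation regenerates it with all columns. */
static void add_column(struct monitor *m, int fixed) {
    m->n_columns++;
    if (fixed) { free(m->initial_row); m->initial_row = NULL; }
}

/* Evaluate a clause on column 'col' against the cached row. Returns -1 where
 * the real server would read out of bounds: the cache predates the column. */
static int evaluate(struct monitor *m, size_t col) {
    if (!m->initial_row) build_initial(m);    /* lazy regeneration */
    if (col >= m->initial_columns) return -1;  /* the heap-buffer-overflow site */
    return m->initial_row[col];
}

/* Value a clause on the newly bound column sees: -1 unfixed, 20 fixed. */
int clause_value_after_bind(int fixed) {
    struct monitor m = { .n_columns = 2, .initial_row = NULL, .initial_columns = 0 };
    build_initial(&m);       /* initial change set created with 2 columns */
    add_column(&m, fixed);   /* new client's condition binds a third column */
    int v = evaluate(&m, 2);
    free(m.initial_row);
    return v;
}

int main(void) {
    printf("unfixed: %d  fixed: %d\n", clause_value_after_bind(0), clause_value_after_bind(1));
    return 0;
}
```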
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev