[Bug 1854054] [NEW] nr_in_ready_table and nr_in_build_table can underflow in if statement

Tue, 26 Nov 2019 05:21:11 -0800 

Public bug reported:

[impact]

the build_cull_table() function scans through elements up to
nr_in_ready_table/nr_in_build_table, and performs actions if a match was
found; however the match detection logic simply compares the for loop
index against nr_in_*_table - 1, which underflows when 0, resulting in
incorrect if section being run and then segfaulting.

[test case]

this is difficult to reproduce and it's unclear the specific conditions
that can reproduce it, but it has been reported to happen and review of
the code shows it clearly could happen.

[regression potential]

this simply moves the -1 over to the for loop counter as a +1, so the
most likely regression would be a for loop counter overflow.  However
that should not happen as the culltable_size is limited to 4096, and the
for loop counter is unsigned int; so it should be safe from overflow.
Any other regression would likely involve a similar result as the
current bug, a segfault.

** Affects: cachefilesd (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: cachefilesd (Ubuntu Bionic)
     Importance: Undecided
         Status: New

** Affects: cachefilesd (Ubuntu Disco)
     Importance: Undecided
         Status: New

** Affects: cachefilesd (Ubuntu Eoan)
     Importance: Undecided
         Status: New

** Affects: cachefilesd (Ubuntu Focal)
     Importance: Undecided
         Status: New

** Also affects: cachefilesd (Ubuntu Disco)
   Importance: Undecided
       Status: New

** Also affects: cachefilesd (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: cachefilesd (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: cachefilesd (Ubuntu Eoan)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1854054

Title:
  nr_in_ready_table and nr_in_build_table can underflow in if statement

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/cachefilesd/+bug/1854054/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to