Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

upstream: fix PriorityStateManager indexing #3856

Merged
merged 3 commits into from
Jul 16, 2018
Merged

upstream: fix PriorityStateManager indexing #3856

merged 3 commits into from
Jul 16, 2018

Conversation

akonradi
Copy link
Contributor

The PriorityStateManager is indexing off the end of an array when the priority is large enough:

envoy/source/common/upstream/upstream_impl.cc

Line 697 in c92a301

LocalityWeightsMap& locality_weights_map =

I don't know why this was passing tests before - maybe fortuitous stack layout? Either way, indexing past the end of a std::vector is undefined, which is bad.

Risk Level: Low

Testing: Verified that the out-of-bounds indexing is actually happening by testing with an additional assert.

Docs Changes: N/A
Release Notes: N/A

akonradi added 2 commits July 13, 2018 15:40
@akonradi
Add ASSERT for cluster priority indexing.
89f27cb 
Signed-off-by: Alex Konradi <akonradi@google.com>
@akonradi
Fix updateClusterPrioritySet out-of-bounds index
c5ff655 
The code was only checking whether a vector was empty before attempting
to index into it. The tests were, somehow, passing even though they were
invoking undefined behavior. This adds an explicit bounds check, thus
preventing undefined behavior.

Signed-off-by: Alex Konradi <akonradi@google.com>
@akonradi akonradi mentioned this pull request Jul 13, 2018
Merged
mattklein123
mattklein123 reviewed Jul 13, 2018
View reviewed changes
source/common/upstream/upstream_impl.cc
@@ -695,7 +695,7 @@ void PriorityStateManager::updateClusterPrioritySet(
HostVectorSharedPtr hosts(std::move(current_hosts));
LocalityWeightsMap empty_locality_map;
LocalityWeightsMap& locality_weights_map =
priority_state_.empty() ? empty_locality_map : priority_state_[priority].second;
priority_state_.size() > priority ? priority_state_[priority].second : empty_locality_map;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How do we get into this situation? Should there be some test that covers this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't actually know enough about the PriorityStateManager to say, but there was a test that was invoking this undefined behavior and getting lucky, I guess, because it continued to pass. I only saw it failing when I added the assert in 89f27cb. @dio, thoughts?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sorry about that. Thanks, @akonradi for catching this. The relevant test is when we clearing endpoints in this test case:

envoy/test/common/upstream/eds_test.cc

Line 552 in 01d2e16

TEST_F(EdsTest, RemoveUnreferencedLocalities) {

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we keep the assertion?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah it seems like there should be some test that should fail w/o this fix either via assertion or something else?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did some digging. We caught this during the Google import because our std::vector::operator[] implementation does a bounds check, which is not in the spec. Unfortunately, there's no clang sanitizer we can use to do this here since the std::vector implementation is in code, and indexing out-of-bounds doesn't trigger an ASAN violation if the vector allocated extra space.

It looks like both libstdc++ and libc++ have their own ways to enable bounds checks. I tried enabling _GLIBCXX_DEBUG locally but it causes compile errors elsewhere that I don't want to fix in this PR. Moving forward, we should probably define both _GLIBCXX_DEBUG and _LIBCPP_DEBUG for ASAN builds, but that's going to be a future PR. Happy to open an issue if that sounds reasonable.

For now, I've added back in the ASSERT. It feels a little redundant now that the bug has been fixed but it sounds like that's preferred over doing nothing.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK that's fine. There is another issue already opened on using _GLIBXX_DEBUG: #2556

@PiotrSikora PiotrSikora mentioned this pull request Jul 13, 2018
Closed
@akonradi
Add ASSERT back for priority_state_ indexing.
f9fdeea 
std::vector does not do bounds checking (even under ASAN), so add an
explicit ASSERT to do the bounds check.

Signed-off-by: Alex Konradi <akonradi@google.com>
@alyssawilk alyssawilk merged commit cf12ea5 into envoyproxy:master Jul 16, 2018
@akonradi akonradi deleted the priority-state-fix branch September 6, 2018 21:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dio dio dio left review comments

@mattklein123 mattklein123 mattklein123 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@akonradi @dio @mattklein123 @alyssawilk