From aae40bf574571ba571f179fd08ef1c8b732812a1 Mon Sep 17 00:00:00 2001 
From: Francis Deslauriers
Date: Tue, 25 May 2021 17:45:57 -0400
Subject: [PATCH] Fix: sessiond: use of uninitialized memory in buffer-usage condition
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Issue
=====

valgrind reports the following:

==436327== Thread 9 Client manageme:
==436327== Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s)
==436327==    at 0x51E418D: __libc_sendmsg (sendmsg.c:28)
==436327==    by 0x51E418D: sendmsg (sendmsg.c:25)
==436327==    by 0x20D436: lttcomm_send_unix_sock (unix.c:294)
==436327==    by 0x186F08: send_unix_sock (client.c:895)
==436327==    by 0x18BAFA: thread_manage_clients (client.c:2800)
==436327==    by 0x18147D: launch_thread (thread.c:66)
==436327==    by 0x51D8608: start_thread (pthread_create.c:477)
==436327==    by 0x5314292: clone (clone.S:95)
==436327==  Address 0x7540ec1 is 97 bytes inside a block of size 256 alloc'd
==436327==    at 0x483DFAF: realloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==436327==    by 0x1E7556: lttng_dynamic_buffer_set_capacity (dynamic-buffer.c:166)
==436327==    by 0x1E72FC: lttng_dynamic_buffer_append (dynamic-buffer.c:55)
==436327==    by 0x1DE604: lttng_condition_buffer_usage_serialize (buffer-usage.c:123)
==436327==    by 0x1DFF47: lttng_condition_serialize (condition.c:98)
==436327==    by 0x20ACD0: lttng_trigger_serialize (trigger.c:328)
==436327==    by 0x189EBE: process_client_msg (client.c:2258)
==436327==    by 0x18B761: thread_manage_clients (client.c:2742)
==436327==    by 0x18147D: launch_thread (thread.c:66)
==436327==    by 0x51D8608: start_thread (pthread_create.c:477)
==436327==    by 0x5314292: clone (clone.S:95)

This can be reproduced by running the sessiond under valgrind and launching
the following binary to register buffer-usage conditions:

  ./tests/regression/tools/trigger/utils/register-some-triggers test_buffer_usage_conditions

The valgrind report is pointing us toward the `struct lttng_condition_buffer_usage_comm` stack allocation
in the `lttng_condition_buffer_usage_serialize()` function. The actual issue is that the threshold_bytes/threshold_ratio will not be initialized in that structure depending on the way the threshold is expressed. Fix === Make sure the struct is zeroed at the declaration site. Signed-off-by: Francis Deslauriers Signed-off-by: Jérémie Galarneau Change-Id: I2046f4e0e1d857cfd1a53e0c13aea55f17adada3 --- src/common/conditions/buffer-usage.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/common/conditions/buffer-usage.c b/src/common/conditions/buffer-usage.c index 54affe765..cc9e9cde8 100644 --- a/src/common/conditions/buffer-usage.c +++ b/src/common/conditions/buffer-usage.c @@ -84,7 +84,7 @@ int lttng_condition_buffer_usage_serialize( int ret; struct lttng_condition_buffer_usage *usage; size_t session_name_len, channel_name_len; - struct lttng_condition_buffer_usage_comm usage_comm; + struct lttng_condition_buffer_usage_comm usage_comm = {}; if (!condition || !IS_USAGE_CONDITION(condition)) { ret = -1; -- 2.34.1
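Review bot: `usage_comm = {};` clears the threshold field valgrind flagged, but an initializer is not guaranteed by ISO C to clear padding bytes, and this struct is copied whole into the send buffer (`lttng_dynamic_buffer_append` in the reported stack), so padding between its fields can still carry stale stack bytes to the client. A `memset(&usage_comm, 0, sizeof(usage_comm));` before the fields are filled in makes the intent explicit and covers padding; worth re-running the `register-some-triggers test_buffer_usage_conditions` reproducer under valgrind afterwards to confirm the `sendmsg` warning is gone. Minor: the empty-brace initializer is a GCC/Clang extension before C23, so `= {0}` is the portable spelling if the tree is built with `-std=c99`/`-std=c11 -pedantic`.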
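The bug class the commit message describes (a stack struct with two alternative threshold fields, only one of which gets written before the whole struct is appended to a buffer and sent over a socket) is easy to reproduce in miniature. The following is an added example, not LTTng code: a stand-in serializer that zeroes the header with memset so that both the unselected threshold field and the padding bytes go out as zero, plus a receiver-side check that counts header bytes the sender had no reason to set. The types and functions (buffer_usage_cond, buffer_usage_comm, serialize_buffer_usage, count_unexpected_nonzero) and the wire layout are hypothetical.

```c
/*
 * Added example, not LTTng code: a stand-in for the buffer-usage condition
 * serialization path described in the commit message. All names here
 * (buffer_usage_cond, buffer_usage_comm, serialize_buffer_usage,
 * count_unexpected_nonzero) and the wire layout are hypothetical.
 */
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum threshold_kind { THRESHOLD_BYTES = 0, THRESHOLD_RATIO = 1 };

/* In-memory condition: only one of the two threshold fields is meaningful. */
struct buffer_usage_cond {
	enum threshold_kind kind;
	uint64_t threshold_bytes;
	double threshold_ratio;
	const char *session_name;
	const char *channel_name;
};

/*
 * Fixed-layout header that goes on the wire, followed by the two names.
 * Every byte of it is copied out, including the padding after the 1-byte flag.
 */
struct buffer_usage_comm {
	uint8_t threshold_set_in_bytes;
	uint64_t threshold_bytes;
	double threshold_ratio;
	uint32_t session_name_len;
	uint32_t channel_name_len;
};

/*
 * Serialize c into out. Returns the number of bytes written, or -1 if the
 * buffer is too small or a name length does not fit the header.
 *
 * memset() rather than "= {}" on purpose: ISO C does not guarantee that an
 * initializer clears padding bytes, and padding leaves the process too.
 */
int serialize_buffer_usage(const struct buffer_usage_cond *c,
		uint8_t *out, size_t out_len)
{
	struct buffer_usage_comm comm;
	size_t sn = strlen(c->session_name) + 1;
	size_t cn = strlen(c->channel_name) + 1;
	size_t total = sizeof(comm) + sn + cn;

	if (sn > UINT32_MAX || cn > UINT32_MAX || total > out_len || total > INT_MAX)
		return -1;

	memset(&comm, 0, sizeof(comm));
	if (c->kind == THRESHOLD_BYTES) {
		comm.threshold_set_in_bytes = 1;
		comm.threshold_bytes = c->threshold_bytes;
	} else {
		comm.threshold_ratio = c->threshold_ratio;
	}
	comm.session_name_len = (uint32_t) sn;
	comm.channel_name_len = (uint32_t) cn;

	memcpy(out, &comm, sizeof(comm));
	memcpy(out + sizeof(comm), c->session_name, sn);
	memcpy(out + sizeof(comm) + sn, c->channel_name, cn);
	return (int) total;
}

/*
 * Receiver-side check in the spirit of the valgrind report: count header
 * bytes that the sender had no reason to set yet are nonzero, i.e. the
 * padding after the flag and the threshold field not selected by kind.
 * Returns that count (0 means clean) or -1 if the message is too short.
 */
int count_unexpected_nonzero(const uint8_t *buf, int len,
		enum threshold_kind kind)
{
	size_t i, start, end, n = 0;

	if (len < (int) sizeof(struct buffer_usage_comm))
		return -1;

	/* padding between the 1-byte flag and threshold_bytes */
	for (i = offsetof(struct buffer_usage_comm, threshold_set_in_bytes) + 1;
			i < offsetof(struct buffer_usage_comm, threshold_bytes); i++)
		n += buf[i] != 0;

	/* the threshold field the sender did not choose */
	if (kind == THRESHOLD_BYTES) {
		start = offsetof(struct buffer_usage_comm, threshold_ratio);
		end = start + sizeof(double);
	} else {
		start = offsetof(struct buffer_usage_comm, threshold_bytes);
		end = start + sizeof(uint64_t);
	}
	for (i = start; i < end; i++)
		n += buf[i] != 0;

	return (int) n;
}

int main(void)
{
	/* constructed sample condition: a ratio threshold on one channel */
	struct buffer_usage_cond c = { THRESHOLD_RATIO, 0, 0.75, "my-session", "channel0" };
	uint8_t buf[256];
	int i, len = serialize_buffer_usage(&c, buf, sizeof(buf));

	printf("%d bytes, %d unexpected nonzero header bytes\n", len,
			count_unexpected_nonzero(buf, len, c.kind));
	for (i = 0; i < len; i++)
		printf("%02x%s", buf[i], (i % 16 == 15) ? "\n" : " ");
	printf("\n");
	return 0;
}
```

The receiver-side counter is the cheap equivalent of the valgrind run in the commit message: it will not tell you which stack frame the stale bytes came from, but it fails deterministically whenever a serializer forgets to zero a field or a padding region, which is what a unit test for a wire format should check.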