nr_in_ready_table and nr_in_build_table can underflow in if statement
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| cachefilesd (Debian) | New | Unknown | | |
| cachefilesd (Ubuntu) | Fix Released | Medium | Dan Streetman | |
| Xenial | Invalid | Undecided | Unassigned | |
| Bionic | Fix Released | Medium | Dan Streetman | |
| Disco | Fix Released | Medium | Dan Streetman | |
| Eoan | Fix Released | Medium | Dan Streetman | |
| Focal | Fix Released | Medium | Dan Streetman | |
Bug Description
[impact]
the build_cull_table() function scans through elements up to nr_in_ready_
[test case]
This is difficult to reproduce and it is unclear what specific conditions can reproduce it, but it has been reported to happen and review of the code shows it clearly could happen.
[regression potential]
This simply moves the -1 over to the for loop counter as a +1, so the most likely regression would be a for loop counter overflow. However, that should not happen as the culltable_size is limited to 4096 and the for loop counter is unsigned int, so it should be safe from overflow. Any other regression would likely involve a similar result as the current bug, a segfault.
[other info]
This bug does not exist in Xenial, as the counters there are signed ints, so underflow (from 0) does not happen.
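As an added illustration of the unsigned-counter underflow the description refers to (example code, not the page's or cachefilesd's own source; the loop shape, `ready_table`, and the `scan_buggy`/`scan_fixed` functions are a hypothetical reconstruction), the buggy bound beside the fixed one, with the out-of-bounds walk reported instead of crashing:

```c
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical reconstruction of the bug class; not the real cachefilesd
 * source. The bug text states culltable_size is limited to 4096. */
#define CULLTABLE_SIZE 4096

/* Stand-in for the table of cull candidates (constructed sample). */
static unsigned int ready_table[CULLTABLE_SIZE];

/* Buggy form: the loop bound subtracts 1 from an unsigned counter. When
 * nr_in_ready_table is 0, `nr - 1` wraps to UINT_MAX and the loop walks
 * far past the array. This simulation stops at the table edge instead of
 * faulting and reports the walk via *oob (may be NULL). Returns the number
 * of in-bounds elements visited. */
static unsigned int scan_buggy(unsigned int nr_in_ready_table, bool *oob)
{
    unsigned int loop, visited = 0;
    if (oob) *oob = false;
    for (loop = 0; loop < nr_in_ready_table - 1; loop++) {
        if (loop >= CULLTABLE_SIZE) {   /* the real code would segfault here */
            if (oob) *oob = true;
            break;
        }
        (void)ready_table[loop];        /* the in-bounds work */
        visited++;
    }
    return visited;
}

/* Fixed form: the -1 moves to the counter side as +1. Nothing is subtracted
 * from a counter that may be 0, and `loop + 1` cannot overflow because
 * loop stays below 4096. */
static unsigned int scan_fixed(unsigned int nr_in_ready_table, bool *oob)
{
    unsigned int loop, visited = 0;
    if (oob) *oob = false;
    for (loop = 0; loop + 1 < nr_in_ready_table; loop++) {
        if (loop >= CULLTABLE_SIZE) {
            if (oob) *oob = true;
            break;
        }
        (void)ready_table[loop];
        visited++;
    }
    return visited;
}

/* Convenience wrappers: did the scan run off the end of the table? */
static bool buggy_walks_oob(unsigned int nr) { bool o; (void)scan_buggy(nr, &o); return o; }
static bool fixed_walks_oob(unsigned int nr) { bool o; (void)scan_fixed(nr, &o); return o; }
```

For every non-zero count both forms visit the same elements; only the empty-table case differs.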
Related branches
- Simon Quigley (community): Approve
- Diff: 77 lines (+19/-5), 3 files modified
  - cachefilesd.c (+4/-4)
  - debian/changelog (+13/-0)
  - debian/control (+2/-1)
Changed in cachefilesd (Ubuntu Xenial):
  status: New → Invalid
Changed in cachefilesd (Ubuntu Bionic):
  status: New → Triaged
  status: Triaged → In Progress
Changed in cachefilesd (Ubuntu Disco):
  status: New → In Progress
Changed in cachefilesd (Ubuntu Eoan):
  status: New → In Progress
Changed in cachefilesd (Ubuntu Focal):
  status: New → In Progress
  assignee: nobody → Dan Streetman (ddstreet)
Changed in cachefilesd (Ubuntu Eoan):
  assignee: nobody → Dan Streetman (ddstreet)
Changed in cachefilesd (Ubuntu Disco):
  assignee: nobody → Dan Streetman (ddstreet)
Changed in cachefilesd (Ubuntu Bionic):
  assignee: nobody → Dan Streetman (ddstreet)
Changed in cachefilesd (Ubuntu Focal):
  importance: Undecided → Low
Changed in cachefilesd (Ubuntu Eoan):
  importance: Undecided → Low
Changed in cachefilesd (Ubuntu Focal):
  importance: Low → Medium
Changed in cachefilesd (Ubuntu Eoan):
  importance: Low → Medium
Changed in cachefilesd (Ubuntu Disco):
  importance: Undecided → Medium
Changed in cachefilesd (Ubuntu Bionic):
  importance: Undecided → Medium
description: updated
Changed in cachefilesd (Debian):
  status: Unknown → New
This bug was fixed in the package cachefilesd - 0.10.10-0.2ubuntu1

---------------
cachefilesd (0.10.10-0.2ubuntu1) focal; urgency=medium

  * Avoid counter underflow, leading to segfault (LP: #1854054)

 -- Dan Streetman <email address hidden>  Tue, 26 Nov 2019 08:10:43 -0500