Invalid memory read in dbGetAttributePart

Bug #1479330 reported by Ambroz Bizjak
Affects       Status         Importance   Assigned to      Milestone
EPICS Base    (status tracked in 7.0)
  3.14        Fix Released   Undecided    Andrew Johnson
  3.15        Fix Released   Undecided    Andrew Johnson
  3.16        Fix Released   Low          Andrew Johnson
  7.0         Fix Released   Low          Andrew Johnson

Bug Description

There is a possibility of an invalid memory read in dbGetAttributePart. The value of pname[nameLen] is taken before it is certain that there are at least nameLen (non-null) characters in pname (which is indicated by compare==0). I have found this with Address Sanitizer.

Patch is attached. With this fix I see no other ASan errors.

Ambroz Bizjak (ambroz-bizjak) wrote :

3.14, 3.15 and 3.16 all appear to be affected.

Andrew Johnson (anj)
Changed in epics-base:
status: New → Confirmed
importance: Undecided → Low
assignee: nobody → Andrew Johnson (anj)
mdavidsaver (mdavidsaver) wrote :

So it looks like this bug happens (at least) whenever dbNameToAddr() is called with an invalid field name shorter than 4 characters (the default attributes are "RTYP" and "VERS"). For example, "record.Q" for an aiRecord.

Changed in epics-base:
importance: Low → High
assignee: Andrew Johnson (anj) → mdavidsaver (mdavidsaver)
mdavidsaver (mdavidsaver) wrote :

oh, great. Another LP collision.

Andrew Johnson (anj) wrote :

I agree this is a bug that needs fixing, but I can't apply your patch directly (see below). I am making equivalent changes though. That code isn't the easiest to understand, so I'll clarify what the routine is doing while I'm at it.

* The use of the int variable ch or a cast of pname[nameLen] to (int) is needed to prevent warnings on some compilers, which complain if you pass isalnum() a char.
* Your patch also clashes slightly with a recently applied change that fixed other issues in the dbGetAttributePart() routine.

I'm fixing this on the 3.14 branch; the change will percolate up to the other branches when I merge them up in due course.

Thanks!
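The following is an added illustration of the check ordering discussed in the report, in the trigger comment ("record.Q" on a table whose entries are 4 characters long) and in the note about passing isalnum() an int. It is not EPICS Base's dbGetAttributePart() or the attached patch; the attribute table, the function names find_attr_unsafe()/find_attr_safe() and the sample inputs are constructed for the example. It shows the reported read of pname[nameLen] happening before compare == 0 is known, beside the ordering that only reads that byte after strncmp() has established that at least nameLen non-NUL characters exist.

```c
/* Constructed illustration of the pname[nameLen] read order from this bug.
 * Not EPICS Base code: table, function names and inputs are made up here. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed attribute table, kept sorted because the lookup below relies
 * on ordering to stop early. The names are the defaults the thread cites. */
static const char *const attr_names[] = { "RTYP", "VERS" };
#define N_ATTRS (sizeof attr_names / sizeof attr_names[0])

/* The pattern the report describes (constructed stand-in): the byte after
 * the candidate name is read on every iteration, before strncmp() has
 * confirmed that pname is at least nameLen characters long. With pname = "Q"
 * and nameLen = 4 this reads pname[4], beyond the terminating NUL, which is
 * what AddressSanitizer flags. Kept only for side-by-side comparison; it is
 * not safe for inputs shorter than the longest table entry. */
static int find_attr_unsafe(const char *pname)
{
    size_t i;
    for (i = 0; i < N_ATTRS; i++) {
        size_t nameLen = strlen(attr_names[i]);
        int compare = strncmp(attr_names[i], pname, nameLen);
        int ch = pname[nameLen];          /* unconditional read: the defect */
        if (compare == 0 && !isalnum(ch))
            return (int)i;
        if (compare > 0)
            break;
    }
    return -1;
}

/* Corrected ordering: pname[nameLen] is read only once compare == 0. A zero
 * result from strncmp() over nameLen bytes means pname matched nameLen
 * non-NUL characters, so index nameLen is at worst the terminating NUL and
 * always inside the string. The unsigned char cast keeps isalnum() defined
 * for bytes above 127 and avoids the plain-char warnings the thread notes. */
static int find_attr_safe(const char *pname)
{
    size_t i;
    for (i = 0; i < N_ATTRS; i++) {
        size_t nameLen = strlen(attr_names[i]);
        int compare = strncmp(attr_names[i], pname, nameLen);
        if (compare == 0) {
            int ch = (unsigned char)pname[nameLen];
            if (!isalnum(ch))
                return (int)i;   /* whole name matched, then end or separator */
        } else if (compare > 0) {
            break;               /* sorted table: no later entry can match */
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed inputs: the short name from the trigger comment, a full
     * attribute name, a name that merely shares a prefix, and a name with a
     * trailing separator. Only the safe lookup is exercised on short input. */
    const char *inputs[] = { "Q", "RT", "RTYP", "VERS", "VERSION", "RTYP$" };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-8s -> %d\n", inputs[i], find_attr_safe(inputs[i]));
    return 0;
}
```

The safe variant returns the table index on a match and -1 otherwise; for "Q" it stops at the first entry because "RTYP" sorts after it, without ever touching pname[4].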
