Fix invalid pointer arithmetic in Hash (#1222) #46
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
It is UB to exceed the bounds of the buffer when doing pointer
arithemetic. That means the following is not a valid bounds check:
if (start + 4 <= limit)
Because if we were at the end of the buffer, we wouldn't be
allowed to add 4 anyway. Instead, this must be written as:
if (limit - start >= 4)
Basic forms of this issue are flagged by UBSan. If building with
-fsanitize=undefined, the following test trips an error:
[ RUN ] HASH.SignedUnsignedIssue
.../leveldb/util/hash.cc:30:15: runtime error: applying non-zero offset 4 to null pointer
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /usr/local/google/home/davidben/leveldb/util/hash.cc:30:15 in
[ OK ] HASH.SignedUnsignedIssue (1 ms)
(cherry picked from commit 578eeb7)
|
ACK a8844b2 |
|
For reference, I haven't run the leveldb unit tests under ubsan to test this. I have tried to run the Bitcoin Core msan CI to reproduce this similar to bitcoin/bitcoin#31655 (comment) with a diff: diff --git a/src/leveldb/util/hash.cc b/src/leveldb/util/hash.cc
index dd47c110ee..41b3e8734a 100644
--- a/src/leveldb/util/hash.cc
+++ b/src/leveldb/util/hash.cc
@@ -5,6 +5,7 @@
#include "util/hash.h"
#include <string.h>
+#include <span>
#include "util/coding.h"
@@ -19,7 +20,8 @@
namespace leveldb {
-uint32_t Hash(const char* data, size_t n, uint32_t seed) {
+uint32_t Hash(const char* old, size_t n, uint32_t seed) {
+auto data{std::span{old,n}.data()};
// Similar to murmur hash
const uint32_t m = 0xc6a4a793;
const uint32_t r = 24;However, the CI passed. |
fanquake
approved these changes
Jan 16, 2025
fanquake
added a commit
to fanquake/bitcoin
that referenced
this pull request
Jan 16, 2025
04b5790928 Merge bitcoin-core/leveldb-subtree#46: Fix invalid pointer arithmetic in Hash (bitcoin#1222) 59669817c5 Merge bitcoin-core/leveldb-subtree#40: cherry-pick: Remove leveldb::port::kLittleEndian. 73013d1a37 Merge bitcoin-core/leveldb-subtree#45: [jumbo] Add begin()/end() to Slice. a8844b23ab Fix invalid pointer arithmetic in Hash (bitcoin#1222) be4dfc94b3 [jumbo] Add begin()/end() to Slice. 2e3c0131d3 Remove leveldb::port::kLittleEndian. git-subtree-dir: src/leveldb git-subtree-split: 04b57909285c7335c1908d53bcde9b90fe0439be
fanquake
added a commit
to bitcoin/bitcoin
that referenced
this pull request
Jan 21, 2025
910a11f build: remove LEVELDB_IS_BIG_ENDIAN (fanquake) d336b7a Squashed 'src/leveldb/' changes from 688561cba8..04b5790928 (fanquake) Pull request description: Includes: * bitcoin-core/leveldb-subtree#40 (used in #29852) * bitcoin-core/leveldb-subtree#45 * bitcoin-core/leveldb-subtree#46 ACKs for top commit: kevkevinpal: Concept ACK [910a11f](910a11f) l0rinc: ACK 910a11f hebasto: ACK 910a11f, I've performed a subtree update locally and got the same changes. theuni: utACK 910a11f Tree-SHA512: c5a2224c67d3fd598bc682589b805c324abf91003032a85764766048030285f56154779f29d3f0b3673c8f7f497ae62de5fc6b95ef0b022c873750053c7d27d5
janus
pushed a commit
to BitgesellOfficial/bitgesell
that referenced
this pull request
Sep 1, 2025
04b5790928 Merge bitcoin-core/leveldb-subtree#46: Fix invalid pointer arithmetic in Hash (#1222) 59669817c5 Merge bitcoin-core/leveldb-subtree#40: cherry-pick: Remove leveldb::port::kLittleEndian. 73013d1a37 Merge bitcoin-core/leveldb-subtree#45: [jumbo] Add begin()/end() to Slice. a8844b23ab Fix invalid pointer arithmetic in Hash (#1222) be4dfc94b3 [jumbo] Add begin()/end() to Slice. 2e3c0131d3 Remove leveldb::port::kLittleEndian. git-subtree-dir: src/leveldb git-subtree-split: 04b57909285c7335c1908d53bcde9b90fe0439be
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It is UB to exceed the bounds of the buffer when doing pointer arithemetic. That means the following is not a valid bounds check:
Because if we were at the end of the buffer, we wouldn't be allowed to add 4 anyway. Instead, this must be written as:
Basic forms of this issue are flagged by UBSan. If building with -fsanitize=undefined, the following test trips an error:
(cherry picked from commit 578eeb7)