DAOS-17131 dfs: Possible missing string termination after strncpy function call

[grom72]

There are several issues in strncpy usage that may cause memory corruption. Target string may not be ended by \0 character.

Issues detected during sanitizer integration
Ref: #15105

Co-authored-by: Cedric Koch-Hofer [email protected]
Co-autohred-by: Tomasz Gromadzki [email protected]

Signed-off-by: Tomasz Gromadzki [email protected]

Before requesting gatekeeper:

• Two review approvals and any prior change requests have been resolved.
• Testing is complete and all tests passed or there is a reason documented in the PR why it should be force landed and forced-landing tag is set.
• Features: (or Test-tag*) commit pragma was used or there is a reason documented that there are no appropriate tags for this PR.
• Commit messages follows the guidelines outlined here.
• Any tests skipped by the ticket being addressed have been run and passed in the PR.

Gatekeeper:

• You are the appropriate gatekeeper to be landing the patch.
• The PR has 2 reviews by people familiar with the code, including appropriate owners.
• Githooks were used. If not, request that user install them and check copyright dates.
• Checkpatch issues are resolved. Pay particular attention to ones that will show up on future PRs.
• All builds have passed. Check non-required builds for any new compiler warnings.
• Sufficient testing is done. Check feature pragmas and test tags and that tests skipped for the ticket are run and now pass with the changes.
• If applicable, the PR has addressed any potential version compatibility issues.
• Check the target branch. If it is master branch, should the PR go to a feature branch? If it is a release branch, does it have merge approval in the JIRA ticket.
• Extra checks if forced landing is requested
  • Review comments are sufficiently resolved, particularly by prior reviewers that requested changes.
  • No new NLT or valgrind warnings. Check the classic view.
  • Quick-build or Quick-functional is not used.
• Fix the commit message upon landing. Check the standard here. Edit it to create a single commit. If necessary, ask submitter for a new summary.

[github-actions]

Ticket title is 'Possible missing string termination after strncpy function call'
Status is 'Awaiting Verification'
Labels: 'scrubbed_2.8'
https://daosio.atlassian.net/browse/DAOS-17131

[mchaarawi]

please remove all these comments from the code. they are not helpful

[grom72]

Done

[mchaarawi]

patch looks good to me, but request to remove all the comments and the ticket number. there is no information gained from those comments overall in the code base.
ticket number should be used to note a known or TBD issue, but not fixes; otherwise code become unreadable if everyone does that.

[mchaarawi]

Also please make sure to run with Features: dfs commit pragma. thanks

[grom72]

Also please make sure to run with Features: dfs commit pragma. thanks

Done

[grom72]

patch looks good to me, but request to remove all the comments and the ticket number. there is no information gained from those comments overall in the code base. ticket number should be used to note a known or TBD issue, but not fixes; otherwise code become unreadable if everyone does that.

A new ticket has been created DAOS-17131. It is only related to issues detected by the sanitizer in #15105.

There is another issue DAOS-17042 that addresses the general problem of possible misuse of strncpy().

[daosbuild1]

Test stage NLT on EL 8.8 completed with status UNSTABLE. https://build.hpdd.intel.com/job/daos-stack/job/daos//view/change-requests/job/PR-15920/4/testReport/

[grom72]

Test stage NLT on EL 8.8 completed with status UNSTABLE. https://build.hpdd.intel.com/job/daos-stack/job/daos//view/change-requests/job/PR-15920/4/testReport/

Transient issue in CI fixed in the next build without any source code modification.
https://build.hpdd.intel.com/job/daos-stack/job/daos/view/change-requests/job/PR-15920/5/testReport/

[mchaarawi]

Test stage NLT on EL 8.8 completed with status UNSTABLE. https://build.hpdd.intel.com/job/daos-stack/job/daos//view/change-requests/job/PR-15920/4/testReport/

Transient issue in CI fixed in the next build without any source code modification. https://build.hpdd.intel.com/job/daos-stack/job/daos/view/change-requests/job/PR-15920/5/testReport/

what is the transient error? is it a known issue? more info is needed when saying the error is transient. it should be a known issue with a ticket.

[jxiong]

There is nothing wrong with the original implementation, IMO. We should address the consistency issue though

[jxiong]

The implementation is actually perfectly fine. Are you see any issues with the original code?

[grom72]

Yes, please take a look at #15105

[daltonbohning]

I do think the existing code has a bug. If attr->da_hints is exactly DAOS_CONT_HINT_MAX_LEN long, then strncpy copies the entire buffer as expected. But then dattr.da_hints[DAOS_CONT_HINT_MAX_LEN - 1] = '\0'; overwrites the last character.
E.g.

strncpy(dattr.da_hints, "1234", 4);
dattr.da_hints[4 - 1] = '\0';

Yields dattr.da_hints = "123\0"

[grom72]

yes, finally the string will be somehow OK, but it will be not the same string. The problem of strncpy misusage has been discussed in #15105

[daltonbohning]

But then again I guess it doesn't matter because attr->da_hints could be longer than DAOS_CONT_HINT_MAX_LEN and not copied entirely anyway

[daltonbohning]

Reading up on this more, it's not actually a misuse of strncpy, but just simply that -Wstringop-truncation warns that you might lose data from the source string.

[daltonbohning]

Also, doing some local testing, the compiler complains either way. So this change doesn't solve anything

With

char my_string[4];
strncpy(my_string, "1234", 4);
my_string[4-1] = '\0';

It complains with

warning: ‘strncpy’ output truncated before terminating nul copying 4 bytes from a string of the same length [-Wstringop-truncation]
     strncpy(my_string, "1234", 4);

And with

char my_string[4];
strncpy(my_string, "1234", 4-1);
my_string[4-1] = '\0';

It complains with

warning: ‘strncpy’ output truncated copying 3 bytes from a string of length 4 [-Wstringop-truncation]
     strncpy(my_string, "1234", 4-1);

[jxiong]

I see. thanks for the explanation

[jxiong]

Again this is fine too if the obj->name is already valid.

I think a serious issue is about the consistency of using DFS_MAX_NAME. Sometimes the name is defined as name[DFS_MAX_NAME + 1] but sometimes it's name[DFS_MAX_NAME]. I would prefer to use the latter and then redefining maximum object name as DFS_MAX_NAME including the ending zero.

[grom72]

Again, this is the result of #15105 + see my comment above: #15920 (comment)

[grom72]

Test stage NLT on EL 8.8 completed with status UNSTABLE. https://build.hpdd.intel.com/job/daos-stack/job/daos//view/change-requests/job/PR-15920/4/testReport/

Transient issue in CI fixed in the next build without any source code modification. https://build.hpdd.intel.com/job/daos-stack/job/daos/view/change-requests/job/PR-15920/5/testReport/

what is the transient error? is it a known issue? more info is needed when saying the error is transient. it should be a known issue with a ticket.

Issue has been created: https://daosio.atlassian.net/browse/DAOS-17149

[daosbuild1]

Test stage Functional Hardware Large completed with status FAILURE. https://build.hpdd.intel.com//job/daos-stack/job/daos/view/change-requests/job/PR-15920/6/execution/node/1420/log