Bug 448464 - False positive "uninitialised bytes" for ioctl HCIGETDEVLIST
Summary: False positive "uninitialised bytes" for ioctl HCIGETDEVLIST
Status: REPORTED
Alias: None
Product: valgrind
Classification: Developer tools
Component: memcheck
Version: 3.17.0
Platform: Ubuntu Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Julian Seward
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-01-14 14:25 UTC by Andrea
Modified: 2022-01-15 23:08 UTC

See Also:
Latest Commit:
Version Fixed In:
Description Andrea 2022-01-14 14:25:23 UTC
SUMMARY

False positive "uninitialised bytes" for ioctl HCIGETDEVLIST

With this example

#include <pcap.h>

pcap_if_t *alldevs = NULL;
static char errbuf[PCAP_ERRBUF_SIZE];

int main(void)
{
  /* Device enumeration makes libpcap's Bluetooth probe (bt_findalldevs)
   * issue the ioctl(HCIGETDEVLIST) that Memcheck reports on. */
  pcap_findalldevs(&alldevs, errbuf);
  pcap_freealldevs(alldevs);
  return 0;
}

valgrind reports

==34992== Memcheck, a memory error detector
==34992== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==34992== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==34992== Command: ./a.out
==34992== 
==34992== Syscall param ioctl(HCIGETDEVLIST) points to uninitialised byte(s)
==34992==    at 0x49DE9CB: ioctl (syscall-template.S:120)
==34992==    by 0x4880641: bt_findalldevs (pcap-bt-linux.c:103)
==34992==    by 0x4880E78: pcap_findalldevs (pcap.c:737)
==34992==    by 0x109169: main (in /home/andrea/projects/cvs/a2e/a.out)
==34992==  Address 0x4e6e772 is 2 bytes inside a block of size 132 alloc'd
==34992==    at 0x4843839: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==34992==    by 0x4880619: bt_findalldevs (pcap-bt-linux.c:92)
==34992==    by 0x4880E78: pcap_findalldevs (pcap.c:737)
==34992==    by 0x109169: main (in /home/andrea/projects/cvs/a2e/a.out)

The problem is in this patch

https://sourceware.org/git/?p=valgrind.git;a=blobdiff;f=coregrind/m_syswrap/syswrap-linux.c;h=e1157e95a887ac8864598f9d9a0cb3d4c32629c7;hp=8ea032e6b8c184894e5206bc49a65a870646d43e;hb=e97f8c49d6e3978045a596037381cbb74aa12c0c;hpb=3a9215788139ab31e5d89773d2ba2b4d0ec70051

This line will fail

PRE_MEM_READ("ioctl(HCIGETDEVLIST)", (Addr)ARG3, sizeof(struct vki_hci_dev_list_req));

because it is reading 4 bytes, 2 of which are padding.

Look here

https://sourceware.org/git/?p=valgrind.git;a=blobdiff;f=include/vki/vki-linux.h;h=9123e24720c9e7808254d0aebc6b7d702e2ab501;hp=225da00ae8766eda84a51a5382677aaf52f00246;hb=e97f8c49d6e3978045a596037381cbb74aa12c0c;hpb=3a9215788139ab31e5d89773d2ba2b4d0ec70051

vki_hci_dev_list_req has size 4, but only the first 2 bytes are data; the rest is padding caused by the 0-size array.

valgrind should only check the first 2 bytes (i.e. dev_num) and not the whole structure.

This has been reported and verified in this downstream issue: https://github.com/the-tcpdump-group/libpcap/issues/1083
Comment 1 Denis Ovsienko 2022-01-15 23:08:23 UTC
Thank you for writing this up, Andrea. libpcap now has a workaround to squelch this particular false positive: it overshoots initializing the argument to satisfy the overshooting assertion. Please fix the assertion at the source.
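The layout problem in the description and the workaround mentioned in comment 1 can both be reproduced without Valgrind or a Bluetooth adapter. The following C program is an added example, not part of the bug report or of Valgrind's or libpcap's code: it declares a struct with the same shape as the kernel's hci_dev_list_req, tracks per-byte definedness with a constructed stand-in for Memcheck's V-bits, and runs the wrapper's check three ways: over sizeof(struct) as the reported PRE_MEM_READ does, over dev_num only as the report proposes, and over sizeof(struct) after the caller has zeroed the whole header the way the libpcap workaround does. The 16 device slots are an assumption chosen to reproduce the 132-byte block in the report; tracked_block, check_mem_read and the scenario functions are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as the kernel's hci_dev_list_req: a 16-bit count followed by an
 * array of per-device entries that contributes no bytes. The kernel and
 * Valgrind's vki copy use a zero-length array; a C99 flexible array member
 * yields the same layout. dev_req needs 4-byte alignment, so it starts at
 * offset 4 and sizeof() is 4, while only bytes 0..1 (dev_num) hold data. */
struct hci_dev_req {
    uint16_t dev_id;
    uint32_t dev_opt;
};

struct hci_dev_list_req {
    uint16_t dev_num;
    struct hci_dev_req dev_req[];
};

/* Assumption: 16 slots, which gives the 132-byte block (4 + 16 * 8) seen
 * in the report. */
#define DEV_SLOTS 16
#define LIST_BYTES (sizeof(struct hci_dev_list_req) + DEV_SLOTS * sizeof(struct hci_dev_req))

/* Constructed stand-in for Memcheck's per-byte validity bits:
 * defined[i] becomes 1 once byte i of mem has been written. */
typedef struct {
    unsigned char *mem;
    unsigned char *defined;
    size_t size;
} tracked_block;

static tracked_block *tracked_malloc(size_t size)
{
    tracked_block *b = malloc(sizeof *b);
    b->mem = malloc(size);        /* contents deliberately left uninitialised */
    b->defined = calloc(size, 1); /* nothing is defined yet */
    b->size = size;
    return b;
}

static void tracked_free(tracked_block *b)
{
    free(b->mem);
    free(b->defined);
    free(b);
}

/* A store: copy the bytes and mark them defined. */
static void tracked_write(tracked_block *b, size_t off, const void *src, size_t len)
{
    memcpy(b->mem + off, src, len);
    memset(b->defined + off, 1, len);
}

/* Mimics PRE_MEM_READ over [off, off + len): -1 when every byte is defined,
 * otherwise the offset of the first undefined byte, which is what Memcheck
 * prints as "N bytes inside a block". */
static long check_mem_read(const tracked_block *b, size_t off, size_t len)
{
    for (size_t i = off; i < off + len && i < b->size; i++)
        if (!b->defined[i])
            return (long)i;
    return -1;
}

/* The caller fills in only dev_num, which is all the ioctl consumes. */
static void prepare_request(tracked_block *b)
{
    uint16_t n = DEV_SLOTS;
    tracked_write(b, offsetof(struct hci_dev_list_req, dev_num), &n, sizeof n);
}

/* Reported wrapper: checks sizeof(struct), so the never-written padding at
 * offsets 2..3 trips the check at offset 2. */
long reported_assertion(void)
{
    tracked_block *b = tracked_malloc(LIST_BYTES);
    prepare_request(b);
    long r = check_mem_read(b, 0, sizeof(struct hci_dev_list_req));
    tracked_free(b);
    return r;
}

/* Proposed wrapper: checks only dev_num, which the caller did initialise. */
long corrected_assertion(void)
{
    tracked_block *b = tracked_malloc(LIST_BYTES);
    prepare_request(b);
    long r = check_mem_read(b, offsetof(struct hci_dev_list_req, dev_num), sizeof(uint16_t));
    tracked_free(b);
    return r;
}

/* libpcap-style workaround: zero the whole header, padding included, so the
 * oversized sizeof(struct) check is satisfied from the caller's side. */
long workaround_assertion(void)
{
    tracked_block *b = tracked_malloc(LIST_BYTES);
    unsigned char zeros[sizeof(struct hci_dev_list_req)] = {0};
    tracked_write(b, 0, zeros, sizeof zeros);
    prepare_request(b);
    long r = check_mem_read(b, 0, sizeof(struct hci_dev_list_req));
    tracked_free(b);
    return r;
}

int main(void)
{
    printf("sizeof=%zu offsetof(dev_req)=%zu\n",
           sizeof(struct hci_dev_list_req), offsetof(struct hci_dev_list_req, dev_req));
    printf("reported check: first undefined byte at %ld\n", reported_assertion());
    printf("corrected check: %ld (-1 = clean)\n", corrected_assertion());
    printf("workaround check: %ld (-1 = clean)\n", workaround_assertion());
    return 0;
}
```

The first scenario returns 2, matching the "2 bytes inside a block of size 132" line in the Memcheck output; the other two return -1. The comparison makes the tradeoff in comment 1 concrete: zeroing the padding silences the report, but it only papers over a check whose length should be sizeof(dev_num) rather than sizeof(struct).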