Opened 12 years ago

Closed 12 years ago

#268 closed defect (fixed)

Conditional jump or move depends on uninitialised value(s)

Reported by: Tatsuhiko Kubo Owned by: Valentin V. Bartenev
Priority: minor Milestone:
Component: nginx-core Version: 1.3.x
Keywords: Cc:
uname -a: Linux bokko-mint 3.2.0-35-generic #55-Ubuntu SMP Wed Dec 5 17:42:16 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.3.10
built by gcc 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)
configure arguments: --with-pcre

Description

Hi, the latest nginx (1.3.10) trips over Valgrind's checks.

# valgrind /usr/local/nginx/sbin/nginx -g 'daemon off;'
==24183== Memcheck, a memory error detector
==24183== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==24183== Using Valgrind-3.7.0 and LibVEX; rerun with -h for copyright info
==24183== Command: /usr/local/nginx/sbin/nginx -g daemon\ off;
==24183== 
==24183== Conditional jump or move depends on uninitialised value(s)
==24183==    at 0x4323F7: ngx_http_log_set_log (ngx_http_log_module.c:1278)
==24183==    by 0x41280A: ngx_conf_parse (ngx_conf_file.c:387)
==24183==    by 0x4275FA: ngx_http_core_server (ngx_http_core_module.c:2944)
==24183==    by 0x41280A: ngx_conf_parse (ngx_conf_file.c:387)
==24183==    by 0x421F4D: ngx_http_block (ngx_http.c:239)
==24183==    by 0x41280A: ngx_conf_parse (ngx_conf_file.c:387)
==24183==    by 0x41030A: ngx_init_cycle (ngx_cycle.c:268)
==24183==    by 0x40401B: main (nginx.c:333)
==24183== 
==24183== Syscall param socketcall.sendmsg(msg.msg_iov[i]) points to uninitialised byte(s)
==24183==    at 0x4E41320: __sendmsg_nocancel (syscall-template.S:82)
==24183==    by 0x41C916: ngx_write_channel (ngx_channel.c:77)
==24183==    by 0x41E447: ngx_pass_open_channel (ngx_process_cycle.c:450)
==24183==    by 0x41E4F6: ngx_start_worker_processes (ngx_process_cycle.c:369)
==24183==    by 0x41F5C1: ngx_master_process_cycle (ngx_process_cycle.c:136)
==24183==    by 0x404237: main (nginx.c:412)
==24183==  Address 0x7ff0004cc is on thread 1's stack
==24183== 

configuration to reproduce this problem

worker_processes  4;

events {
    worker_connections  4096;
}

http {
    log_format  main  '$host$remote_addr - $remote_user [$time_local] "$http_host" "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    server {
        listen       8000;
        server_name  localhost;

        root html;

        access_log /tmp/8000.log main buffer=16k;
    }

}

patch for curbing this output

Valgrind outputs the following two errors when checking nginx.

  1. Conditional jump or move depends on uninitialised value(s)
  2. Syscall param socketcall.sendmsg(msg.msg_iov[i]) points to uninitialised byte(s)

I have no idea about 2. But I checked that 1 is fixed by the following patch.

diff -ur orig/nginx-1.3.10/src/core/ngx_conf_file.c nginx-1.3.10/src/core/ngx_conf_file.c
--- orig/nginx-1.3.10/src/core/ngx_conf_file.c  2012-12-24 00:36:52.000000000 +0900
+++ nginx-1.3.10/src/core/ngx_conf_file.c       2013-01-01 17:35:06.991854337 +0900
@@ -946,6 +946,7 @@
     }

     file->flush = NULL;
+    file->data  = NULL;

     return file;
 }
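Review bot: the added `file->data  = NULL;` removes the uninitialised read, but initialising fields one at a time (first `file->flush = NULL;`, now `data`) leaves the object one new struct member away from the same bug again. Consider zero-initialising the whole ngx_open_file_t at its allocation site instead (in nginx that means allocating it with ngx_pcalloc rather than ngx_palloc), which would make both explicit NULL assignments redundant; and the commit message should say which code path reads file->data (the unbuffered access_log path, per the ticket) so the fix is understandable without the Valgrind trace.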

Thanks.

Attachments (1)

fix_valgirnd_error.patch (358 bytes ) - added by Tatsuhiko Kubo 12 years ago.
fix valgrind error


Change History (6)

by Tatsuhiko Kubo, 12 years ago

Attachment: fix_valgirnd_error.patch added

fix valgrind error

comment:1 by Valentin V. Bartenev, 12 years ago

Owner: set to Valentin V. Bartenev
Status: new → assigned

comment:2 by Valentin V. Bartenev, 12 years ago

In 5002/nginx:

The data pointer in ngx_open_file_t objects must be initialized.

Uninitialized pointer may result in arbitrary segfaults if access_log is used
without buffer and without variables in file path.

Patch by Tatsuhiko Kubo (ticket #268).
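
A constructed C model of the defect described in this commit message (added here; it is not nginx's code): a pool allocator that hands out memory without zeroing it, an open-file object whose `data` pointer is only assigned on the buffered access_log path, and a consumer that treats any non-NULL `data` as a buffer to use. The names open_file_buggy, open_file_fixed, pool_alloc and pool_calloc are hypothetical; the first two stand for the before and after of the patch, and pool_calloc shows the alternative of zeroing at allocation time.

```c
#include <stddef.h>
#include <string.h>

/* Constructed model: an open-file object with a per-log buffer pointer.
 * In the real bug the buffered access_log path assigns data and the
 * unbuffered path never touches it, so it keeps whatever the pool held. */
typedef struct {
    int    fd;
    void (*flush)(void *data);
    void  *data;               /* buffer state, NULL when unbuffered */
} open_file_t;

/* Arena standing in for pool memory that was used before (sized for the demo). */
static unsigned char pool[256];
static size_t        pool_used;

static void *pool_alloc(size_t n) {   /* like ngx_palloc: no zeroing */
    void *p = pool + pool_used;
    pool_used += n;
    return p;
}

void *pool_calloc(size_t n) {         /* like ngx_pcalloc: zeroed */
    void *p = pool_alloc(n);
    memset(p, 0, n);
    return p;
}

void pool_reset_with_garbage(void) {
    memset(pool, 0xAB, sizeof pool);  /* stale bytes from earlier use */
    pool_used = 0;
}

/* 'Before': only flush is set; data keeps the stale pool contents. */
open_file_t *open_file_buggy(int fd) {
    open_file_t *f = pool_alloc(sizeof *f);
    f->fd = fd;
    f->flush = NULL;
    return f;
}

/* 'After' (the ticket's patch): data is explicitly set to NULL. */
open_file_t *open_file_fixed(int fd) {
    open_file_t *f = pool_alloc(sizeof *f);
    f->fd = fd;
    f->flush = NULL;
    f->data  = NULL;
    return f;
}

/* Consumer: a non-NULL data pointer is taken as a buffer to write into. */
int log_uses_buffer(const open_file_t *f) {
    return f->data != NULL;
}
```

With the buggy allocator the stale 0xAB bytes form a non-NULL pointer, so the log writer would follow it as if it were a buffer; Valgrind flags that branch as depending on an uninitialised value, and in production it is the "arbitrary segfaults" the commit message describes.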

comment:3 by Vid Luther, 12 years ago

I'm experiencing the same issues as #278, even with this patch applied (it seems the patch is in 1.3.11).

I can issue an nginx restart without fail, but a reload ends up with the same message in the error.log.

Tested on Ubuntu 12.04 LTS

comment:4 by Maxim Dounin, 12 years ago

In 5054/nginx:

Merge of r4985, r4986, r4987, r4988, r4989, r5002: access_log gzip.

*) Access log: fixed redundant buffer reallocation. Previously a new
buffer was allocated for every "access_log" directive with the same
file path and "buffer=" parameters, while only one buffer per file
is used.

*) Reopening log files code moved to a separate function. The code
refactored in a way to call custom handler that can do appropriate
cleanup work (if any), like flushing buffers, finishing compress
streams, finalizing connections to log daemon, etc.

*) Access log: the "flush" parameter of the "access_log" directive.

*) Configure: added the NGX_ZLIB define. This was introduced for
conditional compilation of the code that requires the zlib library.

*) Access log: the "gzip" parameter of the "access_log" directive.

Note: this requires zlib version 1.2.0.4 or above to work.

*) The data pointer in ngx_open_file_t objects must be initialized.

Uninitialized pointer may result in arbitrary segfaults if access_log
is used without buffer and without variables in file path.
Patch by Tatsuhiko Kubo (ticket #268).

comment:5 by Maxim Dounin, 12 years ago

Resolution: fixed
Status: assigned → closed