
Undefined behavior for bit shift in citus_stat_tenants.c

Open manaldush opened this issue 8 months ago • 0 comments

We have a bit shift operation without control of the shift length in citus_stat_tenants.c. Shift operators where the amount shifted is greater than or equal to the promoted bit-width of the left hand side or less than zero, or where the left hand side is negative, can lead to undefined behavior.

https://github.com/citusdata/citus/blob/0e6127c4f60b26da18ac8df48d2b6a8de5ed9d4c/src/backend/distributed/utils/citus_stat_tenants.c#L608

	/*
	 * If the last score reduction was not in this period we do score reduction now.
	 */
	if (periodCountAfterLastScoreReduction > 0)
	{
		tenantStats->score >>= periodCountAfterLastScoreReduction;
		tenantStats->lastScoreReduction = queryTime;
	}

I caught this problem with sanitizer. It seems on start

stats->lastScoreReduction = 0;

and it leads to bitwise shifts that are out of bounds for their data type

Also, it seems better to backport it at least to release-13.0 and release-12.1

manaldush avatar Apr 07 '25 08:04 manaldush
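The following C program is an added example, not code from the citus project or from the issue author. It reproduces the failure mode described in the report with a stand-in struct: when `lastScoreReduction` is still 0, the period count derived from a present-day query timestamp is far larger than the 64-bit width of the score field, so the unguarded `>>=` has an out-of-range shift count. The `periods_since_reduction` formula, the field types, the 60-second period length and the `reduce_score_safe` saturation policy are assumptions for illustration; `shift_would_be_undefined` only evaluates the conditions the issue lists and never performs the shift itself.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define USECS_PER_SEC 1000000LL

/* Stand-in for the tenant stats fields involved (assumed layout, not citus's). */
typedef struct
{
	long long score;             /* assumed 64-bit signed score */
	int64_t lastScoreReduction;  /* timestamp in microseconds; 0 = never reduced */
} TenantStatsExample;

/* Whole periods elapsed since the last reduction (assumed formula). */
static long long
periods_since_reduction(int64_t queryTime, int64_t lastScoreReduction,
						long long periodSeconds)
{
	return (queryTime - lastScoreReduction) / (periodSeconds * USECS_PER_SEC);
}

/*
 * The conditions the issue lists: a shift count that is negative or not
 * smaller than the promoted width of the left operand, or a negative left
 * operand. This only inspects the operands; it does not shift.
 */
static bool
shift_would_be_undefined(long long score, long long shiftCount)
{
	const long long bits = (long long) (CHAR_BIT * sizeof(long long));
	return shiftCount < 0 || shiftCount >= bits || score < 0;
}

/*
 * Hardened reduction: right-shifting a non-negative value by at least its
 * width is mathematically 0, so saturate to 0 instead of shifting.
 */
static long long
reduce_score_safe(long long score, long long periodCount)
{
	const long long bits = (long long) (CHAR_BIT * sizeof(long long));
	if (periodCount <= 0)
		return score;
	if (score < 0)
		return 0;  /* assumption: scores are never negative; treat as exhausted */
	if (periodCount >= bits)
		return 0;
	return score >> periodCount;
}

/* Applies the safe reduction, mirroring the control flow quoted in the issue. */
static void
apply_score_reduction(TenantStatsExample *stats, int64_t queryTime,
					  long long periodSeconds)
{
	long long periodCount = periods_since_reduction(queryTime,
													stats->lastScoreReduction,
													periodSeconds);
	if (periodCount > 0)
	{
		stats->score = reduce_score_safe(stats->score, periodCount);
		stats->lastScoreReduction = queryTime;
	}
}

int
main(void)
{
	/* Constructed input: ~797,000,000 s after the epoch, roughly a 2025 timestamp. */
	const int64_t queryTime = 797000000LL * USECS_PER_SEC;
	TenantStatsExample stats = { .score = 1000, .lastScoreReduction = 0 };
	long long periodCount = periods_since_reduction(queryTime,
													stats.lastScoreReduction, 60);

	printf("period count since reduction: %lld\n", periodCount);
	printf("unguarded shift would be undefined: %s\n",
		   shift_would_be_undefined(stats.score, periodCount) ? "yes" : "no");

	apply_score_reduction(&stats, queryTime, 60);
	printf("score after safe reduction: %lld\n", stats.score);
	return 0;
}
```

Compiling with `-fsanitize=undefined` and replacing the saturating branch with a plain `score >>= periodCount` is enough to get the same sanitizer report the issue mentions; the saturation check is the minimal guard, and initialising `lastScoreReduction` to the first query time rather than 0 would avoid the oversized count in the first place.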