
money


kinda sounds like this was a regex bug?

> The selection of data in the channel file was done manually and included a regex wildcard matching criterion in the 21st field for all Template Instances, meaning that execution of these tests during development and release builds did not expose the latent out-of-bounds read in the Content Interpreter when provided with 20 rather than 21 inputs.


Sounds more like an off-by-1 bug that was hidden by regexes, if I'm reading correctly


Very easily hidden. Something obtuse like

    (.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)|(.+)

or even this

    (.{4})(.{7})(.{3})(.{6})(.{9})(.{4})(.{7})(.{3})(.{6})(.{9})(.{4})(.{7})(.{3})(.{6})(.{9})(.{4})(.{7})(.{3})(.{6})(.{9})(.{1})

would simply fail to match.

And I wouldn't necessarily blame the developer in either scenario - they received a card that says "hey the channel file will now have an extra field in its schema"... no one said "btw it's optional".

Calling it a "first year programming mistake" like I'm reading in some media is somewhat incendiary. I see unmarshalling errors happen all the time.

The forest that we must not miss is the kernel-level driver simply dies with no error recovery and bricks the system.


I think that’s just the nature of kernel programming. Once you’re running in kernel space, there are essentially no safety guards, which is why kernel programming is so difficult. Any faults that occur in user space causing a seg fault + core dump do not exist in kernel space. Especially since kernel code generally has to be written in C, it can be quite difficult even for the best engineers to get everything right.


Yeah, my read was that they changed an interface to include an optional parameter but never actually tested the underlying code by providing said optional parameter.

The bug in clients (sensors) wasn't due to regex, the regex was in their integration unit testing which also had a bug and was never supplying the 21st parameter to the client code.


regex probably isn't a good thing in kernel boot code considering it's NP-hard


That's a true statement, but what does it have to do with the RCA? From what I read it appears the regex was in the integration tests for the template.


I don't think so. As far as I understood this, the wildcard match was basically considered a no-op (since anything matches, they probably optimized by not even attempting the match), and so that 21st field was never provided to their Content Interpreter, so it never crashed before. The first time they actually added a non-wildcard match, the Content Interpreter was actually asked to check the 21st field as well, and it crashed because it only had an array of 20 items.
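An added illustration, not part of the thread and not the vendor's code: a toy interpreter showing how a wildcard in the 21st field keeps a missing bounds check latent when only 20 inputs are supplied, next to a checked version that rejects the mismatch. The type and function names, the NULL-as-wildcard convention and the sample data are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TEMPLATE_FIELDS 21 /* fields the template type defines */
#define SENSOR_INPUTS   20 /* inputs the calling code actually supplies */

enum result { ERR_INPUT_COUNT = -1, NO_MATCH = 0, MATCH = 1 };

/* Hypothetical layout. A NULL criterion is a wildcard: the input is never read. */
typedef struct { const char *criteria[TEMPLATE_FIELDS]; } template_instance;

/* Unchecked: assumes every non-wildcard field has an input behind it. */
static enum result interpret_unchecked(const template_instance *t,
                                       const char *const *inputs) {
    for (size_t i = 0; i < TEMPLATE_FIELDS; i++) {
        if (t->criteria[i] == NULL) continue;       /* wildcard, skip the read */
        if (strcmp(t->criteria[i], inputs[i]) != 0) /* i == 20: past a 20-entry array */
            return NO_MATCH;
    }
    return MATCH;
}

/* Checked: a non-wildcard field with no input is a schema error, not a read. */
static enum result interpret_checked(const template_instance *t,
                                     const char *const *inputs, size_t n_inputs) {
    for (size_t i = 0; i < TEMPLATE_FIELDS; i++) {
        if (t->criteria[i] == NULL) continue;
        if (i >= n_inputs) return ERR_INPUT_COUNT;
        if (strcmp(t->criteria[i], inputs[i]) != 0) return NO_MATCH;
    }
    return MATCH;
}

/* Constructed sample data: only fields 1 and 21 carry criteria. */
static const char *const sample_inputs[SENSOR_INPUTS] = { "pipe" };
static const template_instance tmpl_wildcard_21 = { .criteria = { [0] = "pipe" } };
static const template_instance tmpl_literal_21 = {
    .criteria = { [0] = "pipe", [20] = "x" } };

int main(void) {
    /* What the test builds exercised: wildcard in field 21, the bug stays latent. */
    printf("unchecked, wildcard: %d\n", interpret_unchecked(&tmpl_wildcard_21, sample_inputs));
    /* interpret_unchecked(&tmpl_literal_21, ...) would read sample_inputs[20]. */
    printf("checked, literal:    %d\n",
           interpret_checked(&tmpl_literal_21, sample_inputs, SENSOR_INPUTS));
    return 0;
}
```

A test suite that only ever uses the wildcard template passes against both functions, which is why the input-count check needs its own negative test.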

