One: Fix coverity : 1148326

Created on 8 Sep 2020  路  8Comments  路  Source: Samsung/ONE

parent : #4021

Let's resolve the following Integer overflowed argument defect

DEADLINE : Sep 10th, 2020 ( patch should be applied to tizen repo by this week)

void CLReduceOperation::configure(ICLTensor *input, ICLTensor *output,
                                  const std::set<uint32_t> &axis, bool keep_dims,
                                  ReduceOperation op)
{
  ARM_COMPUTE_ERROR_THROW_ON(validate(input->info(), output->info(), axis, keep_dims, op));
  _axis = axis;
  _input = input;
  _output = output;
  _keep_dims = keep_dims;
  // NOTE The axis must have no duplication.
1. tainted_data_return: Assigning tainted return value of function size to num_of_kernels.
  const size_t num_of_kernels = axis.size();
  const size_t num_of_interm_tensors = num_of_kernels - (keep_dims ? 1 : 0);
  _interm_tensors = support::cpp14::make_unique<CLTensor[]>(num_of_interm_tensors);
  _reduce_kernels = support::cpp14::make_unique<CLReduceOperationKernel[]>(num_of_kernels);
  // Set a vector that is ordered ICLTensors sequentially.
  std::vector<ICLTensor *> tensors;
  tensors.emplace_back(input);
2. Condition i < num_of_interm_tensors, taking false branch.
  for (size_t i = 0; i < num_of_interm_tensors; ++i)
  {
    tensors.emplace_back(_interm_tensors.get() + i);
  }
  tensors.emplace_back(output);
  // Apply ReduceOperation on all kernels
  TensorShape shape{input->info()->tensor_shape()};
  auto it = axis.begin();
3. Condition i < num_of_kernels, taking false branch.
  for (size_t i = 0; i < num_of_kernels; ++i, ++it)
  {
    shape.set(*it, 1, false);
    if (!keep_dims || i != (num_of_kernels - 1))
    {
      _interm_tensors[i].allocator()->init(input->info()->clone()->set_tensor_shape(shape));
      _memory_group.manage(&_interm_tensors[i]);
    }
    _reduce_kernels[i].configure(tensors[i], tensors[i + 1], *it, op);
    if (i != 0)
    {
      _interm_tensors[i - 1].allocator()->allocate();
    }
  }
  // Configure reshape layer if we want to drop the dimensions
4. Condition !keep_dims, taking true branch.
  if (!keep_dims)
  {
CID 1148326 (#3 of 4): Integer overflowed argument (INTEGER_OVERFLOW) [select issue]
    _reshape.configure(&_interm_tensors[num_of_interm_tensors - 1], output);
5. overflow: Subtract operation overflows on operands num_of_interm_tensors and 1U.
CID 1148326 (#4 of 4): Integer overflowed argument (INTEGER_OVERFLOW)
6. overflow_sink: Overflowed or truncated value (or a value computed from an overflowed or truncated value) num_of_interm_tensors - 1U used as critical argument to function. [show details]
    _interm_tensors[num_of_interm_tensors - 1].allocator()->allocate();
  }
}
Urgent help wanted
Source
picture chunseoklee

Most helpful comment

CLReduceOperation::validate() have check ARM_COMPUTE_RETURN_ERROR_ON(num_of_kernels < 1); and I've added this check #4003. You can add same patch to CLReduceOperation::configure().

picture hseok-oh on 8 Sep 2020
👍2

All 8 comments

CLReduceOperation::validate() have check ARM_COMPUTE_RETURN_ERROR_ON(num_of_kernels < 1); and I've added this check #4003. You can add same patch to CLReduceOperation::configure().

hseok-oh picture hseok-oh on 8 Sep 2020
👍2

CLReduceOperation::validate() have check ARM_COMPUTE_RETURN_ERROR_ON(num_of_kernels < 1); and I've added this check #4003. You can add same patch to CLReduceOperation::configure().

I will made a patch to tizen instead of update upstream branch

chunseoklee picture chunseoklee on 8 Sep 2020

#4131 does not resolve the defect : https://code.sec.samsung.net/ahub/service/analyses/184875

chunseoklee picture chunseoklee on 9 Sep 2020

ARM_COMPUTE_ERROR_ON do nothing on release build, but ARM_COMPUTE_RETURN_ERROR_ON return error status. So #4003 resolved issue, but #4131 cannot resolve issue.

hseok-oh picture hseok-oh on 9 Sep 2020

build error with ARM_COMPUTE_RETURN_ERROR_ON since configure does not return.

chunseoklee picture chunseoklee on 9 Sep 2020

Solution 1. Patch (throw exception directly)

--- a/compute/ARMComputeEx/src/runtime/CL/functions/CLReduceOperation.cpp
+++ b/compute/ARMComputeEx/src/runtime/CL/functions/CLReduceOperation.cpp
@@ -120,7 +120,10 @@ void CLReduceOperation::configure(ICLTensor *input, ICLTensor *output,
   const size_t num_of_kernels = axis.size();
   const size_t num_of_interm_tensors = num_of_kernels - (keep_dims ? 1 : 0);

-  ARM_COMPUTE_ERROR_ON(num_of_kernels < 1);
+  if (num_of_kernels < 1)
+  {
+    throw std::runtime_error("CLReduceOperation: there is no axis to reduce");
+  }

   _interm_tensors = support::cpp14::make_unique<CLTensor[]>(num_of_interm_tensors);
   _reduce_kernels = support::cpp14::make_unique<CLReduceOperationKernel[]>(num_of_kernels);

Solution 2. Mark as ignore and false-positive.

hseok-oh picture hseok-oh on 9 Sep 2020

I will try option1 to tizen repo : https://code.sec.samsung.net/ahub/service/analyses/185433 -> result : critical 0

chunseoklee picture chunseoklee on 9 Sep 2020
👍1

PR : #4159

chunseoklee picture chunseoklee on 9 Sep 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

underflow101 picture underflow101  路  4Comments
seanshpark picture seanshpark  路  3Comments
seanshpark picture seanshpark  路  3Comments
wateret picture wateret  路  4Comments
YongseopKim picture YongseopKim  路  3Comments