From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <fiona.trahe@intel.com>
Received: from mga03.intel.com (mga03.intel.com [134.134.136.65])
 by dpdk.org (Postfix) with ESMTP id D7930FEB
 for <dev@dpdk.org>; Wed, 31 Oct 2018 01:40:00 +0100 (CET)
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from orsmga007.jf.intel.com ([10.7.209.58])
 by orsmga103.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384;
 30 Oct 2018 17:40:00 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.54,446,1534834800"; d="scan'208";a="85494275"
Received: from sivswdev01.ir.intel.com (HELO localhost.localdomain)
 ([10.237.217.45])
 by orsmga007.jf.intel.com with ESMTP; 30 Oct 2018 17:39:58 -0700
From: Fiona Trahe <fiona.trahe@intel.com>
To: dev@dpdk.org
Cc: thomas@monjalon.net, akhil.goyal@nxp.com, tomaszx.jozwiak@intel.com,
 jerin.jacob@caviumnetworks.com, Fiona Trahe <fiona.trahe@intel.com>
Date: Wed, 31 Oct 2018 00:39:54 +0000
Message-Id: <1540946394-22196-1-git-send-email-fiona.trahe@intel.com>
X-Mailer: git-send-email 1.7.0.7
In-Reply-To: <20181027164739.13110-1-jerin.jacob@caviumnetworks.com>
References: <20181027164739.13110-1-jerin.jacob@caviumnetworks.com>
Subject: [dpdk-dev] [PATCH] compress/qat: fix out-of-bounds error
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Oct 2018 00:40:01 -0000

QAT array for sgls in intermediate buffer structure
was #defined to 1, but setup code hardcoded as if 2 buffers
so causing out of bounds write. Reworked to loop correctly
using #define.

Fixes: a124830a6f00 ("compress/qat: enable dynamic huffman encoding")

Reported-by: Jerin Jacob <jerin.jacob@caviumnetworks.com>
Signed-off-by: Fiona Trahe <fiona.trahe@intel.com>
---
 drivers/compress/qat/qat_comp_pmd.c | 38 ++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

diff --git a/drivers/compress/qat/qat_comp_pmd.c b/drivers/compress/qat/qat_comp_pmd.c
index 01dd736..ea93077 100644
--- a/drivers/compress/qat/qat_comp_pmd.c
+++ b/drivers/compress/qat/qat_comp_pmd.c
@@ -165,11 +165,14 @@ qat_comp_setup_inter_buffers(struct qat_comp_dev_private *comp_dev,
 	}
 
 	/* Create a memzone to hold intermediate buffers and associated
-	 * meta-data needed by the firmware. The memzone contains:
+	 * meta-data needed by the firmware. The memzone contains 3 parts:
 	 *  - a list of num_im_sgls physical pointers to sgls
-	 *  - the num_im_sgl sgl structures, each pointing to 2 flat buffers
-	 *  - the flat buffers: num_im_sgl * 2
-	 * where num_im_sgls depends on the hardware generation of the device
+	 *  - the num_im_sgl sgl structures, each pointing to
+	 *    QAT_NUM_BUFS_IN_IM_SGL flat buffers
+	 *  - the flat buffers: num_im_sgl * QAT_NUM_BUFS_IN_IM_SGL
+	 *    buffers, each of buff_size
+	 * num_im_sgls depends on the hardware generation of the device
+	 * buff_size comes from the user via the config file
 	 */
 
 	size_of_ptr_array = num_im_sgls * sizeof(phys_addr_t);
@@ -202,30 +205,31 @@ qat_comp_setup_inter_buffers(struct qat_comp_dev_private *comp_dev,
 		    offset_of_sgls + i * sizeof(struct qat_inter_sgl);
 		struct qat_inter_sgl *sgl =
 		    (struct qat_inter_sgl *)(mz_start +	curr_sgl_offset);
+		int lb;
 		array_of_pointers->pointer[i] = mz_start_phys + curr_sgl_offset;
 
 		sgl->num_bufs = QAT_NUM_BUFS_IN_IM_SGL;
 		sgl->num_mapped_bufs = 0;
 		sgl->resrvd = 0;
-		sgl->buffers[0].addr = mz_start_phys + offset_of_flat_buffs +
-			((i * QAT_NUM_BUFS_IN_IM_SGL) * buff_size);
-		sgl->buffers[0].len = buff_size;
-		sgl->buffers[0].resrvd = 0;
-		sgl->buffers[1].addr = mz_start_phys + offset_of_flat_buffs +
-			(((i * QAT_NUM_BUFS_IN_IM_SGL) + 1) * buff_size);
-		sgl->buffers[1].len = buff_size;
-		sgl->buffers[1].resrvd = 0;
 
 #if QAT_IM_BUFFER_DEBUG
 		QAT_LOG(DEBUG, "  : phys addr of sgl[%i] in array_of_pointers"
-			    "= 0x%"PRIx64, i, array_of_pointers->pointer[i]);
+			" = 0x%"PRIx64, i, array_of_pointers->pointer[i]);
 		QAT_LOG(DEBUG, "  : virt address of sgl[%i] = %p", i, sgl);
-		QAT_LOG(DEBUG, "  : sgl->buffers[0].addr = 0x%"PRIx64", len=%d",
-			sgl->buffers[0].addr, sgl->buffers[0].len);
-		QAT_LOG(DEBUG, "  : sgl->buffers[1].addr = 0x%"PRIx64", len=%d",
-			sgl->buffers[1].addr, sgl->buffers[1].len);
+#endif
+		for (lb = 0; lb < QAT_NUM_BUFS_IN_IM_SGL; lb++) {
+			sgl->buffers[lb].addr =
+			  mz_start_phys + offset_of_flat_buffs +
+			  (((i * QAT_NUM_BUFS_IN_IM_SGL) + lb) * buff_size);
+			sgl->buffers[lb].len = buff_size;
+			sgl->buffers[lb].resrvd = 0;
+#if QAT_IM_BUFFER_DEBUG
+			QAT_LOG(DEBUG,
+			  "  : sgl->buffers[%d].addr = 0x%"PRIx64", len=%d",
+			  lb, sgl->buffers[lb].addr, sgl->buffers[lb].len);
 #endif
 		}
+	}
 #if QAT_IM_BUFFER_DEBUG
 	QAT_DP_HEXDUMP_LOG(DEBUG,  "IM buffer memzone start:",
 			mz_start, offset_of_flat_buffs + 32);
-- 
2.7.4