DPDK patches and discussions
 help / color / mirror / Atom feed
* [dpdk-dev] [PATCH] eal: out-of-bounds write
@ 2016-04-26  7:44 Slawomir Mrozowicz
  2016-04-26  8:53 ` Bruce Richardson
  0 siblings, 1 reply; 4+ messages in thread
From: Slawomir Mrozowicz @ 2016-04-26  7:44 UTC (permalink / raw)
  To: david.marchand; +Cc: dev, Slawomir Mrozowicz

Fix issue reported by Coverity.

Coverity ID 13282: Out-of-bounds write
overrun-local: Overrunning array mcfg->memseg of 256 44-byte elements
at element index 257 using index j.

Fixes: af75078fece3 ("first public release")

Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
---
 lib/librte_eal/linuxapp/eal/eal_memory.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c
index 5b9132c..1e737e4 100644
--- a/lib/librte_eal/linuxapp/eal/eal_memory.c
+++ b/lib/librte_eal/linuxapp/eal/eal_memory.c
@@ -1333,7 +1333,7 @@ rte_eal_hugepage_init(void)
 
 		if (new_memseg) {
 			j += 1;
-			if (j == RTE_MAX_MEMSEG)
+			if (j >= RTE_MAX_MEMSEG)
 				break;
 
 			mcfg->memseg[j].phys_addr = hugepage[i].physaddr;
-- 
1.9.1

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dpdk-dev] [PATCH] eal: out-of-bounds write
  2016-04-26  7:44 [dpdk-dev] [PATCH] eal: out-of-bounds write Slawomir Mrozowicz
@ 2016-04-26  8:53 ` Bruce Richardson
  2016-04-26  9:44   ` Sergio Gonzalez Monroy
  0 siblings, 1 reply; 4+ messages in thread
From: Bruce Richardson @ 2016-04-26  8:53 UTC (permalink / raw)
  To: Slawomir Mrozowicz; +Cc: david.marchand, dev

On Tue, Apr 26, 2016 at 09:44:47AM +0200, Slawomir Mrozowicz wrote:
> Fix issue reported by Coverity.
> 
> Coverity ID 13282: Out-of-bounds write
> overrun-local: Overrunning array mcfg->memseg of 256 44-byte elements
> at element index 257 using index j.
> 
> Fixes: af75078fece3 ("first public release")
> 
> Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
> ---
>  lib/librte_eal/linuxapp/eal/eal_memory.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c
> index 5b9132c..1e737e4 100644
> --- a/lib/librte_eal/linuxapp/eal/eal_memory.c
> +++ b/lib/librte_eal/linuxapp/eal/eal_memory.c
> @@ -1333,7 +1333,7 @@ rte_eal_hugepage_init(void)
>  
>  		if (new_memseg) {
>  			j += 1;
> -			if (j == RTE_MAX_MEMSEG)
> +			if (j >= RTE_MAX_MEMSEG)
>  				break;
>  
>  			mcfg->memseg[j].phys_addr = hugepage[i].physaddr;
> -- 

This does appear to be a valid fix for the issue. However, looking at the code,
it appears that the only way we could actually hit the problem is if 
j == RTE_MAX_MEMSEG on exiting the previous loop. Would a check there be a better
fix for this issue (or perhaps we want both fixes).

Thoughts?

/Bruce

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dpdk-dev] [PATCH] eal: out-of-bounds write
  2016-04-26  8:53 ` Bruce Richardson
@ 2016-04-26  9:44   ` Sergio Gonzalez Monroy
  2016-04-26 11:42     ` Mrozowicz, SlawomirX
  0 siblings, 1 reply; 4+ messages in thread
From: Sergio Gonzalez Monroy @ 2016-04-26  9:44 UTC (permalink / raw)
  To: Bruce Richardson, Slawomir Mrozowicz; +Cc: david.marchand, dev

On 26/04/2016 09:53, Bruce Richardson wrote:
> On Tue, Apr 26, 2016 at 09:44:47AM +0200, Slawomir Mrozowicz wrote:
>> Fix issue reported by Coverity.
>>
>> Coverity ID 13282: Out-of-bounds write
>> overrun-local: Overrunning array mcfg->memseg of 256 44-byte elements
>> at element index 257 using index j.
>>
>> Fixes: af75078fece3 ("first public release")
>>
>> Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
>> ---
>>   lib/librte_eal/linuxapp/eal/eal_memory.c | 2 +-
>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c
>> index 5b9132c..1e737e4 100644
>> --- a/lib/librte_eal/linuxapp/eal/eal_memory.c
>> +++ b/lib/librte_eal/linuxapp/eal/eal_memory.c
>> @@ -1333,7 +1333,7 @@ rte_eal_hugepage_init(void)
>>   
>>   		if (new_memseg) {
>>   			j += 1;
>> -			if (j == RTE_MAX_MEMSEG)
>> +			if (j >= RTE_MAX_MEMSEG)
>>   				break;
>>   
>>   			mcfg->memseg[j].phys_addr = hugepage[i].physaddr;
>> -- 
> This does appear to be a valid fix for the issue. However, looking at the code,
> it appears that the only way we could actually hit the problem is if
> j == RTE_MAX_MEMSEG on exiting the previous loop. Would a check there be a better
> fix for this issue (or perhaps we want both fixes).
>
> Thoughts?

It doesn't make sense to go into the loop if we don't have free memsegs.
Either way we should print the error indicating that we reached MAX_MEMSEG.

Sergio


> /Bruce

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dpdk-dev] [PATCH] eal: out-of-bounds write
  2016-04-26  9:44   ` Sergio Gonzalez Monroy
@ 2016-04-26 11:42     ` Mrozowicz, SlawomirX
  0 siblings, 0 replies; 4+ messages in thread
From: Mrozowicz, SlawomirX @ 2016-04-26 11:42 UTC (permalink / raw)
  To: Gonzalez Monroy, Sergio, Richardson, Bruce; +Cc: david.marchand, dev



>-----Original Message-----
>From: Gonzalez Monroy, Sergio
>Sent: Tuesday, April 26, 2016 11:44 AM
>To: Richardson, Bruce <bruce.richardson@intel.com>; Mrozowicz, SlawomirX
><slawomirx.mrozowicz@intel.com>
>Cc: david.marchand@6wind.com; dev@dpdk.org
>Subject: Re: [dpdk-dev] [PATCH] eal: out-of-bounds write
>
>On 26/04/2016 09:53, Bruce Richardson wrote:
>> On Tue, Apr 26, 2016 at 09:44:47AM +0200, Slawomir Mrozowicz wrote:
>>> Fix issue reported by Coverity.
>>>
>>> Coverity ID 13282: Out-of-bounds write
>>> overrun-local: Overrunning array mcfg->memseg of 256 44-byte elements
>>> at element index 257 using index j.
>>>
>>> Fixes: af75078fece3 ("first public release")
>>>
>>> Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
>>> ---
>>>   lib/librte_eal/linuxapp/eal/eal_memory.c | 2 +-
>>>   1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c
>>> b/lib/librte_eal/linuxapp/eal/eal_memory.c
>>> index 5b9132c..1e737e4 100644
>>> --- a/lib/librte_eal/linuxapp/eal/eal_memory.c
>>> +++ b/lib/librte_eal/linuxapp/eal/eal_memory.c
>>> @@ -1333,7 +1333,7 @@ rte_eal_hugepage_init(void)
>>>
>>>   		if (new_memseg) {
>>>   			j += 1;
>>> -			if (j == RTE_MAX_MEMSEG)
>>> +			if (j >= RTE_MAX_MEMSEG)
>>>   				break;
>>>
>>>   			mcfg->memseg[j].phys_addr = hugepage[i].physaddr;
>>> --
>> This does appear to be a valid fix for the issue. However, looking at
>> the code, it appears that the only way we could actually hit the
>> problem is if j == RTE_MAX_MEMSEG on exiting the previous loop. Would
>> a check there be a better fix for this issue (or perhaps we want both fixes).
>>
>> Thoughts?
>
>It doesn't make sense to go into the loop if we don't have free memsegs.
>Either way we should print the error indicating that we reached
>MAX_MEMSEG.
>
>Sergio
>

It is possible to add additional checking available memseg before the loop. 
In this case it will be checked twice before loop and inside loop. 
In my opinion it is not necessary.

Anyway it is valuable to add in line 1336 error message if the MAX_MEMSEG is reached.

Sławomir

>
>> /Bruce

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2016-04-26 11:42 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-04-26  7:44 [dpdk-dev] [PATCH] eal: out-of-bounds write Slawomir Mrozowicz
2016-04-26  8:53 ` Bruce Richardson
2016-04-26  9:44   ` Sergio Gonzalez Monroy
2016-04-26 11:42     ` Mrozowicz, SlawomirX

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).