From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 8E191A0523; Thu, 2 Jul 2020 05:06:11 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 33FD41D146; Thu, 2 Jul 2020 05:06:09 +0200 (CEST) Received: from mail-pj1-f67.google.com (mail-pj1-f67.google.com [209.85.216.67]) by dpdk.org (Postfix) with ESMTP id 5CE3F1BFFE for ; Thu, 2 Jul 2020 05:06:07 +0200 (CEST) Received: by mail-pj1-f67.google.com with SMTP id k5so2306569pjg.3 for ; Wed, 01 Jul 2020 20:06:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=networkplumber-org.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=kOjWDEilniWQhXfgnybN3CbeZoz0QvS33ZmGbYL1dsM=; b=smpnRBrI9cr1TOgXDj/qC0UKm/2Q7VyR7DDIz4PyDsdNfnSdDbk3NG0pQOZcwe256J VxJ/wGOG1Tp3CxporKfsO8IxY/bsiTfeMkjRqyRR9KRonxqOmA2stfTGJPKrc6/w+9P3 IL8oDcVAvulXcwzbxdM43szrwUkgOoJEjJEVZ6pQlT8pIxZlsvBiPxwFB95v3Uo+jziq AGV1QTtEtVtoTqsKvfE2l4r833oNznRXRNA1CTJqg4bxVDC/ybykFBVZry1Xka4PAXQ2 DVI/s7WHMM2wzdoxUZBm4AYw5Cecvi2139P3/rL6EGF6uuaW+DRinI7+iVPmNHmKkJIt MmfA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=kOjWDEilniWQhXfgnybN3CbeZoz0QvS33ZmGbYL1dsM=; b=juVzd8W+EUThWsfzmiXXDaOAyh8wonXtv2d+g26XJPS/HCvZWpgtYQG8FYgoAY26Yn 8MO2e+JERrqv9OpVsSGPVnZXdLSUmGIZiqveLnwYLFFoQh/iOEOgS7U9uRmIVtUoB2UJ rc4ebhySPgCIRlLYqdw/ApiqJilsZvUCSd9CDaXiEAi0ceMOnWPsgdn9pIBnYopUFSn2 1Vbuxxxze42S/yhBD3T0e8NOBfimEfY40wbpVGMySaWRrvi+oa3v1+TmrgPVRMM3wD80 LxFJkKr/YQevSLcIPqKRG1nOUs4Nh+SLHrt2W7UQOSXGLb9vUeT6GuRfYkuT/IEZdJHx gRgw== X-Gm-Message-State: AOAM531T5HPQIG0Ftt2vBTVQIGH2M4CNxu+rcYAFceIH1QnIgZZiORFS nTe5YFckfbgXmpzW51P7aXOP/A== X-Google-Smtp-Source: ABdhPJz6oYuD6KAISQm1ap6+UDmvc5kMvyZ9RMLP1msrPgTU/kQFE6EJ0KUTAMlqJjdXfAdmImdWrw== X-Received: by 2002:a17:90a:1b4a:: with SMTP id q68mr695746pjq.1.1593659166201; Wed, 01 Jul 2020 20:06:06 -0700 (PDT) Received: from hermes.lan (204-195-22-127.wavecable.com. [204.195.22.127]) by smtp.gmail.com with ESMTPSA id j21sm7128174pfa.133.2020.07.01.20.06.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 01 Jul 2020 20:06:05 -0700 (PDT) From: Stephen Hemminger To: cristian.dumitrescu@intel.com Cc: dev@dpdk.org, Stephen Hemminger , jacekx.piasecki@intel.com, stable@dpdk.org Date: Wed, 1 Jul 2020 20:05:58 -0700 Message-Id: <20200702030558.17852-1-stephen@networkplumber.org> X-Mailer: git-send-email 2.26.2 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [dpdk-dev] [PATCH] cfgfile: avoid stack buffer underflow X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" If cfgfile is give a line with comment character at the start of the line, it will dereference outside of the buffer. Detected with address sanitizer: SUMMARY: AddressSanitizer: stack-buffer-underflow lib/librte_cfgfile/rte_cfgfile.c:194 in rte_cfgfile_load_with_params Shadow bytes around the buggy address: 0x200fff79f6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x200fff79f6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x200fff79f6c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x200fff79f6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x200fff79f6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x200fff79f6f0: 00 00 00 00 f1 f1 f1[f1]00 00 00 00 00 00 00 00 0x200fff79f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x200fff79f710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x200fff79f720: 04 f2 f2 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00 0x200fff79f730: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 0x200fff79f740: f2 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==2189==ABORTING Fixes: a6a47ac9c2c9 ("cfgfile: rework load function") Cc: jacekx.piasecki@intel.com CC: stable@dpdk.org Signed-off-by: Stephen Hemminger --- lib/librte_cfgfile/rte_cfgfile.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/librte_cfgfile/rte_cfgfile.c b/lib/librte_cfgfile/rte_cfgfile.c index 714717dd9007..160d78826e7c 100644 --- a/lib/librte_cfgfile/rte_cfgfile.c +++ b/lib/librte_cfgfile/rte_cfgfile.c @@ -191,7 +191,8 @@ rte_cfgfile_load_with_params(const char *filename, int flags, } /* skip parsing if comment character found */ pos = memchr(buffer, params->comment_character, len); - if (pos != NULL && (*(pos-1) != '\\')) { + if (pos != NULL && + (pos == buffer || *(pos-1) != '\\')) { *pos = '\0'; len = pos - buffer; } -- 2.26.2