From: Stephen Hemminger <stephen@networkplumber.org>
To: roy.fan.zhang@intel.com, pablo.de.lara.guarch@intel.com
Cc: dev@dpdk.org
Subject: [BUG] out of bounds reference in crypto snow3g driver.
Date: Tue, 7 Jun 2022 09:40:44 -0700 [thread overview]
Message-ID: <20220607094044.63d534c2@hermes.local> (raw)
Gcc-12 finds a bug in crypto_ipsec_mb_pmd_snow3g.
The code here is trying to be clever and put the crypto operations into a ring.
But if there are multiple operations in will dereference outside of the valid ops.
The offending line is here:
enqueued_op = rte_ring_enqueue_burst(qp->ingress_queue,
(void **)&op, processed_op, NULL);
And processed_op can be greater than one, causing potential out of bounds reference.
Since I don't have the hardware, and the code is trying to be too clever here.
Fixing it is left to maintainers.
Full output is:
[2496/3606] Compiling C object drivers/libtmp_rte_crypto_ipsec_mb.a.p/crypto_ipsec_mb_pmd_snow3g.c.o
In file included from ../lib/ring/rte_ring_elem.h:24,
from ../lib/ring/rte_ring.h:43,
from ../lib/mempool/rte_mempool.h:45,
from ../lib/mbuf/rte_mbuf.h:38,
from ../lib/cryptodev/rte_crypto.h:20,
from ../lib/cryptodev/cryptodev_pmd.h:26,
from ../drivers/crypto/ipsec_mb/ipsec_mb_private.h:9,
from ../drivers/crypto/ipsec_mb/pmd_snow3g_priv.h:8,
from ../drivers/crypto/ipsec_mb/pmd_snow3g.c:5:
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_hts_enqueue_elem’ at ../lib/ring/rte_ring_hts_elem_pvt.h:196:3,
inlined from ‘rte_ring_mp_hts_enqueue_burst_elem’ at ../lib/ring/rte_ring_hts.h:110:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:577:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:68:44: warning: array subscript 1 is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
68 | ring[idx + 1] = obj[i + 1];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset 8 into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_hts_enqueue_elem’ at ../lib/ring/rte_ring_hts_elem_pvt.h:196:3,
inlined from ‘rte_ring_mp_hts_enqueue_burst_elem’ at ../lib/ring/rte_ring_hts.h:110:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:577:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:69:44: warning: array subscript [2, 4294967293] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
69 | ring[idx + 2] = obj[i + 2];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [16, 34359738344] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_hts_enqueue_elem’ at ../lib/ring/rte_ring_hts_elem_pvt.h:196:3,
inlined from ‘rte_ring_mp_hts_enqueue_burst_elem’ at ../lib/ring/rte_ring_hts.h:110:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:577:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:70:44: warning: array subscript [3, 4294967294] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
70 | ring[idx + 3] = obj[i + 3];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [24, 34359738352] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_rts_enqueue_elem’ at ../lib/ring/rte_ring_rts_elem_pvt.h:211:3,
inlined from ‘rte_ring_mp_rts_enqueue_burst_elem’ at ../lib/ring/rte_ring_rts.h:137:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:574:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:68:44: warning: array subscript 1 is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
68 | ring[idx + 1] = obj[i + 1];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset 8 into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_rts_enqueue_elem’ at ../lib/ring/rte_ring_rts_elem_pvt.h:211:3,
inlined from ‘rte_ring_mp_rts_enqueue_burst_elem’ at ../lib/ring/rte_ring_rts.h:137:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:574:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:69:44: warning: array subscript [2, 4294967293] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
69 | ring[idx + 2] = obj[i + 2];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [16, 34359738344] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_rts_enqueue_elem’ at ../lib/ring/rte_ring_rts_elem_pvt.h:211:3,
inlined from ‘rte_ring_mp_rts_enqueue_burst_elem’ at ../lib/ring/rte_ring_rts.h:137:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:574:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:70:44: warning: array subscript [3, 4294967294] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
70 | ring[idx + 3] = obj[i + 3];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [24, 34359738352] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_enqueue_elem’ at ../lib/ring/rte_ring_elem_pvt.h:328:2,
inlined from ‘rte_ring_sp_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:535:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:571:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:68:44: warning: array subscript 1 is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
68 | ring[idx + 1] = obj[i + 1];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset 8 into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_enqueue_elem’ at ../lib/ring/rte_ring_elem_pvt.h:328:2,
inlined from ‘rte_ring_sp_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:535:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:571:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:69:44: warning: array subscript [2, 4294967293] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
69 | ring[idx + 2] = obj[i + 2];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [16, 34359738344] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_enqueue_elem’ at ../lib/ring/rte_ring_elem_pvt.h:328:2,
inlined from ‘rte_ring_sp_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:535:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:571:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:70:44: warning: array subscript [3, 4294967294] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
70 | ring[idx + 3] = obj[i + 3];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [24, 34359738352] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_enqueue_elem’ at ../lib/ring/rte_ring_elem_pvt.h:328:2,
inlined from ‘rte_ring_mp_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:506:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:568:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:68:44: warning: array subscript 1 is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
68 | ring[idx + 1] = obj[i + 1];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset 8 into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_enqueue_elem’ at ../lib/ring/rte_ring_elem_pvt.h:328:2,
inlined from ‘rte_ring_mp_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:506:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:568:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:69:44: warning: array subscript [2, 4294967293] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
69 | ring[idx + 2] = obj[i + 2];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [16, 34359738344] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_enqueue_elem’ at ../lib/ring/rte_ring_elem_pvt.h:328:2,
inlined from ‘rte_ring_mp_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:506:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:568:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:70:44: warning: array subscript [3, 4294967294] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
70 | ring[idx + 3] = obj[i + 3];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [24, 34359738352] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
reply other threads:[~2022-06-07 16:41 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220607094044.63d534c2@hermes.local \
--to=stephen@networkplumber.org \
--cc=dev@dpdk.org \
--cc=pablo.de.lara.guarch@intel.com \
--cc=roy.fan.zhang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).