* [BUG] out of bounds reference in crypto snow3g driver.
@ 2022-06-07 16:40 Stephen Hemminger
0 siblings, 0 replies; only message in thread
From: Stephen Hemminger @ 2022-06-07 16:40 UTC (permalink / raw)
To: roy.fan.zhang, pablo.de.lara.guarch; +Cc: dev
Gcc-12 finds a bug in crypto_ipsec_mb_pmd_snow3g.
The code here is trying to be clever and put the crypto operations into a ring.
But if there are multiple operations in will dereference outside of the valid ops.
The offending line is here:
enqueued_op = rte_ring_enqueue_burst(qp->ingress_queue,
(void **)&op, processed_op, NULL);
And processed_op can be greater than one, causing potential out of bounds reference.
Since I don't have the hardware, and the code is trying to be too clever here.
Fixing it is left to maintainers.
Full output is:
[2496/3606] Compiling C object drivers/libtmp_rte_crypto_ipsec_mb.a.p/crypto_ipsec_mb_pmd_snow3g.c.o
In file included from ../lib/ring/rte_ring_elem.h:24,
from ../lib/ring/rte_ring.h:43,
from ../lib/mempool/rte_mempool.h:45,
from ../lib/mbuf/rte_mbuf.h:38,
from ../lib/cryptodev/rte_crypto.h:20,
from ../lib/cryptodev/cryptodev_pmd.h:26,
from ../drivers/crypto/ipsec_mb/ipsec_mb_private.h:9,
from ../drivers/crypto/ipsec_mb/pmd_snow3g_priv.h:8,
from ../drivers/crypto/ipsec_mb/pmd_snow3g.c:5:
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_hts_enqueue_elem’ at ../lib/ring/rte_ring_hts_elem_pvt.h:196:3,
inlined from ‘rte_ring_mp_hts_enqueue_burst_elem’ at ../lib/ring/rte_ring_hts.h:110:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:577:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:68:44: warning: array subscript 1 is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
68 | ring[idx + 1] = obj[i + 1];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset 8 into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_hts_enqueue_elem’ at ../lib/ring/rte_ring_hts_elem_pvt.h:196:3,
inlined from ‘rte_ring_mp_hts_enqueue_burst_elem’ at ../lib/ring/rte_ring_hts.h:110:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:577:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:69:44: warning: array subscript [2, 4294967293] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
69 | ring[idx + 2] = obj[i + 2];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [16, 34359738344] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_hts_enqueue_elem’ at ../lib/ring/rte_ring_hts_elem_pvt.h:196:3,
inlined from ‘rte_ring_mp_hts_enqueue_burst_elem’ at ../lib/ring/rte_ring_hts.h:110:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:577:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:70:44: warning: array subscript [3, 4294967294] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
70 | ring[idx + 3] = obj[i + 3];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [24, 34359738352] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_rts_enqueue_elem’ at ../lib/ring/rte_ring_rts_elem_pvt.h:211:3,
inlined from ‘rte_ring_mp_rts_enqueue_burst_elem’ at ../lib/ring/rte_ring_rts.h:137:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:574:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:68:44: warning: array subscript 1 is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
68 | ring[idx + 1] = obj[i + 1];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset 8 into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_rts_enqueue_elem’ at ../lib/ring/rte_ring_rts_elem_pvt.h:211:3,
inlined from ‘rte_ring_mp_rts_enqueue_burst_elem’ at ../lib/ring/rte_ring_rts.h:137:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:574:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:69:44: warning: array subscript [2, 4294967293] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
69 | ring[idx + 2] = obj[i + 2];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [16, 34359738344] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_rts_enqueue_elem’ at ../lib/ring/rte_ring_rts_elem_pvt.h:211:3,
inlined from ‘rte_ring_mp_rts_enqueue_burst_elem’ at ../lib/ring/rte_ring_rts.h:137:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:574:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:70:44: warning: array subscript [3, 4294967294] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
70 | ring[idx + 3] = obj[i + 3];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [24, 34359738352] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_enqueue_elem’ at ../lib/ring/rte_ring_elem_pvt.h:328:2,
inlined from ‘rte_ring_sp_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:535:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:571:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:68:44: warning: array subscript 1 is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
68 | ring[idx + 1] = obj[i + 1];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset 8 into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_enqueue_elem’ at ../lib/ring/rte_ring_elem_pvt.h:328:2,
inlined from ‘rte_ring_sp_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:535:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:571:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:69:44: warning: array subscript [2, 4294967293] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
69 | ring[idx + 2] = obj[i + 2];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [16, 34359738344] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_enqueue_elem’ at ../lib/ring/rte_ring_elem_pvt.h:328:2,
inlined from ‘rte_ring_sp_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:535:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:571:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:70:44: warning: array subscript [3, 4294967294] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
70 | ring[idx + 3] = obj[i + 3];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [24, 34359738352] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_enqueue_elem’ at ../lib/ring/rte_ring_elem_pvt.h:328:2,
inlined from ‘rte_ring_mp_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:506:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:568:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:68:44: warning: array subscript 1 is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
68 | ring[idx + 1] = obj[i + 1];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset 8 into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_enqueue_elem’ at ../lib/ring/rte_ring_elem_pvt.h:328:2,
inlined from ‘rte_ring_mp_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:506:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:568:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:69:44: warning: array subscript [2, 4294967293] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
69 | ring[idx + 2] = obj[i + 2];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [16, 34359738344] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
In function ‘__rte_ring_enqueue_elems_64’,
inlined from ‘__rte_ring_enqueue_elems’ at ../lib/ring/rte_ring_elem_pvt.h:130:3,
inlined from ‘__rte_ring_do_enqueue_elem’ at ../lib/ring/rte_ring_elem_pvt.h:328:2,
inlined from ‘rte_ring_mp_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:506:9,
inlined from ‘rte_ring_enqueue_burst_elem’ at ../lib/ring/rte_ring_elem.h:568:10,
inlined from ‘rte_ring_enqueue_burst’ at ../lib/ring/rte_ring.h:738:9,
inlined from ‘process_op_bit’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:425:16,
inlined from ‘snow3g_pmd_dequeue_burst’ at ../drivers/crypto/ipsec_mb/pmd_snow3g.c:484:20:
../lib/ring/rte_ring_elem_pvt.h:70:44: warning: array subscript [3, 4294967294] is outside array bounds of ‘struct rte_crypto_op[0]’ [-Warray-bounds]
70 | ring[idx + 3] = obj[i + 3];
| ~~~^~~~~~~
../drivers/crypto/ipsec_mb/pmd_snow3g.c: In function ‘snow3g_pmd_dequeue_burst’:
../drivers/crypto/ipsec_mb/pmd_snow3g.c:434:1: note: at offset [24, 34359738352] into object ‘op’ of size 8
434 | snow3g_pmd_dequeue_burst(void *queue_pair,
| ^~~~~~~~~~~~~~~~~~~~~~~~
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2022-06-07 16:41 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-07 16:40 [BUG] out of bounds reference in crypto snow3g driver Stephen Hemminger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).