* [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
@ 2018-05-07 9:50 Qi Zhang
2018-05-08 6:24 ` Zhao1, Wei
2018-05-09 13:58 ` Thomas Monjalon
0 siblings, 2 replies; 7+ messages in thread
From: Qi Zhang @ 2018-05-07 9:50 UTC (permalink / raw)
To: adrien.mazarguil; +Cc: yuan.peng, wei.zhao1, dev, Qi Zhang
When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
mask->length is not the real size of binary pattern, it should take
spec->length, or memory size will be over counted (0xffff) and invalid
memory be access during following memcpy.
Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
---
app/test-pmd/config.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c
index 16fc481ce..bcaf429c4 100644
--- a/app/test-pmd/config.c
+++ b/app/test-pmd/config.c
@@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct rte_flow_item *item,
dst.raw = buf;
off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
sizeof(*src.raw->pattern));
- size = off + src.raw->length * sizeof(*src.raw->pattern);
+ size = off + ((const struct rte_flow_item_raw *)item->spec)->
+ length * sizeof(*src.raw->pattern);
if (dst.raw) {
memcpy(dst.raw, src.raw, sizeof(*src.raw));
dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,
--
2.13.6
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
2018-05-07 9:50 [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access Qi Zhang
@ 2018-05-08 6:24 ` Zhao1, Wei
2018-05-08 8:31 ` Zhang, Qi Z
2018-05-09 13:58 ` Thomas Monjalon
1 sibling, 1 reply; 7+ messages in thread
From: Zhao1, Wei @ 2018-05-08 6:24 UTC (permalink / raw)
To: Zhang, Qi Z, adrien.mazarguil; +Cc: Peng, Yuan, dev
Hi, zhang qi
This fix patch to DPDK.or is also useful for igb flex byte core dump issue.
I have validation it. But there is some patch check warning.
https://dpdk.org/dev/patchwork/patch/39417/
> -----Original Message-----
> From: Zhang, Qi Z
> Sent: Monday, May 7, 2018 5:51 PM
> To: adrien.mazarguil@6wind.com
> Cc: Peng, Yuan <yuan.peng@intel.com>; Zhao1, Wei <wei.zhao1@intel.com>;
> dev@dpdk.org; Zhang, Qi Z <qi.z.zhang@intel.com>
> Subject: [PATCH] app/testpmd: fix invalid memory access
>
> When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
> mask->length is not the real size of binary pattern, it should take
> spec->length, or memory size will be over counted (0xffff) and invalid
> memory be access during following memcpy.
>
> Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
>
> Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
> ---
> app/test-pmd/config.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c index
> 16fc481ce..bcaf429c4 100644
> --- a/app/test-pmd/config.c
> +++ b/app/test-pmd/config.c
> @@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct
> rte_flow_item *item,
> dst.raw = buf;
> off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
> sizeof(*src.raw->pattern));
> - size = off + src.raw->length * sizeof(*src.raw->pattern);
> + size = off + ((const struct rte_flow_item_raw *)item->spec)->
> + length * sizeof(*src.raw->pattern);
> if (dst.raw) {
> memcpy(dst.raw, src.raw, sizeof(*src.raw));
> dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,
> --
> 2.13.6
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
2018-05-08 6:24 ` Zhao1, Wei
@ 2018-05-08 8:31 ` Zhang, Qi Z
0 siblings, 0 replies; 7+ messages in thread
From: Zhang, Qi Z @ 2018-05-08 8:31 UTC (permalink / raw)
To: Zhao1, Wei, adrien.mazarguil; +Cc: Peng, Yuan, dev
Hi Zhao Wei:
> -----Original Message-----
> From: Zhao1, Wei
> Sent: Tuesday, May 8, 2018 2:24 PM
> To: Zhang, Qi Z <qi.z.zhang@intel.com>; adrien.mazarguil@6wind.com
> Cc: Peng, Yuan <yuan.peng@intel.com>; dev@dpdk.org
> Subject: RE: [PATCH] app/testpmd: fix invalid memory access
>
> Hi, zhang qi
> This fix patch to DPDK.or is also useful for igb flex byte core dump issue.
> I have validation it. But there is some patch check warning.
> https://dpdk.org/dev/patchwork/patch/39417/
Thanks for testing, I will capture the typo if Adrien agree with the fix.
Regards
Qi
>
>
>
> > -----Original Message-----
> > From: Zhang, Qi Z
> > Sent: Monday, May 7, 2018 5:51 PM
> > To: adrien.mazarguil@6wind.com
> > Cc: Peng, Yuan <yuan.peng@intel.com>; Zhao1, Wei
> <wei.zhao1@intel.com>;
> > dev@dpdk.org; Zhang, Qi Z <qi.z.zhang@intel.com>
> > Subject: [PATCH] app/testpmd: fix invalid memory access
> >
> > When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
> > mask->length is not the real size of binary pattern, it should take
> > spec->length, or memory size will be over counted (0xffff) and invalid
> > memory be access during following memcpy.
> >
> > Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
> >
> > Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
> > ---
> > app/test-pmd/config.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/app/test-pmd/config.c b/app/test-pmd/config.c index
> > 16fc481ce..bcaf429c4 100644
> > --- a/app/test-pmd/config.c
> > +++ b/app/test-pmd/config.c
> > @@ -1077,7 +1077,8 @@ flow_item_spec_copy(void *buf, const struct
> > rte_flow_item *item,
> > dst.raw = buf;
> > off = RTE_ALIGN_CEIL(sizeof(struct rte_flow_item_raw),
> > sizeof(*src.raw->pattern));
> > - size = off + src.raw->length * sizeof(*src.raw->pattern);
> > + size = off + ((const struct rte_flow_item_raw *)item->spec)->
> > + length * sizeof(*src.raw->pattern);
> > if (dst.raw) {
> > memcpy(dst.raw, src.raw, sizeof(*src.raw));
> > dst.raw->pattern = memcpy((uint8_t *)dst.raw + off,
> > --
> > 2.13.6
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
2018-05-07 9:50 [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access Qi Zhang
2018-05-08 6:24 ` Zhao1, Wei
@ 2018-05-09 13:58 ` Thomas Monjalon
1 sibling, 0 replies; 7+ messages in thread
From: Thomas Monjalon @ 2018-05-09 13:58 UTC (permalink / raw)
To: Qi Zhang; +Cc: dev, adrien.mazarguil, yuan.peng, wei.zhao1
07/05/2018 11:50, Qi Zhang:
> When calulate memory size of an RTE_FLOW_ITEM_TYPE_RAW 's mask
> mask->length is not the real size of binary pattern, it should take
> spec->length, or memory size will be over counted (0xffff) and invalid
> memory be access during following memcpy.
>
> Fixes: d0ad8648b1c5 ("app/testpmd: fix RSS flow action configuration")
>
> Signed-off-by: Qi Zhang <qi.z.zhang@intel.com>
Applied, thanks
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
2021-10-12 7:50 ` Li, Xiaoyun
@ 2021-10-12 8:21 ` Sunil Kumar Kori
0 siblings, 0 replies; 7+ messages in thread
From: Sunil Kumar Kori @ 2021-10-12 8:21 UTC (permalink / raw)
To: Li, Xiaoyun; +Cc: dev, stable, Dumitrescu, Cristian
Regards
Sunil Kumar Kori
>-----Original Message-----
>From: Li, Xiaoyun <xiaoyun.li@intel.com>
>Sent: Tuesday, October 12, 2021 1:21 PM
>To: Sunil Kumar Kori <skori@marvell.com>
>Cc: dev@dpdk.org; stable@dpdk.org; Dumitrescu, Cristian
><cristian.dumitrescu@intel.com>
>Subject: [EXT] RE: [PATCH] app/testpmd: fix invalid memory access
>
>External Email
>
>----------------------------------------------------------------------
>Hi
>
>> -----Original Message-----
>> From: skori@marvell.com <skori@marvell.com>
>> Sent: Tuesday, October 12, 2021 15:36
>> To: Li, Xiaoyun <xiaoyun.li@intel.com>
>> Cc: dev@dpdk.org; Sunil Kumar Kori <skori@marvell.com>;
>> stable@dpdk.org
>> Subject: [PATCH] app/testpmd: fix invalid memory access
>>
>> From: Sunil Kumar Kori <skori@marvell.com>
>>
>> During parsing of DSCP entries, memory is allocated and assgined to
>*dscp_table.
>> Later on, same memory is accessed using *dscp_table[i++].
>>
>> Due to higher precedence for array subscript, dscp_table[i++] will be
>> executed first which actually does not point to the same memory which
>> was allocated previously for DSCP table entries.
>>
>> Cc: stable@dpdk.org
>>
>> Fixes: e63b50162aa3 ("app/testpmd: clean metering and policing
>> commands")
>
>I think the fix should be for patch 459463ae6c26 ("app/testpmd: fix memory
>allocation for DSCP table") Also, added metering maintainer.
>
Ack. I will update and share v2.
>BRs
>Xiaoyun
>
>>
>> Signed-off-by: Sunil Kumar Kori <skori@marvell.com>
>> ---
>> app/test-pmd/cmdline_mtr.c | 6 +++---
>> 1 file changed, 3 insertions(+), 3 deletions(-)
>>
>> diff --git a/app/test-pmd/cmdline_mtr.c b/app/test-pmd/cmdline_mtr.c
>> index
>> b5dcfdadcf..ad7ef6ad98 100644
>> --- a/app/test-pmd/cmdline_mtr.c
>> +++ b/app/test-pmd/cmdline_mtr.c
>> @@ -101,13 +101,13 @@ parse_dscp_table_entries(char *str, enum
>> rte_color
>> **dscp_table)
>> while (1) {
>> if (strcmp(token, "G") == 0 ||
>> strcmp(token, "g") == 0)
>> - *dscp_table[i++] = RTE_COLOR_GREEN;
>> + (*dscp_table)[i++] = RTE_COLOR_GREEN;
>> else if (strcmp(token, "Y") == 0 ||
>> strcmp(token, "y") == 0)
>> - *dscp_table[i++] = RTE_COLOR_YELLOW;
>> + (*dscp_table)[i++] = RTE_COLOR_YELLOW;
>> else if (strcmp(token, "R") == 0 ||
>> strcmp(token, "r") == 0)
>> - *dscp_table[i++] = RTE_COLOR_RED;
>> + (*dscp_table)[i++] = RTE_COLOR_RED;
>> else {
>> free(*dscp_table);
>> return -1;
>> --
>> 2.25.1
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
2021-10-12 7:36 skori
@ 2021-10-12 7:50 ` Li, Xiaoyun
2021-10-12 8:21 ` Sunil Kumar Kori
0 siblings, 1 reply; 7+ messages in thread
From: Li, Xiaoyun @ 2021-10-12 7:50 UTC (permalink / raw)
To: skori; +Cc: dev, stable, Dumitrescu, Cristian
Hi
> -----Original Message-----
> From: skori@marvell.com <skori@marvell.com>
> Sent: Tuesday, October 12, 2021 15:36
> To: Li, Xiaoyun <xiaoyun.li@intel.com>
> Cc: dev@dpdk.org; Sunil Kumar Kori <skori@marvell.com>; stable@dpdk.org
> Subject: [PATCH] app/testpmd: fix invalid memory access
>
> From: Sunil Kumar Kori <skori@marvell.com>
>
> During parsing of DSCP entries, memory is allocated and assgined to *dscp_table.
> Later on, same memory is accessed using *dscp_table[i++].
>
> Due to higher precedence for array subscript, dscp_table[i++] will be executed
> first which actually does not point to the same memory which was allocated
> previously for DSCP table entries.
>
> Cc: stable@dpdk.org
>
> Fixes: e63b50162aa3 ("app/testpmd: clean metering and policing commands")
I think the fix should be for patch 459463ae6c26 ("app/testpmd: fix memory allocation for DSCP table")
Also, added metering maintainer.
BRs
Xiaoyun
>
> Signed-off-by: Sunil Kumar Kori <skori@marvell.com>
> ---
> app/test-pmd/cmdline_mtr.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/app/test-pmd/cmdline_mtr.c b/app/test-pmd/cmdline_mtr.c index
> b5dcfdadcf..ad7ef6ad98 100644
> --- a/app/test-pmd/cmdline_mtr.c
> +++ b/app/test-pmd/cmdline_mtr.c
> @@ -101,13 +101,13 @@ parse_dscp_table_entries(char *str, enum rte_color
> **dscp_table)
> while (1) {
> if (strcmp(token, "G") == 0 ||
> strcmp(token, "g") == 0)
> - *dscp_table[i++] = RTE_COLOR_GREEN;
> + (*dscp_table)[i++] = RTE_COLOR_GREEN;
> else if (strcmp(token, "Y") == 0 ||
> strcmp(token, "y") == 0)
> - *dscp_table[i++] = RTE_COLOR_YELLOW;
> + (*dscp_table)[i++] = RTE_COLOR_YELLOW;
> else if (strcmp(token, "R") == 0 ||
> strcmp(token, "r") == 0)
> - *dscp_table[i++] = RTE_COLOR_RED;
> + (*dscp_table)[i++] = RTE_COLOR_RED;
> else {
> free(*dscp_table);
> return -1;
> --
> 2.25.1
^ permalink raw reply [flat|nested] 7+ messages in thread
* [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access
@ 2021-10-12 7:36 skori
2021-10-12 7:50 ` Li, Xiaoyun
0 siblings, 1 reply; 7+ messages in thread
From: skori @ 2021-10-12 7:36 UTC (permalink / raw)
To: Xiaoyun Li; +Cc: dev, Sunil Kumar Kori, stable
From: Sunil Kumar Kori <skori@marvell.com>
During parsing of DSCP entries, memory is allocated and assgined
to *dscp_table. Later on, same memory is accessed using
*dscp_table[i++].
Due to higher precedence for array subscript, dscp_table[i++] will
be executed first which actually does not point to the same memory
which was allocated previously for DSCP table entries.
Cc: stable@dpdk.org
Fixes: e63b50162aa3 ("app/testpmd: clean metering and policing commands")
Signed-off-by: Sunil Kumar Kori <skori@marvell.com>
---
app/test-pmd/cmdline_mtr.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/app/test-pmd/cmdline_mtr.c b/app/test-pmd/cmdline_mtr.c
index b5dcfdadcf..ad7ef6ad98 100644
--- a/app/test-pmd/cmdline_mtr.c
+++ b/app/test-pmd/cmdline_mtr.c
@@ -101,13 +101,13 @@ parse_dscp_table_entries(char *str, enum rte_color **dscp_table)
while (1) {
if (strcmp(token, "G") == 0 ||
strcmp(token, "g") == 0)
- *dscp_table[i++] = RTE_COLOR_GREEN;
+ (*dscp_table)[i++] = RTE_COLOR_GREEN;
else if (strcmp(token, "Y") == 0 ||
strcmp(token, "y") == 0)
- *dscp_table[i++] = RTE_COLOR_YELLOW;
+ (*dscp_table)[i++] = RTE_COLOR_YELLOW;
else if (strcmp(token, "R") == 0 ||
strcmp(token, "r") == 0)
- *dscp_table[i++] = RTE_COLOR_RED;
+ (*dscp_table)[i++] = RTE_COLOR_RED;
else {
free(*dscp_table);
return -1;
--
2.25.1
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-10-12 8:21 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-07 9:50 [dpdk-dev] [PATCH] app/testpmd: fix invalid memory access Qi Zhang
2018-05-08 6:24 ` Zhao1, Wei
2018-05-08 8:31 ` Zhang, Qi Z
2018-05-09 13:58 ` Thomas Monjalon
2021-10-12 7:36 skori
2021-10-12 7:50 ` Li, Xiaoyun
2021-10-12 8:21 ` Sunil Kumar Kori
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).