From: Mike Cui
Date: Wed, 28 Dec 2022 12:37:46 -0800
Subject: lib/vhost/virtio_net: possible stack overflow in virtio_dev_tx_async_packed()
To: dev@dpdk.org, cheng1.jiang@intel.com
List-Id: DPDK patches and discussions

Hi,

I believe there is a possible stack overflow in this code:
https://github.com/DPDK/dpdk/blob/main/lib/vhost/virtio_net.c#L3631

Here, pkts_prealloc is declared on the stack with size MAX_PKT_BURST, then filled in by rte_pktmbuf_alloc_bulk() up to 'count' elements, but 'count' is not capped at MAX_PKT_BURST like in many other code paths.

Suggested patch:

diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
index 9abf752f30..21f00317c7 100644
--- a/lib/vhost/virtio_net.c
+++ b/lib/vhost/virtio_net.c
@@ -3634,6 +3634,7 @@ virtio_dev_tx_async_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
 
 	async_iter_reset(async);
 
+	count = RTE_MIN(count, MAX_PKT_BURST);
 	if (rte_pktmbuf_alloc_bulk(mbuf_pool, pkts_prealloc, count))
 		goto out;
 
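Review bot: the added `+	count = RTE_MIN(count, MAX_PKT_BURST);` stops rte_pktmbuf_alloc_bulk() from writing past the MAX_PKT_BURST-sized pkts_prealloc array, but it also silently truncates the request, so virtio_dev_tx_async_packed() will now return fewer packets than the caller asked for; the patch should carry a commit message saying so, and callers must treat a short return as normal (loop until done) rather than assume a full burst. Because the cap sits immediately before the alloc call, any use of `count` earlier in the function is still unchecked; capping at function entry, or rejecting an oversized request with an error the way the report says other code paths do, would make the bound hold for the whole function.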
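The pattern behind the report is a fixed-size stack array filled up to a caller-supplied count. The following C example is added here as an illustration and is not code from the mail or from DPDK: fake_alloc_bulk() stands in for rte_pktmbuf_alloc_bulk() (it writes exactly count slots and trusts the caller for room), tx_burst_capped() shows the capped pattern the patch proposes, and dequeue_all() shows the caller-side consequence, namely that a request above MAX_PKT_BURST is served in several short bursts instead of one oversized write. MAX_PKT_BURST is set to a constructed value of 32; the function and type names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed values for this example; DPDK defines its own MAX_PKT_BURST
 * and RTE_MIN, and the real burst size is not copied from the page. */
#define MAX_PKT_BURST 32
#define RTE_MIN(a, b) ((a) < (b) ? (a) : (b))

/* Stand-in for an mbuf pointer: a plain integer handle. */
typedef uint32_t mbuf_t;

/* Hypothetical stand-in for rte_pktmbuf_alloc_bulk(): fills exactly
 * 'count' slots of 'out'. Like the real function it relies on the caller
 * having room for 'count' elements, which is why an uncapped 'count' over
 * a fixed-size stack array can overrun it. Returns 0 on success. */
static int
fake_alloc_bulk(mbuf_t *out, unsigned int count)
{
	static uint32_t next_handle = 1;

	for (unsigned int i = 0; i < count; i++)
		out[i] = next_handle++;
	return 0;
}

/* Hardened pattern: cap the request at the size of the stack array before
 * the bulk allocation, as the proposed patch does. Returns the number of
 * packets actually delivered, which may be less than requested. */
static uint16_t
tx_burst_capped(mbuf_t *pkts, uint16_t count)
{
	mbuf_t pkts_prealloc[MAX_PKT_BURST];

	count = RTE_MIN(count, MAX_PKT_BURST);	/* the bound that was missing */
	if (fake_alloc_bulk(pkts_prealloc, count))
		return 0;
	memcpy(pkts, pkts_prealloc, count * sizeof(*pkts));
	return count;
}

/* Caller-side consequence of the cap: loop on the short return until the
 * whole request is satisfied, instead of assuming a single full burst. */
static uint16_t
dequeue_all(mbuf_t *pkts, uint16_t total)
{
	uint16_t got = 0;

	while (got < total) {
		uint16_t n = tx_burst_capped(pkts + got, total - got);

		if (n == 0)	/* allocation failure: stop rather than spin */
			break;
		got += n;
	}
	return got;
}

int
main(void)
{
	mbuf_t pkts[100];
	uint16_t n;

	n = tx_burst_capped(pkts, 100);
	printf("single burst, 100 requested -> %u delivered\n", n);
	n = dequeue_all(pkts, 100);
	printf("looped dequeue, 100 requested -> %u delivered\n", n);
	return 0;
}
```

The single call returns MAX_PKT_BURST rather than 100, which is the behaviour a caller has to expect once the cap is in place; the loop in dequeue_all() is the shape that callers need so the cap does not silently drop packets.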