DPDK patches and discussions
From: Rahul Bhansali <rbhansali@marvell.com>
To: Thomas Monjalon <thomas@monjalon.net>
Cc: "dev@dpdk.org" <dev@dpdk.org>,
	"david.marchand@redhat.com" <david.marchand@redhat.com>,
	Conor Walsh <conor.walsh@intel.com>
Subject: RE: [EXT] Re: [PATCH] examples/l3fwd: resolve stack buffer overflow issue
Date: Wed, 9 Mar 2022 15:24:25 +0000
Message-ID: <CO6PR18MB3844B0B47EFA841F04E2CA62B80A9@CO6PR18MB3844.namprd18.prod.outlook.com>
In-Reply-To: <4698000.9Mp67QZiUf@thomas>

Hi Thomas,

> -----Original Message-----
> From: Thomas Monjalon <thomas@monjalon.net>
> Sent: Tuesday, March 8, 2022 4:51 PM
> To: Rahul Bhansali <rbhansali@marvell.com>
> Cc: dev@dpdk.org; david.marchand@redhat.com; Conor Walsh
> <conor.walsh@intel.com>
> Subject: [EXT] Re: [PATCH] examples/l3fwd: resolve stack buffer overflow issue
> 
> 11/01/2022 13:50, Rahul Bhansali:
> > This patch fixes the stack buffer overflow error reported from
> > AddressSanitizer.
> > Function send_packetsx4() tries to access out-of-bounds data from
> > rte_mbuf and fill it into the TX buffer even in the case where there
> > are no pending packets (len = 0).
> > Performance impact:- No
> >
> > ASAN error report:-
> > ==819==ERROR: AddressSanitizer: stack-buffer-overflow on address
> > 0xffffe2c0dcf0 at pc 0x0000005e791c bp 0xffffe2c0d7e0 sp
> > 0xffffe2c0d800 READ of size 8 at 0xffffe2c0dcf0 thread T0
> >  #0 0x5e7918 in send_packetsx4 ../examples/l3fwd/l3fwd_common.h:251
> >  #1 0x5e7918 in send_packets_multi ../examples/l3fwd/l3fwd_neon.h:226
> 
> This code comes from below commit, so these tags are missing:
> Fixes: 96ff445371e0 ("examples/l3fwd: reorganise and optimize LPM code
> path")
> Cc: stable@dpdk.org
> 
> > Signed-off-by: Rahul Bhansali <rbhansali@marvell.com>
> > ---
> >  examples/l3fwd/l3fwd_common.h | 4 ++++
> >  1 file changed, 4 insertions(+)
> >
> > diff --git a/examples/l3fwd/l3fwd_common.h
> > b/examples/l3fwd/l3fwd_common.h index 7d83ff641a..de77711f88 100644
> > --- a/examples/l3fwd/l3fwd_common.h
> > +++ b/examples/l3fwd/l3fwd_common.h
> > @@ -236,6 +236,9 @@ send_packetsx4(struct lcore_conf *qconf, uint16_t
> > port, struct rte_mbuf *m[],
> >
> >  		/* copy rest of the packets into the TX buffer. */
> >  		len = num - n;
> > +		if (len == 0)
> > +			goto exit;
> > +
> 
> I don't understand how it can fix something.
> There is already "while (j < len)" with j and len being 0, the loop should not be
> effective in this case.

This switch will execute the case statement first, even before considering the while condition or anything else before the case statement. The while condition will be executed only after all switch cases are executed.
Hence, in the case of len = 0 and n > 28, it throws a stack buffer overflow error.

Below is sample code to simulate the while loop behavior inside the switch. Checked it for both x86 and arm64.
https://godbolt.org/z/4Kecqbsde

> 
> >  		j = 0;
> >  		switch (len % FWDSTEP) {
> >  		while (j < len) {
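
Review bot: the `if (len == 0)` / `goto exit;` added ahead of `j = 0;` has no comment, and the question asked on the list shows its purpose is not obvious from the code. `switch (len % FWDSTEP)` jumps to a case label inside the `while (j < len)` body, so with len equal to 0 the body runs before the loop condition is tested for the first time. A short comment above the check stating this would keep the guard from being removed later as apparently redundant.
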
> > @@ -258,6 +261,7 @@ send_packetsx4(struct lcore_conf *qconf, uint16_t
> port, struct rte_mbuf *m[],
> >  		}
> >  	}
> >
> > +exit:
> >  	qconf->tx_mbufs[port].len = len;
> >  }
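
Review bot: the label placed before `qconf->tx_mbufs[port].len = len;` is named `exit`, which is legal because labels have their own namespace, but it reads like the C library's exit(); a name such as `out` or `done` would be clearer. As the only jump to it is the `len == 0` case, the goto could also be avoided by making the copy conditional, for example by wrapping the switch in `if (len != 0)`.
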
> 
> 
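
The control flow discussed in the reply above, as an added example that is not part of the original message, the linked sample, or the DPDK sources. It assumes FWDSTEP is 4 and that m[] holds 32 entries, uses hypothetical names (copy_rest, copy_one, struct trace), and counts the reads that would land outside the array instead of performing them.

```c
#include <stdio.h>

#define FWDSTEP 4   /* assumed unroll factor; the hunk does not show its value */
#define BURST   32  /* assumed number of entries in the source array m[] */

struct trace { unsigned steps; unsigned oob_reads; };

/* Bounds-checked stand-in for "m_table[j] = m[n + j]": records the access
 * and whether it would have read past the end of m[]. */
static void copy_one(struct trace *t, unsigned idx)
{
	t->steps++;
	if (idx >= BURST)
		t->oob_reads++;
}

/* Same shape as the hunk: a switch that jumps into the body of a while loop.
 * A non-zero guard applies the patch's early exit for len == 0. */
struct trace copy_rest(unsigned n, unsigned num, int guard)
{
	struct trace t = {0, 0};
	unsigned len = num - n;
	unsigned j = 0;

	if (guard && len == 0)
		return t;

	switch (len % FWDSTEP) {
	while (j < len) {	/* first evaluated only after the entered cases ran */
	case 0:
		copy_one(&t, n + j); j++;
	case 3:
		copy_one(&t, n + j); j++;
	case 2:
		copy_one(&t, n + j); j++;
	case 1:
		copy_one(&t, n + j); j++;
	}
	}
	return t;
}

int main(void)
{
	struct trace bad = copy_rest(32, 32, 0), ok = copy_rest(32, 32, 1);

	printf("unguarded: %u steps, %u out of bounds; guarded: %u steps\n",
	       bad.steps, bad.oob_reads, ok.steps);
	return 0;
}
```

With len = 0 the remainder is 0, so the switch enters at case 0 and all four copies run once before the loop condition ends the loop; for n above 28 at least one of those reads falls past the 32nd entry.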

