Re: [dpdk-dev] [PATCH] mem: fix the alloc size roundup overflow

[Bing Zhao <bingz@mellanox.com>]

> -----Original Message-----
> From: Burakov, Anatoly <anatoly.burakov@intel.com>
> Sent: Monday, April 20, 2020 7:40 PM
> To: Bing Zhao <bingz@mellanox.com>
> Cc: dev@dpdk.org; sergio.gonzalez.monroy@intel.com;
> stable@dpdk.org
> Subject: Re: [PATCH] mem: fix the alloc size roundup overflow
> 
> On 07-Apr-20 11:46 AM, Bing Zhao wrote:
> > The size checking is done in the caller. The size parameter is an
> > unsigned (64b wide) right now, so the comparison with zero should
> be
> > enough in most cases. But it won't help in the following case.
> > If the allocating request input a huge number by mistake, e.g., some
> > overflow after the calculation (especially subtraction), the checking
> > in the caller will succeed since it is not zero. Indeed, there is not
> > enough space in the system to support such huge memory allocation.
> > Usually it will return failure in the following code. But if the input
> > size is just a little smaller than the UINT64_MAX, like -2 in signed
> > type.
> > The roundup will cause an overflow and then "reset" the size to 0,
> and
> > then only a header (128B now) with zero length will be returned.
> > The following will be the previous allocation header.
> > It should be OK in most cases if the application won't access the
> > memory body. Or else, some critical issue will be caused and not easy
> > to debug. So this issue should be prevented at the beginning, like
> > other big size failure, NULL pointer should be returned also.
> >
> > Fixes: fdf20fa7bee9 ("add prefix to cache line macros")
> > Cc: sergio.gonzalez.monroy@intel.com
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Bing Zhao <bingz@mellanox.com>
> > ---
> >   lib/librte_eal/common/malloc_heap.c | 3 +++
> >   1 file changed, 3 insertions(+)
> >
> > diff --git a/lib/librte_eal/common/malloc_heap.c
> > b/lib/librte_eal/common/malloc_heap.c
> > index 842eb9d..bd50656 100644
> > --- a/lib/librte_eal/common/malloc_heap.c
> > +++ b/lib/librte_eal/common/malloc_heap.c
> > @@ -241,6 +241,9 @@
> >   	size = RTE_CACHE_LINE_ROUNDUP(size);
> >   	align = RTE_CACHE_LINE_ROUNDUP(align);
> >
> > +	/* roundup might cause an overflow */
> > +	if (size == 0)
> > +		return NULL;
> >   	elem = find_suitable_element(heap, size, flags, align, bound,
> contig);
> >   	if (elem != NULL) {
> >   		elem = malloc_elem_alloc(elem, size, align, bound,
> contig);
> >
> 
> Can we add a unit test for this in malloc_autotest?
> 
> Otherwise,
> 
> Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>
> 

Thanks, Burakov. I can try to add one case in the unit for this.

> --
> Thanks,
> Anatoly