DPDK patches and discussions
 help / color / mirror / Atom feed
* [DPDK/ethdev Bug 1859] common/cnxk: out of bounds access
@ 2025-12-23 22:18 bugzilla
  0 siblings, 0 replies; only message in thread
From: bugzilla @ 2025-12-23 22:18 UTC (permalink / raw)
  To: dev

http://bugs.dpdk.org/show_bug.cgi?id=1859

            Bug ID: 1859
           Summary: common/cnxk: out of bounds access
           Product: DPDK
           Version: 25.11
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: ethdev
          Assignee: dev@dpdk.org
          Reporter: stephen@networkplumber.org
  Target Milestone: ---

Gcc 16 detects out of bounds array access:

In function ‘nix_inl_selftest_work_cb’,
    inlined from ‘inl_outb_soft_exp_poll’ at
../drivers/common/cnxk/roc_nix_inl_dev.c:1173:4,
    inlined from ‘nix_inl_outb_poll_thread’ at
../drivers/common/cnxk/roc_nix_inl_dev.c:1201:6:
../drivers/common/cnxk/roc_nix_inl_dev.c:43:19: warning: array subscript 1 is
outside array bounds of ‘uint64_t[1]’ {aka ‘long unsigned int[1]’}
[-Warray-bounds=]
   43 |         uintptr_t work = gw[1];
      |                   ^~~~
../drivers/common/cnxk/roc_nix_inl_dev.c: In function
‘nix_inl_outb_poll_thread’:
../drivers/common/cnxk/roc_nix_inl_dev.c:1172:34: note: at offset 8 into object
‘tmp’ of size 8
 1172 |                         uint64_t tmp = ~(uint32_t)0x0;
      |                                  ^~~

The code in question is:

static void
inl_outb_soft_exp_poll(struct nix_inl_dev *inl_dev, uint32_t ring_idx)
{
...             if (sa != NULL) {
                        uint64_t tmp = ~(uint32_t)0x0;
                        inl_dev->work_cb(&tmp, sa, NIX_INL_SOFT_EXPIRY_THRD,
NULL, port_id);

...
static void
nix_inl_selftest_work_cb(uint64_t *gw, void *args, enum nix_inl_event_type
type, void *cq_s,
                         uint32_t port_id)
{
        uintptr_t work = gw[1];

        (void)type;
        (void)cq_s;
        (void)port_id;
        *((uintptr_t *)args + (gw[0] & 0x1)) = work;

        plt_atomic_thread_fence(__ATOMIC_ACQ_REL);
}

I.e tmp is 64 bits, and work_cb is referencing outside of that.

-- 
You are receiving this mail because:
You are the assignee for the bug.

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2025-12-23 22:18 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-12-23 22:18 [DPDK/ethdev Bug 1859] common/cnxk: out of bounds access bugzilla

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).