From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id EC5BFA00C5; Thu, 7 May 2020 13:55:32 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 3A7D21DBD2; Thu, 7 May 2020 13:55:31 +0200 (CEST) Received: from mga03.intel.com (mga03.intel.com [134.134.136.65]) by dpdk.org (Postfix) with ESMTP id 062ED1DA8D; Thu, 7 May 2020 13:55:28 +0200 (CEST) IronPort-SDR: Uyxc5fCz+9Wr8/QJOcZUjCQpOnsU6i9gXAbuT67DRsUlAF9f+BDDhXTfcMgh4ITOnxl4pZDpLk 4xMYMZVENmCQ== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga008.fm.intel.com ([10.253.24.58]) by orsmga103.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 07 May 2020 04:55:27 -0700 IronPort-SDR: Moia1jk7ksrTj1M912uP5ILloXQ5RenViTlTVOFxTSReW37DN6npUY/f294/J2ntXp74P8AYwn Z9opvwJst/Cw== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.73,363,1583222400"; d="scan'208";a="251495474" Received: from aburakov-mobl.ger.corp.intel.com (HELO [10.252.140.79]) ([10.252.140.79]) by fmsmga008.fm.intel.com with ESMTP; 07 May 2020 04:55:25 -0700 To: Bing Zhao , thomas@monjalon.net Cc: dev@dpdk.org, stable@dpdk.org, sergio.gonzalez.monroy@intel.com References: <1586256364-185699-1-git-send-email-bingz@mellanox.com> <1588837269-360196-1-git-send-email-bingz@mellanox.com> From: "Burakov, Anatoly" Message-ID: Date: Thu, 7 May 2020 12:55:24 +0100 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0 MIME-Version: 1.0 In-Reply-To: <1588837269-360196-1-git-send-email-bingz@mellanox.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Subject: Re: [dpdk-dev] [PATCH v2] mem: fix the alloc size roundup overflow X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" On 07-May-20 8:41 AM, Bing Zhao wrote: > The size checking is done in the caller. The size parameter is an > unsigned (64b wide) right now, so the comparison with zero should be > enough in most cases. But it won't help in the following case. > If the allocating request input a huge number by mistake, e.g., some > overflow after the calculation (especially subtraction), the checking > in the caller will succeed since it is not zero. Indeed, there is not > enough space in the system to support such huge memory allocation. > Usually it will return failure in the following code. But if the > input size is just a little smaller than the UINT64_MAX, like -2 in > signed type. > The roundup will cause an overflow and then "reset" the size to 0, > and then only a header (128B now) with zero length will be returned. > The following will be the previous allocation header. > It should be OK in most cases if the application won't access the > memory body. Or else, some critical issue will be caused and not easy > to debug. So this issue should be prevented at the beginning, like > other big size failure, NULL pointer should be returned also. > > Fixes: fdf20fa7bee9 ("add prefix to cache line macros") > Cc: sergio.gonzalez.monroy@intel.com > Cc: stable@dpdk.org > > Signed-off-by: Bing Zhao > --- > v2: add unit test for this case > --- > app/test/test_malloc.c | 12 ++++++++++++ > lib/librte_eal/common/malloc_heap.c | 3 +++ > 2 files changed, 15 insertions(+) > > diff --git a/app/test/test_malloc.c b/app/test/test_malloc.c > index 40a2f50..a96c060 100644 > --- a/app/test/test_malloc.c > +++ b/app/test/test_malloc.c > @@ -846,6 +846,18 @@ > if (bad_ptr != NULL) > goto err_return; > > + /* rte_malloc expected to return null with size will cause overflow */ > + align = RTE_CACHE_LINE_SIZE; > + size = (size_t)-8; > + > + bad_ptr = rte_malloc(type, size, align); > + if (bad_ptr != NULL) > + goto err_return; > + > + bad_ptr = rte_realloc(NULL, size, align); > + if (bad_ptr != NULL) > + goto err_return; You're mixing space and tabs as indentation here. Otherwise, Reviewed-by: Anatoly Burakov > + > return 0; > > err_return: > diff --git a/lib/librte_eal/common/malloc_heap.c b/lib/librte_eal/common/malloc_heap.c > index 842eb9d..bd50656 100644 > --- a/lib/librte_eal/common/malloc_heap.c > +++ b/lib/librte_eal/common/malloc_heap.c > @@ -241,6 +241,9 @@ > size = RTE_CACHE_LINE_ROUNDUP(size); > align = RTE_CACHE_LINE_ROUNDUP(align); > > + /* roundup might cause an overflow */ > + if (size == 0) > + return NULL; > elem = find_suitable_element(heap, size, flags, align, bound, contig); > if (elem != NULL) { > elem = malloc_elem_alloc(elem, size, align, bound, contig); > -- Thanks, Anatoly