From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 8C1DCA04A3 for ; Tue, 12 May 2020 08:28:53 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 51ECA1C138; Tue, 12 May 2020 08:28:53 +0200 (CEST) Received: from mga01.intel.com (mga01.intel.com [192.55.52.88]) by dpdk.org (Postfix) with ESMTP id 3A2251C031; Tue, 12 May 2020 08:28:50 +0200 (CEST) IronPort-SDR: 7Q0ORMkJemnVswfLrRR2UTuqrgh727PC/KMDL54F8u0uUKqyUY7ejNJcN9kf4Dk2mSSnUUrFOw 7EEkg7sEfWnA== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from fmsmga003.fm.intel.com ([10.253.24.29]) by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 11 May 2020 23:28:49 -0700 IronPort-SDR: rRfkkW2+B6YWniaakwFmOI8/IHKLrC2wcS9sfGo8aNnKFdmV0GkuLkQsMemn2G170xXkWp/T4J xID+NF/Yv3iQ== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.73,382,1583222400"; d="scan'208";a="306392521" Received: from dpdk-qifu-cxl.sh.intel.com ([10.67.119.67]) by FMSMGA003.fm.intel.com with ESMTP; 11 May 2020 23:28:48 -0700 From: Wei Zhao To: dev@dpdk.org Cc: stable@dpdk.org, beilei.xing@intel.com, Wei Zhao Date: Tue, 12 May 2020 11:19:15 -0400 Message-Id: <20200512151915.105152-1-wei.zhao1@intel.com> X-Mailer: git-send-email 2.17.1 Subject: [dpdk-stable] [PATCH] net/i40e: fix the security risk of wild pointer operation X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" In i40e PMD code of function i40e_res_pool_free(), if valid_entry is freed by "rte_free(valid_entry);" in the following code: if (prev != NULL) { ........................ if (insert == 1) { LIST_REMOVE(valid_entry, next); rte_free(valid_entry); } else { rte_free(valid_entry); insert = 1; } } then the following code for pool update may still use the wild pointer "valid_entry": " pool->num_free += valid_entry->len; pool->num_alloc -= valid_entry>len; " it seems to be a security bug, we should avoid this risk. Cc: stable@dpdk.org Fixes: 4861cde46116 ("i40e: new poll mode driver") Signed-off-by: Wei Zhao --- drivers/net/i40e/i40e_ethdev.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/drivers/net/i40e/i40e_ethdev.c b/drivers/net/i40e/i40e_ethdev.c index 749d85f54..7f8ea5309 100644 --- a/drivers/net/i40e/i40e_ethdev.c +++ b/drivers/net/i40e/i40e_ethdev.c @@ -4973,6 +4973,9 @@ i40e_res_pool_free(struct i40e_res_pool_info *pool, } insert = 0; + pool->num_free += valid_entry->len; + pool->num_alloc -= valid_entry->len; + /* Try to merge with next one*/ if (next != NULL) { /* Merge with next one */ @@ -5010,9 +5013,6 @@ i40e_res_pool_free(struct i40e_res_pool_info *pool, LIST_INSERT_HEAD(&pool->free_list, valid_entry, next); } - pool->num_free += valid_entry->len; - pool->num_alloc -= valid_entry->len; - return 0; } -- 2.17.1