From: luca.boccassi@gmail.com
To: Xiaolong Ye
Cc: Olivier Matz, dpdk stable
Date: Fri, 24 Jul 2020 12:58:10 +0100
Subject: [dpdk-stable] patch 'mbuf: fix boundary check at dynamic field registration' has been queued to stable release 19.11.4

Hi,

FYI, your patch has been queued to stable release 19.11.4

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/26/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Luca Boccassi

---
>From f32952bfab8ea4160ce82e2c1b6262397fa635bd Mon Sep 17 00:00:00 2001
From: Xiaolong Ye Date: Sat, 13 Jun 2020 23:49:17 +0800 Subject: [PATCH] mbuf: fix boundary check at dynamic field registration [ upstream commit f8eb26dda8bfc806ff71f65966dc17210686fc20 ] We should make sure off + size < sizeof(struct rte_mbuf) to avoid possible out-of-bounds access of free_space array, there is no issue currently due to the low bits of free_flags (which is adjacent to free_space) are always set to 0. But we shouldn't rely on it since it's fragile and layout of struct mbuf_dyn_shm may be changed in the future. This patch adds boundary check explicitly to avoid potential risk of out-of-bounds access. Fixes: 4958ca3a443a ("mbuf: support dynamic fields and flags") Signed-off-by: Xiaolong Ye Acked-by: Olivier Matz --- lib/librte_mbuf/rte_mbuf_dyn.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/librte_mbuf/rte_mbuf_dyn.c b/lib/librte_mbuf/rte_mbuf_dyn.c index 953e3ec31..13d6da6d1 100644 --- a/lib/librte_mbuf/rte_mbuf_dyn.c +++ b/lib/librte_mbuf/rte_mbuf_dyn.c @@ -69,7 +69,8 @@ process_score(void) for (off = 0; off < sizeof(struct rte_mbuf); off++) { /* get the size of the free zone */ - for (size = 0; shm->free_space[off + size]; size++) + for (size = 0; (off + size) < sizeof(struct rte_mbuf) && + shm->free_space[off + size]; size++) ; if (size == 0) continue; -- 2.20.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2020-07-24 12:53:50.613155067 +0100 +++ 0052-mbuf-fix-boundary-check-at-dynamic-field-registratio.patch 2020-07-24 12:53:48.275006236 +0100 @@ -1,8 +1,10 @@ -From f8eb26dda8bfc806ff71f65966dc17210686fc20 Mon Sep 17 00:00:00 2001 +From f32952bfab8ea4160ce82e2c1b6262397fa635bd Mon Sep 17 00:00:00 2001 
From: Xiaolong Ye Date: Sat, 13 Jun 2020 23:49:17 +0800 Subject: [PATCH] mbuf: fix boundary check at dynamic field registration +[ upstream commit f8eb26dda8bfc806ff71f65966dc17210686fc20 ] + We should make sure off + size < sizeof(struct rte_mbuf) to avoid possible out-of-bounds access of free_space array, there is no issue currently due to the low bits of free_flags (which is adjacent to @@ -12,7 +14,6 @@ out-of-bounds access. Fixes: 4958ca3a443a ("mbuf: support dynamic fields and flags") -Cc: stable@dpdk.org Signed-off-by: Xiaolong Ye Acked-by: Olivier Matz
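
Review bot: In the inner loop condition of process_score() in lib/librte_mbuf/rte_mbuf_dyn.c, the new bound is written as sizeof(struct rte_mbuf) rather than taken from shm->free_space itself, so the check is only correct while the array is declared with exactly that length, and the commit message itself says the layout of struct mbuf_dyn_shm may change. If free_space is a fixed-size array member, bounding on the array, for example `(off + size) < RTE_DIM(shm->free_space)`, would keep the guard tied to the object it protects; otherwise a short comment stating that free_space has sizeof(struct rte_mbuf) entries would help. The ordering of the two operands is right: the bounds test precedes the free_space[off + size] read, so short-circuit evaluation prevents the out-of-bounds load. The empty loop body on the lone `;` line would read more clearly with braces or a comment now that the condition spans two lines.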