patches for DPDK stable branches
 help / color / mirror / Atom feed
From: Olivier Matz <olivier.matz@6wind.com>
To: Aaron Conole <aconole@redhat.com>
Cc: Thomas Monjalon <thomas@monjalon.net>,
	Wenwu Ma <wenwux.ma@intel.com>,
	andrew.rybchenko@oktetlabs.ru, stable@dpdk.org, dev@dpdk.org,
	zhihongx.peng@intel.com
Subject: Re: [dpdk-stable] [v2] test/mempool: fix heap buffer overflow
Date: Fri, 16 Apr 2021 09:20:57 +0200	[thread overview]
Message-ID: <20210416072057.GA1726@platinum> (raw)
In-Reply-To: <f7tk0p3aey8.fsf@dhcp-25.97.bos.redhat.com>

On Thu, Apr 15, 2021 at 08:51:27AM -0400, Aaron Conole wrote:
> Olivier Matz <olivier.matz@6wind.com> writes:
> 
> > On Tue, Apr 13, 2021 at 01:52:26PM +0200, Thomas Monjalon wrote:
> >> 13/04/2021 22:05, Wenwu Ma:
> >> > Amount of allocated memory was not enough for mempool
> >> > which cause buffer overflow when access fields of mempool
> >> > private structure in the rte_pktmbuf_priv_size function.
> >>
> >> Was it causing the test to fail?
> >> How do you reproduce the overflow?
> >
> > In the test, right after the rte_mempool_create(), the function
> > rte_mempool_obj_iter() is called too initialize the mempool objects with
> > the rte_pktmbuf_init() callback function. This callback expects that the
> > mempool is a packet pool, i.e. its private area is a struct
> > rte_pktmbuf_pool_private structure.
> >
> > In the current test, the size of the private area is 0, which probably
> > causes the function rte_pktmbuf_priv_size() to return an unpredictable
> > value, and this value is used as a size in a memset.
> 
> Is it possible to have rte_mempool_get_priv() detect that the private
> area isn't valid and return a ref to a const static member for this that
> will have the correct mbuf_priv_size?  There isn't really documentation
> that I can find that describes this corner case with the mempool private
> data section.  Actually, it doesn't really say what happens if private
> data size is 0, so maybe a documentation update should go with this test
> case fix, too?

Good point, we can indeed add something in the API documentation. To
detect that the private area is not big enough in rte_pktmbuf_init(),
unfortunatly the function has no return code, but for now we can add at
least an RTE_ASSERT() (only active when -DRTE_ENABLE_ASSERT is passed),
as it's already done for other checks.

I can do a new version of the patch. Wenwu, is it ok for you?

In a second step, we can think about changing the API of all mempool
callbacks and their wrappers to add a return code.


> > This part of the test was added in commit 923ceaeac140 ("test/mempool:
> > add unit test cases").
> >
> > Instead of changing the size of the private area like done in the patch,
> > I suggest to use another callback than rte_pktmbuf_init(). After all,
> > this is a mempool test, so we should not rely on mbuf features. The
> > function my_obj_init() could be used like in other places of the test,
> > like this:
> >
> >   @@ -552,7 +552,7 @@ test_mempool(void)
> >   		 GOTO_ERR(ret, err);
> >   
> >   	 /* test to initialize mempool objects and memory */
> >   -        nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, rte_pktmbuf_init,
> >   +        nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, my_obj_init,
> >   			 NULL);
> >   	 if (nb_objs == 0)
> >   		 GOTO_ERR(ret, err);
> >
> >
> > Wenwu, does it solve your issue?
> >
> >
> > Regards,
> > Olivier
> 

  reply	other threads:[~2021-04-16  7:21 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20210331210557.4919-1-wenwux.ma@intel.com>
2021-04-12 14:10 ` [dpdk-stable] [PATCH v1] test/mempool: fix out of memory bound for mempool Wenwu Ma
2021-04-13 20:05 ` [dpdk-stable] [v2] test/mempool: fix heap buffer overflow Wenwu Ma
2021-04-13 11:52   ` Thomas Monjalon
2021-04-15  6:45     ` Olivier Matz
2021-04-15 12:51       ` Aaron Conole
2021-04-16  7:20         ` Olivier Matz [this message]
2021-04-27 13:56   ` [dpdk-stable] [PATCH v3 1/2] " Olivier Matz
2021-05-04 18:07     ` Thomas Monjalon
2021-04-13 20:03 [dpdk-stable] [v2] " Wenwu Ma
  -- strict thread matches above, loose matches on Subject: below --
2021-04-13 19:22 Wenwu Ma

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210416072057.GA1726@platinum \
    --to=olivier.matz@6wind.com \
    --cc=aconole@redhat.com \
    --cc=andrew.rybchenko@oktetlabs.ru \
    --cc=dev@dpdk.org \
    --cc=stable@dpdk.org \
    --cc=thomas@monjalon.net \
    --cc=wenwux.ma@intel.com \
    --cc=zhihongx.peng@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).