From: christian.ehrhardt@canonical.com
To: Vladimir Medvedkin
Cc: Bruce Richardson, dpdk stable
Subject: patch 'lpm6: fix buffer overflow' has been queued to stable release 19.11.11
Date: Tue, 30 Nov 2021 17:35:07 +0100
Message-Id: <20211130163605.2460997-103-christian.ehrhardt@canonical.com>
In-Reply-To: <20211130163605.2460997-1-christian.ehrhardt@canonical.com>
References: <20211130163605.2460997-1-christian.ehrhardt@canonical.com>

Hi,

FYI, your patch has been queued to stable release 19.11.11

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before December 10th 2021. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/cpaelzer/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/cpaelzer/dpdk-stable-queue/commit/b34c6b450317d5a58342ccda5b1a16ee98bf3c85

Thanks.

Christian Ehrhardt

---
From b34c6b450317d5a58342ccda5b1a16ee98bf3c85 Mon Sep 17 00:00:00 2001
From: Vladimir Medvedkin
Date: Thu, 21 Oct 2021 18:15:49 +0100
Subject: [PATCH] lpm6: fix buffer overflow

[ upstream commit b16ac536573869ba3afd724947bfa9abbd477f86 ]

This patch fixes buffer overflow reported by ASAN,
please reference https://bugs.dpdk.org/show_bug.cgi?id=819

The rte_lpm6 keeps routing information for control plane purpose
inside the rte_hash table which uses rte_jhash() as a hash function.

From the rte_jhash() documentation: If input key is not aligned to
four byte boundaries or a multiple of four bytes in length,
the memory region just after may be read (but not used in the
computation).

rte_lpm6 uses 17 bytes keys consisting of IPv6 address (16 bytes) +
depth (1 byte).

This patch increases the size of the depth field up to uint32_t
and sets the alignment to 4 bytes.

Bugzilla ID: 819
Fixes: 86b3b21952a8 ("lpm6: store rules in hash table")

Signed-off-by: Vladimir Medvedkin
Acked-by: Bruce Richardson
---
lib/librte_lpm/rte_lpm6.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/librte_lpm/rte_lpm6.c b/lib/librte_lpm/rte_lpm6.c index 6e1b18d6fd..b7a087554e 100644 --- a/lib/librte_lpm/rte_lpm6.c +++ b/lib/librte_lpm/rte_lpm6.c @@ -80,7 +80,7 @@ struct rte_lpm6_rule { /** Rules tbl entry key. */ struct rte_lpm6_rule_key { uint8_t ip[RTE_LPM6_IPV6_ADDR_SIZE]; /**< Rule IP address. */ - uint8_t depth; /**< Rule depth. */ + uint32_t depth; /**< Rule depth. */ }; /* Header of tbl8 */
@@ -259,6 +259,8 @@ rte_lpm6_create(const char *name, int socket_id, lpm_list = RTE_TAILQ_CAST(rte_lpm6_tailq.head, rte_lpm6_list); RTE_BUILD_BUG_ON(sizeof(struct rte_lpm6_tbl_entry) != sizeof(uint32_t)); + RTE_BUILD_BUG_ON(sizeof(struct rte_lpm6_rule_key) % + sizeof(uint32_t) != 0); /* Check user arguments. */ if ((name == NULL) || (socket_id < -1) || (config == NULL) || -- 2.34.0 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2021-11-30 16:50:11.814311884 +0100 +++ 0103-lpm6-fix-buffer-overflow.patch 2021-11-30 16:50:05.906874381 +0100 @@ -1 +1 @@ -From b16ac536573869ba3afd724947bfa9abbd477f86 Mon Sep 17 00:00:00 2001 +From b34c6b450317d5a58342ccda5b1a16ee98bf3c85 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit b16ac536573869ba3afd724947bfa9abbd477f86 ] + @@ -23 +24,0 @@ -Cc: stable@dpdk.org @@ -28 +29 @@ - lib/lpm/rte_lpm6.c | 4 +++- + lib/librte_lpm/rte_lpm6.c | 4 +++- @@ -31,4 +32,4 @@ -diff --git a/lib/lpm/rte_lpm6.c b/lib/lpm/rte_lpm6.c -index 37baabb26d..73768fc956 100644 ---- a/lib/lpm/rte_lpm6.c -+++ b/lib/lpm/rte_lpm6.c +diff --git a/lib/librte_lpm/rte_lpm6.c b/lib/librte_lpm/rte_lpm6.c +index 6e1b18d6fd..b7a087554e 100644 +--- a/lib/librte_lpm/rte_lpm6.c ++++ b/lib/librte_lpm/rte_lpm6.c
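
Review bot: in the @@ -80,7 +80,7 @@ hunk, the commit message says the patch "sets the alignment to 4 bytes", but nothing in struct rte_lpm6_rule_key states that; the 4-byte alignment is only a side effect of depth now being uint32_t. Suggest either an explicit alignment attribute on the struct or a comment on the depth field saying it is deliberately wider than the value needs, so that the key is 20 bytes and word-aligned for rte_jhash(). Without that, a later cleanup could shrink the field back to uint8_t and reintroduce the over-read. It is also worth confirming, outside the lines shown here, that the hash key length is taken from sizeof(struct rte_lpm6_rule_key) and not from a literal 17.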
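
Review bot: in the @@ -259,6 +259,8 @@ hunk in rte_lpm6_create(), the new RTE_BUILD_BUG_ON checks only that sizeof(struct rte_lpm6_rule_key) is a multiple of sizeof(uint32_t). That covers the length half of the rte_jhash() requirement quoted in the commit message but not the alignment half, and the check carries no comment saying why the size matters. Suggest a one-line comment above it that names the rte_jhash() read past the end of unaligned or odd-length keys, plus a second build-time check on the alignment of the struct.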