From: David Marchand <david.marchand@redhat.com>
To: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Cc: dev <dev@dpdk.org>, "Wang, Yipeng1" <yipeng1.wang@intel.com>,
 "Gobriel, Sameh" <sameh.gobriel@intel.com>,
 Bruce Richardson <bruce.richardson@intel.com>,
 dpdk stable <stable@dpdk.org>
Subject: Re: [dpdk-stable] [PATCH] test/hash: fix buffer overflow
Date: Mon, 11 Oct 2021 13:03:20 +0200
Message-ID: <CAJFAV8yr_uHs9AHKvwyPC5+hkR98UeCmeGs6W50HPMROp07kJg@mail.gmail.com>
In-Reply-To: <1633728526-197782-1-git-send-email-vladimir.medvedkin@intel.com>

On Fri, Oct 8, 2021 at 11:28 PM Vladimir Medvedkin
<vladimir.medvedkin@intel.com> wrote:
>
> This patch fixes buffer overflow reported by ASAN,
> please reference https://bugs.dpdk.org/show_bug.cgi?id=818
>
> Some tests for the rte_hash table use the rte_jhash_32b() as
> the hash function. This hash function interprets the length
> argument in units of 4 bytes.
>
> This patch divides configured key length by 4 in cases when
> rte_jhash_32b() is used.
>
> Bugzilla ID: 818
> Fixes: af75078fece3 ("first public release")
> Cc: stable@dpdk.org
>
With patch applied, ASan reports another issue.
Did you test your fix with ASan?

From GHA, with https://patchwork.dpdk.org/project/dpdk/patch/20211002162432.4348-4-david.marchand@redhat.com/
applied:
30/94 DPDK:fast-tests / hash_autotest FAIL 0.87 s (exit status 1)
--- command ---
DPDK_TEST='hash_autotest'
/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test -l 0-1
--file-prefix=hash_autotest
--- stdout ---
RTE>>hash_autotest
--- stderr ---
EAL: Detected CPU lcores: 2
EAL: Detected NUMA nodes: 1
EAL: Detected shared linkage of DPDK
EAL: WARNING! Base virtual address hint (0x100005000 !=
0x7fa4a7cda000) not respected!
EAL: This may cause issues with mapping memory into secondary processes
EAL: Multi-process socket /var/run/dpdk/hash_autotest/mp_socket
EAL: Selected IOVA mode 'PA'
EAL: No available 1048576 kB hugepages reported
EAL: VFIO support initialized
EAL: WARNING! Base virtual address hint (0x10000b000 !=
0x7fa49688f000) not respected!
EAL: This may cause issues with mapping memory into secondary processes
EAL: WARNING! Base virtual address hint (0x100011000 !=
0x7fa49682e000) not respected!
EAL: This may cause issues with mapping memory into secondary processes
EAL: WARNING! Base virtual address hint (0x100a12000 !=
0x7fa094a00000) not respected!
EAL: This may cause issues with mapping memory into secondary processes
EAL: WARNING! Base virtual address hint (0x100c17000 !=
0x7fa49669f000) not respected!
EAL: This may cause issues with mapping memory into secondary processes
EAL: WARNING! Base virtual address hint (0x101618000 !=
0x7f9c94800000) not respected!
EAL: This may cause issues with mapping memory into secondary processes
EAL: WARNING! Base virtual address hint (0x10181d000 !=
0x7fa49663e000) not respected!
EAL: This may cause issues with mapping memory into secondary processes
EAL: WARNING! Base virtual address hint (0x10221e000 !=
0x7f9894600000) not respected!
EAL: This may cause issues with mapping memory into secondary processes
EAL: WARNING! Base virtual address hint (0x102423000 !=
0x7fa49649f000) not respected!
EAL: This may cause issues with mapping memory into secondary processes
EAL: WARNING! Base virtual address hint (0x102e24000 !=
0x7f9494400000) not respected!
EAL: This may cause issues with mapping memory into secondary processes
APP: HPET is not enabled, using TSC as default timer
=================================================================
==26840==ERROR: AddressSanitizer: global-buffer-overflow on address
0x00000372e3e0 at pc 0x0000014b0eb8 bp 0x7fff80e49990 sp
0x7fff80e49988
READ of size 4 at 0x00000372e3e0 thread T0
#0 0x14b0eb7 in __rte_jhash_2hashes
/home/runner/work/dpdk/dpdk/build/../lib/hash/rte_jhash.h:137:9
#1 0x14b0130 in rte_jhash_2hashes
/home/runner/work/dpdk/dpdk/build/../lib/hash/rte_jhash.h:238:2
#2 0x14b0051 in rte_jhash
/home/runner/work/dpdk/dpdk/build/../lib/hash/rte_jhash.h:284:2
#3 0x7fa4a38c7627 in rte_hash_hash
/home/runner/work/dpdk/dpdk/build/../lib/hash/rte_cuckoo_hash.c:538:9
#4 0x7fa4a38d6672 in rte_hash_add_key
/home/runner/work/dpdk/dpdk/build/../lib/hash/rte_cuckoo_hash.c:1212:46
#5 0x14a06db in test_five_keys
/home/runner/work/dpdk/dpdk/build/../app/test/test_hash.c:715:12
#6 0x149deda in test_hash
/home/runner/work/dpdk/dpdk/build/../app/test/test_hash.c:2207:6
#7 0x4d61f6 in cmd_autotest_parsed
/home/runner/work/dpdk/dpdk/build/../app/test/commands.c:71:10
#8 0x7fa4a44356c5 in cmdline_parse
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline_parse.c:290:3
#9 0x7fa4a442e8d5 in cmdline_valid_buffer
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline.c:26:8
#10 0x7fa4a443ff07 in rdline_char_in
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline_rdline.c:421:5
#11 0x7fa4a442f03f in cmdline_in
/home/runner/work/dpdk/dpdk/build/../lib/cmdline/cmdline.c:149:9
#12 0x5ac71e in main
/home/runner/work/dpdk/dpdk/build/../app/test/test.c:214:8
#13 0x7fa49ca42bf6 in __libc_start_main
/build/glibc-S9d2JN/glibc-2.27/csu/../csu/libc-start.c:310
#14 0x42eaa9 in _start
(/home/runner/work/dpdk/dpdk/build/app/test/dpdk-test+0x42eaa9)
0x00000372e3e1 is located 0 bytes to the right of global variable
'keys' defined in '../app/test/test_hash.c:115:24' (0x372e3a0) of size
65
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/runner/work/dpdk/dpdk/build/../lib/hash/rte_jhash.h:137:9 in
__rte_jhash_2hashes
==26840==ABORTING
-------
--
David Marchand
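
The two over-reads in this thread, as an added example that is not part of the original message or of DPDK: a toy hash with bounds-accounted loads shows how a byte count passed to a hash that counts 32-bit words runs past the key, and how a 4-byte tail load on the last key of a 65-byte array gives the READ of size 4 at offset 64 seen in the report. The 13-byte key size, the masked word-tail access pattern and all function names are assumptions of this sketch.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample: a 65-byte array like the 'keys' global in the report,
 * viewed as 5 packed 13-byte keys (the 13-byte key size is an assumption). */
static const uint8_t keys[65] = {0};
struct span { const uint8_t *base; size_t size, reach; };

/* Checked load of n <= 4 bytes: records the highest offset asked for and
 * never reads past the end of the span. */
static uint32_t load(struct span *s, size_t off, size_t n)
{
    uint32_t w = 0;
    size_t avail = off < s->size ? s->size - off : 0;
    if (off + n > s->reach)
        s->reach = off + n;
    if (avail)
        memcpy(&w, s->base + off, n < avail ? n : avail);
    return w;
}

/* Toy hash, length in 32-bit words (the rte_jhash_32b() convention). */
static uint32_t hash_words(struct span *s, size_t off, uint32_t nwords)
{
    uint32_t h = 0x9e3779b9u;
    for (uint32_t i = 0; i < nwords; i++)
        h = (h ^ load(s, off + 4 * (size_t)i, 4)) * 0x01000193u;
    return h;
}

/* Toy hash, length in bytes. word_tail=1 fetches the 1-3 trailing bytes as a
 * full masked word (assumed pattern); word_tail=0 loads only those bytes. */
static uint32_t hash_bytes(struct span *s, size_t off, uint32_t len, int word_tail)
{
    uint32_t h = hash_words(s, off, len / 4), tail = len % 4;
    if (tail)
        h ^= load(s, off + len - tail, word_tail ? 4 : tail) & (0xffffffffu >> (32 - 8 * tail));
    return h;
}

/* Bytes read past a size-byte array; unit 4 = word hash, 1 = byte hash. */
static size_t overread(size_t size, size_t off, uint32_t len, int unit, int word_tail)
{
    struct span s = { keys, size, 0 };
    if (unit == 4)
        hash_words(&s, off, len);
    else
        hash_bytes(&s, off, len, word_tail);
    return s.reach > size ? s.reach - size : 0;
}
```

`overread(16, 0, 16, 4, 0)` models a 16-byte key whose byte length is handed to the word-counting hash, and `overread(65, 52, 13, 1, 1)` models the last 13-byte key hashed with a word-sized tail load.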