Subject: Re: [dpdk-stable] [PATCH v2] mem: fix the alloc size roundup overflow
From: "Burakov, Anatoly"
To: Bing Zhao, thomas@monjalon.net
Cc: dev@dpdk.org, stable@dpdk.org, sergio.gonzalez.monroy@intel.com
Date: Thu, 7 May 2020 12:55:24 +0100
In-Reply-To: <1588837269-360196-1-git-send-email-bingz@mellanox.com>
References: <1586256364-185699-1-git-send-email-bingz@mellanox.com> <1588837269-360196-1-git-send-email-bingz@mellanox.com>

On 07-May-20 8:41 AM, Bing Zhao wrote:
> The size checking is done in the caller. The size parameter is an
> unsigned (64b wide) right now, so the comparison with zero should be
> enough in most cases. But it won't help in the following case.
> If the allocating request inputs a huge number by mistake, e.g., some
> overflow after the calculation (especially subtraction), the checking
> in the caller will succeed since it is not zero. Indeed, there is not
> enough space in the system to support such a huge memory allocation.
> Usually it will return failure in the following code. But if the
> input size is just a little smaller than UINT64_MAX, like -2 in a
> signed type, the roundup will cause an overflow and then "reset" the
> size to 0, and then only a header (128B now) with zero length will be
> returned. The following will be the previous allocation header.
> It should be OK in most cases if the application won't access the
> memory body. Otherwise, some critical issue will be caused and it is
> not easy to debug. So this issue should be prevented at the beginning;
> like other big size failures, a NULL pointer should be returned also.
>
> Fixes: fdf20fa7bee9 ("add prefix to cache line macros")
> Cc: sergio.gonzalez.monroy@intel.com
> Cc: stable@dpdk.org
> > Signed-off-by: Bing Zhao > --- > v2: add unit test for this case > --- > app/test/test_malloc.c | 12 ++++++++++++ > lib/librte_eal/common/malloc_heap.c | 3 +++ > 2 files changed, 15 insertions(+) > > diff --git a/app/test/test_malloc.c b/app/test/test_malloc.c > index 40a2f50..a96c060 100644 > --- a/app/test/test_malloc.c > +++ b/app/test/test_malloc.c > @@ -846,6 +846,18 @@ > if (bad_ptr != NULL) > goto err_return; > > + /* rte_malloc expected to return null with size will cause overflow */ > + align = RTE_CACHE_LINE_SIZE; > + size = (size_t)-8; > + > + bad_ptr = rte_malloc(type, size, align); > + if (bad_ptr != NULL) > + goto err_return; > + > + bad_ptr = rte_realloc(NULL, size, align); > + if (bad_ptr != NULL) > + goto err_return; You're mixing space and tabs as indentation here. Otherwise, Reviewed-by: Anatoly Burakov > + > return 0; > > err_return: > diff --git a/lib/librte_eal/common/malloc_heap.c b/lib/librte_eal/common/malloc_heap.c > index 842eb9d..bd50656 100644 > --- a/lib/librte_eal/common/malloc_heap.c > +++ b/lib/librte_eal/common/malloc_heap.c > @@ -241,6 +241,9 @@ > size = RTE_CACHE_LINE_ROUNDUP(size); > align = RTE_CACHE_LINE_ROUNDUP(align); > > + /* roundup might cause an overflow */ > + if (size == 0) > + return NULL; > elem = find_suitable_element(heap, size, flags, align, bound, contig); > if (elem != NULL) { > elem = malloc_elem_alloc(elem, size, align, bound, contig); > -- Thanks, Anatoly
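Review bot: the comment on the new test_malloc.c case, `/* rte_malloc expected to return null with size will cause overflow */`, is ungrammatical and does not say why `(size_t)-8` is the chosen value; the case only works because `size + RTE_CACHE_LINE_SIZE - 1` wraps past SIZE_MAX so the roundup in malloc_heap.c yields 0, so suggest something like `/* size within one cache line of SIZE_MAX: the heap's roundup wraps it to 0 */`. The tab/space mix Anatoly points out should be fixed in the same respin. Calling `rte_realloc(NULL, size, align)` next to `rte_malloc` is good, since it covers the realloc entry point with the same overflowing size.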
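Review bot: the new `if (size == 0) return NULL;` in malloc_heap.c is complete for `size` (a sum that wraps lands below one cache line, so 0 is the only result a wrapped roundup can produce), but `align = RTE_CACHE_LINE_ROUNDUP(align);` on the line directly above receives no such guard; either say in the comment why `align` cannot overflow (if the caller already validates it) or apply the same check to it. The comment `/* roundup might cause an overflow */` would also read better as `/* a size within one cache line of SIZE_MAX wraps to 0 in the roundup above */`, which ties it to the check below it.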
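The roundup overflow the commit message describes, as an added example that is neither part of the patch nor DPDK's own code: RTE_CACHE_LINE_SIZE (128) and RTE_CACHE_LINE_ROUNDUP are redeclared here with their assumed round-up-to-multiple definition, and `guard_is_complete` checks that the patch's `size == 0` test catches every size that wraps, not only the `(size_t)-8` used in the unit test.

```c
#include <stdint.h>
#include <stdio.h>
/* Assumed definitions; DPDK's own headers are not included here. */
#define RTE_CACHE_LINE_SIZE 128
#define RTE_CACHE_LINE_ROUNDUP(size) \
	(RTE_CACHE_LINE_SIZE * (((size) + RTE_CACHE_LINE_SIZE - 1) / RTE_CACHE_LINE_SIZE))
/* Roundup as the heap applied it before the fix: wraps silently for any size
 * within RTE_CACHE_LINE_SIZE - 1 of SIZE_MAX, such as the (size_t)-8 in the test. */
size_t roundup_unguarded(size_t size)
{
	return RTE_CACHE_LINE_ROUNDUP(size);
}

/* The patch's detection: round first, then treat a result of 0 as overflow (a
 * wrapped sum is below RTE_CACHE_LINE_SIZE, so 0 is the only wrapped result).
 * Size 0 is excluded here because the caller already rejects it. */
int overflows_after_roundup(size_t size)
{
	return size != 0 && RTE_CACHE_LINE_ROUNDUP(size) == 0;
}

/* Equivalent explicit pre-check: size + (RTE_CACHE_LINE_SIZE - 1) wraps exactly
 * when size lies among the top RTE_CACHE_LINE_SIZE - 1 values of size_t. */
int overflows_precheck(size_t size)
{
	return size > SIZE_MAX - (RTE_CACHE_LINE_SIZE - 1);
}

/* 1 if both detections agree across the whole wrap window and both accept the
 * largest non-wrapping size, a cache-line multiple that must round to itself. */
int guard_is_complete(void)
{
	size_t last_good = SIZE_MAX - (RTE_CACHE_LINE_SIZE - 1);
	for (size_t s = last_good + 1; ; s++) {
		if (!overflows_after_roundup(s) || !overflows_precheck(s))
			return 0;
		if (s == SIZE_MAX)
			break;	/* stop before the loop counter itself wraps */
	}
	return !overflows_after_roundup(last_good) &&
	       !overflows_precheck(last_good) &&
	       roundup_unguarded(last_good) == last_good;
}
int main(void)
{
	printf("roundup((size_t)-8) = %zu, guard complete: %d\n",
	       roundup_unguarded((size_t)-8), guard_is_complete());
	return 0;
}
```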