From: wangyunjian
To: "dev@dpdk.org"
CC: "matan@nvidia.com", "viacheslavo@nvidia.com", "michaelba@nvidia.com", dingxiaoxiong, xudingke, "stable@dpdk.org"
Subject: RE: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's rss_key
Date: Tue, 8 Feb 2022 10:55:41 +0000
In-Reply-To: <5cd9086411342c7475e3227249d3aa3a3144897d.1640314881.git.wangyunjian@huawei.com>

Friendly ping.

> -----Original Message-----
> From: wangyunjian
> Sent: Friday, December 24, 2021 11:06 AM
> To: dev@dpdk.org
> Cc: matan@nvidia.com; viacheslavo@nvidia.com; michaelba@nvidia.com;
> dingxiaoxiong; xudingke; wangyunjian; stable@dpdk.org
> Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's rss_key
>
> The mlx5_drop_action_create function uses mlx5_malloc for allocating
> 'hrxq', but doesn't allocate for 'rss_key'. This is wrong and it can
> cause a buffer overflow.
>
> Detected with address sanitizer:
> 0 (/usr/lib64/libasan.so.4+0x7b8e2)
> 1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765
> 2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800
> 3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051
> 4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846
> 5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743
> 6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501
> 7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
> 8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
> 9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
> 10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
> 11 in mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150
> 12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
> 13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
> 14 in pci_probe ../drivers/bus/pci/pci_common.c:380
> 15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
> 16 in rte_eal_init ../lib/eal/linux/eal.c:1286
> 17 in main ../app/test-pmd/testpmd.c:4112
>
> Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code")
> Cc: stable@dpdk.org
>
> Signed-off-by: Yunjian Wang
> ---
> drivers/net/mlx5/mlx5_rxq.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c
> index f77d42dedf..a1e0b887a8 100644
> --- a/drivers/net/mlx5/mlx5_rxq.c > +++ b/drivers/net/mlx5/mlx5_rxq.c > @@ -2828,7 +2828,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev) >=20 > if (priv->drop_queue.hrxq) > return priv->drop_queue.hrxq; > - hrxq =3D mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY); > + hrxq =3D mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) + > MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY); > if (!hrxq) { > DRV_LOG(WARNING, > "Port %u cannot allocate memory for drop queue.", > -- > 2.27.0
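
Review bot: In the replaced mlx5_malloc() call in mlx5_drop_action_create(), the extra MLX5_RSS_HASH_KEY_LEN bytes are added with no comment saying that they are the storage for hrxq's rss_key, and nothing in the hunk ties that size to the length that mlx5_devx_tir_attr_set() accesses at mlx5_devx.c:765 in the trace. Please add a short comment above the allocation, and consider computing the size into a local first (for example `size_t sz = sizeof(*hrxq) + MLX5_RSS_HASH_KEY_LEN;`) so the added line stays short enough not to be wrapped, as it was in this mail. Because the allocation uses MLX5_MEM_ZERO, the key bytes start out all zero; if an all-zero key is what the drop queue is meant to use, the comment should say so. The subject calls this a "stack buffer overflow", but the buffer being resized comes from mlx5_malloc(), so wording such as "out-of-bounds access" would describe the fix more accurately.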