Buffer overflow with DPDK QoS sched app example file

Buffer overflow with DPDK QoS sched app example file

[Rubens Figueiredo]

[-- Attachment #1: Type: text/plain, Size: 5997 bytes --]

Good afternoon,

When running latest DPDK, commit 
fd233ad17e5ffa42d50f1625165a7fce3f1cbc5f, I have a found an issue with 
running the qos_sched app with the configuration file present at the end 
of this email.

DPDK was built with the following options. meson --reconfigure 
--buildtype=debugoptimized -Dexamples=qos_sched -Db_sanitize=address build

The process is run as follows. Of note, with the default config files, 
the process starts and is executed as expected.
.build/examples/dpdk-qos_sched -l 29-32 -n 4 -a 86:01.0 -a 86:01.1 -a 
86:01.2 -- --pfc "0,0,30,31,32"   --cfg 
/home/ubuntu/dpdk/examples/qos_sched/65kpipe_25gb_pipe_alloc_buggy.cfg 
--mnc 29  --bsz "128,512,511,511"  --rsz "4096,32768,4096" -i

The error seen is the following.

EAL: Detected CPU lcores: 112
EAL: Detected NUMA nodes: 2
EAL: Detected static linkage of DPDK
EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
EAL: Selected IOVA mode 'VA'
EAL: VFIO support initialized
EAL: Using IOMMU type 1 (Type 1)
Interactive-mode selected
APP: Initializing port 11... ETHDEV: Invalid port_id=11
EAL: Error - exiting with code: 1
Error during getting device (port 11) info: No such device

The following is the ASAN output. I am unfortunately unable to pursue 
this any further. Could anyone please give some assistance?
=================================================================
==253445==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x62117f738b20 at pc 0x62117cda077f bp 0x7ffd06c50ae0 sp 0x7ffd06c50ad0
WRITE of size 4 at 0x62117f738b20 thread T0
    #0 0x62117cda077e in cfg_load_subport 
../examples/qos_sched/cfg_file.c:422
    #1 0x62117cda13be in app_load_cfg_profile 
../examples/qos_sched/init.c:304
    #2 0x62117cda13be in app_init ../examples/qos_sched/init.c:336
    #3 0x62117cd32ae5 in main ../examples/qos_sched/main.c:190
    #4 0x76846842a1c9 in __libc_start_call_main 
../sysdeps/nptl/libc_start_call_main.h:58
    #5 0x76846842a28a in __libc_start_main_impl ../csu/libc-start.c:360
    #6 0x62117cd989a4 in _start 
(/home/ubuntu/dpdk-tryout/build/examples/dpdk-qos_sched+0xc069a4) 
(BuildId: 8d0f5fdb7beb728ce95a88abe602fdd7766f27be)

0x62117f738b20 is located 0 bytes after global variable 'active_queues' 
defined in '../examples/qos_sched/cfg_file.c:23:10' (0x62117f738ae0) of 
size 64
SUMMARY: AddressSanitizer: global-buffer-overflow 
../examples/qos_sched/cfg_file.c:422 in cfg_load_subport
Shadow bytes around the buggy address:
  0x62117f738880: 00 f9f9f9f9f9f9f900 f9f9f9f9f9f9f9
  0x62117f738900: 04 f9f9f9f9f9f9f900 00 00 00 00 00 00 00
  0x62117f738980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62117f738a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
  0x62117f738a80: f9f9f9f904 f9f9f9f9f9f9f900 00 00 00
=>0x62117f738b00: 00 00 00 00[f9]f9f9f900 00 00 00 00 00 00 00
  0x62117f738b80: 00 00 00 00 00 00 00 00 00 00 00 00 f9f9f9f9
  0x62117f738c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62117f738c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62117f738d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x62117f738d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
==253445==ABORTING


; Port configuration
[port]
frame overhead =24
number of subports per port =2

subport 0 =0
subport 1 =0

; Subport configuration
[subport 0]
number of pipes per subport =2
queue sizes =64 64 64 64 64 64 64 64 64 64 64 64 64

pipe 0 - 1 =0 ; These pipes are configured with pipe profile 0

; Subport configuration
[subport 1]
number of pipes per subport =2
queue sizes =64 64 64 64 64 64 64 64 64 64 64 64 64

pipe 0 - 1 =0 ; These pipes are configured with pipe profile 0

[subport profile 0]
tb rate =3125000000 ; Bytes per second
tb size =1000000000 ; Bytes

tc 0 rate =3125000000 ; Bytes per second
tc 1 rate =3125000000 ; Bytes per second
tc 2 rate =3125000000 ; Bytes per second
tc 3 rate =3125000000 ; Bytes per second
tc 4 rate =3125000000 ; Bytes per second
tc 5 rate =3125000000 ; Bytes per second
tc 6 rate =3125000000 ; Bytes per second
tc 7 rate =3125000000 ; Bytes per second
tc 8 rate =3125000000 ; Bytes per second
tc 9 rate =3125000000 ; Bytes per second
tc 10 rate =3125000000 ; Bytes per second
tc 11 rate =3125000000 ; Bytes per second
tc 12 rate =3125000000 ; Bytes per second

tc period =10 ; Milliseconds

; Pipe configuration
[pipe profile 0]
tb rate =750000 ; Bytes per second
tb size =10000 ; Bytes

tc 0 rate =750000 ; Bytes per second
tc 1 rate =750000 ; Bytes per second
tc 2 rate =750000 ; Bytes per second
tc 3 rate =750000 ; Bytes per second
tc 4 rate =750000 ; Bytes per second
tc 5 rate =750000 ; Bytes per second
tc 6 rate =750000 ; Bytes per second
tc 7 rate =750000 ; Bytes per second
tc 8 rate =750000 ; Bytes per second
tc 9 rate =750000 ; Bytes per second
tc 10 rate =750000 ; Bytes per second
tc 11 rate =750000 ; Bytes per second
tc 12 rate =750000 ; Bytes per second

tc period =20 ; Milliseconds

tc 12 oversubscription weight =1

tc 12 wrr weights =1 1 1 1



-- 
BISDN GmbH
Körnerstraße 7-10
10785 Berlin
Germany


Phone: 
+49-30-6108-1-6100


Managing Directors: 
Dr.-Ing. Hagen Woesner, Andreas 
Köpsel


Commercial register: 
Amtsgericht Berlin-Charlottenburg HRB 141569 
B
VAT ID No: DE283257294


[-- Attachment #2: Type: text/html, Size: 31266 bytes --]