patches for DPDK stable branches
From: Ferruh Yigit <ferruh.yigit@amd.com>
To: "Sivaramakrishnan, VenkatX" <venkatx.sivaramakrishnan@intel.com>,
	Hemant Agrawal <hemant.agrawal@nxp.com>,
	Sachin Saxena <sachin.saxena@nxp.com>,
	Zyta Szpak <zr@semihalf.com>, Liron Himi <lironh@marvell.com>,
	Chaoyong He <chaoyong.he@corigine.com>,
	Gagandeep Singh <g.singh@nxp.com>,
	Jerin Jacob <jerinj@marvell.com>,
	Maciej Czekaj <mczekaj@marvell.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>,
	"Power, Ciara" <ciara.power@intel.com>,
	"pascal.mazon@6wind.com" <pascal.mazon@6wind.com>,
	"tdu@semihalf.com" <tdu@semihalf.com>,
	"jianfeng.tan@intel.com" <jianfeng.tan@intel.com>,
	"jerin.jacob@caviumnetworks.com" <jerin.jacob@caviumnetworks.com>,
	"stable@dpdk.org" <stable@dpdk.org>
Subject: Re: [PATCH v2] net/tap: fix buffer overflow for ptypes list
Date: Fri, 15 Dec 2023 17:21:05 +0000
Message-ID: <402fd6c2-3665-4c9c-b135-510f88fe8ad4@amd.com>
In-Reply-To: <DM6PR11MB346849D71646731F9E805C838293A@DM6PR11MB3468.namprd11.prod.outlook.com>

On 12/15/2023 1:55 PM, Sivaramakrishnan, VenkatX wrote:
> Hi Ferruh,
> 
>> -----Original Message-----
>> From: Ferruh Yigit <ferruh.yigit@amd.com>
>> Sent: Friday, December 15, 2023 7:22 PM
>> To: Sivaramakrishnan, VenkatX <venkatx.sivaramakrishnan@intel.com>; Hemant
>> Agrawal <hemant.agrawal@nxp.com>; Sachin Saxena
>> <sachin.saxena@nxp.com>; Zyta Szpak <zr@semihalf.com>; Liron Himi
>> <lironh@marvell.com>; Chaoyong He <chaoyong.he@corigine.com>; Gagandeep
>> Singh <g.singh@nxp.com>; Jerin Jacob <jerinj@marvell.com>; Maciej Czekaj
>> <mczekaj@marvell.com>
>> Cc: dev@dpdk.org; Power, Ciara <ciara.power@intel.com>;
>> pascal.mazon@6wind.com; tdu@semihalf.com; jianfeng.tan@intel.com;
>> jerin.jacob@caviumnetworks.com; stable@dpdk.org
>> Subject: Re: [PATCH v2] net/tap: fix buffer overflow for ptypes list
>>
>> On 12/15/2023 1:38 PM, Sivaramakrishnan Venkat wrote:
>>> Incorrect ptypes list causes buffer overflow for Address Sanitizer
>>> run. The last element in the ptypes lists to be "RTE_PTYPE_UNKNOWN"
>>> for rte_eth_dev_get_supported_ptypes().
>>> In rte_eth_dev_get_supported_ptypes(), the loop iterates until it finds
>>> "RTE_PTYPE_UNKNOWN" to detect last element of the ptypes array.
>>> Fix the ptypes list for drivers.
>>>
>>> Fixes: 0849ac3b6122 ("net/tap: add packet type management")
>>> Fixes: a7bdc3bd4244 ("net/dpaa: support packet type parsing")
>>> Fixes: 4ccc8d770d3b ("net/mvneta: add PMD skeleton")
>>> Fixes: f3f0d77db6b0 ("net/mrvl: support packet type parsing")
>>> Fixes: 78a38edf66de ("ethdev: query supported packet types")
>>> Fixes: 659b494d3d88 ("net/pfe: add packet types and basic statistics")
>>> Fixes: 398a1be14168 ("net/thunderx: remove generic passX references")
>>> Cc: pascal.mazon@6wind.com
>>> Cc: zr@semihalf.com
>>> Cc: tdu@semihalf.com
>>> Cc: jianfeng.tan@intel.com
>>> Cc: g.singh@nxp.com
>>> Cc: jerin.jacob@caviumnetworks.com
>>> Cc: stable@dpdk.org
>>>
>>> Signed-off-by: Sivaramakrishnan Venkat
>>> <venkatx.sivaramakrishnan@intel.com>
>>>
>>
>> Thanks Sivaramakrishnan for fixing all drivers.
>>
>> Acked-by: Ferruh Yigit <ferruh.yigit@amd.com>
>>
>>
>>
>> Is there any chance you can add relevant unit test to
>> 'app/test/test_ethdev_api.c', this way it helps us prevent doing same mistake in
>> the future?
>>
> Currently, the application didn't crash for an invalid ptypes list.
> It is a silent buffer overflow that was only detected by running ASAN.
> Could you please provide your inputs/ideas to implement a unit test for an invalid ptypes list?
> 

I was thinking of just calling the API and detecting the crash, but if it
doesn't cause a crash it won't help much.

This is a '.dev_supported_ptypes_get()' design problem: it is relying on
the driver-set array ending with 'RTE_PTYPE_UNKNOWN', but there is no way
to verify it. Also, this requirement is not documented very well.

Please scratch the ask to add a unit test.
Perhaps we can change the '.dev_supported_ptypes_get()', this should be
possible without impacting the user, just by updating drivers.

'.dev_supported_ptypes_get()' can be updated as:
typedef const uint32_t *
(*eth_dev_supported_ptypes_get_t)(struct rte_eth_dev *dev, uint32_t num);
'num' is simply the size of the returned 'ptypes' array.

This eliminates the need to have 'RTE_PTYPE_UNKNOWN' as the last item, and
the overall change is not so big.
What do you think, does new dev_ops fingerprint make sense to you?
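
Added example, not part of the original message and not DPDK code: a C sketch of the design problem discussed above. It shows that a sentinel walk can only be validated when the array capacity is known, and how a size-reporting callback removes the need for the sentinel. The PT_* values, the function names, and passing 'num' as an out-parameter are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-ins for DPDK's RTE_PTYPE_* values and L3 mask. */
#define PT_UNKNOWN  0x00000000u
#define PT_L2_ETHER 0x00000001u
#define PT_L3_IPV4  0x00000010u
#define PT_L4_TCP   0x00000100u
#define PT_L3_MASK  0x000000f0u
#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Correct driver table: the last element is the sentinel. */
static const uint32_t good_ptypes[] = { PT_L2_ETHER, PT_L3_IPV4, PT_L4_TCP, PT_UNKNOWN };
/* Table with the bug discussed in this thread: sentinel missing. */
static const uint32_t bad_ptypes[] = { PT_L2_ETHER, PT_L3_IPV4, PT_L4_TCP };

/* Sentinel walk bounded by 'cap'. Only the driver knows 'cap'; a caller that
 * receives just the pointer cannot supply it, so it cannot validate the list. */
static int count_until_sentinel(const uint32_t *list, size_t cap, size_t *count)
{
	size_t i = 0;
	while (i < cap && list[i] != PT_UNKNOWN)
		i++;
	*count = i;
	return i < cap ? 0 : -1; /* -1: an unbounded walk would read list[cap] */
}

/* Hypothetical size-reporting callback: length comes from the array itself. */
static const uint32_t *bad_ptypes_get(size_t *num)
{
	*num = ARRAY_LEN(bad_ptypes);
	return bad_ptypes;
}

/* Caller side: mask filter driven by the reported size, no sentinel needed. */
static size_t count_matching(const uint32_t *list, size_t num, uint32_t mask)
{
	size_t hits = 0;
	for (size_t i = 0; i < num; i++)
		hits += (list[i] & mask) != 0;
	return hits;
}

int main(void)
{
	size_t n = 0, len = 0;
	const uint32_t *p = bad_ptypes_get(&len);
	int ok = count_until_sentinel(good_ptypes, ARRAY_LEN(good_ptypes), &n);
	return (ok == 0 && n == 3 && count_matching(p, len, PT_L3_MASK) == 1) ? 0 : 1;
}
```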


Thread overview: 26+ messages
2023-12-12 14:37 [PATCH v1] " Sivaramakrishnan Venkat
2023-12-12 15:23 ` Ferruh Yigit
2023-12-15 13:38 ` [PATCH v2] " Sivaramakrishnan Venkat
2023-12-15 13:52   ` Ferruh Yigit
2023-12-15 13:55     ` Sivaramakrishnan, VenkatX
2023-12-15 17:21       ` Ferruh Yigit [this message]
2023-12-21 18:40 ` [PATCH v3] ethdev: fix getting supported " Sivaramakrishnan Venkat
2023-12-21 21:03   ` Tyler Retzlaff
2023-12-22  8:21   ` David Marchand
2024-01-04 17:51   ` [dpdk-dev v4 2/2] net/tap: fix buffer overflow for " Sivaramakrishnan Venkat
2024-01-04 17:51     ` [dpdk-dev v4 1/2] net/tap: fix buffer overflow for ptypes list through updation of last element Sivaramakrishnan Venkat
2024-01-11 15:11       ` Ferruh Yigit
2024-01-04 17:51     ` [dpdk-dev v4 2/2] net/tap: fix buffer overflow for ptypes list through driver API update Sivaramakrishnan Venkat
2024-01-11 15:12       ` Ferruh Yigit
2024-01-11 16:29       ` Andrew Rybchenko
2024-01-18 12:07 ` [PATCH v5 1/2] drivers/net: fix buffer overflow for ptypes list Sivaramakrishnan Venkat
2024-01-19 14:58   ` Ferruh Yigit
2024-01-19 17:10     ` Power, Ciara
2024-01-22  9:42       ` Ferruh Yigit
2024-01-22  9:46         ` Power, Ciara
2024-01-22 10:03           ` Ferruh Yigit
2024-01-25 16:07 ` [PATCH v6 " Sivaramakrishnan Venkat
2024-02-01 15:43 ` [PATCH v7 " Sivaramakrishnan Venkat
2024-02-01 15:50 ` Sivaramakrishnan Venkat
2024-02-01 22:58   ` Ferruh Yigit
2024-02-01 23:29     ` Ferruh Yigit
