DPDK patches and discussions
From: Isaac Boukris <iboukris@gmail.com>
To: Stephen Hemminger <stephen@networkplumber.org>
Cc: dev@dpdk.org
Subject: Re: BUG: AddressSanitizer reports a buffer-overflow on rte_hash_lookup
Date: Sun, 5 Feb 2023 22:14:28 +0200
Message-ID: <CAC-fF8Q9xW2bkZ5p3CgfpepuhcTOMMMA-+uK-PORvoXpWXxCbQ@mail.gmail.com>
In-Reply-To: <20230205114921.605de31a@hermes.local>

On Sun, Feb 5, 2023 at 9:49 PM Stephen Hemminger
<stephen@networkplumber.org> wrote:
>
> On Sun, 5 Feb 2023 18:54:20 +0200
> Isaac Boukris <iboukris@gmail.com> wrote:
>
> > Hi,
> >
> > I managed to reproduce it by modifying the helloworld app (see
> > attached). The report seems correct, as in case of 10 byte key the code
> > tries to look at the key as uint32 array and access k[2] which is two
> > bytes over, see:
> > https://github.com/DPDK/dpdk/blob/0bf5832222971a0154c9150d4a7a4b82ecbc9ddb/lib/hash/rte_jhash.h#L118
> >
> > $ sudo build/helloworld --iova-mode=pa
> > EAL: Detected CPU lcores: 8
> > EAL: Detected NUMA nodes: 1
> > EAL: Detected static linkage of DPDK
> > EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
> > EAL: Selected IOVA mode 'PA'
> > EAL: VFIO support initialized
> > EAL: Using IOMMU type 1 (Type 1)
> > EAL: Ignore mapping IO port bar(3)
> > EAL: Probe PCI driver: net_vmxnet3 (15ad:7b0) device: 0000:0b:00.0 (socket -1)
> > =================================================================
> > ==21410==ERROR: AddressSanitizer: global-buffer-overflow on address
> > 0x0000024fe428 at pc 0x000001293b0b bp 0x7fff126ef2d0 sp
> > 0x7fff126ef2c0
> > READ of size 4 at 0x0000024fe428 thread T0
> >     #0 0x1293b0a in __rte_jhash_2hashes
> > (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x1293b0a)
> >     #1 0x12953bf in rte_jhash_2hashes
> > (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x12953bf)
> >     #2 0x12954c8 in rte_jhash
> > (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x12954c8)
> >     #3 0x1bd7168 in rte_hash_lookup
> > (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x1bd7168)
> >     #4 0x1295600 in main
> > (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x1295600)
> >     #5 0x7fe8fffbbd84 in __libc_start_main (/lib64/libc.so.6+0x3ad84)
> >     #6 0x129356d in _start
> > (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x129356d)
> >
> > 0x0000024fe42a is located 0 bytes to the right of global variable
> > 'hash_key' defined in 'main.c:34:13' (0x24fe420) of size 10
> > SUMMARY: AddressSanitizer: global-buffer-overflow
> > (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x1293b0a)
> > in __rte_jhash_2hashes
>
> This code is using the common optimization of doing a full 32 bit access
> and masking the result. This will read past the end of the passed input
> but ignore the extra bytes. It won't be a problem unless the application
> goes out of its way to put a hash key value at the end of a mapped
> region.

Ack, fwiw it still makes it trickier to use AddressSanitizer in a user app.
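
The full-word load-and-mask pattern discussed in this thread, next to a bounded copy that yields the same word without reading past the key, as an added example that is not part of the original messages or DPDK's code. The function names and `PADDED_KEY_SIZE` are hypothetical; the sample key bytes are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Bytes a word-wise tail load touches beyond a key of key_len bytes. */
static size_t overread_bytes(size_t key_len)
{
    return (4 - key_len % 4) % 4;
}

/* Pattern from the thread: load a full 32-bit word, then mask off the
 * bytes that are not part of the key. Reads 4 bytes even when rem < 4. */
static uint32_t tail_word_masked(const uint8_t *p, size_t rem)
{
    uint32_t word, mask = 0;
    memcpy(&word, p, sizeof(word)); /* 4-byte read: may pass the key end */
    memset(&mask, 0xff, rem);       /* keep the first rem bytes, memory order */
    return word & mask;
}

/* Bounded alternative: copy only the rem key bytes into a zeroed word. */
static uint32_t tail_word_bounded(const uint8_t *p, size_t rem)
{
    uint32_t word = 0;
    memcpy(&word, p, rem);
    return word;
}

/* Caller-side padding (assumption, not a DPDK macro): round key storage
 * up to a multiple of 4 so the masked load stays inside the object. */
#define PADDED_KEY_SIZE(len) (((len) + 3u) & ~(size_t)3u)

int main(void)
{
    /* Constructed sample: 10 key bytes followed by 2 padding bytes. */
    uint8_t key[PADDED_KEY_SIZE(10)] = {1,2,3,4,5,6,7,8,9,10, 0xAA, 0xBB};
    size_t rem = 10 % 4;

    printf("over-read for 10-byte key: %zu bytes\n", overread_bytes(10));
    printf("masked=%08x bounded=%08x\n",
           (unsigned)tail_word_masked(key + 8, rem),
           (unsigned)tail_word_bounded(key + 8, rem));
    return 0;
}
```

With the key stored in a 12-byte object, the 4-byte read at offset 8 stays inside it, so the load that AddressSanitizer flagged for the 10-byte `hash_key` is in bounds while the masked value is unchanged.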

Thread overview: 4+ messages
2023-02-05 16:54 Isaac Boukris
2023-02-05 19:49 ` Stephen Hemminger
2023-02-05 20:14   ` Isaac Boukris [this message]
2023-02-05 21:08     ` Stephen Hemminger
