DPDK patches and discussions
From: Ferruh Yigit <ferruh.yigit@amd.com>
To: "Etelson, Gregory" <getelson@nvidia.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>,
	Maayan Kashani <mkashani@nvidia.com>,
	Raslan Darawsheh <rasland@nvidia.com>, Ori Kam <orika@nvidia.com>,
	Aman Singh <aman.deep.singh@intel.com>,
	Yuying Zhang <yuying.zhang@intel.com>
Subject: Re: [PATCH] app/testpmd: fix indirect action list parameters parsing
Date: Fri, 10 Nov 2023 20:15:32 +0000	[thread overview]
Message-ID: <10312d29-eafe-47a6-8654-380941d74dde@amd.com> (raw)
In-Reply-To: <2ddf95cd-840d-81dc-1fff-99b3dbe59095@nvidia.com>

On 11/10/2023 5:41 PM, Etelson, Gregory wrote:
> Hello Ferruh,
> 
> [:snip:]
> 
>>> *** stack smashing detected ***: terminated
>>>
>>> The corruption occurred in `parse_int()` called from
>>> `parse_indlst_id2ptr()`.
>>>
>>> Inside `parse_int()` the arg parameter referenced 8 bytes of memory
>>> while the target buffer was 4 bytes allocated on caller optimized stack:
>>>
>>> (gdb) p *arg
>>> $1 = { ... size = 8, ...}
>>>
>>
>> Thanks Gregory, I can see the problem now.
>>
> 
> [: Thumbs up :]
> 
> [:snip:]
> 
>> BUT back to the root cause of the problem,
>> `parse_int()` tries to be generic and it supports different sizes of
>> variables [1], but it fails on this.
>>
>> `parse_int()` gets 'size' as argument, but it doesn't use parameter
>> value, instead overwrites it with 'size = arg->size;' and uses this
>> value, in this case when context provides larger variable size than what
>> `parse_int()` gets as parameter, the problem you observed occurs.
>>
>> What do you think to use 'size' from parameter list, as it is intended,
>> instead of using 'arg->size'?
>> Or perhaps use 'buf' and 'size' from the parameters if they are valid, else
>> get them from context/arg [2]?
>> I think this solves your problem, can you please verify it?
>>
>> btw, 'buf' usage is a little more complex, since `parse_int()` checks
>> for "ctx->object != NULL" to continue, I can't really be sure about the
>> intention there, but please check the usage in `parse_port()`, it looks like
>> when 'buf' is provided the expectation is to get the parsed value in 'buf'.
>>
>>
>>
>>
>> [1]
>>  switch (size) {
>>  case sizeof(uint8_t):
>>    ...
>>  case sizeof(uint16_t):
>>    ...
>>  ...
>>  case sizeof(uint64_t):
>>    ...
>>
>>
>> [2]
>> diff --git a/app/test-pmd/cmdline_flow.c b/app/test-pmd/cmdline_flow.c
>> index 0d521159e97d..cd123c69265e 100644
>> --- a/app/test-pmd/cmdline_flow.c
>> +++ b/app/test-pmd/cmdline_flow.c
>> @@ -10805,8 +10805,10 @@ parse_int(struct context *ctx, const struct
>> token *token,
>>                         goto error;
>>                 return len;
>>         }
>> -       buf = (uint8_t *)ctx->object + arg->offset;
>> -       size = arg->size;
>> +       if (buf == NULL || size == 0) {
>> +               buf = (uint8_t *)ctx->object + arg->offset;
>> +               size = arg->size;
>> +       }
>>         if (u > RTE_LEN2MASK(size * CHAR_BIT, uint64_t))
>>                 return -1;
>>  objmask:
>>
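
Review bot: the condition `buf == NULL || size == 0` replaces the destination and its width together, which is the right coupling, since pairing a caller's buffer with the token's `arg->size` is exactly what wrote 8 bytes into the 4-byte stack slot; but that contract (caller supplies both or neither) is stated nowhere, so add a comment above the `if`, and note that a caller passing a real `buf` with `size == 0` now silently writes into `ctx->object` instead. The range check `u > RTE_LEN2MASK(size * CHAR_BIT, uint64_t)` now bounds the value by the caller's width, which is what is wanted, but the `switch (size)` store in [1] only has cases for 1/2/4/8, so a caller-supplied width outside that set should be rejected explicitly (return -1) rather than falling through and storing nothing while reporting success.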
> 
> About the fault root cause.
> There were 2 uncoupled resources in that case: the static token size and
> the variable size passed to parse_int().
> The parse_int() caller must provide a buffer large enough for the token size.
> Otherwise parse_int() will corrupt memory outside the input buffer.
> 

As you said, 'parse_int()' has two sizes, 'token->size' and the 'size'
function argument. Why the function ignores the 'size' argument and only uses
'token->size', I think this is a mistake.


If 'parse_int()' doesn't use the 'buf' and 'size' arguments at all, why does
it have them?


> In the generic solution the parse_int() caller allocates the target buffer
> using existing knowledge about the input token size.
> 
> Testpmd add_port() imitates the ARGS_ENTRY() macro that extrapolates the
> target buffer size from an RTE structure member.
> 
> Current testpmd cannot use that approach directly because an indirect
> action references an internal testpmd ID.
> 
> The testpmd indirect ID has no defined type or token that leads to an
> indirect ID parser.
> 
> As a solution, testpmd can provide a centralized parser function for all
> indirect IDs. The function will parse the ID value and use the token as the
> key for the indirect database search:
> 

Although it sounds reasonable to have an indirect id parser, won't it have
the exact same problem?

If token size is 64 bits, as it is now, as far as I can see the below code
will have the same stack corruption problem.


I think we should update the parse_int function to use either the function
parameters or the context values, but the changes have potential side effects
and the timing is not good for it, so let's continue with your v3 for now.


> diff --git a/app/test-pmd/cmdline_flow.c b/app/test-pmd/cmdline_flow.c
> index ce71818705..7fb3b61d37 100644
> --- a/app/test-pmd/cmdline_flow.c
> +++ b/app/test-pmd/cmdline_flow.c
> 
> +typedef uint32_t indirect_id_t;
> +
> +static int
> +parse_indirect_index(struct context *ctx, const struct token *token,
> +               const char *str, unsigned int len,
> +               void *buf, unsigned int size)
> +{
> +       indirect_id_t id;
> +
> +       ctx->object = &id;
> +       parse_int(ctx, token, str, len, ctx->object, sizeof(id));
> +
> +       switch (ctx->curr) {
> +       case INDIRECT_ACTION_ID2PTR:
> +               /**/
> +               break;
> +       case INDIRECT_LIST_ACTION_ID2PTR_HANDLE:
> +               /**/
> +               break;
> +       case INDIRECT_LIST_ACTION_ID2PTR_CONF:
> +               /**/
> +               break;
> +       default:
> +               /**/
> +       }
> +
> +
> +}
> +
> 
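
Review bot: `ctx->object = &id;` makes a 4-byte stack local the target while `parse_int()` still writes `arg->size` bytes into it (8 for this token, per the gdb output quoted above), so this sketch reproduces the `*** stack smashing detected ***` the patch is meant to remove; the `sizeof(id)` passed as `size` is ignored for the same reason. The sketch also discards the return value of `parse_int()`, has no `return` statement on any path of a non-void function, leaves `str`, `len`, `buf` and `size` unused, and leaves `ctx->object` pointing at `id` after it goes out of scope. Suggest checking and returning the length from `parse_int()`, and writing into caller-provided storage (or the proper `ctx->object` field) rather than a local.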
> Regards,
> Gregory
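
The size mismatch discussed in this thread, as an added example that is not DPDK's own code: a stripped-down model of the `parse_int()` token descriptor and parsing context, with the original shape (the caller's `buf`/`size` overwritten by `arg->size`) beside the shape of the fix in [2]. The struct names `arg` and `context`, `len2mask()`, `store()`, the 8-byte backing store with a 0xAA canary and the helper names are assumptions of this example. The backing store really is 8 bytes, so the run stays memory-safe and only reports how many bytes beyond the caller's claimed 4 each variant writes.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not DPDK code: a minimal model of testpmd's parse_int()
 * token descriptor ('arg') and parsing context ('ctx'). */
struct arg {
	unsigned int offset; /* byte offset of the field inside ctx->object */
	unsigned int size;   /* width of that field as the token declares it */
};
struct context {
	void *object;          /* object the token writes into */
	const struct arg *arg; /* descriptor of the current token */
};

/* Stand-in for RTE_LEN2MASK(bits, uint64_t): all-ones mask of 'bits' bits. */
static uint64_t len2mask(unsigned int bits)
{
	return bits >= 64 ? UINT64_MAX : (((uint64_t)1 << bits) - 1);
}

/* Write 'u' into 'buf' as a 'size'-byte integer, like the switch in [1]. */
static void store(uint8_t *buf, unsigned int size, uint64_t u)
{
	uint8_t v8 = (uint8_t)u;
	uint16_t v16 = (uint16_t)u;
	uint32_t v32 = (uint32_t)u;

	switch (size) {
	case sizeof(uint8_t):  memcpy(buf, &v8, sizeof(v8)); break;
	case sizeof(uint16_t): memcpy(buf, &v16, sizeof(v16)); break;
	case sizeof(uint32_t): memcpy(buf, &v32, sizeof(v32)); break;
	case sizeof(uint64_t): memcpy(buf, &u, sizeof(u)); break;
	}
}

/* Original shape: the caller's buf/size are discarded, so a 4-byte caller
 * buffer receives arg->size (8) bytes. */
static int parse_int_original(struct context *ctx, uint64_t u,
			      void *buf, unsigned int size)
{
	buf = (uint8_t *)ctx->object + ctx->arg->offset;
	size = ctx->arg->size;
	if (u > len2mask(size * CHAR_BIT))
		return -1;
	store(buf, size, u);
	return 0;
}

/* Shape of the fix in [2]: use the descriptor only when the caller gave no
 * destination, and reject widths store() has no case for. */
static int parse_int_fixed(struct context *ctx, uint64_t u,
			   void *buf, unsigned int size)
{
	if (buf == NULL || size == 0) {
		buf = (uint8_t *)ctx->object + ctx->arg->offset;
		size = ctx->arg->size;
	}
	if (size != 1 && size != 2 && size != 4 && size != 8)
		return -1;
	if (u > len2mask(size * CHAR_BIT))
		return -1;
	store(buf, size, u);
	return 0;
}

/* Caller claims a 4-byte field (the indirect_id_t case) while the token
 * declares 8. The backing store is genuinely 8 bytes with a 0xAA canary in
 * the upper half, so this stays memory-safe; returns how many canary bytes
 * the parser overwrote (on the real stack those bytes belong to someone else). */
static int clobbered_canary_bytes(int (*parse)(struct context *, uint64_t,
					       void *, unsigned int))
{
	uint8_t backing[8];
	struct arg arg = { .offset = 0, .size = sizeof(uint64_t) };
	struct context ctx = { .object = backing, .arg = &arg };
	int clobbered = 0;
	unsigned int i;

	memset(backing, 0xAA, sizeof(backing));
	if (parse(&ctx, 7, backing, sizeof(uint32_t)) != 0)
		return -1;
	for (i = sizeof(uint32_t); i < sizeof(backing); i++)
		clobbered += backing[i] != 0xAA;
	return clobbered;
}

/* With the fix the range check uses the caller's width, so a value that does
 * not fit the caller's field is rejected rather than silently truncated. */
static int value_fits_caller_field(uint64_t u, unsigned int size)
{
	uint8_t local[8] = { 0 };
	struct arg arg = { .offset = 0, .size = sizeof(uint64_t) };
	struct context ctx = { .object = local, .arg = &arg };

	return parse_int_fixed(&ctx, u, local, size);
}

int main(void)
{
	printf("original: %d canary bytes clobbered, fixed: %d\n",
	       clobbered_canary_bytes(parse_int_original),
	       clobbered_canary_bytes(parse_int_fixed));
	return 0;
}
```

The original variant overwrites all four canary bytes, the fixed variant none; the fixed variant also returns -1 for a value that does not fit the width the caller passed, which is the behaviour the `RTE_LEN2MASK()` check in [2] gives once `size` comes from the parameter list.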



