From: Ferruh Yigit <ferruh.yigit@amd.com>
To: "Etelson, Gregory" <getelson@nvidia.com>
Cc: "dev@dpdk.org" <dev@dpdk.org>,
Maayan Kashani <mkashani@nvidia.com>,
Raslan Darawsheh <rasland@nvidia.com>, Ori Kam <orika@nvidia.com>,
Aman Singh <aman.deep.singh@intel.com>,
Yuying Zhang <yuying.zhang@intel.com>
Subject: Re: [PATCH] app/testpmd: fix indirect action list parameters parsing
Date: Fri, 10 Nov 2023 20:15:32 +0000 [thread overview]
Message-ID: <10312d29-eafe-47a6-8654-380941d74dde@amd.com> (raw)
In-Reply-To: <2ddf95cd-840d-81dc-1fff-99b3dbe59095@nvidia.com>
On 11/10/2023 5:41 PM, Etelson, Gregory wrote:
> Hello Ferruh,
>
> [:snip:]
>
>>> *** stack smashing detected ***: terminated
>>>
>>> The corruption occurred in `parse_int()` called from
>>> `parse_indlst_id2ptr()`.
>>>
>>> Inside `parse_int()` the arg parameter referenced 8 bytes of memory
>>> while the target buffer was 4 bytes allocated on caller optimized stack:
>>>
>>> (gdb) p *arg
>>> $1 = { ... size = 8, ...}
>>>
>>
>> Thanks Gregory, I can see the problem now.
>>
>
> [: Thumbs up :]
>
> [:snip:]
>
>> BUT back to the root cause of the problem,
>> `parse_int()` tries to be generic and it support different size of
>> variables [1], but it fails on this.
>>
>> `parse_int()` gets 'size' as argument, but it doesn't use parameter
>> value, instead overwrites it with 'size = arg->size;' and uses this
>> value, in this case when context provides larger variable size than what
>> `parse_int()` gets as parameter, the problem you observed occurs.
>>
>> What do you think to use 'size' from parameter list, as it is intended,
>> instead of using 'arg->size'?
>> Or perhaps use 'buf' and 'size' from parameter if they are valid, else
>> get the from context/arg [2]?
>> I think this solves your problem, can you please verify it?
>>
>> btw, 'buf' usage is a little more complex, since `parse_int()` checks
>> for "ctx->object != NULL" to continue, I can't really be sure about
>> intention there, but please check usage in `parse_port()`, it looks like
>> when 'buf' provided expectation is to get parsed value in the 'buf'.
>>
>>
>>
>>
>> [1]
>> switch (size) {
>> case sizeof(uint8_t):
>> ...
>> case sizeof(uint16_t):
>> ...
>> ...
>> case sizeof(uint64_t):
>> ...
>>
>>
>> [2]
>> diff --git a/app/test-pmd/cmdline_flow.c b/app/test-pmd/cmdline_flow.c
>> index 0d521159e97d..cd123c69265e 100644
>> --- a/app/test-pmd/cmdline_flow.c
>> +++ b/app/test-pmd/cmdline_flow.c
>> @@ -10805,8 +10805,10 @@ parse_int(struct context *ctx, const struct
>> token *token,
>> goto error;
>> return len;
>> }
>> - buf = (uint8_t *)ctx->object + arg->offset;
>> - size = arg->size;
>> + if (buf == NULL || size == 0) {
>> + buf = (uint8_t *)ctx->object + arg->offset;
>> + size = arg->size;
>> + }
>> if (u > RTE_LEN2MASK(size * CHAR_BIT, uint64_t))
>> return -1;
>> objmask:
>>
>
> About the fault root cause.
> There were 2 uncoupled resources in that case: static token size and
> variable size passed to parse_int().
> parse_int() caller must provide a buffer large enough for token size.
> Otherwise parse_int() will corrupt memory outside the input buffer.
>
As you said 'parse_int()' has two sizes, 'token->size' and 'size'
function argument. Why function ignores 'size' argument and only uses
'token->size', I think this is a mistake.
If 'parse_int()' doesn't use 'buf' and 'size' arguments at all, why it
has them?
> In the generic solution parse_int() caller allocates target buffer using
> existing knowledge about input token size.
>
> Testpmd add_port() imitates the ARGS_ENTRY() macro that extrapolates
> target buffer size from RTE structure member.
>
> Current testpmd cannot use that approach directly because indirect
> action references internal testpmd ID.
>
> Testpmd indirect ID has no defined type or token that leads to indirect
> ID parser.
>
> As a solution, testpmd can provide centralized parser function for all
> indirect IDs. The function will parse ID value and use the token as the
> key to indirect database search:
>
Although it sounds reasonable to have indirect id parser, won't it have
exact same problem?
If token size if 64 bits as it is now, as far as I can see below code
will have same stack corruption problem.
I think we should update parse_int function, to use either function
parameters or context values, but changes has potential side effect and
timing is not good for it, let's continue with your v3 for now.
> diff --git a/app/test-pmd/cmdline_flow.c b/app/test-pmd/cmdline_flow.c
> index ce71818705..7fb3b61d37 100644
> --- a/app/test-pmd/cmdline_flow.c
> +++ b/app/test-pmd/cmdline_flow.c
>
> +typedef uint32_t indirect_id_t;
> +
> +static int
> +parse_indirect_index(struct context *ctx, const struct token *token,
> + const char *str, unsigned int len,
> + void *buf, unsigned int size)
> +{
> + indirect_id_t id;
> +
> + ctx->object = &id;
> + parse_int(ctx, token, str, len, ctx->object, sizeof(id));
> +
> + switch (ctx->curr) {
> + case INDIRECT_ACTION_ID2PTR:
> + /**/
> + break;
> + case INDIRECT_LIST_ACTION_ID2PTR_HANDLE:
> + /**/
> + break;
> + case INDIRECT_LIST_ACTION_ID2PTR_CONF:
> + /**/
> + break;
> + default:
> + /**/
> + }
> +
> +
> +}
> +
>
> Regards,
> Gregory
next prev parent reply other threads:[~2023-11-10 20:15 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-08 16:34 Gregory Etelson
2023-11-09 16:16 ` Ferruh Yigit
2023-11-09 18:22 ` Etelson, Gregory
2023-11-09 19:03 ` Ferruh Yigit
2023-11-09 19:57 ` Etelson, Gregory
2023-11-10 14:51 ` Ferruh Yigit
2023-11-10 17:41 ` Etelson, Gregory
2023-11-10 20:15 ` Ferruh Yigit [this message]
2023-11-10 21:22 ` Etelson, Gregory
2023-11-09 18:36 ` [PATCH v2] " Gregory Etelson
2023-11-09 19:41 ` Stephen Hemminger
2023-11-09 20:01 ` Bruce Richardson
2023-11-10 7:04 ` [PATCH v3] app/testpmd: fix indirect action list ID size Gregory Etelson
2023-11-10 23:40 ` Ferruh Yigit
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=10312d29-eafe-47a6-8654-380941d74dde@amd.com \
--to=ferruh.yigit@amd.com \
--cc=aman.deep.singh@intel.com \
--cc=dev@dpdk.org \
--cc=getelson@nvidia.com \
--cc=mkashani@nvidia.com \
--cc=orika@nvidia.com \
--cc=rasland@nvidia.com \
--cc=yuying.zhang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).