* [dpdk-dev] [PATCH] eal: fix crash on mmap error in rte_eal_hugepage_attach()
@ 2016-09-28 10:52 maciej.czekaj
2016-10-03 13:04 ` Sergio Gonzalez Monroy
0 siblings, 1 reply; 3+ messages in thread
From: maciej.czekaj @ 2016-09-28 10:52 UTC (permalink / raw)
To: david.marchand; +Cc: dev, Maciej Czekaj
From: Maciej Czekaj <maciej.czekaj@caviumnetworks.com>
In ASLR-enabled system, it is possible that selected
virtual space is occupied by program segments. Therefore,
error path should not blindly unmap all memmory segments
but only those already mapped.
Steps that lead to crash:
1. memeseg 0 in secondary process overlaps
with libc.so
2. mmap of /dev/zero fails for virtual space of memseg 0
3. munmap of memseg 0 leads to unmapping libc.so itself
4. app gets SIGSEGV after returning from syscall to libc
Fixes: ea329d7f8e34 ("mem: fix leak after mapping failure")
Signed-off-by: Maciej Czekaj <maciej.czekaj@caviumnetworks.com>
---
lib/librte_eal/linuxapp/eal/eal_memory.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c
index 612626c..1dfe223 100644
--- a/lib/librte_eal/linuxapp/eal/eal_memory.c
+++ b/lib/librte_eal/linuxapp/eal/eal_memory.c
@@ -1545,6 +1545,7 @@ rte_eal_hugepage_attach(void)
struct hugepage_file *hp = NULL;
unsigned num_hp = 0;
unsigned i, s = 0; /* s used to track the segment number */
+ unsigned max_seg = RTE_MAX_MEMSEG;
off_t size;
int fd, fd_zero = -1, fd_hugepage = -1;
@@ -1603,6 +1604,9 @@ rte_eal_hugepage_attach(void)
"in /dev/zero to requested address [%p]: '%s'\n",
(unsigned long long)mcfg->memseg[s].len,
mcfg->memseg[s].addr, strerror(errno));
+ max_seg = s;
+ if (base_addr != MAP_FAILED)
+ munmap(base_addr, mcfg->memseg[s].len);
if (aslr_enabled() > 0) {
RTE_LOG(ERR, EAL, "It is recommended to "
"disable ASLR in the kernel "
@@ -1675,11 +1679,8 @@ rte_eal_hugepage_attach(void)
return 0;
error:
- s = 0;
- while (s < RTE_MAX_MEMSEG && mcfg->memseg[s].len > 0) {
- munmap(mcfg->memseg[s].addr, mcfg->memseg[s].len);
- s++;
- }
+ for (i = 0; i < max_seg && mcfg->memseg[i].len > 0; i++)
+ munmap(mcfg->memseg[i].addr, mcfg->memseg[i].len);
if (hp != NULL && hp != MAP_FAILED)
munmap(hp, size);
if (fd_zero >= 0)
--
2.7.4
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [dpdk-dev] [PATCH] eal: fix crash on mmap error in rte_eal_hugepage_attach()
2016-09-28 10:52 [dpdk-dev] [PATCH] eal: fix crash on mmap error in rte_eal_hugepage_attach() maciej.czekaj
@ 2016-10-03 13:04 ` Sergio Gonzalez Monroy
2016-10-03 14:06 ` Thomas Monjalon
0 siblings, 1 reply; 3+ messages in thread
From: Sergio Gonzalez Monroy @ 2016-10-03 13:04 UTC (permalink / raw)
To: maciej.czekaj, david.marchand; +Cc: dev
On 28/09/2016 11:52, maciej.czekaj@caviumnetworks.com wrote:
> From: Maciej Czekaj <maciej.czekaj@caviumnetworks.com>
>
> In ASLR-enabled system, it is possible that selected
> virtual space is occupied by program segments. Therefore,
> error path should not blindly unmap all memmory segments
> but only those already mapped.
>
> Steps that lead to crash:
> 1. memeseg 0 in secondary process overlaps
> with libc.so
> 2. mmap of /dev/zero fails for virtual space of memseg 0
> 3. munmap of memseg 0 leads to unmapping libc.so itself
> 4. app gets SIGSEGV after returning from syscall to libc
>
> Fixes: ea329d7f8e34 ("mem: fix leak after mapping failure")
>
> Signed-off-by: Maciej Czekaj <maciej.czekaj@caviumnetworks.com>
> ---
> lib/librte_eal/linuxapp/eal/eal_memory.c | 11 ++++++-----
> 1 file changed, 6 insertions(+), 5 deletions(-)
Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [dpdk-dev] [PATCH] eal: fix crash on mmap error in rte_eal_hugepage_attach()
2016-10-03 13:04 ` Sergio Gonzalez Monroy
@ 2016-10-03 14:06 ` Thomas Monjalon
0 siblings, 0 replies; 3+ messages in thread
From: Thomas Monjalon @ 2016-10-03 14:06 UTC (permalink / raw)
To: maciej.czekaj; +Cc: dev, Sergio Gonzalez Monroy, david.marchand
2016-10-03 14:04, Sergio Gonzalez Monroy:
> On 28/09/2016 11:52, maciej.czekaj@caviumnetworks.com wrote:
> > From: Maciej Czekaj <maciej.czekaj@caviumnetworks.com>
> >
> > In ASLR-enabled system, it is possible that selected
> > virtual space is occupied by program segments. Therefore,
> > error path should not blindly unmap all memmory segments
> > but only those already mapped.
> >
> > Steps that lead to crash:
> > 1. memeseg 0 in secondary process overlaps
> > with libc.so
> > 2. mmap of /dev/zero fails for virtual space of memseg 0
> > 3. munmap of memseg 0 leads to unmapping libc.so itself
> > 4. app gets SIGSEGV after returning from syscall to libc
> >
> > Fixes: ea329d7f8e34 ("mem: fix leak after mapping failure")
> >
> > Signed-off-by: Maciej Czekaj <maciej.czekaj@caviumnetworks.com>
> > ---
> > lib/librte_eal/linuxapp/eal/eal_memory.c | 11 ++++++-----
> > 1 file changed, 6 insertions(+), 5 deletions(-)
>
> Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
Applied, thanks
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-10-03 14:06 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-09-28 10:52 [dpdk-dev] [PATCH] eal: fix crash on mmap error in rte_eal_hugepage_attach() maciej.czekaj
2016-10-03 13:04 ` Sergio Gonzalez Monroy
2016-10-03 14:06 ` Thomas Monjalon
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).