From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <david.marchand@6wind.com>
Received: from mail-wg0-f54.google.com (mail-wg0-f54.google.com [74.125.82.54])
 by dpdk.org (Postfix) with ESMTP id 8D2DCC388
 for <dev@dpdk.org>; Thu,  9 Jul 2015 11:19:51 +0200 (CEST)
Received: by wgxm20 with SMTP id m20so34546126wgx.3
 for <dev@dpdk.org>; Thu, 09 Jul 2015 02:19:51 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20130820;
 h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
 :references:mime-version:content-type:content-transfer-encoding;
 bh=fiBpQ9/LdXoB8h7HTmlzEG539pYvUzgnGj9pZ1uLqtE=;
 b=aa0Gi3PmnXJz0GpaDShO5b6j87r6Jpk04vaYaXN0w61d/c2iN7P6i1+M7I7HltzWs4
 uU7IVTvzbrp/B0FWJYrBwiU11mwmK2f7W2u2xg0SA91FHnEbHUvnJY5zcdkTA256t2/1
 Nvb67GjbXwnWzceaPVRfG3DWKBKnnqQpuP1rQ6VXiR1JT9E56Lr5yUA7WMz0H0x7fxiN
 EmsL45cgdTYBuqmbFOboAd5OgrtW+joVzgEGrFx0j4OST/ytB0dU+B9cZWm/viwMHQKt
 vQMgEuuSm7s0BBvMpAW6cVltXihK8WnxyoR0Pt+swb/r/oFAcsDtUhfU7kAmx8N3WLq8
 i8Aw==
X-Gm-Message-State: ALoCoQngbjsO1dTM4uhFavKWwoR81Mk6SDhhzQNO9JccjZohSotPhJ4mBGYBn3zF6yZwr7yTEvki
X-Received: by 10.180.37.133 with SMTP id y5mr71722105wij.7.1436433591406;
 Thu, 09 Jul 2015 02:19:51 -0700 (PDT)
Received: from alcyon.dev.6wind.com (6wind.net2.nerim.net. [213.41.151.210])
 by smtp.gmail.com with ESMTPSA id um5sm7774777wjc.1.2015.07.09.02.19.49
 for <dev@dpdk.org>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Thu, 09 Jul 2015 02:19:50 -0700 (PDT)
From: David Marchand <david.marchand@6wind.com>
To: dev@dpdk.org
Date: Thu,  9 Jul 2015 11:19:26 +0200
Message-Id: <1436433566-328-7-git-send-email-david.marchand@6wind.com>
X-Mailer: git-send-email 1.7.10.4
In-Reply-To: <1436433566-328-1-git-send-email-david.marchand@6wind.com>
References: <1436259634-7077-1-git-send-email-david.marchand@6wind.com>
 <1436433566-328-1-git-send-email-david.marchand@6wind.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Subject: [dpdk-dev] =?utf-8?q?=5BPATCH_v2_6/6=5D_eal/linux=3A_avoid_out_of?=
	=?utf-8?q?_bound_access?=
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jul 2015 09:19:51 -0000

Using IBM advance toolchain on Ubuntu 14.04 (package 8.0-3), gcc is complaining
about out of bound accesses.

  CC eal_hugepage_info.o
lib/librte_eal/linuxapp/eal/eal_hugepage_info.c:
In function ‘eal_hugepage_info_init’:
lib/librte_eal/linuxapp/eal/eal_hugepage_info.c:350:35:
error: array subscript is above array bounds [-Werror=array-bounds]
      internal_config.hugepage_info[j].hugepage_sz)
                                   ^
lib/librte_eal/linuxapp/eal/eal_hugepage_info.c:350:35:
error: array subscript is above array bounds [-Werror=array-bounds]
lib/librte_eal/linuxapp/eal/eal_hugepage_info.c:349:37:
error: array subscript is above array bounds [-Werror=array-bounds]
    if (internal_config.hugepage_info[j-1].hugepage_sz <
                                     ^
lib/librte_eal/linuxapp/eal/eal_hugepage_info.c:350:35:
error: array subscript is above array bounds [-Werror=array-bounds]
      internal_config.hugepage_info[j].hugepage_sz)

Looking at the code, these warnings are invalid from my pov and they disappeared
when upgrading the toolchain to new version (8.0-4).

However, the code was buggy (sorting code is wrong), so fix this by using qsort
and adding a check on num_sizes to avoid potential out of bound accesses.

Signed-off-by: David Marchand <david.marchand@6wind.com>
Acked-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
---
 lib/librte_eal/linuxapp/eal/eal_hugepage_info.c |   31 ++++++++++-------------
 1 file changed, 14 insertions(+), 17 deletions(-)

diff --git a/lib/librte_eal/linuxapp/eal/eal_hugepage_info.c b/lib/librte_eal/linuxapp/eal/eal_hugepage_info.c
index f097e71..cdaa47b 100644
--- a/lib/librte_eal/linuxapp/eal/eal_hugepage_info.c
+++ b/lib/librte_eal/linuxapp/eal/eal_hugepage_info.c
@@ -189,15 +189,6 @@ get_hugepage_dir(uint64_t hugepage_sz)
 	return retval;
 }
 
-static inline void
-swap_hpi(struct hugepage_info *a, struct hugepage_info *b)
-{
-	char buf[sizeof(*a)];
-	memcpy(buf, a, sizeof(buf));
-	memcpy(a, b, sizeof(buf));
-	memcpy(b, buf, sizeof(buf));
-}
-
 /*
  * Clear the hugepage directory of whatever hugepage files
  * there are. Checks if the file is locked (i.e.
@@ -268,6 +259,15 @@ error:
 	return -1;
 }
 
+static int
+compare_hpi(const void *a, const void *b)
+{
+	const struct hugepage_info *hpi_a = a;
+	const struct hugepage_info *hpi_b = b;
+
+	return hpi_b->hugepage_sz - hpi_a->hugepage_sz;
+}
+
 /*
  * when we initialize the hugepage info, everything goes
  * to socket 0 by default. it will later get sorted by memory
@@ -294,6 +294,9 @@ eal_hugepage_info_init(void)
 			    dirent_start_len) != 0)
 			continue;
 
+		if (num_sizes >= MAX_HUGEPAGE_SIZES)
+			break;
+
 		hpi = &internal_config.hugepage_info[num_sizes];
 		hpi->hugepage_sz =
 			rte_str_to_size(&dirent->d_name[dirent_start_len]);
@@ -348,14 +351,8 @@ eal_hugepage_info_init(void)
 	internal_config.num_hugepage_sizes = num_sizes;
 
 	/* sort the page directory entries by size, largest to smallest */
-	for (i = 0; i < num_sizes; i++) {
-		unsigned j;
-		for (j = i+1; j < num_sizes; j++)
-			if (internal_config.hugepage_info[j-1].hugepage_sz <
-			     internal_config.hugepage_info[j].hugepage_sz)
-				swap_hpi(&internal_config.hugepage_info[j-1],
-					 &internal_config.hugepage_info[j]);
-	}
+	qsort(&internal_config.hugepage_info[0], num_sizes,
+	      sizeof(internal_config.hugepage_info[0]), compare_hpi);
 
 	/* now we have all info, check we have at least one valid size */
 	for (i = 0; i < num_sizes; i++)
-- 
1.7.10.4