From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga04.intel.com (mga04.intel.com [192.55.52.120]) by dpdk.org (Postfix) with ESMTP id 63B9F9AB6 for ; Tue, 14 Jun 2016 20:07:34 +0200 (CEST) Received: from fmsmga002.fm.intel.com ([10.253.24.26]) by fmsmga104.fm.intel.com with ESMTP; 14 Jun 2016 11:07:19 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.26,471,1459839600"; d="scan'208";a="1001854456" Received: from sie-lab-212-209.ir.intel.com (HELO silpixa00377983.ir.intel.com) ([10.237.212.209]) by fmsmga002.fm.intel.com with ESMTP; 14 Jun 2016 11:07:19 -0700 From: Sergio Gonzalez Monroy To: dev@dpdk.org Date: Tue, 14 Jun 2016 19:07:18 +0100 Message-Id: <1465927638-71892-1-git-send-email-sergio.gonzalez.monroy@intel.com> X-Mailer: git-send-email 2.4.11 Subject: [dpdk-dev] [PATCH] mem: fix possible memzone integer overflow X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches and discussions about DPDK List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jun 2016 18:07:34 -0000 It is possible to get an integer overflow if we try to reserve a memzone with len = 0 (meaning the maximum contiguous space available) and the maximum available elem size is less than (MALLOC_ELEM_OVERHEAD + align). Issue reported by Coverity: >>> 10. overflow: Subtract operation overflows on operands len and >>> 64UL. >>> CID 107111 (#1 of 1): Overflowed return value (INTEGER_OVERFLOW) >>> 11. overflow_sink: Overflowed or truncated value (or a value >>> computed from an overflowed or truncated value) >>> len - 64UL - align used as return value. 122 return len - MALLOC_ELEM_OVERHEAD - align; Fixes: fafcc11985a2 ("mem: rework memzone to be allocated by malloc") Signed-off-by: Sergio Gonzalez Monroy --- lib/librte_eal/common/eal_common_memzone.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/lib/librte_eal/common/eal_common_memzone.c b/lib/librte_eal/common/eal_common_memzone.c index 452679e..5d28341 100644 --- a/lib/librte_eal/common/eal_common_memzone.c +++ b/lib/librte_eal/common/eal_common_memzone.c @@ -119,6 +119,9 @@ find_heap_max_free_elem(int *s, unsigned align) } } + if (len < MALLOC_ELEM_OVERHEAD + align) + return 0; + return len - MALLOC_ELEM_OVERHEAD - align; } @@ -197,8 +200,13 @@ memzone_reserve_aligned_thread_unsafe(const char *name, size_t len, if (len == 0) { if (bound != 0) requested_len = bound; - else + else { requested_len = find_heap_max_free_elem(&socket_id, align); + if (requested_len == 0) { + rte_errno = ENOMEM; + return NULL; + } + } } if (socket_id == SOCKET_ID_ANY) -- 2.4.11