From: Fiona Trahe <fiona.trahe@intel.com>
To: dev@dpdk.org
Cc: thomas@monjalon.net, akhil.goyal@nxp.com,
tomaszx.jozwiak@intel.com, jerin.jacob@caviumnetworks.com,
Fiona Trahe <fiona.trahe@intel.com>
Subject: [dpdk-dev] [PATCH] compress/qat: fix out-of-bounds error
Date: Wed, 31 Oct 2018 00:39:54 +0000 [thread overview]
Message-ID: <1540946394-22196-1-git-send-email-fiona.trahe@intel.com> (raw)
In-Reply-To: <20181027164739.13110-1-jerin.jacob@caviumnetworks.com>
QAT array for sgls in intermediate buffer structure
was #defined to 1, but setup code hardcoded as if 2 buffers
so causing out of bounds write. Reworked to loop correctly
using #define.
Fixes: a124830a6f00 ("compress/qat: enable dynamic huffman encoding")
Reported-by: Jerin Jacob <jerin.jacob@caviumnetworks.com>
Signed-off-by: Fiona Trahe <fiona.trahe@intel.com>
---
drivers/compress/qat/qat_comp_pmd.c | 38 ++++++++++++++++++++-----------------
1 file changed, 21 insertions(+), 17 deletions(-)
diff --git a/drivers/compress/qat/qat_comp_pmd.c b/drivers/compress/qat/qat_comp_pmd.c
index 01dd736..ea93077 100644
--- a/drivers/compress/qat/qat_comp_pmd.c
+++ b/drivers/compress/qat/qat_comp_pmd.c
@@ -165,11 +165,14 @@ qat_comp_setup_inter_buffers(struct qat_comp_dev_private *comp_dev,
}
/* Create a memzone to hold intermediate buffers and associated
- * meta-data needed by the firmware. The memzone contains:
+ * meta-data needed by the firmware. The memzone contains 3 parts:
* - a list of num_im_sgls physical pointers to sgls
- * - the num_im_sgl sgl structures, each pointing to 2 flat buffers
- * - the flat buffers: num_im_sgl * 2
- * where num_im_sgls depends on the hardware generation of the device
+ * - the num_im_sgl sgl structures, each pointing to
+ * QAT_NUM_BUFS_IN_IM_SGL flat buffers
+ * - the flat buffers: num_im_sgl * QAT_NUM_BUFS_IN_IM_SGL
+ * buffers, each of buff_size
+ * num_im_sgls depends on the hardware generation of the device
+ * buff_size comes from the user via the config file
*/
size_of_ptr_array = num_im_sgls * sizeof(phys_addr_t);
@@ -202,30 +205,31 @@ qat_comp_setup_inter_buffers(struct qat_comp_dev_private *comp_dev,
offset_of_sgls + i * sizeof(struct qat_inter_sgl);
struct qat_inter_sgl *sgl =
(struct qat_inter_sgl *)(mz_start + curr_sgl_offset);
+ int lb;
array_of_pointers->pointer[i] = mz_start_phys + curr_sgl_offset;
sgl->num_bufs = QAT_NUM_BUFS_IN_IM_SGL;
sgl->num_mapped_bufs = 0;
sgl->resrvd = 0;
- sgl->buffers[0].addr = mz_start_phys + offset_of_flat_buffs +
- ((i * QAT_NUM_BUFS_IN_IM_SGL) * buff_size);
- sgl->buffers[0].len = buff_size;
- sgl->buffers[0].resrvd = 0;
- sgl->buffers[1].addr = mz_start_phys + offset_of_flat_buffs +
- (((i * QAT_NUM_BUFS_IN_IM_SGL) + 1) * buff_size);
- sgl->buffers[1].len = buff_size;
- sgl->buffers[1].resrvd = 0;
#if QAT_IM_BUFFER_DEBUG
QAT_LOG(DEBUG, " : phys addr of sgl[%i] in array_of_pointers"
- "= 0x%"PRIx64, i, array_of_pointers->pointer[i]);
+ " = 0x%"PRIx64, i, array_of_pointers->pointer[i]);
QAT_LOG(DEBUG, " : virt address of sgl[%i] = %p", i, sgl);
- QAT_LOG(DEBUG, " : sgl->buffers[0].addr = 0x%"PRIx64", len=%d",
- sgl->buffers[0].addr, sgl->buffers[0].len);
- QAT_LOG(DEBUG, " : sgl->buffers[1].addr = 0x%"PRIx64", len=%d",
- sgl->buffers[1].addr, sgl->buffers[1].len);
+#endif
+ for (lb = 0; lb < QAT_NUM_BUFS_IN_IM_SGL; lb++) {
+ sgl->buffers[lb].addr =
+ mz_start_phys + offset_of_flat_buffs +
+ (((i * QAT_NUM_BUFS_IN_IM_SGL) + lb) * buff_size);
+ sgl->buffers[lb].len = buff_size;
+ sgl->buffers[lb].resrvd = 0;
+#if QAT_IM_BUFFER_DEBUG
+ QAT_LOG(DEBUG,
+ " : sgl->buffers[%d].addr = 0x%"PRIx64", len=%d",
+ lb, sgl->buffers[lb].addr, sgl->buffers[lb].len);
#endif
}
+ }
#if QAT_IM_BUFFER_DEBUG
QAT_DP_HEXDUMP_LOG(DEBUG, "IM buffer memzone start:",
mz_start, offset_of_flat_buffs + 32);
--
2.7.4
next prev parent reply other threads:[~2018-10-31 0:40 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-10-27 16:48 [dpdk-dev] [PATCH] compress/qat: fix build issue with clang 7.0.0 Jerin Jacob
2018-10-29 17:29 ` Trahe, Fiona
2018-10-31 0:39 ` Fiona Trahe [this message]
2018-10-31 6:35 ` [dpdk-dev] [PATCH] compress/qat: fix out-of-bounds error Jerin Jacob
2018-11-01 14:16 ` Bruce Richardson
2018-11-02 11:41 ` Akhil Goyal
2018-11-01 21:16 ` Jozwiak, TomaszX
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1540946394-22196-1-git-send-email-fiona.trahe@intel.com \
--to=fiona.trahe@intel.com \
--cc=akhil.goyal@nxp.com \
--cc=dev@dpdk.org \
--cc=jerin.jacob@caviumnetworks.com \
--cc=thomas@monjalon.net \
--cc=tomaszx.jozwiak@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).