[dpdk-dev] [PATCH] mem: fix possible memzone integer overflow

DPDK patches and discussions
 help / color / mirror / Atom feed

* [dpdk-dev] [PATCH] mem: fix possible memzone integer overflow
@ 2016-06-14 18:07 Sergio Gonzalez Monroy
  2016-06-20  8:57 ` Thomas Monjalon
  0 siblings, 1 reply; 2+ messages in thread
From: Sergio Gonzalez Monroy @ 2016-06-14 18:07 UTC (permalink / raw)
  To: dev

It is possible to get an integer overflow if we try to reserve a memzone
with len = 0 (meaning the maximum contiguous space available) and the
maximum available elem size is less than (MALLOC_ELEM_OVERHEAD + align).

Issue reported by Coverity:

   >>> 10. overflow: Subtract operation overflows on operands len and
   >>>     64UL.
   >>> CID 107111 (#1 of 1): Overflowed return value (INTEGER_OVERFLOW)
   >>> 11. overflow_sink: Overflowed or truncated value (or a value
   >>>     computed from an overflowed or truncated value)
   >>>     len - 64UL - align used as return value.
   122         return len - MALLOC_ELEM_OVERHEAD - align;

Fixes: fafcc11985a2 ("mem: rework memzone to be allocated by malloc")

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
---
 lib/librte_eal/common/eal_common_memzone.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/librte_eal/common/eal_common_memzone.c b/lib/librte_eal/common/eal_common_memzone.c
index 452679e..5d28341 100644
--- a/lib/librte_eal/common/eal_common_memzone.c
+++ b/lib/librte_eal/common/eal_common_memzone.c
@@ -119,6 +119,9 @@ find_heap_max_free_elem(int *s, unsigned align)
 		}
 	}
 
+	if (len < MALLOC_ELEM_OVERHEAD + align)
+		return 0;
+
 	return len - MALLOC_ELEM_OVERHEAD - align;
 }
 
@@ -197,8 +200,13 @@ memzone_reserve_aligned_thread_unsafe(const char *name, size_t len,
 	if (len == 0) {
 		if (bound != 0)
 			requested_len = bound;
-		else
+		else {
 			requested_len = find_heap_max_free_elem(&socket_id, align);
+			if (requested_len == 0) {
+				rte_errno = ENOMEM;
+				return NULL;
+			}
+		}
 	}
 
 	if (socket_id == SOCKET_ID_ANY)
-- 
2.4.11

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [dpdk-dev] [PATCH] mem: fix possible memzone integer overflow
  2016-06-14 18:07 [dpdk-dev] [PATCH] mem: fix possible memzone integer overflow Sergio Gonzalez Monroy
@ 2016-06-20  8:57 ` Thomas Monjalon
  0 siblings, 0 replies; 2+ messages in thread
From: Thomas Monjalon @ 2016-06-20  8:57 UTC (permalink / raw)
  To: Sergio Gonzalez Monroy; +Cc: dev

2016-06-14 19:07, Sergio Gonzalez Monroy:
> It is possible to get an integer overflow if we try to reserve a memzone
> with len = 0 (meaning the maximum contiguous space available) and the
> maximum available elem size is less than (MALLOC_ELEM_OVERHEAD + align).
> 
> Issue reported by Coverity:
> 
>    >>> 10. overflow: Subtract operation overflows on operands len and
>    >>>     64UL.
>    >>> CID 107111 (#1 of 1): Overflowed return value (INTEGER_OVERFLOW)
>    >>> 11. overflow_sink: Overflowed or truncated value (or a value
>    >>>     computed from an overflowed or truncated value)
>    >>>     len - 64UL - align used as return value.
>    122         return len - MALLOC_ELEM_OVERHEAD - align;
> 
> Fixes: fafcc11985a2 ("mem: rework memzone to be allocated by malloc")
> 
> Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>

Applied, thanks

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-06-20  8:58 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-06-14 18:07 [dpdk-dev] [PATCH] mem: fix possible memzone integer overflow Sergio Gonzalez Monroy
2016-06-20  8:57 ` Thomas Monjalon

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).