From: Bruce Richardson
To: Slawomir Mrozowicz
Cc: david.marchand@6wind.com, dev@dpdk.org
Date: Tue, 26 Apr 2016 09:53:44 +0100
Subject: Re: [dpdk-dev] [PATCH] eal: out-of-bounds write

On Tue, Apr 26, 2016 at 09:44:47AM +0200, Slawomir Mrozowicz wrote:
> Fix issue reported by Coverity.
>
> Coverity ID 13282: Out-of-bounds write
> overrun-local: Overrunning array mcfg->memseg of 256 44-byte elements
> at element index 257 using index j.
>
> Fixes: af75078fece3 ("first public release")
>
> Signed-off-by: Slawomir Mrozowicz
> --- > lib/librte_eal/linuxapp/eal/eal_memory.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c > index 5b9132c..1e737e4 100644
> --- a/lib/librte_eal/linuxapp/eal/eal_memory.c > +++ b/lib/librte_eal/linuxapp/eal/eal_memory.c > @@ -1333,7 +1333,7 @@ rte_eal_hugepage_init(void) > > if (new_memseg) { > j += 1; > - if (j == RTE_MAX_MEMSEG) > + if (j >= RTE_MAX_MEMSEG) > break; > > mcfg->memseg[j].phys_addr = hugepage[i].physaddr; > --

This does appear to be a valid fix for the issue. However, looking at the code, it appears that the only way we could actually hit the problem is if j == RTE_MAX_MEMSEG on exiting the previous loop. Would a check there be a better fix for this issue (or perhaps we want both fixes)?

Thoughts?

/Bruce
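
Review bot: the `j >= RTE_MAX_MEMSEG` test in the `if (new_memseg)` block only behaves differently from the old `==` test when j is already at RTE_MAX_MEMSEG or above before `j += 1`, and neither the hunk nor the commit message shows how j gets there. Coverity reports index 257 on a 256-element array, which matches j entering this block at 256, so the commit message should name the path on which j starts out of range. A bound check at the point where j first reaches the limit would stop the bad value at its source; this `>=` can then stay as a second guard in front of the write to `mcfg->memseg[j].phys_addr`.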