From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 83040A04A2;
	Tue, 12 May 2020 08:28:52 +0200 (CEST)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 07CD91C066;
	Tue, 12 May 2020 08:28:52 +0200 (CEST)
Received: from mga01.intel.com (mga01.intel.com [192.55.52.88])
 by dpdk.org (Postfix) with ESMTP id 3A2251C031;
 Tue, 12 May 2020 08:28:50 +0200 (CEST)
IronPort-SDR: 7Q0ORMkJemnVswfLrRR2UTuqrgh727PC/KMDL54F8u0uUKqyUY7ejNJcN9kf4Dk2mSSnUUrFOw
 7EEkg7sEfWnA==
X-Amp-Result: SKIPPED(no attachment in message)
X-Amp-File-Uploaded: False
Received: from fmsmga003.fm.intel.com ([10.253.24.29])
 by fmsmga101.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 11 May 2020 23:28:49 -0700
IronPort-SDR: rRfkkW2+B6YWniaakwFmOI8/IHKLrC2wcS9sfGo8aNnKFdmV0GkuLkQsMemn2G170xXkWp/T4J
 xID+NF/Yv3iQ==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.73,382,1583222400"; d="scan'208";a="306392521"
Received: from dpdk-qifu-cxl.sh.intel.com ([10.67.119.67])
 by FMSMGA003.fm.intel.com with ESMTP; 11 May 2020 23:28:48 -0700
From: Wei Zhao <wei.zhao1@intel.com>
To: dev@dpdk.org
Cc: stable@dpdk.org,
	beilei.xing@intel.com,
	Wei Zhao <wei.zhao1@intel.com>
Date: Tue, 12 May 2020 11:19:15 -0400
Message-Id: <20200512151915.105152-1-wei.zhao1@intel.com>
X-Mailer: git-send-email 2.17.1
Subject: [dpdk-dev] [PATCH] net/i40e: fix the security risk of wild pointer
	operation
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

In i40e PMD code of function i40e_res_pool_free(), if valid_entry is
freed by "rte_free(valid_entry);" in the following code:

if (prev != NULL) {
 ........................

   if (insert == 1) {
     LIST_REMOVE(valid_entry, next);
     rte_free(valid_entry);
    } else {
     rte_free(valid_entry);
     insert = 1;
    }
  }

then the following code for pool update may still use the wild pointer
"valid_entry":

" pool->num_free += valid_entry->len;
  pool->num_alloc -= valid_entry>len;
"
it seems to be a security bug, we should avoid this risk.

Cc: stable@dpdk.org
Fixes: 4861cde46116 ("i40e: new poll mode driver")

Signed-off-by: Wei Zhao <wei.zhao1@intel.com>
---
 drivers/net/i40e/i40e_ethdev.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/net/i40e/i40e_ethdev.c b/drivers/net/i40e/i40e_ethdev.c
index 749d85f54..7f8ea5309 100644
--- a/drivers/net/i40e/i40e_ethdev.c
+++ b/drivers/net/i40e/i40e_ethdev.c
@@ -4973,6 +4973,9 @@ i40e_res_pool_free(struct i40e_res_pool_info *pool,
 	}
 
 	insert = 0;
+	pool->num_free += valid_entry->len;
+	pool->num_alloc -= valid_entry->len;
+
 	/* Try to merge with next one*/
 	if (next != NULL) {
 		/* Merge with next one */
@@ -5010,9 +5013,6 @@ i40e_res_pool_free(struct i40e_res_pool_info *pool,
 			LIST_INSERT_HEAD(&pool->free_list, valid_entry, next);
 	}
 
-	pool->num_free += valid_entry->len;
-	pool->num_alloc -= valid_entry->len;
-
 	return 0;
 }
 
-- 
2.17.1