From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id CA1CCA00C5; Thu, 11 Jun 2020 17:03:39 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 9C6322A5D; Thu, 11 Jun 2020 17:03:39 +0200 (CEST) Received: from mail-wr1-f67.google.com (mail-wr1-f67.google.com [209.85.221.67]) by dpdk.org (Postfix) with ESMTP id A222B1B19 for ; Thu, 11 Jun 2020 17:03:37 +0200 (CEST) Received: by mail-wr1-f67.google.com with SMTP id q11so6535827wrp.3 for ; Thu, 11 Jun 2020 08:03:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=6wind.com; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=5euna51O34xz9phrtw6beoNgZ9YHeymQkXsgVHnqk10=; b=doPKRkjIvnNfvgcAnpL+U8H1bj4xMFrMQgnBfvdMLBYNzwwQemTB3BQkVQnQag0daP szzwaXDqUVTBRTwSbbo7VA76QDh9/f3sNA+2JDvUK2WSqJKOce1C/T+68VnLWMhTwmkj +aF/HObr7uE6+OkiAmIMAMwspPio0eEVggUquk8ZiLeUWeh/+Pqw1cv6xgO+mb7zB0+Z PC0T4mFpuavDn6O+a1+ookxu5tH4dLO4JWohi2/u+mvagElMuL9vYgaYLTuI+gn8oDQJ mNuJEmNGXLM8E+OGmu4av40InzT/JvjtM3EFwuHS7wqGfQOnqC7+UALPETD46X+6x4sI PjcA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=5euna51O34xz9phrtw6beoNgZ9YHeymQkXsgVHnqk10=; b=VC+MM+VtIp1OvR2ZpWUey9Of4PsADtwKDqGys7AO828iJ1eKAjKLioW9BYTRkosfzA mrH/UGoVNezRrM/VJ5sr/4tGRGVVhY1oY7Mpukb1/E5NnbQIlesoC6b4LEGsL7YmavRd GImznhIxvvS7jt/kTpO9Ymwd9T2j4l9lcGaf5J+l4zXMKEjkWsNcTl9phuF1ClCE+NoG vXiKYPxWscvoFUM8/7/sdI7fjepLloTBE6mv76rvOqh4cM+Jb2tGk/PuCzHIqz9iHmJm KXSrMRkfYmjz/O48nYwxxAZm/Z39HCzEiuDffDTONcFsR3UGogQpYCDeYMMcVgJfpPct +CDw== X-Gm-Message-State: AOAM530kFH1VCG5nLnIDjSc5D9K4gyYAJjFqwx4gcll9xjGHKeg7mlHX +mVoZ1llCNPZqiYzqVInZdLIsQ== X-Google-Smtp-Source: ABdhPJxIS/mWSJXUi+IAFEfA1sQRSwc9YwICuyiwMDokz+V3gbDDz51f08BmOkbfa+vsU3DnS5jtTw== X-Received: by 2002:adf:de91:: with SMTP id w17mr10752051wrl.249.1591887817351; Thu, 11 Jun 2020 08:03:37 -0700 (PDT) Received: from 6wind.com (2a01cb0c0005a600345636f7e65ed1a0.ipv6.abo.wanadoo.fr. [2a01:cb0c:5:a600:3456:36f7:e65e:d1a0]) by smtp.gmail.com with ESMTPSA id x8sm5629205wrs.43.2020.06.11.08.03.36 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 11 Jun 2020 08:03:36 -0700 (PDT) Date: Thu, 11 Jun 2020 17:03:36 +0200 From: Olivier Matz To: Xiaolong Ye Cc: Thomas Monjalon , Konstantin Ananyev , dev@dpdk.org, stable@dpdk.org Message-ID: <20200611150336.GB12564@platinum> References: <20200610150845.82462-1-xiaolong.ye@intel.com> <20200611004801.105736-1-xiaolong.ye@intel.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200611004801.105736-1-xiaolong.ye@intel.com> User-Agent: Mutt/1.10.1 (2018-07-13) Subject: Re: [dpdk-dev] [PATCH v2] mbuf: fix out-of-bounds access X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" On Thu, Jun 11, 2020 at 08:48:01AM +0800, Xiaolong Ye wrote: > We should make sure off + size < sizeof(struct rte_mbuf) to avoid > possible out-of-bounds access of free_space array, there is no issue > currently due to the low bits of free_flags (which is adjacent to > free_space) are always set to 0. But we shouldn't rely on it since it's > fragile and layout of struct mbuf_dyn_shm may be changed in the future. > This patch adds boundary check explicitly to avoid potential risk of > out-of-bounds access. > > Fixes: 4958ca3a443a ("mbuf: support dynamic fields and flags") > Cc: stable@dpdk.org > > Signed-off-by: Xiaolong Ye I suggest to change the title in: mbuf: fix out-of-bounds access at dyn field register Thomas, as Xiaolong pointed-out, it fixes a bug in the code but there is no impact. I let you decide if it should be tagged as a fix or not, and if it should be backported. I'll tend to say yes. Acked-by: Olivier Matz > --- > > V2: put the check before accessing free_space > > lib/librte_mbuf/rte_mbuf_dyn.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/lib/librte_mbuf/rte_mbuf_dyn.c b/lib/librte_mbuf/rte_mbuf_dyn.c > index d6931f847..9d6388cff 100644 > --- a/lib/librte_mbuf/rte_mbuf_dyn.c > +++ b/lib/librte_mbuf/rte_mbuf_dyn.c > @@ -71,7 +71,8 @@ process_score(void) > > for (off = 0; off < sizeof(struct rte_mbuf); off++) { > /* get the size of the free zone */ > - for (size = 0; shm->free_space[off + size]; size++) > + for (size = 0; (off + size) < sizeof(struct rte_mbuf) && > + shm->free_space[off + size]; size++) > ; > if (size == 0) > continue; > -- > 2.17.1 >