Date: Thu, 11 Jun 2020 17:03:36 +0200
From: Olivier Matz <olivier.matz@6wind.com>
To: Xiaolong Ye <xiaolong.ye@intel.com>
Cc: Thomas Monjalon <thomas@monjalon.net>,
 Konstantin Ananyev <konstantin.ananyev@intel.com>, dev@dpdk.org,
 stable@dpdk.org
Message-ID: <20200611150336.GB12564@platinum>
References: <20200610150845.82462-1-xiaolong.ye@intel.com>
 <20200611004801.105736-1-xiaolong.ye@intel.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20200611004801.105736-1-xiaolong.ye@intel.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Subject: Re: [dpdk-dev] [PATCH v2] mbuf: fix out-of-bounds access

On Thu, Jun 11, 2020 at 08:48:01AM +0800, Xiaolong Ye wrote:
> We should make sure off + size < sizeof(struct rte_mbuf) to avoid
> possible out-of-bounds access of the free_space array. There is no issue
> currently, because the low bits of free_flags (which is adjacent to
> free_space) are always set to 0. But we shouldn't rely on it, since it's
> fragile and the layout of struct mbuf_dyn_shm may be changed in the future.
> This patch adds an explicit boundary check to avoid the potential risk of
> out-of-bounds access.
> 
> Fixes: 4958ca3a443a ("mbuf: support dynamic fields and flags")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Xiaolong Ye <xiaolong.ye@intel.com>

I suggest changing the title to:
mbuf: fix out-of-bounds access at dyn field register

Thomas, as Xiaolong pointed out, it fixes a bug in the code but there is
no impact. I'll let you decide if it should be tagged as a fix or not, and
if it should be backported. I'd tend to say yes.

Acked-by: Olivier Matz <olivier.matz@6wind.com>

> ---
> 
> V2: put the check before accessing free_space
> 
>  lib/librte_mbuf/rte_mbuf_dyn.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/lib/librte_mbuf/rte_mbuf_dyn.c b/lib/librte_mbuf/rte_mbuf_dyn.c
> index d6931f847..9d6388cff 100644
> --- a/lib/librte_mbuf/rte_mbuf_dyn.c
> +++ b/lib/librte_mbuf/rte_mbuf_dyn.c
> @@ -71,7 +71,8 @@ process_score(void)
>  
>  	for (off = 0; off < sizeof(struct rte_mbuf); off++) {
>  		/* get the size of the free zone */
> -		for (size = 0; shm->free_space[off + size]; size++)
> +		for (size = 0; (off + size) < sizeof(struct rte_mbuf) &&
> +			     shm->free_space[off + size]; size++)
>  			;
>  		if (size == 0)
>  			continue;
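Review bot: the new bound in the inner loop is sizeof(struct rte_mbuf), but the array being indexed is shm->free_space; if free_space is declared with that size (which the commit message's remark that free_flags is adjacent to it suggests), writing the limit as RTE_DIM(shm->free_space) would tie the check to the array declaration rather than to the mbuf size, so a later change to the array cannot silently reopen the gap. The outer loop already uses the same sizeof(struct rte_mbuf) bound, so keeping the two consistent is reasonable either way; a one-line comment above the loop saying the scan must not run into free_flags would document why the check is there.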
> -- 
> 2.17.1
>
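As an added illustration, not part of the patch or of DPDK's code, the effect of the bound on a constructed layout (hypothetical sizes and struct, not the real struct mbuf_dyn_shm): a free run that reaches the end of free_space, with the byte of free_flags next to it nonzero, is sized correctly by the patched loop, while a model of the old, unbounded walk overcounts it.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in (not DPDK's real struct mbuf_dyn_shm): a per-byte
 * free map the size of the mbuf, directly followed by the flags mask. */
#define MBUF_SIZE 16
struct dyn_shm {
	uint8_t free_space[MBUF_SIZE]; /* 1 = byte is free, 0 = in use */
	uint64_t free_flags;
};

/* Length of the free run starting at off. bounded != 0 is the patched loop,
 * which stops at the end of free_space. bounded == 0 models the old loop,
 * which walks on into whatever follows free_space (here free_flags); the
 * model reads through a byte view of the whole struct so it stays in bounds. */
static size_t free_zone(const struct dyn_shm *shm, size_t off, int bounded)
{
	const uint8_t *bytes = (const uint8_t *)shm;
	size_t limit = bounded ? sizeof(shm->free_space) : sizeof(*shm);
	size_t size;

	for (size = 0; off + size < limit && bytes[off + size]; size++)
		;
	return size;
}

/* Outer loop of process_score(): the largest free zone over all offsets. */
static size_t largest_free_zone(const struct dyn_shm *shm, int bounded)
{
	size_t off, size, best = 0;

	for (off = 0; off < sizeof(shm->free_space); off++) {
		size = free_zone(shm, off, bounded);
		if (size > best)
			best = size;
	}
	return best;
}

/* Constructed case: the last 4 bytes of the mbuf are free and the byte of
 * free_flags adjacent to free_space is nonzero (set bytewise, endian-neutral).
 * Returns 4 with the bounded scan and 5 with the old, unbounded one. */
static size_t demo_largest_zone(int bounded)
{
	struct dyn_shm shm;

	memset(&shm, 0, sizeof(shm));
	memset(shm.free_space + MBUF_SIZE - 4, 1, 4);
	((uint8_t *)&shm.free_flags)[0] = 0x01;
	return largest_free_zone(&shm, bounded);
}
```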