[dpdk-dev] [PATCH] mbuf: Fix illegal pointer access to mempool members

DPDK patches and discussions
 help / color / mirror / Atom feed

* [dpdk-dev] [PATCH] mbuf: Fix illegal pointer access to mempool members
@ 2021-03-31 19:02 Wenwu Ma
  0 siblings, 0 replies; 4+ messages in thread
From: Wenwu Ma @ 2021-03-31 19:02 UTC (permalink / raw)
  To: olivier.matz; +Cc: dev

Before accessing the private data of mempool in
function rte_pktmbuf_priv_size() and rte_pktmbuf_data_room_size(),
it is necessary to determine whether the private data exists,
otherwise it will cause heap-buffer-overflow.

Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
 lib/librte_mbuf/rte_mbuf.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/librte_mbuf/rte_mbuf.h b/lib/librte_mbuf/rte_mbuf.h
index c4c9ebfaa..6c2559550 100644
--- a/lib/librte_mbuf/rte_mbuf.h
+++ b/lib/librte_mbuf/rte_mbuf.h
@@ -811,6 +811,9 @@ rte_pktmbuf_data_room_size(struct rte_mempool *mp)
 {
 	struct rte_pktmbuf_pool_private *mbp_priv;
 
+	if (mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private))
+		return 0;
+
 	mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp);
 	return mbp_priv->mbuf_data_room_size;
 }
@@ -832,6 +835,9 @@ rte_pktmbuf_priv_size(struct rte_mempool *mp)
 {
 	struct rte_pktmbuf_pool_private *mbp_priv;
 
+	if (mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private))
+		return 0;
+
 	mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp);
 	return mbp_priv->mbuf_priv_size;
 }
-- 
2.25.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [dpdk-dev] [PATCH] mbuf: Fix illegal pointer access to mempool members
@ 2021-03-31 13:43 Wenwu Ma
  2021-03-31  7:12 ` Jerin Jacob
  0 siblings, 1 reply; 4+ messages in thread
From: Wenwu Ma @ 2021-03-31 13:43 UTC (permalink / raw)
  To: olivier.matz, dev; +Cc: Wenwu Ma

Before accessing the private data of mempool in
function rte_pktmbuf_priv_size() and rte_pktmbuf_data_room_size(),
it is necessary to determine whether the private data exists,
otherwise it will cause null pointer access.

Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
 lib/librte_mbuf/rte_mbuf.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/librte_mbuf/rte_mbuf.h b/lib/librte_mbuf/rte_mbuf.h
index c4c9ebfaa..6c2559550 100644
--- a/lib/librte_mbuf/rte_mbuf.h
+++ b/lib/librte_mbuf/rte_mbuf.h
@@ -811,6 +811,9 @@ rte_pktmbuf_data_room_size(struct rte_mempool *mp)
 {
 	struct rte_pktmbuf_pool_private *mbp_priv;
 
+	if (mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private))
+		return 0;
+
 	mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp);
 	return mbp_priv->mbuf_data_room_size;
 }
@@ -832,6 +835,9 @@ rte_pktmbuf_priv_size(struct rte_mempool *mp)
 {
 	struct rte_pktmbuf_pool_private *mbp_priv;
 
+	if (mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private))
+		return 0;
+
 	mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp);
 	return mbp_priv->mbuf_priv_size;
 }
-- 
2.25.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [dpdk-dev] [PATCH] mbuf: Fix illegal pointer access to mempool members
  2021-03-31 13:43 Wenwu Ma
@ 2021-03-31  7:12 ` Jerin Jacob
  0 siblings, 0 replies; 4+ messages in thread
From: Jerin Jacob @ 2021-03-31  7:12 UTC (permalink / raw)
  To: Wenwu Ma; +Cc: Olivier Matz, dpdk-dev

On Wed, Mar 31, 2021 at 7:19 AM Wenwu Ma <wenwux.ma@intel.com> wrote:
>
> Before accessing the private data of mempool in
> function rte_pktmbuf_priv_size() and rte_pktmbuf_data_room_size(),
> it is necessary to determine whether the private data exists,
> otherwise it will cause null pointer access.
>
> Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
> ---
>  lib/librte_mbuf/rte_mbuf.h | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/lib/librte_mbuf/rte_mbuf.h b/lib/librte_mbuf/rte_mbuf.h
> index c4c9ebfaa..6c2559550 100644
> --- a/lib/librte_mbuf/rte_mbuf.h
> +++ b/lib/librte_mbuf/rte_mbuf.h
> @@ -811,6 +811,9 @@ rte_pktmbuf_data_room_size(struct rte_mempool *mp)
>  {
>         struct rte_pktmbuf_pool_private *mbp_priv;
>
> +       if (mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private))
> +               return 0;

If mp->private_data_size updated in the slow path at mempool create
time, why not have this sanity check in the slow path?


> +
>         mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp);
>         return mbp_priv->mbuf_data_room_size;
>  }
> @@ -832,6 +835,9 @@ rte_pktmbuf_priv_size(struct rte_mempool *mp)
>  {
>         struct rte_pktmbuf_pool_private *mbp_priv;
>
> +       if (mp->private_data_size < sizeof(struct rte_pktmbuf_pool_private))
> +               return 0;
> +
>         mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp);
>         return mbp_priv->mbuf_priv_size;
>  }
> --
> 2.25.1
>

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [dpdk-dev] [PATCH] mbuf: Fix illegal pointer access to mempool members
@ 2021-03-30 14:07 wenwux.ma
  0 siblings, 0 replies; 4+ messages in thread
From: wenwux.ma @ 2021-03-30 14:07 UTC (permalink / raw)
  To: olivier.matz; +Cc: dev, wenwu ma

From: wenwu ma <wenwux.ma@intel.com>

Before accessing the private data of mempool in
function rte_pktmbuf_priv_size() and rte_pktmbuf_data_room_size(),
it is necessary to determine whether the private data exists,
otherwise it will cause null pointer access.

Signed-off-by: wenwu ma <wenwux.ma@intel.com>
---
 lib/librte_mbuf/rte_mbuf.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/librte_mbuf/rte_mbuf.h b/lib/librte_mbuf/rte_mbuf.h
index c4c9ebfaa..9cca9a7d4 100644
--- a/lib/librte_mbuf/rte_mbuf.h
+++ b/lib/librte_mbuf/rte_mbuf.h
@@ -811,6 +811,9 @@ rte_pktmbuf_data_room_size(struct rte_mempool *mp)
 {
 	struct rte_pktmbuf_pool_private *mbp_priv;
 
+	if (mp->private_data_size != sizeof(struct rte_pktmbuf_pool_private))
+		return 0;
+
 	mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp);
 	return mbp_priv->mbuf_data_room_size;
 }
@@ -832,6 +835,9 @@ rte_pktmbuf_priv_size(struct rte_mempool *mp)
 {
 	struct rte_pktmbuf_pool_private *mbp_priv;
 
+	if (mp->private_data_size != sizeof(struct rte_pktmbuf_pool_private))
+		return 0;
+
 	mbp_priv = (struct rte_pktmbuf_pool_private *)rte_mempool_get_priv(mp);
 	return mbp_priv->mbuf_priv_size;
 }
-- 
2.25.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2021-03-31  7:12 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-31 19:02 [dpdk-dev] [PATCH] mbuf: Fix illegal pointer access to mempool members Wenwu Ma
  -- strict thread matches above, loose matches on Subject: below --
2021-03-31 13:43 Wenwu Ma
2021-03-31  7:12 ` Jerin Jacob
2021-03-30 14:07 wenwux.ma

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).