DPDK patches and discussions
 help / color / mirror / Atom feed
* [dpdk-dev] [PATCH] test/mempool: Fix illegal pointer access in mempool test
@ 2021-03-31 21:05 Wenwu Ma
  2021-04-13 20:05 ` [dpdk-dev] [v2] test/mempool: fix heap buffer overflow Wenwu Ma
  2021-04-15  2:04 ` [dpdk-dev] [PATCH] test/mempool: Fix illegal pointer access in mempool test Peng, ZhihongX
  0 siblings, 2 replies; 12+ messages in thread
From: Wenwu Ma @ 2021-03-31 21:05 UTC (permalink / raw)
  To: olivier.matz, andrew.rybchenko, dev

The value of parameter private_data_size of function
rte_mempool_create() called in test_mempool() should not be 0,
Otherwise, the function rte_pktmbuf_priv_size() called in
rte_pktmbuf_init() will cause heap-buffer-overflow.

Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
 app/test/test_mempool.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/test/test_mempool.c b/app/test/test_mempool.c
index 084842fda..fc06a9c6f 100644
--- a/app/test/test_mempool.c
+++ b/app/test/test_mempool.c
@@ -543,7 +543,8 @@ test_mempool(void)
 	mp_stack_mempool_iter = rte_mempool_create("test_iter_obj",
 		MEMPOOL_SIZE,
 		MEMPOOL_ELT_SIZE,
-		RTE_MEMPOOL_CACHE_MAX_SIZE, 0,
+		RTE_MEMPOOL_CACHE_MAX_SIZE,
+		sizeof(struct rte_pktmbuf_pool_private),
 		NULL, NULL,
 		my_obj_init, NULL,
 		SOCKET_ID_ANY, 0);
-- 
2.25.1


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [dpdk-dev] [dpdk-stable] [v2] test/mempool: fix heap buffer overflow
  2021-04-13 20:05 ` [dpdk-dev] [v2] test/mempool: fix heap buffer overflow Wenwu Ma
@ 2021-04-13 11:52   ` Thomas Monjalon
  2021-04-15  6:45     ` Olivier Matz
  2021-04-27 13:56   ` [dpdk-dev] [PATCH v3 1/2] " Olivier Matz
  1 sibling, 1 reply; 12+ messages in thread
From: Thomas Monjalon @ 2021-04-13 11:52 UTC (permalink / raw)
  To: Wenwu Ma; +Cc: olivier.matz, andrew.rybchenko, stable, dev, aconole

13/04/2021 22:05, Wenwu Ma:
> Amount of allocated memory was not enough for mempool
> which cause buffer overflow when access fields of mempool
> private structure in the rte_pktmbuf_priv_size function.

Was it causing the test to fail?
How do you reproduce the overflow?

> Fixes: 923ceaeac140 ("test/mempool: add unit test cases")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>




^ permalink raw reply	[flat|nested] 12+ messages in thread

* [dpdk-dev] [v2] test/mempool: fix heap buffer overflow
  2021-03-31 21:05 [dpdk-dev] [PATCH] test/mempool: Fix illegal pointer access in mempool test Wenwu Ma
@ 2021-04-13 20:05 ` Wenwu Ma
  2021-04-13 11:52   ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon
  2021-04-27 13:56   ` [dpdk-dev] [PATCH v3 1/2] " Olivier Matz
  2021-04-15  2:04 ` [dpdk-dev] [PATCH] test/mempool: Fix illegal pointer access in mempool test Peng, ZhihongX
  1 sibling, 2 replies; 12+ messages in thread
From: Wenwu Ma @ 2021-04-13 20:05 UTC (permalink / raw)
  To: olivier.matz, andrew.rybchenko; +Cc: dev, Wenwu Ma, stable

Amount of allocated memory was not enough for mempool
which cause buffer overflow when access fields of mempool
private structure in the rte_pktmbuf_priv_size function.

Fixes: 923ceaeac140 ("test/mempool: add unit test cases")
Cc: stable@dpdk.org

Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
v2:
- refine commit log. 
---
 app/test/test_mempool.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/test/test_mempool.c b/app/test/test_mempool.c
index 084842fda..fc06a9c6f 100644
--- a/app/test/test_mempool.c
+++ b/app/test/test_mempool.c
@@ -543,7 +543,8 @@ test_mempool(void)
 	mp_stack_mempool_iter = rte_mempool_create("test_iter_obj",
 		MEMPOOL_SIZE,
 		MEMPOOL_ELT_SIZE,
-		RTE_MEMPOOL_CACHE_MAX_SIZE, 0,
+		RTE_MEMPOOL_CACHE_MAX_SIZE,
+		sizeof(struct rte_pktmbuf_pool_private),
 		NULL, NULL,
 		my_obj_init, NULL,
 		SOCKET_ID_ANY, 0);
-- 
2.25.1


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [dpdk-dev] [PATCH] test/mempool: Fix illegal pointer access in mempool test
  2021-03-31 21:05 [dpdk-dev] [PATCH] test/mempool: Fix illegal pointer access in mempool test Wenwu Ma
  2021-04-13 20:05 ` [dpdk-dev] [v2] test/mempool: fix heap buffer overflow Wenwu Ma
@ 2021-04-15  2:04 ` Peng, ZhihongX
  1 sibling, 0 replies; 12+ messages in thread
From: Peng, ZhihongX @ 2021-04-15  2:04 UTC (permalink / raw)
  To: Ma, WenwuX, olivier.matz, andrew.rybchenko, dev

-----Original Message-----
From: dev <dev-bounces@dpdk.org> On Behalf Of Wenwu Ma
Sent: Thursday, April 1, 2021 5:06 AM
To: olivier.matz@6wind.com; andrew.rybchenko@oktetlabs.ru; dev@dpdk.org
Subject: [dpdk-dev] [PATCH] test/mempool: Fix illegal pointer access in mempool test

The value of parameter private_data_size of function
rte_mempool_create() called in test_mempool() should not be 0, Otherwise, the function rte_pktmbuf_priv_size() called in
rte_pktmbuf_init() will cause heap-buffer-overflow.

Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
 app/test/test_mempool.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/test/test_mempool.c b/app/test/test_mempool.c index 084842fda..fc06a9c6f 100644
--- a/app/test/test_mempool.c
+++ b/app/test/test_mempool.c
@@ -543,7 +543,8 @@ test_mempool(void)
 	mp_stack_mempool_iter = rte_mempool_create("test_iter_obj",
 		MEMPOOL_SIZE,
 		MEMPOOL_ELT_SIZE,
-		RTE_MEMPOOL_CACHE_MAX_SIZE, 0,
+		RTE_MEMPOOL_CACHE_MAX_SIZE,
+		sizeof(struct rte_pktmbuf_pool_private),
 		NULL, NULL,
 		my_obj_init, NULL,
 		SOCKET_ID_ANY, 0);
--
2.25.1

Tested-by: Peng Zhihong <zhihongx.peng@intel.com>

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [dpdk-dev] [dpdk-stable] [v2] test/mempool: fix heap buffer overflow
  2021-04-13 11:52   ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon
@ 2021-04-15  6:45     ` Olivier Matz
  2021-04-15 12:51       ` Aaron Conole
  0 siblings, 1 reply; 12+ messages in thread
From: Olivier Matz @ 2021-04-15  6:45 UTC (permalink / raw)
  To: Thomas Monjalon
  Cc: Wenwu Ma, andrew.rybchenko, stable, dev, aconole, zhihongx.peng

On Tue, Apr 13, 2021 at 01:52:26PM +0200, Thomas Monjalon wrote:
> 13/04/2021 22:05, Wenwu Ma:
> > Amount of allocated memory was not enough for mempool
> > which cause buffer overflow when access fields of mempool
> > private structure in the rte_pktmbuf_priv_size function.
>
> Was it causing the test to fail?
> How do you reproduce the overflow?

In the test, right after the rte_mempool_create(), the function
rte_mempool_obj_iter() is called too initialize the mempool objects with
the rte_pktmbuf_init() callback function. This callback expects that the
mempool is a packet pool, i.e. its private area is a struct
rte_pktmbuf_pool_private structure.

In the current test, the size of the private area is 0, which probably
causes the function rte_pktmbuf_priv_size() to return an unpredictable
value, and this value is used as a size in a memset.

This part of the test was added in commit 923ceaeac140 ("test/mempool:
add unit test cases").

Instead of changing the size of the private area like done in the patch,
I suggest to use another callback than rte_pktmbuf_init(). After all,
this is a mempool test, so we should not rely on mbuf features. The
function my_obj_init() could be used like in other places of the test,
like this:

  @@ -552,7 +552,7 @@ test_mempool(void)
  		 GOTO_ERR(ret, err);
  
  	 /* test to initialize mempool objects and memory */
  -        nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, rte_pktmbuf_init,
  +        nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, my_obj_init,
  			 NULL);
  	 if (nb_objs == 0)
  		 GOTO_ERR(ret, err);


Wenwu, does it solve your issue?


Regards,
Olivier

^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [dpdk-dev] [dpdk-stable] [v2] test/mempool: fix heap buffer overflow
  2021-04-15  6:45     ` Olivier Matz
@ 2021-04-15 12:51       ` Aaron Conole
  2021-04-16  7:20         ` Olivier Matz
  0 siblings, 1 reply; 12+ messages in thread
From: Aaron Conole @ 2021-04-15 12:51 UTC (permalink / raw)
  To: Olivier Matz
  Cc: Thomas Monjalon, Wenwu Ma, andrew.rybchenko, stable, dev, zhihongx.peng

Olivier Matz <olivier.matz@6wind.com> writes:

> On Tue, Apr 13, 2021 at 01:52:26PM +0200, Thomas Monjalon wrote:
>> 13/04/2021 22:05, Wenwu Ma:
>> > Amount of allocated memory was not enough for mempool
>> > which cause buffer overflow when access fields of mempool
>> > private structure in the rte_pktmbuf_priv_size function.
>>
>> Was it causing the test to fail?
>> How do you reproduce the overflow?
>
> In the test, right after the rte_mempool_create(), the function
> rte_mempool_obj_iter() is called too initialize the mempool objects with
> the rte_pktmbuf_init() callback function. This callback expects that the
> mempool is a packet pool, i.e. its private area is a struct
> rte_pktmbuf_pool_private structure.
>
> In the current test, the size of the private area is 0, which probably
> causes the function rte_pktmbuf_priv_size() to return an unpredictable
> value, and this value is used as a size in a memset.

Is it possible to have rte_mempool_get_priv() detect that the private
area isn't valid and return a ref to a const static member for this that
will have the correct mbuf_priv_size?  There isn't really documentation
that I can find that describes this corner case with the mempool private
data section.  Actually, it doesn't really say what happens if private
data size is 0, so maybe a documentation update should go with this test
case fix, too?

> This part of the test was added in commit 923ceaeac140 ("test/mempool:
> add unit test cases").
>
> Instead of changing the size of the private area like done in the patch,
> I suggest to use another callback than rte_pktmbuf_init(). After all,
> this is a mempool test, so we should not rely on mbuf features. The
> function my_obj_init() could be used like in other places of the test,
> like this:
>
>   @@ -552,7 +552,7 @@ test_mempool(void)
>   		 GOTO_ERR(ret, err);
>   
>   	 /* test to initialize mempool objects and memory */
>   -        nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, rte_pktmbuf_init,
>   +        nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, my_obj_init,
>   			 NULL);
>   	 if (nb_objs == 0)
>   		 GOTO_ERR(ret, err);
>
>
> Wenwu, does it solve your issue?
>
>
> Regards,
> Olivier


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [dpdk-dev] [dpdk-stable] [v2] test/mempool: fix heap buffer overflow
  2021-04-15 12:51       ` Aaron Conole
@ 2021-04-16  7:20         ` Olivier Matz
  0 siblings, 0 replies; 12+ messages in thread
From: Olivier Matz @ 2021-04-16  7:20 UTC (permalink / raw)
  To: Aaron Conole
  Cc: Thomas Monjalon, Wenwu Ma, andrew.rybchenko, stable, dev, zhihongx.peng

On Thu, Apr 15, 2021 at 08:51:27AM -0400, Aaron Conole wrote:
> Olivier Matz <olivier.matz@6wind.com> writes:
> 
> > On Tue, Apr 13, 2021 at 01:52:26PM +0200, Thomas Monjalon wrote:
> >> 13/04/2021 22:05, Wenwu Ma:
> >> > Amount of allocated memory was not enough for mempool
> >> > which cause buffer overflow when access fields of mempool
> >> > private structure in the rte_pktmbuf_priv_size function.
> >>
> >> Was it causing the test to fail?
> >> How do you reproduce the overflow?
> >
> > In the test, right after the rte_mempool_create(), the function
> > rte_mempool_obj_iter() is called too initialize the mempool objects with
> > the rte_pktmbuf_init() callback function. This callback expects that the
> > mempool is a packet pool, i.e. its private area is a struct
> > rte_pktmbuf_pool_private structure.
> >
> > In the current test, the size of the private area is 0, which probably
> > causes the function rte_pktmbuf_priv_size() to return an unpredictable
> > value, and this value is used as a size in a memset.
> 
> Is it possible to have rte_mempool_get_priv() detect that the private
> area isn't valid and return a ref to a const static member for this that
> will have the correct mbuf_priv_size?  There isn't really documentation
> that I can find that describes this corner case with the mempool private
> data section.  Actually, it doesn't really say what happens if private
> data size is 0, so maybe a documentation update should go with this test
> case fix, too?

Good point, we can indeed add something in the API documentation. To
detect that the private area is not big enough in rte_pktmbuf_init(),
unfortunatly the function has no return code, but for now we can add at
least an RTE_ASSERT() (only active when -DRTE_ENABLE_ASSERT is passed),
as it's already done for other checks.

I can do a new version of the patch. Wenwu, is it ok for you?

In a second step, we can think about changing the API of all mempool
callbacks and their wrappers to add a return code.


> > This part of the test was added in commit 923ceaeac140 ("test/mempool:
> > add unit test cases").
> >
> > Instead of changing the size of the private area like done in the patch,
> > I suggest to use another callback than rte_pktmbuf_init(). After all,
> > this is a mempool test, so we should not rely on mbuf features. The
> > function my_obj_init() could be used like in other places of the test,
> > like this:
> >
> >   @@ -552,7 +552,7 @@ test_mempool(void)
> >   		 GOTO_ERR(ret, err);
> >   
> >   	 /* test to initialize mempool objects and memory */
> >   -        nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, rte_pktmbuf_init,
> >   +        nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, my_obj_init,
> >   			 NULL);
> >   	 if (nb_objs == 0)
> >   		 GOTO_ERR(ret, err);
> >
> >
> > Wenwu, does it solve your issue?
> >
> >
> > Regards,
> > Olivier
> 

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [dpdk-dev] [PATCH v3 1/2] test/mempool: fix heap buffer overflow
  2021-04-13 20:05 ` [dpdk-dev] [v2] test/mempool: fix heap buffer overflow Wenwu Ma
  2021-04-13 11:52   ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon
@ 2021-04-27 13:56   ` Olivier Matz
  2021-04-27 13:56     ` [dpdk-dev] [PATCH v3 2/2] mbuf: better document usage of packet pool initializers Olivier Matz
  2021-05-04 18:07     ` [dpdk-dev] [dpdk-stable] [PATCH v3 1/2] test/mempool: fix heap buffer overflow Thomas Monjalon
  1 sibling, 2 replies; 12+ messages in thread
From: Olivier Matz @ 2021-04-27 13:56 UTC (permalink / raw)
  To: dev
  Cc: Andrew Rybchenko, Pallantla Poornima, Wenwu Ma, Peng Zhihong,
	Aaron Conole, Thomas Monjalon, stable

The function rte_pktmbuf_init() expects that the mempool private area is
large enough and was previously initialized by rte_pktmbuf_pool_init(),
which is not the case.

This causes the function rte_pktmbuf_priv_size() to return an
unpredictable value, and this value is used as a size in a memset.

Replace the mempool object initializer by my_obj_init(), which does not
have this constraint, and fits the needs for this test.

Fixes: 923ceaeac140 ("test/mempool: add unit test cases")
Cc: stable@dpdk.org

Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
 app/test/test_mempool.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/test/test_mempool.c b/app/test/test_mempool.c
index 084842fdaa..3adadd6731 100644
--- a/app/test/test_mempool.c
+++ b/app/test/test_mempool.c
@@ -552,7 +552,7 @@ test_mempool(void)
 		GOTO_ERR(ret, err);
 
 	/* test to initialize mempool objects and memory */
-	nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, rte_pktmbuf_init,
+	nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, my_obj_init,
 			NULL);
 	if (nb_objs == 0)
 		GOTO_ERR(ret, err);
-- 
2.29.2


^ permalink raw reply	[flat|nested] 12+ messages in thread

* [dpdk-dev] [PATCH v3 2/2] mbuf: better document usage of packet pool initializers
  2021-04-27 13:56   ` [dpdk-dev] [PATCH v3 1/2] " Olivier Matz
@ 2021-04-27 13:56     ` Olivier Matz
  2021-04-27 14:22       ` Aaron Conole
  2021-05-04 18:07     ` [dpdk-dev] [dpdk-stable] [PATCH v3 1/2] test/mempool: fix heap buffer overflow Thomas Monjalon
  1 sibling, 1 reply; 12+ messages in thread
From: Olivier Matz @ 2021-04-27 13:56 UTC (permalink / raw)
  To: dev
  Cc: Andrew Rybchenko, Pallantla Poornima, Wenwu Ma, Peng Zhihong,
	Aaron Conole, Thomas Monjalon

Clarify that the mempool private initializer and object initializer used
for packet pools require that the mempool private size is large enough.

Also add an assert (only enabled when -DRTE_ENABLE_ASSERT is passed) to
check this constraint.

Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
---
 lib/mbuf/rte_mbuf.c | 5 +++++
 lib/mbuf/rte_mbuf.h | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/lib/mbuf/rte_mbuf.c b/lib/mbuf/rte_mbuf.c
index 3ff0a69187..f7e3c1a187 100644
--- a/lib/mbuf/rte_mbuf.c
+++ b/lib/mbuf/rte_mbuf.c
@@ -43,6 +43,8 @@ rte_pktmbuf_pool_init(struct rte_mempool *mp, void *opaque_arg)
 	struct rte_pktmbuf_pool_private default_mbp_priv;
 	uint16_t roomsz;
 
+	RTE_ASSERT(mp->private_data_size >=
+		   sizeof(struct rte_pktmbuf_pool_private));
 	RTE_ASSERT(mp->elt_size >= sizeof(struct rte_mbuf));
 
 	/* if no structure is provided, assume no mbuf private area */
@@ -83,6 +85,9 @@ rte_pktmbuf_init(struct rte_mempool *mp,
 	struct rte_mbuf *m = _m;
 	uint32_t mbuf_size, buf_len, priv_size;
 
+	RTE_ASSERT(mp->private_data_size >=
+		   sizeof(struct rte_pktmbuf_pool_private));
+
 	priv_size = rte_pktmbuf_priv_size(mp);
 	mbuf_size = sizeof(struct rte_mbuf) + priv_size;
 	buf_len = rte_pktmbuf_data_room_size(mp);
diff --git a/lib/mbuf/rte_mbuf.h b/lib/mbuf/rte_mbuf.h
index c4c9ebfaa0..a555f216ae 100644
--- a/lib/mbuf/rte_mbuf.h
+++ b/lib/mbuf/rte_mbuf.h
@@ -624,6 +624,9 @@ rte_mbuf_raw_free(struct rte_mbuf *m)
  * address, and so on). This function is given as a callback function to
  * rte_mempool_obj_iter() or rte_mempool_create() at pool creation time.
  *
+ * This function expects that the mempool private area was previously
+ * initialized with rte_pktmbuf_pool_init().
+ *
  * @param mp
  *   The mempool from which mbufs originate.
  * @param opaque_arg
@@ -639,7 +642,7 @@ void rte_pktmbuf_init(struct rte_mempool *mp, void *opaque_arg,
 		      void *m, unsigned i);
 
 /**
- * A  packet mbuf pool constructor.
+ * A packet mbuf pool constructor.
  *
  * This function initializes the mempool private data in the case of a
  * pktmbuf pool. This private data is needed by the driver. The
@@ -648,6 +651,9 @@ void rte_pktmbuf_init(struct rte_mempool *mp, void *opaque_arg,
  * pool creation. It can be extended by the user, for example, to
  * provide another packet size.
  *
+ * The mempool private area size must be at least equal to
+ * sizeof(struct rte_pktmbuf_pool_private).
+ *
  * @param mp
  *   The mempool from which mbufs originate.
  * @param opaque_arg
-- 
2.29.2


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [dpdk-dev] [PATCH v3 2/2] mbuf: better document usage of packet pool initializers
  2021-04-27 13:56     ` [dpdk-dev] [PATCH v3 2/2] mbuf: better document usage of packet pool initializers Olivier Matz
@ 2021-04-27 14:22       ` Aaron Conole
  0 siblings, 0 replies; 12+ messages in thread
From: Aaron Conole @ 2021-04-27 14:22 UTC (permalink / raw)
  To: Olivier Matz
  Cc: dev, Andrew Rybchenko, Pallantla Poornima, Wenwu Ma,
	Peng Zhihong, Thomas Monjalon

Olivier Matz <olivier.matz@6wind.com> writes:

> Clarify that the mempool private initializer and object initializer used
> for packet pools require that the mempool private size is large enough.
>
> Also add an assert (only enabled when -DRTE_ENABLE_ASSERT is passed) to
> check this constraint.
>
> Signed-off-by: Olivier Matz <olivier.matz@6wind.com>
> ---

Acked-by: Aaron Conole <aconole@redhat.com>


^ permalink raw reply	[flat|nested] 12+ messages in thread

* Re: [dpdk-dev] [dpdk-stable] [PATCH v3 1/2] test/mempool: fix heap buffer overflow
  2021-04-27 13:56   ` [dpdk-dev] [PATCH v3 1/2] " Olivier Matz
  2021-04-27 13:56     ` [dpdk-dev] [PATCH v3 2/2] mbuf: better document usage of packet pool initializers Olivier Matz
@ 2021-05-04 18:07     ` Thomas Monjalon
  1 sibling, 0 replies; 12+ messages in thread
From: Thomas Monjalon @ 2021-05-04 18:07 UTC (permalink / raw)
  To: Wenwu Ma, Olivier Matz
  Cc: dev, stable, Andrew Rybchenko, Pallantla Poornima, Peng Zhihong,
	Aaron Conole

27/04/2021 15:56, Olivier Matz:
> The function rte_pktmbuf_init() expects that the mempool private area is
> large enough and was previously initialized by rte_pktmbuf_pool_init(),
> which is not the case.
> 
> This causes the function rte_pktmbuf_priv_size() to return an
> unpredictable value, and this value is used as a size in a memset.
> 
> Replace the mempool object initializer by my_obj_init(), which does not
> have this constraint, and fits the needs for this test.
> 
> Fixes: 923ceaeac140 ("test/mempool: add unit test cases")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>

Replaced with Reported-by and added Olivier's signature
to match patch authorship.

Series applied, thanks.



^ permalink raw reply	[flat|nested] 12+ messages in thread

* [dpdk-dev] [v2] test/mempool: fix heap buffer overflow
@ 2021-04-13 20:03 Wenwu Ma
  0 siblings, 0 replies; 12+ messages in thread
From: Wenwu Ma @ 2021-04-13 20:03 UTC (permalink / raw)
  To: olivier.matz, andrew.rybchenko; +Cc: dev, Wenwu Ma, stable

Amount of allocated memory was not enough for mempool
which cause buffer overflow when access fields of mempool
private structure in the rte_pktmbuf_priv_size function.

Fixes: 923ceaeac140 ("test/mempool: add unit test cases")
Cc: stable@dpdk.org

Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
v2:
- refine commit log. 
---
 app/test/test_mempool.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/test/test_mempool.c b/app/test/test_mempool.c
index 084842fda..fc06a9c6f 100644
--- a/app/test/test_mempool.c
+++ b/app/test/test_mempool.c
@@ -543,7 +543,8 @@ test_mempool(void)
 	mp_stack_mempool_iter = rte_mempool_create("test_iter_obj",
 		MEMPOOL_SIZE,
 		MEMPOOL_ELT_SIZE,
-		RTE_MEMPOOL_CACHE_MAX_SIZE, 0,
+		RTE_MEMPOOL_CACHE_MAX_SIZE,
+		sizeof(struct rte_pktmbuf_pool_private),
 		NULL, NULL,
 		my_obj_init, NULL,
 		SOCKET_ID_ANY, 0);
-- 
2.25.1


^ permalink raw reply	[flat|nested] 12+ messages in thread

end of thread, other threads:[~2021-05-04 18:07 UTC | newest]

Thread overview: 12+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-03-31 21:05 [dpdk-dev] [PATCH] test/mempool: Fix illegal pointer access in mempool test Wenwu Ma
2021-04-13 20:05 ` [dpdk-dev] [v2] test/mempool: fix heap buffer overflow Wenwu Ma
2021-04-13 11:52   ` [dpdk-dev] [dpdk-stable] " Thomas Monjalon
2021-04-15  6:45     ` Olivier Matz
2021-04-15 12:51       ` Aaron Conole
2021-04-16  7:20         ` Olivier Matz
2021-04-27 13:56   ` [dpdk-dev] [PATCH v3 1/2] " Olivier Matz
2021-04-27 13:56     ` [dpdk-dev] [PATCH v3 2/2] mbuf: better document usage of packet pool initializers Olivier Matz
2021-04-27 14:22       ` Aaron Conole
2021-05-04 18:07     ` [dpdk-dev] [dpdk-stable] [PATCH v3 1/2] test/mempool: fix heap buffer overflow Thomas Monjalon
2021-04-15  2:04 ` [dpdk-dev] [PATCH] test/mempool: Fix illegal pointer access in mempool test Peng, ZhihongX
2021-04-13 20:03 [dpdk-dev] [v2] test/mempool: fix heap buffer overflow Wenwu Ma

DPDK patches and discussions

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://inbox.dpdk.org/dev/0 dev/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 dev dev/ https://inbox.dpdk.org/dev \
		dev@dpdk.org
	public-inbox-index dev

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.dev


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git