From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 8305B41BDD;
	Sun,  5 Feb 2023 20:49:26 +0100 (CET)
Received: from mails.dpdk.org (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 0E17340A7D;
	Sun,  5 Feb 2023 20:49:26 +0100 (CET)
Received: from mail-pj1-f51.google.com (mail-pj1-f51.google.com
 [209.85.216.51]) by mails.dpdk.org (Postfix) with ESMTP id 2B35F40041
 for <dev@dpdk.org>; Sun,  5 Feb 2023 20:49:24 +0100 (CET)
Received: by mail-pj1-f51.google.com with SMTP id
 rm7-20020a17090b3ec700b0022c05558d22so9369841pjb.5
 for <dev@dpdk.org>; Sun, 05 Feb 2023 11:49:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=networkplumber-org.20210112.gappssmtp.com; s=20210112;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:subject:cc:to:from:date:from:to:cc:subject:date
 :message-id:reply-to;
 bh=n3g2D7GhSDqba1QBHul1myc0j/qCtfwmqGlgk1I/xfo=;
 b=5k9EaenhAXPX0GrFToFIPlDR79ifPcde/8gg6BJc/LKA9KmseLjJd+XqauzLGzqtnm
 Dh0PTfCbDschDIqSESTQIbHr4/IPmglxJjjCb1Z8u0WMWHx9AxDu3ZObTFdScT1B6KmC
 2Rthqjy9WAnMlWVXZ4ppRuVbHLp8PFNVrm7hieKjChe2LrT6U7+wBsFtH92MmwsCGV7w
 Kxsin6s1+mIwrX4GdxbetwMaVcCAO2F6i+mv/iLxz69uBCejf4wtwEWzx7ENmrvwuH/i
 eUANmfZyeY+1cUWPFPjfr8o5Eah98oIEhiExgTjQ2rd+YxRyj1jOMBylNfku1nKFa0Ew
 5cbg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20210112;
 h=content-transfer-encoding:mime-version:references:in-reply-to
 :message-id:subject:cc:to:from:date:x-gm-message-state:from:to:cc
 :subject:date:message-id:reply-to;
 bh=n3g2D7GhSDqba1QBHul1myc0j/qCtfwmqGlgk1I/xfo=;
 b=10L5rypFzx6a7Ze3igzpLdGrGx2oP3jdxhheWaq/DHZp9dP9zsiL7mInFRO0ntxz87
 9GcejxbjnD1A5AwtglURDN1hgKRfseqy/WmQLPFLtyuboVQZ7PS9I2+xJ4XDVEvtk5JT
 Idf5rxhdDUiKW/7KjKq2MeKCicJYrGdTYxhMHTtGVth6FbmMQupU3q41SP4z7nAs0UrD
 LgY0wmAyUiZEh2+BO6PCoKaQNfBuc/nIFXrgM3zkeIWptYzlT5QOp9JV+7wRXG8sAzY4
 pV0ewt8vOeyJLIpGJIbnZRutkVRDyKGDQgf/lTB9ONDMOvGNgJa4749BNQ+ERMVbL5BC
 2FkQ==
X-Gm-Message-State: AO0yUKXSbT5VKy/fyMUPB8nlNFJhHHZ1WEa8bVy73dh4iFy2IWPn/as5
 MBuneY28/WoY8MpZLdV6BHhgZQ==
X-Google-Smtp-Source: AK7set9PIALNRx29lhQ8i8cILKFjBLwM9Fp7espOjba/aQQwp89vM7B3CdKhx01ivQBvTbwPvdtfpA==
X-Received: by 2002:a17:902:c611:b0:196:5839:b374 with SMTP id
 r17-20020a170902c61100b001965839b374mr13224110plr.9.1675626563139; 
 Sun, 05 Feb 2023 11:49:23 -0800 (PST)
Received: from hermes.local (204-195-120-218.wavecable.com. [204.195.120.218])
 by smtp.gmail.com with ESMTPSA id
 jc5-20020a17090325c500b00194afb5a3ebsm1502629plb.21.2023.02.05.11.49.22
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Sun, 05 Feb 2023 11:49:22 -0800 (PST)
Date: Sun, 5 Feb 2023 11:49:21 -0800
From: Stephen Hemminger <stephen@networkplumber.org>
To: Isaac Boukris <iboukris@gmail.com>
Cc: dev@dpdk.org
Subject: Re: BUG: AddressSanitizer reports a buffer-overflow on rte_hash_lookup
Message-ID: <20230205114921.605de31a@hermes.local>
In-Reply-To: <CAC-fF8Qt6ExgN4zM7NeOGTHPvWk5xykWTYzEPKYm3tsYwj7EAg@mail.gmail.com>
References: <CAC-fF8Qt6ExgN4zM7NeOGTHPvWk5xykWTYzEPKYm3tsYwj7EAg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org

On Sun, 5 Feb 2023 18:54:20 +0200
Isaac Boukris <iboukris@gmail.com> wrote:

> Hi,
> 
> I managed to reproduce it by modifying the helloworld app (see
> attached). The report seems correct, as in the case of a 10-byte key the code
> tries to look at the key as uint32 array and access k[2] which is two
> bytes over, see:
> https://github.com/DPDK/dpdk/blob/0bf5832222971a0154c9150d4a7a4b82ecbc9ddb/lib/hash/rte_jhash.h#L118
> 
> $ sudo build/helloworld --iova-mode=pa
> EAL: Detected CPU lcores: 8
> EAL: Detected NUMA nodes: 1
> EAL: Detected static linkage of DPDK
> EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
> EAL: Selected IOVA mode 'PA'
> EAL: VFIO support initialized
> EAL: Using IOMMU type 1 (Type 1)
> EAL: Ignore mapping IO port bar(3)
> EAL: Probe PCI driver: net_vmxnet3 (15ad:7b0) device: 0000:0b:00.0 (socket -1)
> =================================================================
> ==21410==ERROR: AddressSanitizer: global-buffer-overflow on address
> 0x0000024fe428 at pc 0x000001293b0b bp 0x7fff126ef2d0 sp
> 0x7fff126ef2c0
> READ of size 4 at 0x0000024fe428 thread T0
>     #0 0x1293b0a in __rte_jhash_2hashes
> (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x1293b0a)
>     #1 0x12953bf in rte_jhash_2hashes
> (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x12953bf)
>     #2 0x12954c8 in rte_jhash
> (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x12954c8)
>     #3 0x1bd7168 in rte_hash_lookup
> (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x1bd7168)
>     #4 0x1295600 in main
> (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x1295600)
>     #5 0x7fe8fffbbd84 in __libc_start_main (/lib64/libc.so.6+0x3ad84)
>     #6 0x129356d in _start
> (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x129356d)
> 
> 0x0000024fe42a is located 0 bytes to the right of global variable
> 'hash_key' defined in 'main.c:34:13' (0x24fe420) of size 10
> SUMMARY: AddressSanitizer: global-buffer-overflow
> (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x1293b0a)
> in __rte_jhash_2hashes

This code is using the common optimization of doing a full 32 bit access
and masking the result. This will read past the end of the passed input
but ignore the extra bytes. It won't be a problem unless the application
goes out of its way to put a hash key value at the end of a mapped
region.
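
A small stand-alone illustration of the two points in this thread (added example, not DPDK's code; rte_jhash.h remains the reference): `tail_word_masked` reproduces the "load a full 32-bit word and mask off the bytes past the key" pattern, `tail_word_safe` produces the same word without reading beyond the key, and `key_slack_bytes` gives the padding an application would add so that a 10-byte key never sits at the very end of a mapping. All function names and the 10-byte `demo_key` are constructed for the example; the mask is built in memory order so the comparison holds on either byte order.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fast-path style (the pattern the ASan report fired on): read one full
 * 32-bit word at p and keep only the first `remaining` bytes (1..3).
 * This touches 4 - remaining bytes past the key, so it is only safe
 * when the caller guarantees those bytes are mapped and readable. */
static uint32_t tail_word_masked(const uint8_t *p, size_t remaining)
{
    uint32_t w, mask;
    uint8_t mbytes[4] = {0};

    memcpy(&w, p, sizeof(w));          /* full word, may run past the key end */
    memset(mbytes, 0xff, remaining);   /* ones in the first `remaining` bytes */
    memcpy(&mask, mbytes, sizeof(mask)); /* mask in memory order, endian-neutral */
    return w & mask;
}

/* Bounds-safe alternative: copy only the bytes that exist into a zeroed
 * word. Same value as the masked read, no over-read, and ASan stays
 * quiet on a key buffer of exactly `len` bytes. */
static uint32_t tail_word_safe(const uint8_t *p, size_t remaining)
{
    uint32_t w = 0;
    memcpy(&w, p, remaining);
    return w;
}

/* Caller-side mitigation matching the observation above: the over-read
 * only matters when the bytes after the key are unmapped, so keep keys
 * in a buffer rounded up to a multiple of 4 bytes. */
#define KEY_PAD_LEN(len) ((((len) + 3u) / 4u) * 4u)

static size_t key_slack_bytes(size_t len)
{
    return KEY_PAD_LEN(len) - len;   /* 10 -> 2, 12 -> 0 */
}

/* Constructed 10-byte key, like the one in the report: words 0 and 1 are
 * consumed whole, word 2 has only 2 valid bytes. */
static const uint8_t demo_key[10] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10 };

/* Tail word of demo_key via the safe path, reading bytes 8..9 only. */
static uint32_t demo_tail_safe(void)
{
    return tail_word_safe(demo_key + 8, sizeof(demo_key) % 4);
}

/* Tail word via the masked path, but on a padded copy so the over-read
 * stays inside memory we own. Non-zero filler shows the mask is what
 * makes the two results agree. */
static uint32_t demo_tail_masked_padded(void)
{
    uint8_t padded[KEY_PAD_LEN(sizeof(demo_key))];

    memset(padded, 0xa5, sizeof(padded));
    memcpy(padded, demo_key, sizeof(demo_key));
    return tail_word_masked(padded + 8, sizeof(demo_key) % 4);
}

int main(void)
{
    printf("slack for a 10-byte key: %zu byte(s)\n", key_slack_bytes(10));
    printf("safe tail   = 0x%08x\n", demo_tail_safe());
    printf("masked tail = 0x%08x\n", demo_tail_masked_padded());
    return demo_tail_safe() == demo_tail_masked_padded() ? 0 : 1;
}
```

Building this with `-fsanitize=address` is the useful experiment: calling `tail_word_masked` directly on `demo_key + 8` trips the same global-buffer-overflow the report shows, while `demo_tail_safe` and the padded variant do not.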