From: "Zhao1, Wei"
To: "dev@dpdk.org"
CC: "stable@dpdk.org", "Xing, Beilei", "Guo, Jia"
Date: Fri, 15 May 2020 02:24:42 +0000
Subject: Re: [dpdk-dev] [PATCH] net/i40e: fix the security risk of wild pointer operation
References: <20200512151915.105152-1-wei.zhao1@intel.com>
In-Reply-To: <20200512151915.105152-1-wei.zhao1@intel.com>

Can anyone review this patch? Thanks!

> -----Original Message-----
> From: Zhao1, Wei
> Sent: Tuesday, May 12, 2020 11:19 PM
> To: dev@dpdk.org
> Cc: stable@dpdk.org; Xing, Beilei; Zhao1, Wei
> Subject: [PATCH] net/i40e: fix the security risk of wild pointer operation
>
> In i40e PMD code of function i40e_res_pool_free(), if valid_entry is freed by
> "rte_free(valid_entry);" in the following code:
>
> if (prev != NULL) {
>     ........................
>
>     if (insert == 1) {
>         LIST_REMOVE(valid_entry, next);
>         rte_free(valid_entry);
>     } else {
>         rte_free(valid_entry);
>         insert = 1;
>     }
> }
>
> then the following code for pool update may still use the wild pointer
> "valid_entry":
>
> " pool->num_free += valid_entry->len;
> pool->num_alloc -= valid_entry->len;
> "
> it seems to be a security bug, we should avoid this risk.
>
> Cc: stable@dpdk.org
> Fixes: 4861cde46116 ("i40e: new poll mode driver")
>
> Signed-off-by: Wei Zhao
> --- > drivers/net/i40e/i40e_ethdev.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) >=20 > diff --git a/drivers/net/i40e/i40e_ethdev.c b/drivers/net/i40e/i40e_ethde= v.c > index 749d85f54..7f8ea5309 100644 > --- a/drivers/net/i40e/i40e_ethdev.c > +++ b/drivers/net/i40e/i40e_ethdev.c
> @@ -4973,6 +4973,9 @@ i40e_res_pool_free(struct i40e_res_pool_info > *pool, > } >=20 > insert =3D 0; > + pool->num_free +=3D valid_entry->len; > + pool->num_alloc -=3D valid_entry->len; > + > /* Try to merge with next one*/ > if (next !=3D NULL) { > /* Merge with next one */ > @@ -5010,9 +5013,6 @@ i40e_res_pool_free(struct i40e_res_pool_info > *pool, > LIST_INSERT_HEAD(&pool->free_list, valid_entry, next); > } >=20 > - pool->num_free +=3D valid_entry->len; > - pool->num_alloc -=3D valid_entry->len; > - > return 0; > } >=20 > -- > 2.17.1
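
Review bot: the two accounting lines added after "insert = 0;" in the first hunk are only safe because they now run before the merge code can call rte_free(valid_entry), and nothing in the code records that ordering requirement. Add a short comment above them saying the counters must be updated before the merge, or read valid_entry->len into a local once and use the local for both updates, so a later reorder cannot bring back the use after free described in the commit message.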
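
Review bot: in the second hunk the context line "LIST_INSERT_HEAD(&pool->free_list, valid_entry, next);" still takes valid_entry after the merge blocks, so the pointer stays live to the end of the function even on paths where the commit message shows it being freed. Please confirm that this insert is reachable only when no merge has freed the entry, and consider setting valid_entry to NULL right after each rte_free(valid_entry) so any remaining dereference faults immediately instead of touching freed memory.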