From: bugzilla@dpdk.org
To: dev@dpdk.org
Subject: [Bug 1000] memory access overflow in skeleton_rawdev
Date: Fri, 22 Apr 2022 09:14:00 +0000 [thread overview]
Message-ID: <bug-1000-3@http.bugs.dpdk.org/> (raw)
https://bugs.dpdk.org/show_bug.cgi?id=1000
Bug ID: 1000
Summary: memory access overflow in skeleton_rawdev
Product: DPDK
Version: 21.11
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: core
Assignee: dev@dpdk.org
Reporter: yonghaoz1994@gmail.com
Target Milestone: ---
Hi all,
In function "skeleton_rawdev_enqueue_bugs", the variable "q_id" is "uint16_t",
but we convert the variable "context" to (int*), which may cause memory access
overflow.
See the following ASan report:
==3042499==ERROR: AddressSanitizer: stack-buffer-overflow on address
0xffffdd8d6700 at pc 0x000010c57c80 bp 0xffffdd8d6600 sp 0xffffdd8d65f8
READ of size 4 at
0xffffdd8d6700 thread T0
/usr/local/bin/llvm-symbolizer: /usr/lib64/libtinfo.so.5: no version
information available (required by /usr/local/bin/llvm-symbolizer)
#0 0x10c57c7c in
skeleton_rawdev_enqueue_bufs
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev.c:424:9
#1 0x1d74dbc in
rte_rawdev_enqueue_buffers
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/rawdev/rte_rawdev.c:233:9
#2
0x10c5fb38 in test_rawdev_enqdeq
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:382:8
#3 0x10c5ac30
in skeldev_test_run
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:425:9
#4
0x10c5a3bc in test_rawdev_skeldev
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:460:2
#5 0x1d77668
in rte_rawdev_selftest
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/rawdev/rte_rawdev.c:388:9
#6 0xa3ccc8 in test_rawdev_selftest_impl
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test_rawdev.c:21:8
#7 0xa3cb08 in test_rawdev_selftest_skeleton
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test_rawdev.c:29:9
#8
0xa3c7f4 in test_rawdev_selftests
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test_rawdev.c:40:6
#9 0x4c6ec8 in cmd_autotest_parsed
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/commands.c:70:10
#10 0x207ef14 in cmdline_parse
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline_parse.c:290:3
#11 0x2074fbc in cmdline_valid_buffer
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline.c:26:8
#12 0x208fef4 in rdline_char_in
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline_rdline.c:446:5
#13 0x2075d50 in cmdline_in
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline.c:148:9
#14 0x4d4e54 in main
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test.c:214:8
#15 0xffff9caeaff8 (/usr/lib64/libc.so.6+0x2aff8)
#16 0xffff9caeb0c4 in __libc_start_main (/usr/lib64/libc.so.6+0x2b0c4)
#17 0x4296ac in _start
(/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/app/test/dpdk-test+0x4296ac)
Address 0xffffdd8d6700 is located in stack of thread T0 at offset 32 in frame
#0 0x10c5f75c in test_rawdev_enqdeq
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:369
This frame has 3 object(s):
[32, 34) 'queue_id' (line 372) <== Memory access at offset 32 partially
overflows this variable
[48, 56) 'buffers' (line 373)
[80, 88) 'deq_buffers' (line 374)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions
*are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev.c:424:9
in skeleton_rawdev_enqueue_bufs
--
You are receiving this mail because:
You are the assignee for the bug.
next reply other threads:[~2022-04-22 9:14 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-22 9:14 bugzilla [this message]
2022-10-04 19:12 ` bugzilla
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-1000-3@http.bugs.dpdk.org/ \
--to=bugzilla@dpdk.org \
--cc=dev@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).