DPDK patches and discussions
 help / color / mirror / Atom feed
* [Bug 1000] memory access overflow in skeleton_rawdev
@ 2022-04-22  9:14 bugzilla
  2022-10-04 19:12 ` bugzilla
  0 siblings, 1 reply; 2+ messages in thread
From: bugzilla @ 2022-04-22  9:14 UTC (permalink / raw)
  To: dev

https://bugs.dpdk.org/show_bug.cgi?id=1000

            Bug ID: 1000
           Summary: memory access overflow in skeleton_rawdev
           Product: DPDK
           Version: 21.11
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: core
          Assignee: dev@dpdk.org
          Reporter: yonghaoz1994@gmail.com
  Target Milestone: ---

Hi all,

In function "skeleton_rawdev_enqueue_bugs", the variable "q_id" is "uint16_t",
but we convert the variable "context" to (int*), which may cause memory access
overflow.

See the following ASan report:

==3042499==ERROR: AddressSanitizer: stack-buffer-overflow on address
0xffffdd8d6700 at pc 0x000010c57c80 bp 0xffffdd8d6600 sp 0xffffdd8d65f8        
                                                                               
                                                   READ of size 4 at
0xffffdd8d6700 thread T0
/usr/local/bin/llvm-symbolizer: /usr/lib64/libtinfo.so.5: no version
information available (required by /usr/local/bin/llvm-symbolizer)             
                                                                               
                                                       #0 0x10c57c7c in
skeleton_rawdev_enqueue_bufs
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev.c:424:9
                                                                               
                                                             #1 0x1d74dbc in
rte_rawdev_enqueue_buffers
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/rawdev/rte_rawdev.c:233:9  
                                                                               
                                                                             #2
0x10c5fb38 in test_rawdev_enqdeq
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:382:8
                                                                               
                                                                  #3 0x10c5ac30
in skeldev_test_run
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:425:9
                                                                               
                                                                    #4
0x10c5a3bc in test_rawdev_skeldev
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:460:2
                                                                               
                                                                 #5 0x1d77668
in rte_rawdev_selftest
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/rawdev/rte_rawdev.c:388:9  
                                                                               
                                                                               
    #6 0xa3ccc8 in test_rawdev_selftest_impl
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test_rawdev.c:21:8    
                                                                               
                                                                              
#7 0xa3cb08 in test_rawdev_selftest_skeleton
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test_rawdev.c:29:9    
                                                                               
                                                                           #8
0xa3c7f4 in test_rawdev_selftests
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test_rawdev.c:40:6    
                                                                               
                                                                               
   #9 0x4c6ec8 in cmd_autotest_parsed
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/commands.c:70:10      
                                                                               
                                                                               
     #10 0x207ef14 in cmdline_parse
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline_parse.c:290:3
                                                                               
                                                                               
       #11 0x2074fbc in cmdline_valid_buffer
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline.c:26:8     
                                                                               
                                                                               
  #12 0x208fef4 in rdline_char_in
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline_rdline.c:446:5
                                                                               
                                                                               
     #13 0x2075d50 in cmdline_in
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline.c:148:9    
                                                                               
                                                                               
            #14 0x4d4e54 in main
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test.c:214:8          
                                                                               
                                                                               
                   #15 0xffff9caeaff8  (/usr/lib64/libc.so.6+0x2aff8)
    #16 0xffff9caeb0c4 in __libc_start_main (/usr/lib64/libc.so.6+0x2b0c4)
    #17 0x4296ac in _start
(/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/app/test/dpdk-test+0x4296ac)

Address 0xffffdd8d6700 is located in stack of thread T0 at offset 32 in frame  
                                                                               
                                                                               
                                            #0 0x10c5f75c in test_rawdev_enqdeq
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:369

  This frame has 3 object(s):
    [32, 34) 'queue_id' (line 372) <== Memory access at offset 32 partially
overflows this variable                                                        
                                                                               
                                                [48, 56) 'buffers' (line 373)
    [80, 88) 'deq_buffers' (line 374)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork                                         
                                                                               
                                                    (longjmp and C++ exceptions
*are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev.c:424:9
in skeleton_rawdev_enqueue_bufs

-- 
You are receiving this mail because:
You are the assignee for the bug.

^ permalink raw reply	[flat|nested] 2+ messages in thread

* [Bug 1000] memory access overflow in skeleton_rawdev
  2022-04-22  9:14 [Bug 1000] memory access overflow in skeleton_rawdev bugzilla
@ 2022-10-04 19:12 ` bugzilla
  0 siblings, 0 replies; 2+ messages in thread
From: bugzilla @ 2022-10-04 19:12 UTC (permalink / raw)
  To: dev

https://bugs.dpdk.org/show_bug.cgi?id=1000

David Marchand (david.marchand@redhat.com) changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |DUPLICATE
                 CC|                            |david.marchand@redhat.com

--- Comment #1 from David Marchand (david.marchand@redhat.com) ---
Closing as same report has been opened under bz #999.

*** This bug has been marked as a duplicate of bug 999 ***

-- 
You are receiving this mail because:
You are the assignee for the bug.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2022-10-04 19:12 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-04-22  9:14 [Bug 1000] memory access overflow in skeleton_rawdev bugzilla
2022-10-04 19:12 ` bugzilla

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).