DPDK patches and discussions
 help / color / mirror / Atom feed
From: bugzilla@dpdk.org
To: dev@dpdk.org
Subject: [DPDK/other Bug 1665] __rte_trace_mem_get causing out of bounds write
Date: Wed, 26 Feb 2025 15:19:34 +0000	[thread overview]
Message-ID: <bug-1665-3@http.bugs.dpdk.org/> (raw)

[-- Attachment #1: Type: text/plain, Size: 1463 bytes --]

https://bugs.dpdk.org/show_bug.cgi?id=1665

            Bug ID: 1665
           Summary: __rte_trace_mem_get causing out of bounds write
           Product: DPDK
           Version: 24.11
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: other
          Assignee: dev@dpdk.org
          Reporter: oleksandrn@interfacemasters.com
  Target Milestone: ---

When almost out of trace memory, __rte_trace_mem_get can write out of bounds.

It happens in my case if I have trace events of sizes that are not aligned to
__RTE_TRACE_EVENT_HEADER_SZ. like 27,33 etc.

I suspect that the issue is with the incorrect bounds check in
__rte_trace_mem_get.

>    uint32_t offset = trace->offset;
>    if (unlikely((offset + sz) >= trace->len)) { // assume condition is false,
>    and offset is not aligned
>    ...}
>    offset = RTE_ALIGN_CEIL(offset, __RTE_TRACE_EVENT_HEADER_SZ); // after
>    offset alignment offset + size might be bigger than trace->len
>    void *mem = RTE_PTR_ADD(&trace->mem[0], offset); // returning memory chunk
>    that is smaller than requested size


For example:
offset = 21, len = 32, size = 9 -> offset + size is smaller than len
align offset to __RTE_TRACE_EVENT_HEADER_SZ -> offset = 24
offset + size is bigger than len.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #2: Type: text/html, Size: 3415 bytes --]

                 reply	other threads:[~2025-02-26 15:19 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-1665-3@http.bugs.dpdk.org/ \
    --to=bugzilla@dpdk.org \
    --cc=dev@dpdk.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).