| Bug ID | 1665 |
|---|---|
| Summary | __rte_trace_mem_get causing out of bounds write |
| Product | DPDK |
| Version | 24.11 |
| Hardware | All |
| OS | All |
| Status | UNCONFIRMED |
| Severity | normal |
| Priority | Normal |
| Component | other |
| Assignee | dev@dpdk.org |
| Reporter | oleksandrn@interfacemasters.com |
| Target Milestone | --- |
When almost out of trace memory, __rte_trace_mem_get can write out of bounds. It happens in my case if I have trace events of sizes that are not aligned to __RTE_TRACE_EVENT_HEADER_SZ. like 27,33 etc. I suspect that the issue is with the incorrect bounds check in __rte_trace_mem_get. > uint32_t offset = trace->offset; > if (unlikely((offset + sz) >= trace->len)) { // assume condition is false, > and offset is not aligned > ...} > offset = RTE_ALIGN_CEIL(offset, __RTE_TRACE_EVENT_HEADER_SZ); // after > offset alignment offset + size might be bigger than trace->len > void *mem = RTE_PTR_ADD(&trace->mem[0], offset); // returning memory chunk > that is smaller than requested size For example: offset = 21, len = 32, size = 9 -> offset + size is smaller than len align offset to __RTE_TRACE_EVENT_HEADER_SZ -> offset = 24 offset + size is bigger than len.