From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 2DC5B45524 for ; Fri, 28 Jun 2024 21:45:38 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 2782C41109; Fri, 28 Jun 2024 21:45:38 +0200 (CEST) Received: from mail-wm1-f54.google.com (mail-wm1-f54.google.com [209.85.128.54]) by mails.dpdk.org (Postfix) with ESMTP id C9114410F1 for ; Fri, 28 Jun 2024 21:45:36 +0200 (CEST) Received: by mail-wm1-f54.google.com with SMTP id 5b1f17b1804b1-421f4d1c057so7411695e9.3 for ; Fri, 28 Jun 2024 12:45:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1719603936; x=1720208736; darn=dpdk.org; h=subject:from:cc:to:user-agent:mime-version:date:message-id:from:to :cc:subject:date:message-id:reply-to; bh=uDcS1OuE35goMVpXU6chXR9UusmplNYV06qlGrYRD2c=; b=CW1oumq8NNHUeSbd5WvttogbKnpLimEbYKirP+NM40C0slK4XMONwIaYu9xbG6cX7Z D8RUhRwpEQdoWeTUus9cg/na/scf22yfgytok2IYStbDeLFyMWF/tq3ewiZljpopEKHl W5bBC7+R+5aZwebOugsOYgnmxD059nlsGgH40= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719603936; x=1720208736; h=subject:from:cc:to:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=uDcS1OuE35goMVpXU6chXR9UusmplNYV06qlGrYRD2c=; b=CqOJW5NIidOojjLXZPFCO++SwAC0oDbTmoZua8IcOprNg9UpcJa6DixTlfKDqbJLRr UtoxREf4Y2FsjltrC609htzJHMULahWGW3gqKcxebFb0xpZypPrzAhWQ2JQJA6FRayJh 8oFZdVshDdr4x/+nDr1wknB9uka6GEUEeCD7kVz3e/6byi9FiDkLT9ID2ZWzeMUoOpWj 5cX6BhtA+yiaGD0oQauMQkbF35kwDN4KcRUFvY+8/dQtNo2ESfU3eWIVRyBTotbDwOvj Wn/+uIKQLeW0sKhnxtlCamIAdKXWL6HT9v1aaDqruvF5iRF7JcTjRa7g6W1bzoL5vFQb cjKA== X-Forwarded-Encrypted: i=1; AJvYcCULP7Q3UFPP5ig1a7v/UwQaZOeor5fGl2bzYItvZoZU4EoHwD2z/AH6fhEYfrj8esyzQ4arOEk2Dossfe0kmrc= X-Gm-Message-State: AOJu0YzHZgujM6PMTP8N6JqbMf+BOIQW9HbSsUcTl78fuiRJPU/9t5ys WuoWaEppLiLdtnA7vusGmL9TPbCSJ5GGc3iyBN1w78AK4WVNrH271GG/wpS0vQ8glrCue/9SZsP w3aifUHIKEnoXfRCMmkGrYC5ttRchGRTP7Q== X-Google-Smtp-Source: AGHT+IEz82BL7XZdC62VWtVM+GEU+UBsavQIgJG+OL60nYELdd6o456oVE9i6AmEzolH7E+UkPAy2w== X-Received: by 2002:a05:6000:18a1:b0:366:ee9b:847 with SMTP id ffacd0b85a97d-366ee9b09a1mr14647256f8f.14.1719603936374; Fri, 28 Jun 2024 12:45:36 -0700 (PDT) Received: from [192.168.0.8] ([92.81.76.237]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4256b09a828sm48695915e9.37.2024.06.28.12.45.34 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 28 Jun 2024 12:45:35 -0700 (PDT) Message-ID: <102781f4-e82c-4780-acb5-fad92fb2c30b@broadcom.com> Date: Fri, 28 Jun 2024 22:45:32 +0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: Jakub Grajciar , Ferruh Yigit Cc: dev@dpdk.org, Mihai Brodschi , stable@dpdk.org From: Mihai Brodschi Subject: [PATCH] net/memif: fix buffer overflow in zero copy Rx Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="000000000000cda514061bf87db7" X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org --000000000000cda514061bf87db7 Content-Language: en-US Content-Type: text/plain; charset="UTF-8"; format=flowed rte_pktmbuf_alloc_bulk is called by the zero-copy receiver to allocate new mbufs to be provided to the sender. The allocated mbuf pointers are stored in a ring, but the alloc function doesn't implement index wrap-around, so it writes past the end of the array. This results in memory corruption and duplicate mbufs being received. Allocate 2x the space for the mbuf ring, so that the alloc function has a contiguous array to write to, then copy the excess entries to the start of the array. Fixes: 43b815d88188 ("net/memif: support zero-copy slave") Cc: stable@dpdk.org Signed-off-by: Mihai Brodschi --- drivers/net/memif/rte_eth_memif.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/net/memif/rte_eth_memif.c b/drivers/net/memif/rte_eth_memif.c index 16da22b5c6..3491c53cf1 100644 --- a/drivers/net/memif/rte_eth_memif.c +++ b/drivers/net/memif/rte_eth_memif.c @@ -600,6 +600,10 @@ eth_memif_rx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) ret = rte_pktmbuf_alloc_bulk(mq->mempool, &mq->buffers[head & mask], n_slots); if (unlikely(ret < 0)) goto no_free_mbufs; + if (unlikely(n_slots > ring_size - (head & mask))) { + rte_memcpy(mq->buffers, &mq->buffers[ring_size], + (n_slots + (head & mask) - ring_size) * sizeof(struct rte_mbuf *)); + } while (n_slots--) { s0 = head++ & mask; @@ -1245,8 +1249,12 @@ memif_init_queues(struct rte_eth_dev *dev) } mq->buffers = NULL; if (pmd->flags & ETH_MEMIF_FLAG_ZERO_COPY) { + /* + * Allocate 2x ring_size to reserve a contiguous array for + * rte_pktmbuf_alloc_bulk (to store allocated mbufs). + */ mq->buffers = rte_zmalloc("bufs", sizeof(struct rte_mbuf *) * - (1 << mq->log2_ring_size), 0); + (1 << (mq->log2_ring_size + 1)), 0); if (mq->buffers == NULL) return -ENOMEM; } -- 2.43.0 -- This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it. --000000000000cda514061bf87db7 Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIQcwYJKoZIhvcNAQcCoIIQZDCCEGACAQExDzANBglghkgBZQMEAgEFADALBgkqhkiG9w0BBwGg gg3KMIIFDTCCA/WgAwIBAgIQeEqpED+lv77edQixNJMdADANBgkqhkiG9w0BAQsFADBMMSAwHgYD VQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UE AxMKR2xvYmFsU2lnbjAeFw0yMDA5MTYwMDAwMDBaFw0yODA5MTYwMDAwMDBaMFsxCzAJBgNVBAYT AkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTEwLwYDVQQDEyhHbG9iYWxTaWduIEdDQyBS MyBQZXJzb25hbFNpZ24gMiBDQSAyMDIwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA vbCmXCcsbZ/a0fRIQMBxp4gJnnyeneFYpEtNydrZZ+GeKSMdHiDgXD1UnRSIudKo+moQ6YlCOu4t rVWO/EiXfYnK7zeop26ry1RpKtogB7/O115zultAz64ydQYLe+a1e/czkALg3sgTcOOcFZTXk38e aqsXsipoX1vsNurqPtnC27TWsA7pk4uKXscFjkeUE8JZu9BDKaswZygxBOPBQBwrA5+20Wxlk6k1 e6EKaaNaNZUy30q3ArEf30ZDpXyfCtiXnupjSK8WU2cK4qsEtj09JS4+mhi0CTCrCnXAzum3tgcH cHRg0prcSzzEUDQWoFxyuqwiwhHu3sPQNmFOMwIDAQABo4IB2jCCAdYwDgYDVR0PAQH/BAQDAgGG MGAGA1UdJQRZMFcGCCsGAQUFBwMCBggrBgEFBQcDBAYKKwYBBAGCNxQCAgYKKwYBBAGCNwoDBAYJ KwYBBAGCNxUGBgorBgEEAYI3CgMMBggrBgEFBQcDBwYIKwYBBQUHAxEwEgYDVR0TAQH/BAgwBgEB /wIBADAdBgNVHQ4EFgQUljPR5lgXWzR1ioFWZNW+SN6hj88wHwYDVR0jBBgwFoAUj/BLf6guRSSu TVD6Y5qL3uLdG7wwegYIKwYBBQUHAQEEbjBsMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9i YWxzaWduLmNvbS9yb290cjMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5j b20vY2FjZXJ0L3Jvb3QtcjMuY3J0MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFs c2lnbi5jb20vcm9vdC1yMy5jcmwwWgYDVR0gBFMwUTALBgkrBgEEAaAyASgwQgYKKwYBBAGgMgEo CjA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAN BgkqhkiG9w0BAQsFAAOCAQEAdAXk/XCnDeAOd9nNEUvWPxblOQ/5o/q6OIeTYvoEvUUi2qHUOtbf jBGdTptFsXXe4RgjVF9b6DuizgYfy+cILmvi5hfk3Iq8MAZsgtW+A/otQsJvK2wRatLE61RbzkX8 9/OXEZ1zT7t/q2RiJqzpvV8NChxIj+P7WTtepPm9AIj0Keue+gS2qvzAZAY34ZZeRHgA7g5O4TPJ /oTd+4rgiU++wLDlcZYd/slFkaT3xg4qWDepEMjT4T1qFOQIL+ijUArYS4owpPg9NISTKa1qqKWJ jFoyms0d0GwOniIIbBvhI2MJ7BSY9MYtWVT5jJO3tsVHwj4cp92CSFuGwunFMzCCA18wggJHoAMC AQICCwQAAAAAASFYUwiiMA0GCSqGSIb3DQEBCwUAMEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9v dCBDQSAtIFIzMRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTA5 MDMxODEwMDAwMFoXDTI5MDMxODEwMDAwMFowTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENB IC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMJXaQeQZ4Ihb1wIO2hMoonv0FdhHFrYhy/EYCQ8eyip0E XyTLLkvhYIJG4VKrDIFHcGzdZNHr9SyjD4I9DCuul9e2FIYQebs7E4B3jAjhSdJqYi8fXvqWaN+J J5U4nwbXPsnLJlkNc96wyOkmDoMVxu9bi9IEYMpJpij2aTv2y8gokeWdimFXN6x0FNx04Druci8u nPvQu7/1PQDhBjPogiuuU6Y6FnOM3UEOIDrAtKeh6bJPkC4yYOlXy7kEkmho5TgmYHWyn3f/kRTv riBJ/K1AFUjRAjFhGV64l++td7dkmnq/X8ET75ti+w1s4FRpFqkD2m7pg5NxdsZphYIXAgMBAAGj QjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSP8Et/qC5FJK5N UPpjmove4t0bvDANBgkqhkiG9w0BAQsFAAOCAQEAS0DbwFCq/sgM7/eWVEVJu5YACUGssxOGhigH M8pr5nS5ugAtrqQK0/Xx8Q+Kv3NnSoPHRHt44K9ubG8DKY4zOUXDjuS5V2yq/BKW7FPGLeQkbLmU Y/vcU2hnVj6DuM81IcPJaP7O2sJTqsyQiunwXUaMld16WCgaLx3ezQA3QY/tRG3XUyiXfvNnBB4V 14qWtNPeTCekTBtzc3b0F5nCH3oO4y0IrQocLP88q1UOD5F+NuvDV0m+4S4tfGCLw0FREyOdzvcy a5QBqJnnLDMfOjsl0oZAzjsshnjJYS8Uuu7bVW/fhO4FCU29KNhyztNiUGUe65KXgzHZs7XKR1g/ XzCCBVIwggQ6oAMCAQICDHbaeqlxkxwG0oD4oTANBgkqhkiG9w0BAQsFADBbMQswCQYDVQQGEwJC RTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTExMC8GA1UEAxMoR2xvYmFsU2lnbiBHQ0MgUjMg UGVyc29uYWxTaWduIDIgQ0EgMjAyMDAeFw0yMjExMTQxMTQ3MjRaFw0yNTExMTQxMTQ3MjRaMIGS MQswCQYDVQQGEwJJTjESMBAGA1UECBMJS2FybmF0YWthMRIwEAYDVQQHEwlCYW5nYWxvcmUxFjAU BgNVBAoTDUJyb2FkY29tIEluYy4xFzAVBgNVBAMTDk1paGFpIEJyb2RzY2hpMSowKAYJKoZIhvcN AQkBFhttaWhhaS5icm9kc2NoaUBicm9hZGNvbS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQDKeSQ6fd3ArZpB+9ObkhCvLHNKaI4Zarn0m98M/IZYwHIXVxxLVn0g9I8RbzaUa6GZ k6TzMA22mdd6Sy/mnwJHOy7pNVd/2MBVwIkhNYL+5CwdBjBanvOOLh9FBl8QzKhifV7xYDMWJQJD Mr+QIRdtZOKkm9i0sRs9bwF2Rxbvnxj2EwgBSPe4FVpHEx4Is25hBIOZcEIvZTVoZgisovq6vB5I ERa8kmgfcp8zNafingkraXyOhds+xUiXbrZOthVlXg3ijylyQ50+iCWICS3qWXOw1tJXqTZUGgB/ PmiSLVSsz9RLsdo8tAV035w8AbZbKyFKl7mQzcIIE/9Zbk/PAgMBAAGjggHcMIIB2DAOBgNVHQ8B Af8EBAMCBaAwgaMGCCsGAQUFBwEBBIGWMIGTME4GCCsGAQUFBzAChkJodHRwOi8vc2VjdXJlLmds b2JhbHNpZ24uY29tL2NhY2VydC9nc2djY3IzcGVyc29uYWxzaWduMmNhMjAyMC5jcnQwQQYIKwYB BQUHMAGGNWh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29tL2dzZ2NjcjNwZXJzb25hbHNpZ24yY2Ey MDIwME0GA1UdIARGMEQwQgYKKwYBBAGgMgEoCjA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5n bG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAJBgNVHRMEAjAAMEkGA1UdHwRCMEAwPqA8oDqGOGh0 dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3NnY2NyM3BlcnNvbmFsc2lnbjJjYTIwMjAuY3JsMCYG A1UdEQQfMB2BG21paGFpLmJyb2RzY2hpQGJyb2FkY29tLmNvbTATBgNVHSUEDDAKBggrBgEFBQcD BDAfBgNVHSMEGDAWgBSWM9HmWBdbNHWKgVZk1b5I3qGPzzAdBgNVHQ4EFgQUTKjubK5dUstAoG+s gC9E5CNgobQwDQYJKoZIhvcNAQELBQADggEBADk/H+GmVd7WyerJTClll6xJOZorGnuKIVwthtoZ sVIrdxY2sspHYC0cmnRDxpw5/18UBLwjjIgPbv2PwJMPiiS4BG5r9ykQLpsSfbBzSiaUKkEX7jdH 5ONn8aGl4W0jcGJEKHK0KHziK1SJYWRExzSFfdTwFLTEj/g3yVZQT+mB+zv8NMRAmdG8DJ4waVPi L+E3ld0mdxuSCcvvAzi7ZNBrkCWUuC/YaiMtIRuyDqYnppUEkIXHE+SMfA+dirfXGmIYfk16DAOk rnI0rl6IAv30qz/Du0BDNsHi3gsTsQMfrA5M0saDCy65Bina2ExB2ZK6YyuajQd6BDtsygsH2Uwx ggJtMIICaQIBATBrMFsxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTEw LwYDVQQDEyhHbG9iYWxTaWduIEdDQyBSMyBQZXJzb25hbFNpZ24gMiBDQSAyMDIwAgx22nqpcZMc BtKA+KEwDQYJYIZIAWUDBAIBBQCggdQwLwYJKoZIhvcNAQkEMSIEINiB95y4mnzQaYAuxmzLxbJT ut/zI+05FLamSPv3kkleMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8X DTI0MDYyODE5NDUzNlowaQYJKoZIhvcNAQkPMVwwWjALBglghkgBZQMEASowCwYJYIZIAWUDBAEW MAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzALBgkqhkiG9w0BAQowCwYJKoZIhvcNAQEHMAsGCWCG SAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQB7w+FXxV2/2Yc5vWZjIPhG29pwktDiyOqkDDMY6VJe /kdWtH0A/8litV12pfdyP7PtLxKvb7sQiLQs5F24C9Q4CuWQardeKRV3J2hzNCK4mN6zgFmiAPOi fSIj36Fr+650eIikts4wDV5qwCKXF2gDpW82n+c8/gubi0KVwHa8hffA5a2HZTG1vioOXfQ/nGF1 uL2ZObQtBAlYKVjMm6ki0mkiLaoBFduvy+Jz64Wip6mZaLpr5tI15GOrnIlWQM8xZTCG2K3YkN5h HfJNg0ApFFRnVlc/B1UEjmLj+xbejpr5R1zcthZX2PISYlk8J0U7nZROwzbYthX8VwPRk82p --000000000000cda514061bf87db7--