From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
by inbox.dpdk.org (Postfix) with ESMTP id 535BEA0523
for <public@inbox.dpdk.org>; Thu, 2 Jul 2020 05:06:09 +0200 (CEST)
Received: from [92.243.14.124] (localhost [127.0.0.1])
by dpdk.org (Postfix) with ESMTP id F0E3E1BFC8;
Thu, 2 Jul 2020 05:06:08 +0200 (CEST)
Received: from mail-pj1-f66.google.com (mail-pj1-f66.google.com
[209.85.216.66]) by dpdk.org (Postfix) with ESMTP id 554291BFC8
for <stable@dpdk.org>; Thu, 2 Jul 2020 05:06:07 +0200 (CEST)
Received: by mail-pj1-f66.google.com with SMTP id c1so4616675pja.5
for <stable@dpdk.org>; Wed, 01 Jul 2020 20:06:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=networkplumber-org.20150623.gappssmtp.com; s=20150623;
h=from:to:cc:subject:date:message-id:mime-version
:content-transfer-encoding;
bh=kOjWDEilniWQhXfgnybN3CbeZoz0QvS33ZmGbYL1dsM=;
b=smpnRBrI9cr1TOgXDj/qC0UKm/2Q7VyR7DDIz4PyDsdNfnSdDbk3NG0pQOZcwe256J
VxJ/wGOG1Tp3CxporKfsO8IxY/bsiTfeMkjRqyRR9KRonxqOmA2stfTGJPKrc6/w+9P3
IL8oDcVAvulXcwzbxdM43szrwUkgOoJEjJEVZ6pQlT8pIxZlsvBiPxwFB95v3Uo+jziq
AGV1QTtEtVtoTqsKvfE2l4r833oNznRXRNA1CTJqg4bxVDC/ybykFBVZry1Xka4PAXQ2
DVI/s7WHMM2wzdoxUZBm4AYw5Cecvi2139P3/rL6EGF6uuaW+DRinI7+iVPmNHmKkJIt
MmfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20161025;
h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
:content-transfer-encoding;
bh=kOjWDEilniWQhXfgnybN3CbeZoz0QvS33ZmGbYL1dsM=;
b=ks5zSVwkC6H1SeypmtNk0NeYemY/nHk5Ne4pj6tOiZU4KBolye6ktq/Jc8JzSTC+K/
TbCA7i6BuxvVvveupqll9wSBaYZ6xb8Jqgm9QM4CadAvvkbgWnNj56mSw0IB3iAtebZi
2LoyK3An/nN1x/BFSfKq7d9a/ifUG41qOkn3xqRCM/m1t5+YwS0+P3YgnRy8+w1w7yal
4Y182pwKZwACK4wctlPEuqHs7sjafZ/PBY3t0MVhvhrZ6CD6XokW2v5bs8ppjPLRuCo2
e4f/qcMBl9ZI+IdS+vFkrTmTK42/GJo9vis6aWhSHnk+FXOW1M476CecowFwvZ/jp1bM
2MrA==
X-Gm-Message-State: AOAM533IYbxfsLYoGuBYojiEysY5wsTHp9F5eidtaB6P8hy6fBbXTcjf
BRrrN7xbamiaOK6Vy1E33mI3RA==
X-Google-Smtp-Source: ABdhPJz6oYuD6KAISQm1ap6+UDmvc5kMvyZ9RMLP1msrPgTU/kQFE6EJ0KUTAMlqJjdXfAdmImdWrw==
X-Received: by 2002:a17:90a:1b4a:: with SMTP id q68mr695746pjq.1.1593659166201;
Wed, 01 Jul 2020 20:06:06 -0700 (PDT)
Received: from hermes.lan (204-195-22-127.wavecable.com. [204.195.22.127])
by smtp.gmail.com with ESMTPSA id j21sm7128174pfa.133.2020.07.01.20.06.04
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Wed, 01 Jul 2020 20:06:05 -0700 (PDT)
From: Stephen Hemminger <stephen@networkplumber.org>
To: cristian.dumitrescu@intel.com
Cc: dev@dpdk.org, Stephen Hemminger <stephen@networkplumber.org>,
jacekx.piasecki@intel.com, stable@dpdk.org
Date: Wed, 1 Jul 2020 20:05:58 -0700
Message-Id: <20200702030558.17852-1-stephen@networkplumber.org>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [dpdk-stable] [PATCH] cfgfile: avoid stack buffer underflow
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
<mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
<mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org
Sender: "stable" <stable-bounces@dpdk.org>
If cfgfile is give a line with comment character at the start
of the line, it will dereference outside of the buffer.
Detected with address sanitizer:
SUMMARY: AddressSanitizer: stack-buffer-underflow lib/librte_cfgfile/rte_cfgfile.c:194 in rte_cfgfile_load_with_params
Shadow bytes around the buggy address:
0x200fff79f6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200fff79f6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200fff79f6c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200fff79f6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200fff79f6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x200fff79f6f0: 00 00 00 00 f1 f1 f1[f1]00 00 00 00 00 00 00 00
0x200fff79f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200fff79f710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x200fff79f720: 04 f2 f2 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x200fff79f730: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
0x200fff79f740: f2 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2189==ABORTING
Fixes: a6a47ac9c2c9 ("cfgfile: rework load function")
Cc: jacekx.piasecki@intel.com
CC: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
lib/librte_cfgfile/rte_cfgfile.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/librte_cfgfile/rte_cfgfile.c b/lib/librte_cfgfile/rte_cfgfile.c
index 714717dd9007..160d78826e7c 100644
--- a/lib/librte_cfgfile/rte_cfgfile.c
+++ b/lib/librte_cfgfile/rte_cfgfile.c
@@ -191,7 +191,8 @@ rte_cfgfile_load_with_params(const char *filename, int flags,
}
/* skip parsing if comment character found */
pos = memchr(buffer, params->comment_character, len);
- if (pos != NULL && (*(pos-1) != '\\')) {
+ if (pos != NULL &&
+ (pos == buffer || *(pos-1) != '\\')) {
*pos = '\0';
len = pos - buffer;
}
--
2.26.2