From: Stephen Hemminger <stephen@networkplumber.org>
To: cristian.dumitrescu@intel.com
Cc: dev@dpdk.org, Stephen Hemminger <stephen@networkplumber.org>,
 jacekx.piasecki@intel.com, stable@dpdk.org
Date: Wed,  1 Jul 2020 20:05:58 -0700
Message-Id: <20200702030558.17852-1-stephen@networkplumber.org>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Subject: [dpdk-stable] [PATCH] cfgfile: avoid stack buffer underflow
List-Id: patches for DPDK stable branches <stable.dpdk.org>

If cfgfile is given a line with a comment character at the start
of the line, it will dereference outside of the buffer.

Detected with address sanitizer:

SUMMARY: AddressSanitizer: stack-buffer-underflow lib/librte_cfgfile/rte_cfgfile.c:194 in rte_cfgfile_load_with_params
Shadow bytes around the buggy address:
  0x200fff79f6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200fff79f6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200fff79f6c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200fff79f6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200fff79f6e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x200fff79f6f0: 00 00 00 00 f1 f1 f1[f1]00 00 00 00 00 00 00 00
  0x200fff79f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200fff79f710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x200fff79f720: 04 f2 f2 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x200fff79f730: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
  0x200fff79f740: f2 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2189==ABORTING

Fixes: a6a47ac9c2c9 ("cfgfile: rework load function")
Cc: jacekx.piasecki@intel.com
CC: stable@dpdk.org
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
---
 lib/librte_cfgfile/rte_cfgfile.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/librte_cfgfile/rte_cfgfile.c b/lib/librte_cfgfile/rte_cfgfile.c
index 714717dd9007..160d78826e7c 100644
--- a/lib/librte_cfgfile/rte_cfgfile.c
+++ b/lib/librte_cfgfile/rte_cfgfile.c
@@ -191,7 +191,8 @@ rte_cfgfile_load_with_params(const char *filename, int flags,
 		}
 		/* skip parsing if comment character found */
 		pos = memchr(buffer, params->comment_character, len);
-		if (pos != NULL && (*(pos-1) != '\\')) {
+		if (pos != NULL &&
+		    (pos == buffer || *(pos-1) != '\\')) {
 			*pos = '\0';
 			len = pos -  buffer;
 		}
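Review bot: when the comment character sits in column 0 the new `pos == buffer` branch sets `len = pos - buffer`, i.e. 0, and the code after this hunk must treat that zero-length line as blank rather than as a key/value line; that path is not visible here, so please confirm it (the ASan report shows the pre-patch `*(pos-1)` read landing in the `f1` stack-left redzone, which this guard does short-circuit). A second, pre-existing limitation worth a comment: `memchr` returns only the first occurrence, so a line whose first comment character is escaped with `\\` but which carries a later unescaped one is never truncated at all. Minor style: the context line `len = pos -  buffer;` has a double space that could be tidied in the same patch.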
-- 
2.26.2
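The condition the patch changes, as an added example that is not DPDK's own code: strip_comment() mirrors the patched check, while stripped_len(), the LINE_MAX_LEN buffer size and the sample lines in main() are assumptions of this example; the comment records why the pre-patch form read one byte before the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 256 /* assumed line buffer size for this example */

/* Mirrors the patched comment check in rte_cfgfile_load_with_params():
 * 'buffer' holds 'len' bytes of one line and the first unescaped
 * comment_char truncates it. Returns the surviving length. */
size_t strip_comment(char *buffer, size_t len, char comment_char)
{
    char *pos = memchr(buffer, comment_char, len);

    /* Before the fix the condition was (pos != NULL && *(pos-1) != '\\'),
     * so a comment character in column 0 read buffer[-1], one byte into
     * the stack redzone that ASan reported as stack-buffer-underflow.
     * 'pos == buffer' is evaluated first and short-circuits that read. */
    if (pos != NULL && (pos == buffer || *(pos - 1) != '\\')) {
        *pos = '\0';
        len = pos - buffer;
    }
    return len;
}

/* Copies a NUL-terminated line into a stack buffer (like the loader's
 * fgets() buffer), strips the comment and returns the surviving length.
 * Returns (size_t)-1 if the line does not fit. */
size_t stripped_len(const char *line, char comment_char)
{
    char buffer[LINE_MAX_LEN];
    size_t len = strlen(line);

    if (len >= sizeof(buffer))
        return (size_t)-1;
    memcpy(buffer, line, len + 1);
    return strip_comment(buffer, len, comment_char);
}

int main(void)
{
    /* Constructed sample lines; '#' is the comment character. */
    const char *lines[] = { "# full-line comment", "key = value # trailing",
                            "path = C:\\#escaped", "key = value", "" };
    for (size_t i = 0; i < sizeof(lines) / sizeof(lines[0]); i++)
        printf("%-24s -> len %zu\n", lines[i], stripped_len(lines[i], '#'));
    return 0;
}
```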