From: luca.boccassi@gmail.com
To: Lukasz Wojciechowski
Cc: David Hunt, dpdk stable
Date: Wed, 28 Oct 2020 10:45:43 +0000
Message-Id: <20201028104606.3504127-184-luca.boccassi@gmail.com>
Subject: [dpdk-stable] patch 'distributor: fix buffer use after free' has been queued to stable release 19.11.6

Hi,

FYI, your patch has been queued to stable release 19.11.6

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 10/30/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Thanks.

Luca Boccassi

---
>From 56cf2de232b0fb7195abfd379410845b595c9d9b Mon Sep 17 00:00:00 2001
From: Lukasz Wojciechowski Date: Sat, 17 Oct 2020 05:06:47 +0200 Subject: [PATCH] distributor: fix buffer use after free [ upstream commit 6bd951b48222caaa10a796057f617cab04f928b0 ] rte_distributor_request_pkt and rte_distributor_get_pkt dereferenced oldpkt parameter when in RTE_DIST_ALG_SINGLE even if number of returned buffers from worker to distributor was 0. This patch passes NULL to the legacy API when number of returned buffers is 0. This allows passing NULL as oldpkt parameter. Distributor tests are also updated passing NULL as oldpkt and 0 as number of returned packets, where packets are not returned. Fixes: 775003ad2f96 ("distributor: add new burst-capable library") Signed-off-by: Lukasz Wojciechowski Acked-by: David Hunt --- app/test/test_distributor.c | 28 +++++++++--------------- lib/librte_distributor/rte_distributor.c | 4 ++-- 2 files changed, 12 insertions(+), 20 deletions(-) diff --git a/app/test/test_distributor.c b/app/test/test_distributor.c index ba1f81cf8d..52230d2504 100644 --- a/app/test/test_distributor.c +++ b/app/test/test_distributor.c @@ -62,13 +62,10 @@ handle_work(void *arg) struct rte_mbuf *buf[8] __rte_cache_aligned; struct worker_params *wp = arg; struct rte_distributor *db = wp->dist; - unsigned int count = 0, num = 0; + unsigned int count = 0, num; unsigned int id = __atomic_fetch_add(&worker_idx, 1, __ATOMIC_RELAXED); - int i; - for (i = 0; i < 8; i++) - buf[i] = NULL; - num = rte_distributor_get_pkt(db, id, buf, buf, num); + num = rte_distributor_get_pkt(db, id, buf, NULL, 0); while (!quit) { __atomic_fetch_add(&worker_stats[id].handled_packets, num, __ATOMIC_RELAXED); 
@@ -272,19 +269,16 @@ handle_work_with_free_mbufs(void *arg) struct rte_distributor *d = wp->dist; unsigned int count = 0; unsigned int i; - unsigned int num = 0; + unsigned int num; unsigned int id = __atomic_fetch_add(&worker_idx, 1, __ATOMIC_RELAXED); - for (i = 0; i < 8; i++) - buf[i] = NULL; - num = rte_distributor_get_pkt(d, id, buf, buf, num); + num = rte_distributor_get_pkt(d, id, buf, NULL, 0); while (!quit) { worker_stats[id].handled_packets += num; count += num; for (i = 0; i < num; i++) rte_pktmbuf_free(buf[i]); - num = rte_distributor_get_pkt(d, - id, buf, buf, num); + num = rte_distributor_get_pkt(d, id, buf, NULL, 0); } worker_stats[id].handled_packets += num; count += num; @@ -342,14 +336,14 @@ handle_work_for_shutdown_test(void *arg) struct worker_params *wp = arg; struct rte_distributor *d = wp->dist; unsigned int count = 0; - unsigned int num = 0; + unsigned int num; unsigned int total = 0; unsigned int i; unsigned int returned = 0; const unsigned int id = __atomic_fetch_add(&worker_idx, 1, __ATOMIC_RELAXED); - num = rte_distributor_get_pkt(d, id, buf, buf, num); + num = rte_distributor_get_pkt(d, id, buf, NULL, 0); /* wait for quit single globally, or for worker zero, wait * for zero_quit */ @@ -358,8 +352,7 @@ handle_work_for_shutdown_test(void *arg) count += num; for (i = 0; i < num; i++) rte_pktmbuf_free(buf[i]); - num = rte_distributor_get_pkt(d, - id, buf, buf, num); + num = rte_distributor_get_pkt(d, id, buf, NULL, 0); total += num; } worker_stats[id].handled_packets += num; @@ -373,14 +366,13 @@ handle_work_for_shutdown_test(void *arg) while (zero_quit) usleep(100); - num = rte_distributor_get_pkt(d, - id, buf, buf, num); + num = rte_distributor_get_pkt(d, id, buf, NULL, 0); while (!quit) { worker_stats[id].handled_packets += num; count += num; rte_pktmbuf_free(pkt); - num = rte_distributor_get_pkt(d, id, buf, buf, num); + num = rte_distributor_get_pkt(d, id, buf, NULL, 0); } returned = rte_distributor_return_pkt(d, id, buf, num); 
diff --git a/lib/librte_distributor/rte_distributor.c b/lib/librte_distributor/rte_distributor.c index d6d4350a28..93c90cf543 100644 --- a/lib/librte_distributor/rte_distributor.c +++ b/lib/librte_distributor/rte_distributor.c @@ -42,7 +42,7 @@ rte_distributor_request_pkt(struct rte_distributor *d, if (unlikely(d->alg_type == RTE_DIST_ALG_SINGLE)) { rte_distributor_request_pkt_single(d->d_single, - worker_id, oldpkt[0]); + worker_id, count ? oldpkt[0] : NULL); return; } @@ -134,7 +134,7 @@ rte_distributor_get_pkt(struct rte_distributor *d, if (unlikely(d->alg_type == RTE_DIST_ALG_SINGLE)) { if (return_count <= 1) { pkts[0] = rte_distributor_get_pkt_single(d->d_single, - worker_id, oldpkt[0]); + worker_id, return_count ? oldpkt[0] : NULL); return (pkts[0]) ? 1 : 0; } else return -EINVAL; -- 2.20.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2020-10-28 10:35:17.422557693 +0000 +++ 0184-distributor-fix-buffer-use-after-free.patch 2020-10-28 10:35:11.796834322 +0000 @@ -1,8 +1,10 @@ -From 6bd951b48222caaa10a796057f617cab04f928b0 Mon Sep 17 00:00:00 2001 +From 56cf2de232b0fb7195abfd379410845b595c9d9b Mon Sep 17 00:00:00 2001 From: Lukasz Wojciechowski Date: Sat, 17 Oct 2020 05:06:47 +0200 Subject: [PATCH] distributor: fix buffer use after free +[ upstream commit 6bd951b48222caaa10a796057f617cab04f928b0 ] + rte_distributor_request_pkt and rte_distributor_get_pkt dereferenced oldpkt parameter when in RTE_DIST_ALG_SINGLE even if number of returned buffers from worker to distributor was 0. @@ -14,7 +16,6 @@ 0 as number of returned packets, where packets are not returned. Fixes: 775003ad2f96 ("distributor: add new burst-capable library") -Cc: stable@dpdk.org Signed-off-by: Lukasz Wojciechowski Acked-by: David Hunt
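
Review bot: in the app/test/test_distributor.c hunks, num remains unsigned int and is now uninitialised until the first rte_distributor_get_pkt() call, while the library hunk shows that function has a negative return path (return -EINVAL). That branch is not reachable with return_count 0, but any error return stored in an unsigned num would drive "for (i = 0; i < num; i++) rte_pktmbuf_free(buf[i]);" across buf entries that are no longer pre-set to NULL, since the "buf[i] = NULL" loops were removed. Consider declaring num as int and checking for a negative value before the free loops, or keeping the buf initialisation in the workers that free mbufs.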
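
Review bot: in the rte_distributor_request_pkt hunk of lib/librte_distributor/rte_distributor.c, the RTE_DIST_ALG_SINGLE branch guards only count == 0, so a count greater than 1 still forwards oldpkt[0] alone and returns without signalling that the remaining buffers were ignored. The rte_distributor_get_pkt hunk rejects the same situation with "if (return_count <= 1) ... else return -EINVAL". Since this function returns void in the visible lines, consider at least a debug assertion or log on count > 1 so a worker that hands back several mbufs in single mode does not silently leak them.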
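
Review bot: in the rte_distributor_get_pkt hunk, "return_count ? oldpkt[0] : NULL" makes a NULL oldpkt acceptable only when return_count is 0, but the diffstat shows no header or documentation change recording that contract. A caller passing NULL with return_count == 1 would still dereference it here. Suggest documenting in the public API comment that oldpkt may be NULL only when the count is 0, and consider an explicit "oldpkt == NULL && return_count != 0" check that returns -EINVAL on this path.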