From: christian.ehrhardt@canonical.com
To: Owen Hilyard
Cc: Vladimir Medvedkin, dpdk stable
Date: Tue, 10 Aug 2021 17:38:58 +0200
Message-Id: <20210810154022.749358-18-christian.ehrhardt@canonical.com>
In-Reply-To: <20210810154022.749358-1-christian.ehrhardt@canonical.com>
Subject: [dpdk-stable] patch 'rib: fix max depth IPv6 lookup' has been queued to stable release 19.11.10

Hi,

FYI, your patch has been queued to stable release 19.11.10

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 08/12/21. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs
the patch applied to the branch. This will indicate if there was any
rebasing needed to apply to the stable branch. If there were code changes
for rebasing (ie: not only metadata diffs), please double check that the
rebase was correctly done.

Queued patches are on a temporary branch at:
https://github.com/cpaelzer/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/cpaelzer/dpdk-stable-queue/commit/cb4043684101d319f6bc789a2228f53e79b2af84

Thanks.

Christian Ehrhardt

---
>From cb4043684101d319f6bc789a2228f53e79b2af84 Mon Sep 17 00:00:00 2001
From: Owen Hilyard
Date: Wed, 23 Jun 2021 11:17:29 -0400
Subject: [PATCH] rib: fix max depth IPv6 lookup

[ upstream commit 03b8372a9a73a6b3dce4ce6b447ea37c398a4685 ]

ASAN found a stack buffer overflow in lib/rib/rte_rib6.c:get_dir. The
fix for the stack buffer overflow was to make sure depth was always
< 128, since when depth = 128 it caused the index into the ip address
to be 16, which read off the end of the array.

While trying to solve the buffer overflow, I noticed that a few changes
could be made to remove the for loop entirely.

Fixes: f7e861e21c46 ("rib: support IPv6")

Signed-off-by: Owen Hilyard
Acked-by: Vladimir Medvedkin
---
 lib/librte_rib/rte_rib6.c | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)

diff --git a/lib/librte_rib/rte_rib6.c b/lib/librte_rib/rte_rib6.c
index 78b8dcfd94..6d265c2773 100644
--- a/lib/librte_rib/rte_rib6.c
+++ b/lib/librte_rib/rte_rib6.c
@@ -79,20 +79,33 @@ is_covered(const uint8_t ip1[RTE_RIB6_IPV6_ADDR_SIZE], static inline int get_dir(const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE], uint8_t depth) { - int i = 0; - uint8_t p_depth, msk; - - for (p_depth = depth; p_depth >= 8; p_depth -= 8) - i++; - - msk = 1 << (7 - p_depth); - return (ip[i] & msk) != 0; + uint8_t index, msk; + + /* + * depth & 127 clamps depth to values that will not + * read off the end of ip. + * depth is the number of bits deep into ip to traverse, and + * is incremented in blocks of 8 (1 byte). This means the last + * 3 bits are irrelevant to what the index of ip should be. + */ + index = (depth & (UINT8_MAX - 1)) / CHAR_BIT; + + /* + * msk is the bitmask used to extract the bit used to decide the + * direction of the next step of the binary search. + */ + msk = 1 << (7 - (depth & 7)); + + return (ip[index] & msk) != 0; } static inline struct rte_rib6_node * get_nxt_node(struct rte_rib6_node *node, const uint8_t ip[RTE_RIB6_IPV6_ADDR_SIZE]) { + if (node->depth == RIB6_MAXDEPTH) + return NULL; + return (get_dir(ip, node->depth)) ? node->right : node->left; } -- 2.32.0 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2021-08-10 15:11:13.783471546 +0200 +++ 0018-rib-fix-max-depth-IPv6-lookup.patch 2021-08-10 15:11:12.918637378 +0200 @@ -1 +1 @@ -From 03b8372a9a73a6b3dce4ce6b447ea37c398a4685 Mon Sep 17 00:00:00 2001 +From cb4043684101d319f6bc789a2228f53e79b2af84 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 03b8372a9a73a6b3dce4ce6b447ea37c398a4685 ] + @@ -15 +16,0 @@ -Cc: stable@dpdk.org @@ -20 +21 @@ - lib/rib/rte_rib6.c | 29 +++++++++++++++++++++-------- + lib/librte_rib/rte_rib6.c | 29 +++++++++++++++++++++-------- 
@@ -23,4 +24,4 @@ -diff --git a/lib/rib/rte_rib6.c b/lib/rib/rte_rib6.c -index f6c55ee454..96424e9c9f 100644 ---- a/lib/rib/rte_rib6.c -+++ b/lib/rib/rte_rib6.c +diff --git a/lib/librte_rib/rte_rib6.c b/lib/librte_rib/rte_rib6.c +index 78b8dcfd94..6d265c2773 100644 +--- a/lib/librte_rib/rte_rib6.c ++++ b/lib/librte_rib/rte_rib6.c
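
Review bot: In get_dir (the @@ -79,20 +79,33 @@ hunk of rte_rib6.c), the mask in `index = (depth & (UINT8_MAX - 1)) / CHAR_BIT;` is 254 (0xFE), not the 127 that the comment directly above it describes. It only clears bit 0 of depth, so depth = 128 still yields index = 128 / 8 = 16, which is the one-past-the-end read of ip that the commit message says this change is meant to prevent. As written, the only thing keeping get_dir in bounds is the new `node->depth == RIB6_MAXDEPTH` early return in get_nxt_node, so get_dir itself is not safe for a depth of 128 if it is ever reached by another path. Suggest masking with 127 (for example `depth & INT8_MAX`) so the code matches its comment and get_dir is bounded on its own, and keeping the get_nxt_node check as the second guard. The hunk also starts using CHAR_BIT and UINT8_MAX without touching the includes, so it is worth confirming that limits.h and stdint.h are already pulled in on the 19.11 branch.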