* [dpdk-stable] [PATCH v1] test/mempool: fix out of memory bound for mempool
[not found] <20210331210557.4919-1-wenwux.ma@intel.com>
@ 2021-04-12 14:10 ` Wenwu Ma
2021-04-13 20:05 ` [dpdk-stable] [v2] test/mempool: fix heap buffer overflow Wenwu Ma
1 sibling, 0 replies; 10+ messages in thread
From: Wenwu Ma @ 2021-04-12 14:10 UTC (permalink / raw)
To: build_sh; +Cc: Wenwu Ma, stable
Not enough memory be allocated for mempool which
cause out of bound memory access when get its private member.
Fixes: 923ceaeac140 ("test/mempool: add unit test cases")
Cc: stable@dpdk.org
Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
v1:
* Refine commit log.
app/test/test_mempool.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/test/test_mempool.c b/app/test/test_mempool.c
index 084842fda..fc06a9c6f 100644
--- a/app/test/test_mempool.c
+++ b/app/test/test_mempool.c
@@ -543,7 +543,8 @@ test_mempool(void)
mp_stack_mempool_iter = rte_mempool_create("test_iter_obj",
MEMPOOL_SIZE,
MEMPOOL_ELT_SIZE,
- RTE_MEMPOOL_CACHE_MAX_SIZE, 0,
+ RTE_MEMPOOL_CACHE_MAX_SIZE,
+ sizeof(struct rte_pktmbuf_pool_private),
NULL, NULL,
my_obj_init, NULL,
SOCKET_ID_ANY, 0);
--
2.25.1
^ permalink raw reply [flat|nested] 10+ messages in thread
* [dpdk-stable] [v2] test/mempool: fix heap buffer overflow
[not found] <20210331210557.4919-1-wenwux.ma@intel.com>
2021-04-12 14:10 ` [dpdk-stable] [PATCH v1] test/mempool: fix out of memory bound for mempool Wenwu Ma
@ 2021-04-13 20:05 ` Wenwu Ma
2021-04-13 11:52 ` Thomas Monjalon
2021-04-27 13:56 ` [dpdk-stable] [PATCH v3 1/2] " Olivier Matz
1 sibling, 2 replies; 10+ messages in thread
From: Wenwu Ma @ 2021-04-13 20:05 UTC (permalink / raw)
To: olivier.matz, andrew.rybchenko; +Cc: dev, Wenwu Ma, stable
Amount of allocated memory was not enough for mempool
which cause buffer overflow when access fields of mempool
private structure in the rte_pktmbuf_priv_size function.
Fixes: 923ceaeac140 ("test/mempool: add unit test cases")
Cc: stable@dpdk.org
Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
v2:
- refine commit log.
---
app/test/test_mempool.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/test/test_mempool.c b/app/test/test_mempool.c
index 084842fda..fc06a9c6f 100644
--- a/app/test/test_mempool.c
+++ b/app/test/test_mempool.c
@@ -543,7 +543,8 @@ test_mempool(void)
mp_stack_mempool_iter = rte_mempool_create("test_iter_obj",
MEMPOOL_SIZE,
MEMPOOL_ELT_SIZE,
- RTE_MEMPOOL_CACHE_MAX_SIZE, 0,
+ RTE_MEMPOOL_CACHE_MAX_SIZE,
+ sizeof(struct rte_pktmbuf_pool_private),
NULL, NULL,
my_obj_init, NULL,
SOCKET_ID_ANY, 0);
--
2.25.1
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [dpdk-stable] [v2] test/mempool: fix heap buffer overflow
2021-04-13 20:05 ` [dpdk-stable] [v2] test/mempool: fix heap buffer overflow Wenwu Ma
@ 2021-04-13 11:52 ` Thomas Monjalon
2021-04-15 6:45 ` Olivier Matz
2021-04-27 13:56 ` [dpdk-stable] [PATCH v3 1/2] " Olivier Matz
1 sibling, 1 reply; 10+ messages in thread
From: Thomas Monjalon @ 2021-04-13 11:52 UTC (permalink / raw)
To: Wenwu Ma; +Cc: olivier.matz, andrew.rybchenko, stable, dev, aconole
13/04/2021 22:05, Wenwu Ma:
> Amount of allocated memory was not enough for mempool
> which cause buffer overflow when access fields of mempool
> private structure in the rte_pktmbuf_priv_size function.
Was it causing the test to fail?
How do you reproduce the overflow?
> Fixes: 923ceaeac140 ("test/mempool: add unit test cases")
> Cc: stable@dpdk.org
>
> Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [dpdk-stable] [v2] test/mempool: fix heap buffer overflow
2021-04-13 11:52 ` Thomas Monjalon
@ 2021-04-15 6:45 ` Olivier Matz
2021-04-15 12:51 ` Aaron Conole
0 siblings, 1 reply; 10+ messages in thread
From: Olivier Matz @ 2021-04-15 6:45 UTC (permalink / raw)
To: Thomas Monjalon
Cc: Wenwu Ma, andrew.rybchenko, stable, dev, aconole, zhihongx.peng
On Tue, Apr 13, 2021 at 01:52:26PM +0200, Thomas Monjalon wrote:
> 13/04/2021 22:05, Wenwu Ma:
> > Amount of allocated memory was not enough for mempool
> > which cause buffer overflow when access fields of mempool
> > private structure in the rte_pktmbuf_priv_size function.
>
> Was it causing the test to fail?
> How do you reproduce the overflow?
In the test, right after the rte_mempool_create(), the function
rte_mempool_obj_iter() is called too initialize the mempool objects with
the rte_pktmbuf_init() callback function. This callback expects that the
mempool is a packet pool, i.e. its private area is a struct
rte_pktmbuf_pool_private structure.
In the current test, the size of the private area is 0, which probably
causes the function rte_pktmbuf_priv_size() to return an unpredictable
value, and this value is used as a size in a memset.
This part of the test was added in commit 923ceaeac140 ("test/mempool:
add unit test cases").
Instead of changing the size of the private area like done in the patch,
I suggest to use another callback than rte_pktmbuf_init(). After all,
this is a mempool test, so we should not rely on mbuf features. The
function my_obj_init() could be used like in other places of the test,
like this:
@@ -552,7 +552,7 @@ test_mempool(void)
GOTO_ERR(ret, err);
/* test to initialize mempool objects and memory */
- nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, rte_pktmbuf_init,
+ nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, my_obj_init,
NULL);
if (nb_objs == 0)
GOTO_ERR(ret, err);
Wenwu, does it solve your issue?
Regards,
Olivier
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [dpdk-stable] [v2] test/mempool: fix heap buffer overflow
2021-04-15 6:45 ` Olivier Matz
@ 2021-04-15 12:51 ` Aaron Conole
2021-04-16 7:20 ` Olivier Matz
0 siblings, 1 reply; 10+ messages in thread
From: Aaron Conole @ 2021-04-15 12:51 UTC (permalink / raw)
To: Olivier Matz
Cc: Thomas Monjalon, Wenwu Ma, andrew.rybchenko, stable, dev, zhihongx.peng
Olivier Matz <olivier.matz@6wind.com> writes:
> On Tue, Apr 13, 2021 at 01:52:26PM +0200, Thomas Monjalon wrote:
>> 13/04/2021 22:05, Wenwu Ma:
>> > Amount of allocated memory was not enough for mempool
>> > which cause buffer overflow when access fields of mempool
>> > private structure in the rte_pktmbuf_priv_size function.
>>
>> Was it causing the test to fail?
>> How do you reproduce the overflow?
>
> In the test, right after the rte_mempool_create(), the function
> rte_mempool_obj_iter() is called too initialize the mempool objects with
> the rte_pktmbuf_init() callback function. This callback expects that the
> mempool is a packet pool, i.e. its private area is a struct
> rte_pktmbuf_pool_private structure.
>
> In the current test, the size of the private area is 0, which probably
> causes the function rte_pktmbuf_priv_size() to return an unpredictable
> value, and this value is used as a size in a memset.
Is it possible to have rte_mempool_get_priv() detect that the private
area isn't valid and return a ref to a const static member for this that
will have the correct mbuf_priv_size? There isn't really documentation
that I can find that describes this corner case with the mempool private
data section. Actually, it doesn't really say what happens if private
data size is 0, so maybe a documentation update should go with this test
case fix, too?
> This part of the test was added in commit 923ceaeac140 ("test/mempool:
> add unit test cases").
>
> Instead of changing the size of the private area like done in the patch,
> I suggest to use another callback than rte_pktmbuf_init(). After all,
> this is a mempool test, so we should not rely on mbuf features. The
> function my_obj_init() could be used like in other places of the test,
> like this:
>
> @@ -552,7 +552,7 @@ test_mempool(void)
> GOTO_ERR(ret, err);
>
> /* test to initialize mempool objects and memory */
> - nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, rte_pktmbuf_init,
> + nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, my_obj_init,
> NULL);
> if (nb_objs == 0)
> GOTO_ERR(ret, err);
>
>
> Wenwu, does it solve your issue?
>
>
> Regards,
> Olivier
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [dpdk-stable] [v2] test/mempool: fix heap buffer overflow
2021-04-15 12:51 ` Aaron Conole
@ 2021-04-16 7:20 ` Olivier Matz
0 siblings, 0 replies; 10+ messages in thread
From: Olivier Matz @ 2021-04-16 7:20 UTC (permalink / raw)
To: Aaron Conole
Cc: Thomas Monjalon, Wenwu Ma, andrew.rybchenko, stable, dev, zhihongx.peng
On Thu, Apr 15, 2021 at 08:51:27AM -0400, Aaron Conole wrote:
> Olivier Matz <olivier.matz@6wind.com> writes:
>
> > On Tue, Apr 13, 2021 at 01:52:26PM +0200, Thomas Monjalon wrote:
> >> 13/04/2021 22:05, Wenwu Ma:
> >> > Amount of allocated memory was not enough for mempool
> >> > which cause buffer overflow when access fields of mempool
> >> > private structure in the rte_pktmbuf_priv_size function.
> >>
> >> Was it causing the test to fail?
> >> How do you reproduce the overflow?
> >
> > In the test, right after the rte_mempool_create(), the function
> > rte_mempool_obj_iter() is called too initialize the mempool objects with
> > the rte_pktmbuf_init() callback function. This callback expects that the
> > mempool is a packet pool, i.e. its private area is a struct
> > rte_pktmbuf_pool_private structure.
> >
> > In the current test, the size of the private area is 0, which probably
> > causes the function rte_pktmbuf_priv_size() to return an unpredictable
> > value, and this value is used as a size in a memset.
>
> Is it possible to have rte_mempool_get_priv() detect that the private
> area isn't valid and return a ref to a const static member for this that
> will have the correct mbuf_priv_size? There isn't really documentation
> that I can find that describes this corner case with the mempool private
> data section. Actually, it doesn't really say what happens if private
> data size is 0, so maybe a documentation update should go with this test
> case fix, too?
Good point, we can indeed add something in the API documentation. To
detect that the private area is not big enough in rte_pktmbuf_init(),
unfortunatly the function has no return code, but for now we can add at
least an RTE_ASSERT() (only active when -DRTE_ENABLE_ASSERT is passed),
as it's already done for other checks.
I can do a new version of the patch. Wenwu, is it ok for you?
In a second step, we can think about changing the API of all mempool
callbacks and their wrappers to add a return code.
> > This part of the test was added in commit 923ceaeac140 ("test/mempool:
> > add unit test cases").
> >
> > Instead of changing the size of the private area like done in the patch,
> > I suggest to use another callback than rte_pktmbuf_init(). After all,
> > this is a mempool test, so we should not rely on mbuf features. The
> > function my_obj_init() could be used like in other places of the test,
> > like this:
> >
> > @@ -552,7 +552,7 @@ test_mempool(void)
> > GOTO_ERR(ret, err);
> >
> > /* test to initialize mempool objects and memory */
> > - nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, rte_pktmbuf_init,
> > + nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, my_obj_init,
> > NULL);
> > if (nb_objs == 0)
> > GOTO_ERR(ret, err);
> >
> >
> > Wenwu, does it solve your issue?
> >
> >
> > Regards,
> > Olivier
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* [dpdk-stable] [PATCH v3 1/2] test/mempool: fix heap buffer overflow
2021-04-13 20:05 ` [dpdk-stable] [v2] test/mempool: fix heap buffer overflow Wenwu Ma
2021-04-13 11:52 ` Thomas Monjalon
@ 2021-04-27 13:56 ` Olivier Matz
2021-05-04 18:07 ` Thomas Monjalon
1 sibling, 1 reply; 10+ messages in thread
From: Olivier Matz @ 2021-04-27 13:56 UTC (permalink / raw)
To: dev
Cc: Andrew Rybchenko, Pallantla Poornima, Wenwu Ma, Peng Zhihong,
Aaron Conole, Thomas Monjalon, stable
The function rte_pktmbuf_init() expects that the mempool private area is
large enough and was previously initialized by rte_pktmbuf_pool_init(),
which is not the case.
This causes the function rte_pktmbuf_priv_size() to return an
unpredictable value, and this value is used as a size in a memset.
Replace the mempool object initializer by my_obj_init(), which does not
have this constraint, and fits the needs for this test.
Fixes: 923ceaeac140 ("test/mempool: add unit test cases")
Cc: stable@dpdk.org
Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
app/test/test_mempool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/test/test_mempool.c b/app/test/test_mempool.c
index 084842fdaa..3adadd6731 100644
--- a/app/test/test_mempool.c
+++ b/app/test/test_mempool.c
@@ -552,7 +552,7 @@ test_mempool(void)
GOTO_ERR(ret, err);
/* test to initialize mempool objects and memory */
- nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, rte_pktmbuf_init,
+ nb_objs = rte_mempool_obj_iter(mp_stack_mempool_iter, my_obj_init,
NULL);
if (nb_objs == 0)
GOTO_ERR(ret, err);
--
2.29.2
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [dpdk-stable] [PATCH v3 1/2] test/mempool: fix heap buffer overflow
2021-04-27 13:56 ` [dpdk-stable] [PATCH v3 1/2] " Olivier Matz
@ 2021-05-04 18:07 ` Thomas Monjalon
0 siblings, 0 replies; 10+ messages in thread
From: Thomas Monjalon @ 2021-05-04 18:07 UTC (permalink / raw)
To: Wenwu Ma, Olivier Matz
Cc: dev, stable, Andrew Rybchenko, Pallantla Poornima, Peng Zhihong,
Aaron Conole
27/04/2021 15:56, Olivier Matz:
> The function rte_pktmbuf_init() expects that the mempool private area is
> large enough and was previously initialized by rte_pktmbuf_pool_init(),
> which is not the case.
>
> This causes the function rte_pktmbuf_priv_size() to return an
> unpredictable value, and this value is used as a size in a memset.
>
> Replace the mempool object initializer by my_obj_init(), which does not
> have this constraint, and fits the needs for this test.
>
> Fixes: 923ceaeac140 ("test/mempool: add unit test cases")
> Cc: stable@dpdk.org
>
> Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
Replaced with Reported-by and added Olivier's signature
to match patch authorship.
Series applied, thanks.
^ permalink raw reply [flat|nested] 10+ messages in thread
* [dpdk-stable] [v2] test/mempool: fix heap buffer overflow
@ 2021-04-13 19:22 Wenwu Ma
0 siblings, 0 replies; 10+ messages in thread
From: Wenwu Ma @ 2021-04-13 19:22 UTC (permalink / raw)
To: wenwux.ma; +Cc: stable
Amount of allocated memory was not enough for mempool
which cause buffer overflow when access fields of mempool
private structure in the rte_pktmbuf_priv_size function.
Fixes: 923ceaeac140 ("test/mempool: add unit test cases")
Cc: stable@dpdk.org
Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
v2:
- refine commit log.
---
app/test/test_mempool.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/test/test_mempool.c b/app/test/test_mempool.c
index 084842fda..fc06a9c6f 100644
--- a/app/test/test_mempool.c
+++ b/app/test/test_mempool.c
@@ -543,7 +543,8 @@ test_mempool(void)
mp_stack_mempool_iter = rte_mempool_create("test_iter_obj",
MEMPOOL_SIZE,
MEMPOOL_ELT_SIZE,
- RTE_MEMPOOL_CACHE_MAX_SIZE, 0,
+ RTE_MEMPOOL_CACHE_MAX_SIZE,
+ sizeof(struct rte_pktmbuf_pool_private),
NULL, NULL,
my_obj_init, NULL,
SOCKET_ID_ANY, 0);
--
2.25.1
^ permalink raw reply [flat|nested] 10+ messages in thread
* [dpdk-stable] [v2] test/mempool: fix heap buffer overflow
@ 2021-04-13 20:03 Wenwu Ma
0 siblings, 0 replies; 10+ messages in thread
From: Wenwu Ma @ 2021-04-13 20:03 UTC (permalink / raw)
To: olivier.matz, andrew.rybchenko; +Cc: dev, Wenwu Ma, stable
Amount of allocated memory was not enough for mempool
which cause buffer overflow when access fields of mempool
private structure in the rte_pktmbuf_priv_size function.
Fixes: 923ceaeac140 ("test/mempool: add unit test cases")
Cc: stable@dpdk.org
Signed-off-by: Wenwu Ma <wenwux.ma@intel.com>
---
v2:
- refine commit log.
---
app/test/test_mempool.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/app/test/test_mempool.c b/app/test/test_mempool.c
index 084842fda..fc06a9c6f 100644
--- a/app/test/test_mempool.c
+++ b/app/test/test_mempool.c
@@ -543,7 +543,8 @@ test_mempool(void)
mp_stack_mempool_iter = rte_mempool_create("test_iter_obj",
MEMPOOL_SIZE,
MEMPOOL_ELT_SIZE,
- RTE_MEMPOOL_CACHE_MAX_SIZE, 0,
+ RTE_MEMPOOL_CACHE_MAX_SIZE,
+ sizeof(struct rte_pktmbuf_pool_private),
NULL, NULL,
my_obj_init, NULL,
SOCKET_ID_ANY, 0);
--
2.25.1
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2021-05-04 18:07 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <20210331210557.4919-1-wenwux.ma@intel.com>
2021-04-12 14:10 ` [dpdk-stable] [PATCH v1] test/mempool: fix out of memory bound for mempool Wenwu Ma
2021-04-13 20:05 ` [dpdk-stable] [v2] test/mempool: fix heap buffer overflow Wenwu Ma
2021-04-13 11:52 ` Thomas Monjalon
2021-04-15 6:45 ` Olivier Matz
2021-04-15 12:51 ` Aaron Conole
2021-04-16 7:20 ` Olivier Matz
2021-04-27 13:56 ` [dpdk-stable] [PATCH v3 1/2] " Olivier Matz
2021-05-04 18:07 ` Thomas Monjalon
2021-04-13 19:22 [dpdk-stable] [v2] " Wenwu Ma
2021-04-13 20:03 Wenwu Ma
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).