patches for DPDK stable branches
 help / color / mirror / Atom feed
From: Ferruh Yigit <ferruh.yigit@intel.com>
To: Wei Huang <wei.huang@intel.com>,
	dev@dpdk.org, rosen.xu@intel.com, qi.z.zhang@intel.com
Cc: stable@dpdk.org, tianfei.zhang@intel.com
Subject: Re: [dpdk-stable] [PATCH v1 1/4] raw/ifpga/base: use trusted buffer to free
Date: Wed, 7 Apr 2021 14:59:12 +0100
Message-ID: <5a9f8365-d240-8acf-23e8-0d95c973f1ab@intel.com> (raw)
In-Reply-To: <1615969296-17021-2-git-send-email-wei.huang@intel.com>

On 3/17/2021 8:21 AM, Wei Huang wrote:
> In write_flash_image(), calling function "read" may taints variable
> "buf" which turn to an untrusted value as argument of "rte_free".
> 
> Coverity issue: 367477
> Fixes: 7a4f3993f269 ("raw/ifpga: add FPGA RSU APIs")
> 

Hi Huang, Rosen,

I checked the coverity issue but still not clear about the problem. What does 
'read' taints 'buf' mean?
The 'buf' passed as an argument to read, so all 'read' can do is change the 
memory that 'buf' points, so why it should affect the 'free' at all?
If the memory is overflow etc, your change is just hiding the error not fixing it.

And the error message mentions from 'rte_free', not 'free', not sure how 
'rte_free' is involved in the problem, any idea?

> Signed-off-by: Wei Huang <wei.huang@intel.com>
> ---
>   drivers/raw/ifpga/base/ifpga_fme_rsu.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/raw/ifpga/base/ifpga_fme_rsu.c b/drivers/raw/ifpga/base/ifpga_fme_rsu.c
> index 28198abd78..d32f1eccb1 100644
> --- a/drivers/raw/ifpga/base/ifpga_fme_rsu.c
> +++ b/drivers/raw/ifpga/base/ifpga_fme_rsu.c
> @@ -92,6 +92,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image,
>   	uint32_t offset)
>   {
>   	void *buf = NULL;
> +	void *buf_to_free = NULL;
>   	int retry = 0;
>   	uint32_t length = 0;
>   	uint32_t to_transfer = 0;
> @@ -122,6 +123,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image,
>   		close(fd);
>   		return -ENOMEM;
>   	}
> +	buf_to_free = buf;
>   
>   	length = smgr->rsu_length;
>   	one_percent = length / 100;
> @@ -177,7 +179,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image,
>   	printf("\n");
>   
>   end:
> -	free(buf);
> +	free(buf_to_free);
>   	close(fd);
>   	return ret;
>   }
> 


  parent reply	other threads:[~2021-04-07 13:59 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-03-17  8:21 [dpdk-stable] [PATCH v1 0/4] Fix coverity issues reported in DPDK-26380 Wei Huang
2021-03-17  8:21 ` [dpdk-stable] [PATCH v1 1/4] raw/ifpga/base: use trusted buffer to free Wei Huang
2021-04-01  7:46   ` Zhang, Tianfei
2021-04-01  8:47   ` Xu, Rosen
2021-04-07 13:59   ` Ferruh Yigit [this message]
2021-03-17  8:21 ` [dpdk-stable] [PATCH v1 2/4] raw/ifpga/base: check return value of lseek Wei Huang
2021-04-01  7:46   ` Zhang, Tianfei
2021-04-01  8:47   ` Xu, Rosen
2021-03-17  8:21 ` [dpdk-stable] [PATCH v1 3/4] raw/ifpga/base: assign unsigned value to length Wei Huang
2021-04-01  7:47   ` Zhang, Tianfei
2021-04-01  8:47   ` Xu, Rosen
2021-03-17  8:21 ` [dpdk-stable] [PATCH v1 4/4] raw/ifpga/base: check pointer before dereferencing Wei Huang
2021-04-01  7:47   ` Zhang, Tianfei
2021-04-01  8:48   ` Xu, Rosen
2021-04-01 11:50 ` [dpdk-stable] [PATCH v1 0/4] Fix coverity issues reported in DPDK-26380 Zhang, Qi Z

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=5a9f8365-d240-8acf-23e8-0d95c973f1ab@intel.com \
    --to=ferruh.yigit@intel.com \
    --cc=dev@dpdk.org \
    --cc=qi.z.zhang@intel.com \
    --cc=rosen.xu@intel.com \
    --cc=stable@dpdk.org \
    --cc=tianfei.zhang@intel.com \
    --cc=wei.huang@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

patches for DPDK stable branches

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://inbox.dpdk.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ https://inbox.dpdk.org/stable \
		stable@dpdk.org
	public-inbox-index stable

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.stable


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git