patches for DPDK stable branches
 help / color / mirror / Atom feed
From: "Burakov, Anatoly" <anatoly.burakov@intel.com>
To: Bing Zhao <bingz@mellanox.com>
Cc: dev@dpdk.org, sergio.gonzalez.monroy@intel.com, stable@dpdk.org
Subject: Re: [dpdk-stable] [PATCH] mem: fix the alloc size roundup overflow
Date: Mon, 20 Apr 2020 12:39:49 +0100
Message-ID: <88ce7ff0-27f7-9cf0-13bf-b66795bd64cd@intel.com> (raw)
In-Reply-To: <1586256364-185699-1-git-send-email-bingz@mellanox.com>

On 07-Apr-20 11:46 AM, Bing Zhao wrote:
> The size checking is done in the caller. The size parameter is an
> unsigned (64b wide) right now, so the comparison with zero should be
> enough in most cases. But it won't help in the following case.
> If the allocating request input a huge number by mistake, e.g., some
> overflow after the calculation (especially subtraction), the checking
> in the caller will succeed since it is not zero. Indeed, there is not
> enough space in the system to support such huge memory allocation.
> Usually it will return failure in the following code. But if the
> input size is just a little smaller than the UINT64_MAX, like -2 in
> signed type.
> The roundup will cause an overflow and then "reset" the size to 0,
> and then only a header (128B now) with zero length will be returned.
> The following will be the previous allocation header.
> It should be OK in most cases if the application won't access the
> memory body. Or else, some critical issue will be caused and not easy
> to debug. So this issue should be prevented at the beginning, like
> other big size failure, NULL pointer should be returned also.
> 
> Fixes: fdf20fa7bee9 ("add prefix to cache line macros")
> Cc: sergio.gonzalez.monroy@intel.com
> Cc: stable@dpdk.org
> 
> Signed-off-by: Bing Zhao <bingz@mellanox.com>
> ---
>   lib/librte_eal/common/malloc_heap.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/lib/librte_eal/common/malloc_heap.c b/lib/librte_eal/common/malloc_heap.c
> index 842eb9d..bd50656 100644
> --- a/lib/librte_eal/common/malloc_heap.c
> +++ b/lib/librte_eal/common/malloc_heap.c
> @@ -241,6 +241,9 @@
>   	size = RTE_CACHE_LINE_ROUNDUP(size);
>   	align = RTE_CACHE_LINE_ROUNDUP(align);
>   
> +	/* roundup might cause an overflow */
> +	if (size == 0)
> +		return NULL;
>   	elem = find_suitable_element(heap, size, flags, align, bound, contig);
>   	if (elem != NULL) {
>   		elem = malloc_elem_alloc(elem, size, align, bound, contig);
> 

Can we add a unit test for this in malloc_autotest?

Otherwise,

Acked-by: Anatoly Burakov <anatoly.burakov@intel.com>

-- 
Thanks,
Anatoly

  reply	other threads:[~2020-04-20 11:39 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-07 10:46 Bing Zhao
2020-04-20 11:39 ` Burakov, Anatoly [this message]
2020-04-21  3:18   ` Bing Zhao
2020-05-07  7:39 ` [dpdk-stable] [PATCH v2] " Bing Zhao
2020-05-07  7:41 ` Bing Zhao
2020-05-07  8:02   ` [dpdk-stable] [PATCH v3] " Bing Zhao
2020-05-11 14:52     ` [dpdk-stable] [dpdk-dev] " David Marchand
2020-05-07 11:55   ` [dpdk-stable] [PATCH v2] " Burakov, Anatoly
2020-05-07 12:12     ` David Marchand
2020-05-07 12:16       ` Bing Zhao
2020-05-07 12:18         ` David Marchand

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=88ce7ff0-27f7-9cf0-13bf-b66795bd64cd@intel.com \
    --to=anatoly.burakov@intel.com \
    --cc=bingz@mellanox.com \
    --cc=dev@dpdk.org \
    --cc=sergio.gonzalez.monroy@intel.com \
    --cc=stable@dpdk.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

patches for DPDK stable branches

This inbox may be cloned and mirrored by anyone:

	git clone --mirror https://inbox.dpdk.org/stable/0 stable/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 stable stable/ https://inbox.dpdk.org/stable \
		stable@dpdk.org
	public-inbox-index stable

Example config snippet for mirrors.
Newsgroup available over NNTP:
	nntp://inbox.dpdk.org/inbox.dpdk.stable


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git