From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 5F3FA45527 for ; Fri, 28 Jun 2024 23:01:34 +0200 (CEST) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 412F040EE2; Fri, 28 Jun 2024 23:01:34 +0200 (CEST) Received: from mail-wm1-f42.google.com (mail-wm1-f42.google.com [209.85.128.42]) by mails.dpdk.org (Postfix) with ESMTP id 109FA40E96 for ; Fri, 28 Jun 2024 23:01:33 +0200 (CEST) Received: by mail-wm1-f42.google.com with SMTP id 5b1f17b1804b1-42566fb8302so8012485e9.0 for ; Fri, 28 Jun 2024 14:01:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=broadcom.com; s=google; t=1719608492; x=1720213292; darn=dpdk.org; h=subject:from:cc:to:user-agent:mime-version:date:message-id:from:to :cc:subject:date:message-id:reply-to; bh=a5Knw7BMCo7MlZVT0IuJy/IFynxLoWTZnJfa95FnSxI=; b=MpYj9O37cZM6Ivjv7C4EW5xK5d6giZ16YlTbeiLzgHGDlppjxKW4LPtDY8vvMXzVNG fMrxHyGqfWTU2Gl6VVqIcDJP0i25WsB8jR8JS0ZzVACWIGcifnqWlrAnZmEvgOFVy8LO GtvWsEF7BfsQcdRKkD+ToUFacVljWLaDvLeZc= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719608492; x=1720213292; h=subject:from:cc:to:user-agent:mime-version:date:message-id :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=a5Knw7BMCo7MlZVT0IuJy/IFynxLoWTZnJfa95FnSxI=; b=acfY3+AFtbfw1PkpsYd00lSLm6ZH3OB5TYCF0kOqfGABNJuvWeHnUc94A+ZJeMmN1V nHCGTDgPDNaxfRf5M19sa1xkskD/W+B/TNUwNo93RR4r2D8ylQX1uv25YqOnAuuybNNp DiDFXxOIhehDwYSySZvTA2R1uh89l1tzurSCpqfkCqrLwwEOzbnazxCkJ25SlHUes6lq v8BchzMiZxwbo/E9RJmwlFyw6ITq4dl/E5DUJHrteweB1yOaDbkrcVRmXeZI+PEvIuJb MntTt0+yXr7blVJxkIfKlwTc9ALSnfRDd53YaCNlCuXIkkfFbK1YYMkO0fcXpig2/gbV dNUA== X-Forwarded-Encrypted: i=1; AJvYcCUz5n4r8VxZccKd1piW+vtjtGh18LPgrT5WD16CCgFIRF1dLqlxP2ziD1qYuQs1PfrE7itCq6IO4kdd5vowWY4= X-Gm-Message-State: AOJu0YzzTemJ9trqp2++5qxIaJ+qbpwl/5imBtA23469sm8p3nODG9LI ZA9X0/qEa6v7ugGxZHAUUIHMU2TUljPK5crC96IwT10Wx8lKQosdYQpnyP6UWh/0LaO/eisOoqz ZF+5dE4CApbXplCaGV9kdB5vAtfSMLYfpBg== X-Google-Smtp-Source: AGHT+IHGQ4xkM0qU0ET8AgstQMerDBoIFfd/pLS26QGATN661m16lM2/pGZy0b/WP21j7U7voriSuw== X-Received: by 2002:a05:600c:4fd6:b0:425:73c9:e60e with SMTP id 5b1f17b1804b1-42573c9e72fmr13724335e9.25.1719608492474; Fri, 28 Jun 2024 14:01:32 -0700 (PDT) Received: from [192.168.0.8] ([92.81.76.237]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4256af376easm50465595e9.5.2024.06.28.14.01.30 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 28 Jun 2024 14:01:31 -0700 (PDT) Message-ID: Date: Sat, 29 Jun 2024 00:01:29 +0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird To: Jakub Grajciar , Ferruh Yigit Cc: dev@dpdk.org, Mihai Brodschi , stable@dpdk.org From: Mihai Brodschi Subject: [PATCH v2] net/memif: fix buffer overflow in zero copy Rx Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="0000000000005f2fab061bf98d0b" X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org --0000000000005f2fab061bf98d0b Content-Language: en-US Content-Type: text/plain; charset="UTF-8" rte_pktmbuf_alloc_bulk is called by the zero-copy receiver to allocate new mbufs to be provided to the sender. The allocated mbuf pointers are stored in a ring, but the alloc function doesn't implement index wrap-around, so it writes past the end of the array. This results in memory corruption and duplicate mbufs being received. Allocate 2x the space for the mbuf ring, so that the alloc function has a contiguous array to write to, then copy the excess entries to the start of the array. Fixes: 43b815d88188 ("net/memif: support zero-copy slave") Cc: stable@dpdk.org Signed-off-by: Mihai Brodschi --- v2: - fix email formatting --- drivers/net/memif/rte_eth_memif.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/net/memif/rte_eth_memif.c b/drivers/net/memif/rte_eth_memif.c index 16da22b5c6..3491c53cf1 100644 --- a/drivers/net/memif/rte_eth_memif.c +++ b/drivers/net/memif/rte_eth_memif.c @@ -600,6 +600,10 @@ eth_memif_rx_zc(void *queue, struct rte_mbuf **bufs, uint16_t nb_pkts) ret = rte_pktmbuf_alloc_bulk(mq->mempool, &mq->buffers[head & mask], n_slots); if (unlikely(ret < 0)) goto no_free_mbufs; + if (unlikely(n_slots > ring_size - (head & mask))) { + rte_memcpy(mq->buffers, &mq->buffers[ring_size], + (n_slots + (head & mask) - ring_size) * sizeof(struct rte_mbuf *)); + } while (n_slots--) { s0 = head++ & mask; @@ -1245,8 +1249,12 @@ memif_init_queues(struct rte_eth_dev *dev) } mq->buffers = NULL; if (pmd->flags & ETH_MEMIF_FLAG_ZERO_COPY) { + /* + * Allocate 2x ring_size to reserve a contiguous array for + * rte_pktmbuf_alloc_bulk (to store allocated mbufs). + */ mq->buffers = rte_zmalloc("bufs", sizeof(struct rte_mbuf *) * - (1 << mq->log2_ring_size), 0); + (1 << (mq->log2_ring_size + 1)), 0); if (mq->buffers == NULL) return -ENOMEM; } -- 2.43.0 -- This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it. --0000000000005f2fab061bf98d0b Content-Type: application/pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIQcwYJKoZIhvcNAQcCoIIQZDCCEGACAQExDzANBglghkgBZQMEAgEFADALBgkqhkiG9w0BBwGg gg3KMIIFDTCCA/WgAwIBAgIQeEqpED+lv77edQixNJMdADANBgkqhkiG9w0BAQsFADBMMSAwHgYD VQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMzETMBEGA1UEChMKR2xvYmFsU2lnbjETMBEGA1UE AxMKR2xvYmFsU2lnbjAeFw0yMDA5MTYwMDAwMDBaFw0yODA5MTYwMDAwMDBaMFsxCzAJBgNVBAYT AkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTEwLwYDVQQDEyhHbG9iYWxTaWduIEdDQyBS MyBQZXJzb25hbFNpZ24gMiBDQSAyMDIwMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA vbCmXCcsbZ/a0fRIQMBxp4gJnnyeneFYpEtNydrZZ+GeKSMdHiDgXD1UnRSIudKo+moQ6YlCOu4t rVWO/EiXfYnK7zeop26ry1RpKtogB7/O115zultAz64ydQYLe+a1e/czkALg3sgTcOOcFZTXk38e aqsXsipoX1vsNurqPtnC27TWsA7pk4uKXscFjkeUE8JZu9BDKaswZygxBOPBQBwrA5+20Wxlk6k1 e6EKaaNaNZUy30q3ArEf30ZDpXyfCtiXnupjSK8WU2cK4qsEtj09JS4+mhi0CTCrCnXAzum3tgcH cHRg0prcSzzEUDQWoFxyuqwiwhHu3sPQNmFOMwIDAQABo4IB2jCCAdYwDgYDVR0PAQH/BAQDAgGG MGAGA1UdJQRZMFcGCCsGAQUFBwMCBggrBgEFBQcDBAYKKwYBBAGCNxQCAgYKKwYBBAGCNwoDBAYJ KwYBBAGCNxUGBgorBgEEAYI3CgMMBggrBgEFBQcDBwYIKwYBBQUHAxEwEgYDVR0TAQH/BAgwBgEB /wIBADAdBgNVHQ4EFgQUljPR5lgXWzR1ioFWZNW+SN6hj88wHwYDVR0jBBgwFoAUj/BLf6guRSSu TVD6Y5qL3uLdG7wwegYIKwYBBQUHAQEEbjBsMC0GCCsGAQUFBzABhiFodHRwOi8vb2NzcC5nbG9i YWxzaWduLmNvbS9yb290cjMwOwYIKwYBBQUHMAKGL2h0dHA6Ly9zZWN1cmUuZ2xvYmFsc2lnbi5j b20vY2FjZXJ0L3Jvb3QtcjMuY3J0MDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9jcmwuZ2xvYmFs c2lnbi5jb20vcm9vdC1yMy5jcmwwWgYDVR0gBFMwUTALBgkrBgEEAaAyASgwQgYKKwYBBAGgMgEo CjA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5nbG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAN BgkqhkiG9w0BAQsFAAOCAQEAdAXk/XCnDeAOd9nNEUvWPxblOQ/5o/q6OIeTYvoEvUUi2qHUOtbf jBGdTptFsXXe4RgjVF9b6DuizgYfy+cILmvi5hfk3Iq8MAZsgtW+A/otQsJvK2wRatLE61RbzkX8 9/OXEZ1zT7t/q2RiJqzpvV8NChxIj+P7WTtepPm9AIj0Keue+gS2qvzAZAY34ZZeRHgA7g5O4TPJ /oTd+4rgiU++wLDlcZYd/slFkaT3xg4qWDepEMjT4T1qFOQIL+ijUArYS4owpPg9NISTKa1qqKWJ jFoyms0d0GwOniIIbBvhI2MJ7BSY9MYtWVT5jJO3tsVHwj4cp92CSFuGwunFMzCCA18wggJHoAMC AQICCwQAAAAAASFYUwiiMA0GCSqGSIb3DQEBCwUAMEwxIDAeBgNVBAsTF0dsb2JhbFNpZ24gUm9v dCBDQSAtIFIzMRMwEQYDVQQKEwpHbG9iYWxTaWduMRMwEQYDVQQDEwpHbG9iYWxTaWduMB4XDTA5 MDMxODEwMDAwMFoXDTI5MDMxODEwMDAwMFowTDEgMB4GA1UECxMXR2xvYmFsU2lnbiBSb290IENB IC0gUjMxEzARBgNVBAoTCkdsb2JhbFNpZ24xEzARBgNVBAMTCkdsb2JhbFNpZ24wggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDMJXaQeQZ4Ihb1wIO2hMoonv0FdhHFrYhy/EYCQ8eyip0E XyTLLkvhYIJG4VKrDIFHcGzdZNHr9SyjD4I9DCuul9e2FIYQebs7E4B3jAjhSdJqYi8fXvqWaN+J J5U4nwbXPsnLJlkNc96wyOkmDoMVxu9bi9IEYMpJpij2aTv2y8gokeWdimFXN6x0FNx04Druci8u nPvQu7/1PQDhBjPogiuuU6Y6FnOM3UEOIDrAtKeh6bJPkC4yYOlXy7kEkmho5TgmYHWyn3f/kRTv riBJ/K1AFUjRAjFhGV64l++td7dkmnq/X8ET75ti+w1s4FRpFqkD2m7pg5NxdsZphYIXAgMBAAGj QjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSP8Et/qC5FJK5N UPpjmove4t0bvDANBgkqhkiG9w0BAQsFAAOCAQEAS0DbwFCq/sgM7/eWVEVJu5YACUGssxOGhigH M8pr5nS5ugAtrqQK0/Xx8Q+Kv3NnSoPHRHt44K9ubG8DKY4zOUXDjuS5V2yq/BKW7FPGLeQkbLmU Y/vcU2hnVj6DuM81IcPJaP7O2sJTqsyQiunwXUaMld16WCgaLx3ezQA3QY/tRG3XUyiXfvNnBB4V 14qWtNPeTCekTBtzc3b0F5nCH3oO4y0IrQocLP88q1UOD5F+NuvDV0m+4S4tfGCLw0FREyOdzvcy a5QBqJnnLDMfOjsl0oZAzjsshnjJYS8Uuu7bVW/fhO4FCU29KNhyztNiUGUe65KXgzHZs7XKR1g/ XzCCBVIwggQ6oAMCAQICDHbaeqlxkxwG0oD4oTANBgkqhkiG9w0BAQsFADBbMQswCQYDVQQGEwJC RTEZMBcGA1UEChMQR2xvYmFsU2lnbiBudi1zYTExMC8GA1UEAxMoR2xvYmFsU2lnbiBHQ0MgUjMg UGVyc29uYWxTaWduIDIgQ0EgMjAyMDAeFw0yMjExMTQxMTQ3MjRaFw0yNTExMTQxMTQ3MjRaMIGS MQswCQYDVQQGEwJJTjESMBAGA1UECBMJS2FybmF0YWthMRIwEAYDVQQHEwlCYW5nYWxvcmUxFjAU BgNVBAoTDUJyb2FkY29tIEluYy4xFzAVBgNVBAMTDk1paGFpIEJyb2RzY2hpMSowKAYJKoZIhvcN AQkBFhttaWhhaS5icm9kc2NoaUBicm9hZGNvbS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw ggEKAoIBAQDKeSQ6fd3ArZpB+9ObkhCvLHNKaI4Zarn0m98M/IZYwHIXVxxLVn0g9I8RbzaUa6GZ k6TzMA22mdd6Sy/mnwJHOy7pNVd/2MBVwIkhNYL+5CwdBjBanvOOLh9FBl8QzKhifV7xYDMWJQJD Mr+QIRdtZOKkm9i0sRs9bwF2Rxbvnxj2EwgBSPe4FVpHEx4Is25hBIOZcEIvZTVoZgisovq6vB5I ERa8kmgfcp8zNafingkraXyOhds+xUiXbrZOthVlXg3ijylyQ50+iCWICS3qWXOw1tJXqTZUGgB/ PmiSLVSsz9RLsdo8tAV035w8AbZbKyFKl7mQzcIIE/9Zbk/PAgMBAAGjggHcMIIB2DAOBgNVHQ8B Af8EBAMCBaAwgaMGCCsGAQUFBwEBBIGWMIGTME4GCCsGAQUFBzAChkJodHRwOi8vc2VjdXJlLmds b2JhbHNpZ24uY29tL2NhY2VydC9nc2djY3IzcGVyc29uYWxzaWduMmNhMjAyMC5jcnQwQQYIKwYB BQUHMAGGNWh0dHA6Ly9vY3NwLmdsb2JhbHNpZ24uY29tL2dzZ2NjcjNwZXJzb25hbHNpZ24yY2Ey MDIwME0GA1UdIARGMEQwQgYKKwYBBAGgMgEoCjA0MDIGCCsGAQUFBwIBFiZodHRwczovL3d3dy5n bG9iYWxzaWduLmNvbS9yZXBvc2l0b3J5LzAJBgNVHRMEAjAAMEkGA1UdHwRCMEAwPqA8oDqGOGh0 dHA6Ly9jcmwuZ2xvYmFsc2lnbi5jb20vZ3NnY2NyM3BlcnNvbmFsc2lnbjJjYTIwMjAuY3JsMCYG A1UdEQQfMB2BG21paGFpLmJyb2RzY2hpQGJyb2FkY29tLmNvbTATBgNVHSUEDDAKBggrBgEFBQcD BDAfBgNVHSMEGDAWgBSWM9HmWBdbNHWKgVZk1b5I3qGPzzAdBgNVHQ4EFgQUTKjubK5dUstAoG+s gC9E5CNgobQwDQYJKoZIhvcNAQELBQADggEBADk/H+GmVd7WyerJTClll6xJOZorGnuKIVwthtoZ sVIrdxY2sspHYC0cmnRDxpw5/18UBLwjjIgPbv2PwJMPiiS4BG5r9ykQLpsSfbBzSiaUKkEX7jdH 5ONn8aGl4W0jcGJEKHK0KHziK1SJYWRExzSFfdTwFLTEj/g3yVZQT+mB+zv8NMRAmdG8DJ4waVPi L+E3ld0mdxuSCcvvAzi7ZNBrkCWUuC/YaiMtIRuyDqYnppUEkIXHE+SMfA+dirfXGmIYfk16DAOk rnI0rl6IAv30qz/Du0BDNsHi3gsTsQMfrA5M0saDCy65Bina2ExB2ZK6YyuajQd6BDtsygsH2Uwx ggJtMIICaQIBATBrMFsxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMTEw LwYDVQQDEyhHbG9iYWxTaWduIEdDQyBSMyBQZXJzb25hbFNpZ24gMiBDQSAyMDIwAgx22nqpcZMc BtKA+KEwDQYJYIZIAWUDBAIBBQCggdQwLwYJKoZIhvcNAQkEMSIEIDtSXNM7axUsm+JdikM5F3Bo oKmc6RwSemmGHVCLT3SzMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8X DTI0MDYyODIxMDEzMlowaQYJKoZIhvcNAQkPMVwwWjALBglghkgBZQMEASowCwYJYIZIAWUDBAEW MAsGCWCGSAFlAwQBAjAKBggqhkiG9w0DBzALBgkqhkiG9w0BAQowCwYJKoZIhvcNAQEHMAsGCWCG SAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQBkzqIG7tPD0oG/3uCYS+t9/8ufyRIY3WGPL1kwCDMW 7hRWtIyEs1C8x697GVlFvTvR0vhx7LA1hF5f7V+pbnnYGMQFjsrKFrE+M+uBsxQesjiXBbuJMjNL GawV5mo+Hmo4VCYRIdw/o0H8TL9moGoaHwnXmmyCfBy/ZONJj8cL5HGBcvLqgfh298ETCYzVtkKs oJxrcL2xZ1jBB+qDvMUxK9rYHHyKRsb1uj9O6RQEJxdEbsKt2qIIWt24yo0DPxmT+728CKJdnvgG BLh8fcMGwjmtLyo4UcyqM9RB4EQmiPfJd2giwz6vOUgw33RIVgz+9Tl9YrHKgmG5ufRc58qp --0000000000005f2fab061bf98d0b--