[v2] net/tap: fix buffer overflow for ptypes list

Message ID 20231215133858.207911-1-venkatx.sivaramakrishnan@intel.com (mailing list archive)
State Superseded, archived
Delegated to: Ferruh Yigit
Series [v2] net/tap: fix buffer overflow for ptypes list

Checks

Context Check Description
ci/checkpatch success coding style OK
ci/loongarch-compilation success Compilation OK
ci/loongarch-unit-testing success Unit Testing PASS
ci/github-robot: build success github build: passed
ci/iol-intel-Performance success Performance Testing PASS
ci/iol-mellanox-Performance success Performance Testing PASS
ci/iol-broadcom-Functional success Functional Testing PASS
ci/iol-intel-Functional success Functional Testing PASS
ci/iol-abi-testing success Testing PASS
ci/iol-compile-amd64-testing success Testing PASS
ci/iol-compile-arm64-testing success Testing PASS
ci/iol-unit-arm64-testing success Testing PASS
ci/iol-broadcom-Performance success Performance Testing PASS
ci/iol-unit-amd64-testing success Testing PASS
ci/Intel-compilation success Compilation OK
ci/intel-Testing success Testing PASS
ci/intel-Functional success Functional PASS
ci/iol-sample-apps-testing success Testing PASS

Commit Message

Sivaramakrishnan Venkat Dec. 15, 2023, 1:38 p.m. UTC
  Incorrect ptypes list causes buffer overflow for Address Sanitizer
run. The last element in the ptypes lists to be "RTE_PTYPE_UNKNOWN"
for rte_eth_dev_get_supported_ptypes().
In rte_eth_dev_get_supported_ptypes(), the loop iterates until it
finds "RTE_PTYPE_UNKNOWN" to detect last element of the ptypes array.
Fix the ptypes list for drivers.

Fixes: 0849ac3b6122 ("net/tap: add packet type management")
Fixes: a7bdc3bd4244 ("net/dpaa: support packet type parsing")
Fixes: 4ccc8d770d3b ("net/mvneta: add PMD skeleton")
Fixes: f3f0d77db6b0 ("net/mrvl: support packet type parsing")
Fixes: 78a38edf66de ("ethdev: query supported packet types")
Fixes: 659b494d3d88 ("net/pfe: add packet types and basic statistics")
Fixes: 398a1be14168 ("net/thunderx: remove generic passX references")
Cc: pascal.mazon@6wind.com
Cc: zr@semihalf.com
Cc: tdu@semihalf.com
Cc: jianfeng.tan@intel.com
Cc: g.singh@nxp.com
Cc: jerin.jacob@caviumnetworks.com
Cc: stable@dpdk.org

Signed-off-by: Sivaramakrishnan Venkat <venkatx.sivaramakrishnan@intel.com>
--
V2:
fix ptypes list buffer flow for other drivers
---
 drivers/net/dpaa/dpaa_ethdev.c      | 3 ++-
 drivers/net/mvneta/mvneta_ethdev.c  | 3 ++-
 drivers/net/mvpp2/mrvl_ethdev.c     | 3 ++-
 drivers/net/nfp/nfp_net_common.c    | 1 +
 drivers/net/pfe/pfe_ethdev.c        | 3 ++-
 drivers/net/tap/rte_eth_tap.c       | 1 +
 drivers/net/thunderx/nicvf_ethdev.c | 1 +
 7 files changed, 11 insertions(+), 4 deletions(-)
  

Comments

Ferruh Yigit Dec. 15, 2023, 1:52 p.m. UTC | #1
On 12/15/2023 1:38 PM, Sivaramakrishnan Venkat wrote:
> Incorrect ptypes list causes buffer overflow for Address Sanitizer
> run. The last element in the ptypes lists to be "RTE_PTYPE_UNKNOWN"
> for rte_eth_dev_get_supported_ptypes().
> In rte_eth_dev_get_supported_ptypes(),the loop iterates until it
> finds "RTE_PTYPE_UNKNOWN" to detect last element of the ptypes array.
> Fix the ptypes list for drivers.
> 
> Fixes: 0849ac3b6122 ("net/tap: add packet type management")
> Fixes: a7bdc3bd4244 ("net/dpaa: support packet type parsing")
> Fixes: 4ccc8d770d3b ("net/mvneta: add PMD skeleton")
> Fixes: f3f0d77db6b0 ("net/mrvl: support packet type parsing")
> Fixes: 78a38edf66de ("ethdev: query supported packet types")
> Fixes: 659b494d3d88 ("net/pfe: add packet types and basic statistics")
> Fixes: 398a1be14168 ("net/thunderx: remove generic passX references")
> Cc: pascal.mazon@6wind.com
> Cc: zr@semihalf.com
> Cc: tdu@semihalf.com
> Cc: jianfeng.tan@intel.com
> Cc: g.singh@nxp.com
> Cc: jerin.jacob@caviumnetworks.com
> Cc: stable@dpdk.org
> 
> Signed-off-by: Sivaramakrishnan Venkat <venkatx.sivaramakrishnan@intel.com>
> 

Thanks Sivaramakrishnan for fixing all drivers.

Acked-by: Ferruh Yigit <ferruh.yigit@amd.com>



Is there any chance you can add relevant unit test to
'app/test/test_ethdev_api.c', this way it helps us prevent doing same
mistake in the future?
  
Sivaramakrishnan Venkat Dec. 15, 2023, 1:55 p.m. UTC | #2
Hi Ferruh,

> -----Original Message-----
> From: Ferruh Yigit <ferruh.yigit@amd.com>
> Sent: Friday, December 15, 2023 7:22 PM
> To: Sivaramakrishnan, VenkatX <venkatx.sivaramakrishnan@intel.com>; Hemant
> Agrawal <hemant.agrawal@nxp.com>; Sachin Saxena
> <sachin.saxena@nxp.com>; Zyta Szpak <zr@semihalf.com>; Liron Himi
> <lironh@marvell.com>; Chaoyong He <chaoyong.he@corigine.com>; Gagandeep
> Singh <g.singh@nxp.com>; Jerin Jacob <jerinj@marvell.com>; Maciej Czekaj
> <mczekaj@marvell.com>
> Cc: dev@dpdk.org; Power, Ciara <ciara.power@intel.com>;
> pascal.mazon@6wind.com; tdu@semihalf.com; jianfeng.tan@intel.com;
> jerin.jacob@caviumnetworks.com; stable@dpdk.org
> Subject: Re: [PATCH v2] net/tap: fix buffer overflow for ptypes list
> 
> On 12/15/2023 1:38 PM, Sivaramakrishnan Venkat wrote:
> > Incorrect ptypes list causes buffer overflow for Address Sanitizer
> > run. The last element in the ptypes lists to be "RTE_PTYPE_UNKNOWN"
> > for rte_eth_dev_get_supported_ptypes().
> > In rte_eth_dev_get_supported_ptypes(),the loop iterates until it finds
> > "RTE_PTYPE_UNKNOWN" to detect last element of the ptypes array.
> > Fix the ptypes list for drivers.
> >
> > Fixes: 0849ac3b6122 ("net/tap: add packet type management")
> > Fixes: a7bdc3bd4244 ("net/dpaa: support packet type parsing")
> > Fixes: 4ccc8d770d3b ("net/mvneta: add PMD skeleton")
> > Fixes: f3f0d77db6b0 ("net/mrvl: support packet type parsing")
> > Fixes: 78a38edf66de ("ethdev: query supported packet types")
> > Fixes: 659b494d3d88 ("net/pfe: add packet types and basic statistics")
> > Fixes: 398a1be14168 ("net/thunderx: remove generic passX references")
> > Cc: pascal.mazon@6wind.com
> > Cc: zr@semihalf.com
> > Cc: tdu@semihalf.com
> > Cc: jianfeng.tan@intel.com
> > Cc: g.singh@nxp.com
> > Cc: jerin.jacob@caviumnetworks.com
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Sivaramakrishnan Venkat
> > <venkatx.sivaramakrishnan@intel.com>
> >
> 
> Thanks Sivaramakrishnan for fixing all drivers.
> 
> Acked-by: Ferruh Yigit <ferruh.yigit@amd.com>
> 
> 
> 
> Is there any chance you can add relevant unit test to
> 'app/test/test_ethdev_api.c', this way it helps us prevent doing same mistake in
> the future?
> 
Currently, the application didn't crash for an invalid ptypes list.
It is a silent buffer overflow that was only detected by running ASAN.
 Could you please provide your inputs/ideas to implement a unit test for invalid ptypes list.

Thanks,
Venkat.
  
Ferruh Yigit Dec. 15, 2023, 5:21 p.m. UTC | #3
On 12/15/2023 1:55 PM, Sivaramakrishnan, VenkatX wrote:
> Hi Ferruh,
> 
>> -----Original Message-----
>> From: Ferruh Yigit <ferruh.yigit@amd.com>
>> Sent: Friday, December 15, 2023 7:22 PM
>> To: Sivaramakrishnan, VenkatX <venkatx.sivaramakrishnan@intel.com>; Hemant
>> Agrawal <hemant.agrawal@nxp.com>; Sachin Saxena
>> <sachin.saxena@nxp.com>; Zyta Szpak <zr@semihalf.com>; Liron Himi
>> <lironh@marvell.com>; Chaoyong He <chaoyong.he@corigine.com>; Gagandeep
>> Singh <g.singh@nxp.com>; Jerin Jacob <jerinj@marvell.com>; Maciej Czekaj
>> <mczekaj@marvell.com>
>> Cc: dev@dpdk.org; Power, Ciara <ciara.power@intel.com>;
>> pascal.mazon@6wind.com; tdu@semihalf.com; jianfeng.tan@intel.com;
>> jerin.jacob@caviumnetworks.com; stable@dpdk.org
>> Subject: Re: [PATCH v2] net/tap: fix buffer overflow for ptypes list
>>
>> On 12/15/2023 1:38 PM, Sivaramakrishnan Venkat wrote:
>>> Incorrect ptypes list causes buffer overflow for Address Sanitizer
>>> run. The last element in the ptypes lists to be "RTE_PTYPE_UNKNOWN"
>>> for rte_eth_dev_get_supported_ptypes().
>>> In rte_eth_dev_get_supported_ptypes(),the loop iterates until it finds
>>> "RTE_PTYPE_UNKNOWN" to detect last element of the ptypes array.
>>> Fix the ptypes list for drivers.
>>>
>>> Fixes: 0849ac3b6122 ("net/tap: add packet type management")
>>> Fixes: a7bdc3bd4244 ("net/dpaa: support packet type parsing")
>>> Fixes: 4ccc8d770d3b ("net/mvneta: add PMD skeleton")
>>> Fixes: f3f0d77db6b0 ("net/mrvl: support packet type parsing")
>>> Fixes: 78a38edf66de ("ethdev: query supported packet types")
>>> Fixes: 659b494d3d88 ("net/pfe: add packet types and basic statistics")
>>> Fixes: 398a1be14168 ("net/thunderx: remove generic passX references")
>>> Cc: pascal.mazon@6wind.com
>>> Cc: zr@semihalf.com
>>> Cc: tdu@semihalf.com
>>> Cc: jianfeng.tan@intel.com
>>> Cc: g.singh@nxp.com
>>> Cc: jerin.jacob@caviumnetworks.com
>>> Cc: stable@dpdk.org
>>>
>>> Signed-off-by: Sivaramakrishnan Venkat
>>> <venkatx.sivaramakrishnan@intel.com>
>>>
>>
>> Thanks Sivaramakrishnan for fixing all drivers.
>>
>> Acked-by: Ferruh Yigit <ferruh.yigit@amd.com>
>>
>>
>>
>> Is there any chance you can add relevant unit test to
>> 'app/test/test_ethdev_api.c', this way it helps us prevent doing same mistake in
>> the future?
>>
> Currently, the application didn't crash for an invalid ptypes list.
> It is a silent buffer overflow that was only detected by running ASAN.
>  Could you please provide your inputs/ideas to implement a unit test for invalid ptypes list.
> 

I was thinking just call the API and detect the crash, but if it doesn't
cause crash it won't help much.

This is .dev_supported_ptypes_get() design problem, it is relying on
driver set array ending with 'RTE_PTYPE_UNKNOWN' but there is no way to
verify it. Also this requirement is not documented very well.

Please scratch the ask to add unit test.
Perhaps we can change the '.dev_supported_ptypes_get()', this should be
possible without impacting the user, just by updating drivers.

'.dev_supported_ptypes_get()' can be updated as:
typedef const uint32_t *
(*eth_dev_supported_ptypes_get_t)(struct rte_eth_dev *dev, uint32_t num);
'num' is simply size of returned 'ptypes' array.

This eliminates need to have 'RTE_PTYPE_UNKNOWN' as last item, and
overall change is not so big.
What do you think, does new dev_ops fingerprint make sense to you?
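
The two contracts discussed in this thread, shown side by side as an added example (not DPDK code and not part of the original messages): a sentinel scan over a list that lacks its terminator, and a getter that reports the array size. All names (`PT_*`, `pre_fix`, `demo_ptypes_get`, `filter_ptypes`) and the `size_t *` out-parameter are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed stand-ins for RTE_PTYPE_* values; the numbers are illustrative. */
#define PT_UNKNOWN 0x0u
#define PT_L3_IPV4 0x10u
#define PT_L4_TCP  0x100u
#define PT_L4_UDP  0x200u
#define PT_L4_MASK 0xf00u
#define DIM(a) (sizeof(a) / sizeof((a)[0]))
/* A driver list shaped like the pre-fix ones: no terminating PT_UNKNOWN. */
static const uint32_t pre_fix[] = { PT_L3_IPV4, PT_L4_TCP, PT_L4_UDP };

/* Sentinel contract: entries before PT_UNKNOWN, or -1 if it is missing. 'cap'
 * keeps this demo in bounds; a caller with only the pointer has no such limit. */
static int count_by_sentinel(const uint32_t *ptypes, size_t cap)
{
	for (size_t i = 0; i < cap; i++)
		if (ptypes[i] == PT_UNKNOWN)
			return (int)i;
	return -1;
}

/* Count contract (hypothetical driver op): the size comes back with the list. */
static const uint32_t *demo_ptypes_get(size_t *num)
{
	*num = DIM(pre_fix);
	return pre_fix;
}

/* Caller: copy entries matching 'mask' into out[], return how many matched. */
static int filter_ptypes(uint32_t mask, uint32_t *out, int out_len)
{
	size_t num;
	const uint32_t *all = demo_ptypes_get(&num);
	int matched = 0;
	for (size_t i = 0; i < num; i++)
		if (all[i] & mask) {
			if (matched < out_len)
				out[matched] = all[i];
			matched++;
		}
	return matched;
}

int main(void)
{
	uint32_t out[4];
	return count_by_sentinel(pre_fix, DIM(pre_fix)) != -1 || filter_ptypes(PT_L4_MASK, out, 4) != 2;
}
```

With the count contract the caller's loop bound never depends on the array contents, so a list without a terminator is still read safely.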
  

Patch

diff --git a/drivers/net/dpaa/dpaa_ethdev.c b/drivers/net/dpaa/dpaa_ethdev.c
index ef4c06db6a..779bdc5860 100644
--- a/drivers/net/dpaa/dpaa_ethdev.c
+++ b/drivers/net/dpaa/dpaa_ethdev.c
@@ -363,7 +363,8 @@  dpaa_supported_ptypes_get(struct rte_eth_dev *dev)
 		RTE_PTYPE_L4_TCP,
 		RTE_PTYPE_L4_UDP,
 		RTE_PTYPE_L4_SCTP,
-		RTE_PTYPE_TUNNEL_ESP
+		RTE_PTYPE_TUNNEL_ESP,
+		RTE_PTYPE_UNKNOWN
 	};
 
 	PMD_INIT_FUNC_TRACE();
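Review bot: the new last entry of the list in dpaa_supported_ptypes_get() carries no comment saying it is required, so a later edit that appends a ptype after `RTE_PTYPE_UNKNOWN` or drops it would bring the overread back without any build or test failure. Suggest a one-line comment on that entry noting that rte_eth_dev_get_supported_ptypes() scans up to it; the same applies to the other lists touched by this patch.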
diff --git a/drivers/net/mvneta/mvneta_ethdev.c b/drivers/net/mvneta/mvneta_ethdev.c
index daa69e533a..212c300c14 100644
--- a/drivers/net/mvneta/mvneta_ethdev.c
+++ b/drivers/net/mvneta/mvneta_ethdev.c
@@ -198,7 +198,8 @@  mvneta_dev_supported_ptypes_get(struct rte_eth_dev *dev __rte_unused)
 		RTE_PTYPE_L3_IPV4,
 		RTE_PTYPE_L3_IPV6,
 		RTE_PTYPE_L4_TCP,
-		RTE_PTYPE_L4_UDP
+		RTE_PTYPE_L4_UDP,
+		RTE_PTYPE_UNKNOWN
 	};
 
 	return ptypes;
diff --git a/drivers/net/mvpp2/mrvl_ethdev.c b/drivers/net/mvpp2/mrvl_ethdev.c
index c12364941d..4cc64c7cad 100644
--- a/drivers/net/mvpp2/mrvl_ethdev.c
+++ b/drivers/net/mvpp2/mrvl_ethdev.c
@@ -1777,7 +1777,8 @@  mrvl_dev_supported_ptypes_get(struct rte_eth_dev *dev __rte_unused)
 		RTE_PTYPE_L3_IPV6_EXT,
 		RTE_PTYPE_L2_ETHER_ARP,
 		RTE_PTYPE_L4_TCP,
-		RTE_PTYPE_L4_UDP
+		RTE_PTYPE_L4_UDP,
+		RTE_PTYPE_UNKNOWN
 	};
 
 	return ptypes;
diff --git a/drivers/net/nfp/nfp_net_common.c b/drivers/net/nfp/nfp_net_common.c
index e969b840d6..46d0e07850 100644
--- a/drivers/net/nfp/nfp_net_common.c
+++ b/drivers/net/nfp/nfp_net_common.c
@@ -1299,6 +1299,7 @@  nfp_net_supported_ptypes_get(struct rte_eth_dev *dev)
 		RTE_PTYPE_INNER_L4_NONFRAG,
 		RTE_PTYPE_INNER_L4_ICMP,
 		RTE_PTYPE_INNER_L4_SCTP,
+		RTE_PTYPE_UNKNOWN
 	};
 
 	if (dev->rx_pkt_burst != nfp_net_recv_pkts)
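Review bot: the commit message has no Fixes: tag for nfp, although this hunk changes the list in nfp_net_supported_ptypes_get(); the tags present cover tap, dpaa, mvneta, mrvl, ethdev, pfe and thunderx only. Since the patch is Cc'd to stable, please add the nfp commit that introduced the unterminated list so the backport can be matched to the right branches.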
diff --git a/drivers/net/pfe/pfe_ethdev.c b/drivers/net/pfe/pfe_ethdev.c
index 551f3cf193..0073dd7405 100644
--- a/drivers/net/pfe/pfe_ethdev.c
+++ b/drivers/net/pfe/pfe_ethdev.c
@@ -520,7 +520,8 @@  pfe_supported_ptypes_get(struct rte_eth_dev *dev)
 		RTE_PTYPE_L3_IPV6_EXT,
 		RTE_PTYPE_L4_TCP,
 		RTE_PTYPE_L4_UDP,
-		RTE_PTYPE_L4_SCTP
+		RTE_PTYPE_L4_SCTP,
+		RTE_PTYPE_UNKNOWN
 	};
 
 	if (dev->rx_pkt_burst == pfe_recv_pkts ||
diff --git a/drivers/net/tap/rte_eth_tap.c b/drivers/net/tap/rte_eth_tap.c
index b41fa971cb..3fa03cdbee 100644
--- a/drivers/net/tap/rte_eth_tap.c
+++ b/drivers/net/tap/rte_eth_tap.c
@@ -1803,6 +1803,7 @@  tap_dev_supported_ptypes_get(struct rte_eth_dev *dev __rte_unused)
 		RTE_PTYPE_L4_UDP,
 		RTE_PTYPE_L4_TCP,
 		RTE_PTYPE_L4_SCTP,
+		RTE_PTYPE_UNKNOWN
 	};
 
 	return ptypes;
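Review bot: the title says net/tap, but tap_dev_supported_ptypes_get() is only one of seven driver functions changed by this patch. Consider a title that reflects the real scope, or one patch per driver with its own Fixes: tag, which would make the stable backports easier to pick individually.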
diff --git a/drivers/net/thunderx/nicvf_ethdev.c b/drivers/net/thunderx/nicvf_ethdev.c
index a504d41dfe..ff41714927 100644
--- a/drivers/net/thunderx/nicvf_ethdev.c
+++ b/drivers/net/thunderx/nicvf_ethdev.c
@@ -392,6 +392,7 @@  nicvf_dev_supported_ptypes_get(struct rte_eth_dev *dev)
 		RTE_PTYPE_L4_TCP,
 		RTE_PTYPE_L4_UDP,
 		RTE_PTYPE_L4_FRAG,
+		RTE_PTYPE_UNKNOWN
 	};
 	static const uint32_t ptypes_tunnel[] = {
 		RTE_PTYPE_TUNNEL_GRE,
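Review bot: only `ptypes[]` gets a terminator in nicvf_dev_supported_ptypes_get(), while the trailing context shows a second list, `ptypes_tunnel[]`, starting right below it. Please check how the two are used: if `ptypes_tunnel[]` is ever returned or scanned on its own it needs the same terminator, and if the function concatenates both lists into one array, an `RTE_PTYPE_UNKNOWN` in the middle would end the scan before the tunnel entries are reached.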