From patchwork Sun Feb 5 16:54:20 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Isaac Boukris
X-Patchwork-Id: 123061
X-Patchwork-Delegate: thomas@monjalon.net
From: Isaac Boukris
Date: Sun, 5 Feb 2023 18:54:20 +0200
Subject: BUG: AddressSanitizer reports a buffer-overflow on rte_hash_lookup
To: dev@dpdk.org
List-Id: DPDK patches and discussions

Hi,

I managed to reproduce it by modifying the helloworld app (see attached).

The report seems correct, as in case of 10 byte key the code tries to look at the key as uint32 array and accesses k[2] which is two bytes over, see:
https://github.com/DPDK/dpdk/blob/0bf5832222971a0154c9150d4a7a4b82ecbc9ddb/lib/hash/rte_jhash.h#L118

$ sudo build/helloworld --iova-mode=pa
EAL: Detected CPU lcores: 8
EAL: Detected NUMA nodes: 1
EAL: Detected static linkage of DPDK
EAL: Multi-process socket /var/run/dpdk/rte/mp_socket
EAL: Selected IOVA mode 'PA'
EAL: VFIO support initialized
EAL: Using IOMMU type 1 (Type 1)
EAL: Ignore mapping IO port bar(3)
EAL: Probe PCI driver: net_vmxnet3 (15ad:7b0) device: 0000:0b:00.0 (socket -1)
=================================================================
==21410==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000024fe428 at pc 0x000001293b0b bp 0x7fff126ef2d0 sp 0x7fff126ef2c0
READ of size 4 at 0x0000024fe428 thread T0
    #0 0x1293b0a in __rte_jhash_2hashes (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x1293b0a)
    #1 0x12953bf in rte_jhash_2hashes (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x12953bf)
    #2 0x12954c8 in rte_jhash (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x12954c8)
    #3 0x1bd7168 in rte_hash_lookup (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x1bd7168)
    #4 0x1295600 in main (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x1295600)
    #5 0x7fe8fffbbd84 in __libc_start_main (/lib64/libc.so.6+0x3ad84)
    #6 0x129356d in _start (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x129356d)

0x0000024fe42a is located 0 bytes to the right of global variable 'hash_key' defined in 'main.c:34:13' (0x24fe420) of size 10
SUMMARY: AddressSanitizer: global-buffer-overflow (/home/admin/dpdk/share/dpdk/examples/helloworld/build/helloworld-static+0x1293b0a) in __rte_jhash_2hashes

From 44a74ac537fbee031bedda74fa05099f3fd3f552 Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Sun, 5 Feb 2023 11:20:29 +0200
Subject: [PATCH] Demo bug in rte_hash_lookup

---
 examples/helloworld/Makefile |  2 +-
 examples/helloworld/main.c   | 23 +++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/examples/helloworld/Makefile b/examples/helloworld/Makefile index 2a6a2f1527..14e44b8aa8 100644 --- a/examples/helloworld/Makefile +++ b/examples/helloworld/Makefile @@ -22,7 +22,7 @@ static: build/$(APP)-static ln -sf $(APP)-static build/$(APP) PC_FILE := $(shell $(PKGCONF) --path libdpdk 2>/dev/null) -CFLAGS += -O3 $(shell $(PKGCONF) --cflags libdpdk) +CFLAGS += -O0 -fsanitize=address $(shell $(PKGCONF) --cflags libdpdk) LDFLAGS_SHARED = $(shell $(PKGCONF) --libs libdpdk) LDFLAGS_STATIC = $(shell $(PKGCONF) --static --libs libdpdk) diff --git a/examples/helloworld/main.c b/examples/helloworld/main.c index af509138da..7460fbdfea 100644 --- a/examples/helloworld/main.c +++ b/examples/helloworld/main.c @@ -15,6 +15,11 @@ #include #include +#include +#include +#include +#include + /* Launch a function on lcore. 8< */ static int lcore_hello(__rte_unused void *arg) 
@@ -26,18 +31,36 @@ lcore_hello(__rte_unused void *arg) } /* >8 End of launching function on lcore. */ +static char hash_key[10] = ""; + +static struct rte_hash_parameters h_params = { + .entries = 64, + .key_len = sizeof(hash_key), + .hash_func = rte_jhash, + .hash_func_init_val = 0, + .socket_id = 0, +}; + /* Initialization of Environment Abstraction Layer (EAL). 8< */ int main(int argc, char **argv) { int ret; unsigned lcore_id; + struct rte_hash *handle; + int pos; ret = rte_eal_init(argc, argv); if (ret < 0) rte_panic("Cannot init EAL\n"); /* >8 End of initialization of Environment Abstraction Layer */ + handle = rte_hash_create(&h_params); + assert(handle != NULL); + + pos = rte_hash_lookup(handle, &hash_key); + assert(pos == -ENOENT); + /* Launches the function on each lcore. 8< */ RTE_LCORE_FOREACH_WORKER(lcore_id) { /* Simpler equivalent. 8< */ -- 2.31.1
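
Review bot: In the Makefile hunk, the new CFLAGS line enables -fsanitize=address without -g, which is why the frames in the report above resolve only to binary plus offset (helloworld-static+0x1293b0a) and not to file:line. Adding -g -fno-omit-frame-pointer on the same line would let the trace point at the exact read in the hash code. Because the sanitizer flags replace -O3 unconditionally, guarding them behind a make variable would be preferable if this is ever kept as more than a one-off reproducer.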
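
Review bot: In the main() part of the second main.c hunk, the results of rte_hash_create() and rte_hash_lookup() are checked with assert(), which is compiled out under NDEBUG, while the line just above reports failure with rte_panic("Cannot init EAL\n"); using rte_panic() for both checks would make the reproducer fail loudly in every build. The table is also never released with rte_hash_free(handle), and rte_hash_lookup(handle, &hash_key) can pass hash_key directly. A one-line comment on "static char hash_key[10]" saying the length is deliberately not a multiple of 4 would make the purpose of the key size clear to readers of the demo.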
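
The tail over-read described in the report, as an added example that is not part of the original message or of DPDK's code: it computes how far a word-wise read of the last partial block runs past a key, and shows a bounded load that zero-fills instead of reading beyond the buffer. The function names and the sample key are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 10-byte key, same size as hash_key in the reproducer. */
static const uint8_t sample_key[10] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10};

/* Bytes read past the key when the last partial block is loaded as
 * whole 32-bit words (the k[2] access the report describes). */
static size_t tail_overread_bytes(size_t key_len)
{
    size_t rem = key_len % sizeof(uint32_t);
    return rem ? sizeof(uint32_t) - rem : 0;
}

/* Bounded load of word idx: copies only bytes inside key[0..key_len)
 * and zero-fills the rest, so no byte outside the key is touched. */
static uint32_t load_word_bounded(const void *key, size_t key_len, size_t idx)
{
    uint32_t w = 0;
    size_t off = idx * sizeof(w);
    if (off < key_len) {
        size_t n = key_len - off;
        memcpy(&w, (const uint8_t *)key + off, n < sizeof(w) ? n : sizeof(w));
    }
    return w;
}

/* Reference: the same word taken from a zero-padded 12-byte copy
 * (valid for key_len <= 12 and idx <= 2). */
static uint32_t load_word_padded(const void *key, size_t key_len, size_t idx)
{
    uint8_t pad[12] = {0};
    uint32_t w;
    memcpy(pad, key, key_len < sizeof(pad) ? key_len : sizeof(pad));
    memcpy(&w, pad + idx * sizeof(w), sizeof(w));
    return w;
}

int main(void)
{
    printf("over-read for a %zu-byte key: %zu bytes\n",
           sizeof(sample_key), tail_overread_bytes(sizeof(sample_key)));
    printf("k[2] bounded: 0x%08x, padded: 0x%08x\n",
           (unsigned)load_word_bounded(sample_key, sizeof(sample_key), 2),
           (unsigned)load_word_padded(sample_key, sizeof(sample_key), 2));
    return 0;
}
```

The other common remedy on the caller's side is to size the key buffer up to a multiple of 4 bytes and zero the padding, which is what load_word_padded models.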