diff mbox series

[v3] test/hash: fix buffer overflow

Message ID	1634233699-197151-1-git-send-email-vladimir.medvedkin@intel.com (mailing list archive)
State	Accepted, archived
Delegated to:	David Marchand
Headers	From: Vladimir Medvedkin <vladimir.medvedkin@intel.com> To: dev@dpdk.org Cc: yipeng1.wang@intel.com, sameh.gobriel@intel.com, bruce.richardson@intel.com, david.marchand@redhat.com, stable@dpdk.org Date: Thu, 14 Oct 2021 18:48:19 +0100 Message-Id: <1634233699-197151-1-git-send-email-vladimir.medvedkin@intel.com> In-Reply-To: <1634153265-193315-1-git-send-email-vladimir.medvedkin@intel.com> References: <1634153265-193315-1-git-send-email-vladimir.medvedkin@intel.com> Subject: [dpdk-dev] [PATCH v3] test/hash: fix buffer overflow Precedence: list Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org>
Series	[v3] test/hash: fix buffer overflow \| [v3] test/hash: fix buffer overflow

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK
ci/github-robot: build	success	github build: passed
ci/iol-broadcom-Functional	success	Functional Testing PASS
ci/iol-broadcom-Performance	success	Performance Testing PASS
ci/iol-intel-Functional	fail	Functional Testing issues
ci/iol-intel-Performance	success	Performance Testing PASS
ci/iol-x86_64-compile-testing	success	Testing PASS
ci/iol-x86_64-unit-testing	success	Testing PASS
ci/iol-aarch64-unit-testing	success	Testing PASS
ci/iol-mellanox-Performance	success	Performance Testing PASS
ci/Intel-compilation	success	Compilation OK
ci/intel-Testing	success	Testing PASS
ci/iol-aarch64-compile-testing	success	Testing PASS

Commit Message

Vladimir Medvedkin Oct. 14, 2021, 5:48 p.m. UTC

  This patch fixes buffer overflow reported by ASAN,
please reference https://bugs.dpdk.org/show_bug.cgi?id=818

Some tests for the rte_hash table use the rte_jhash_32b() as
the hash function. This hash function interprets the length
argument in units of 4 bytes.

This patch adds a wrapper function around rte_jhash_32b()
to reflect API differences regarding the length argument,
effectively dividing it by 4.

For some tests rte_jhash() is used with keys of length not
a multiple of 4 bytes. From the rte_jhash() documentation:
If input key is not aligned to four byte boundaries or a
multiple of four bytes in length, the memory region just
after may be read (but not used in the computation).

This patch increases the size of the proto field of the
flow_key struct up to uint32_t.

Bugzilla ID: 818
Fixes: af75078fece3 ("first public release")
Cc: stable@dpdk.org

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
---
 app/test/test_hash.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

Comments

David Marchand Oct. 15, 2021, 9:33 a.m. UTC | #1

On Thu, Oct 14, 2021 at 7:55 PM Vladimir Medvedkin
<vladimir.medvedkin@intel.com> wrote:
> @@ -1607,6 +1611,17 @@ static struct rte_hash_parameters hash_params_ex = {
>  };
>
>  /*
> + * Wrapper function around rte_jhash_32b.
> + * It is required because rte_jhash_32b() accepts the length
> + * as size of 4-byte units.
> + */
> +static inline uint32_t
> +test_jhash_32b(const void *k, uint32_t length, uint32_t initval)
> +{
> +       return rte_jhash_32b(k, length >> 2, initval);
> +}

I am confused.
Does it mean that rte_jhash_32b is not compliant with rte_hash_create API?

Vladimir Medvedkin Oct. 15, 2021, 1:02 p.m. UTC | #2

Hi David,

On 15/10/2021 11:33, David Marchand wrote:
> On Thu, Oct 14, 2021 at 7:55 PM Vladimir Medvedkin
> <vladimir.medvedkin@intel.com> wrote:
>> @@ -1607,6 +1611,17 @@ static struct rte_hash_parameters hash_params_ex = {
>>   };
>>
>>   /*
>> + * Wrapper function around rte_jhash_32b.
>> + * It is required because rte_jhash_32b() accepts the length
>> + * as size of 4-byte units.
>> + */
>> +static inline uint32_t
>> +test_jhash_32b(const void *k, uint32_t length, uint32_t initval)
>> +{
>> +       return rte_jhash_32b(k, length >> 2, initval);
>> +}
> 
> I am confused.
> Does it mean that rte_jhash_32b is not compliant with rte_hash_create API?
> 

I think so too, because despite the fact that the ABI is the same, the 
API remains different with respect to the length argument.

>

David Marchand Oct. 19, 2021, 7:02 a.m. UTC | #3

On Fri, Oct 15, 2021 at 3:02 PM Medvedkin, Vladimir
<vladimir.medvedkin@intel.com> wrote:
> > I am confused.
> > Does it mean that rte_jhash_32b is not compliant with rte_hash_create API?
> >
>
> I think so too, because despite the fact that the ABI is the same, the
> API remains different with respect to the length argument.

Sorry I don't follow you with "ABI is the same".
Can you explain please?

I am not against the fix, but it seems to test something different
than what an application using the hash library would do.
Or if an application directly calls this hash function, maybe the unit
test should not test it via rte_hash_create (which seems to defeat the
abstraction).

Vladimir Medvedkin Oct. 19, 2021, 3:57 p.m. UTC | #4

Hi David,

On 19/10/2021 09:02, David Marchand wrote:
> On Fri, Oct 15, 2021 at 3:02 PM Medvedkin, Vladimir
> <vladimir.medvedkin@intel.com> wrote:
>>> I am confused.
>>> Does it mean that rte_jhash_32b is not compliant with rte_hash_create API?
>>>
>>
>> I think so too, because despite the fact that the ABI is the same, the
>> API remains different with respect to the length argument.
> 
> Sorry I don't follow you with "ABI is the same".
> Can you explain please?
> 

I meant that rte_hash accepts:

/** Type of function that can be used for calculating the hash value. */
typedef uint32_t (*rte_hash_function)(const void *key, uint32_t key_len, 
  uint32_t init_val);

as a hash function. And signatures of rte_jhash() and rte_jhash_32b() 
are the same, but differ in the semantics of the "key_len" argument. 
Internally rte_hash passes a length of the key counted in bytes to this 
functions, so problems appears if configured hash function considers the 
key_len as something else than the size in bytes.

> 
> I am not against the fix, but it seems to test something different
> than what an application using the hash library would do.
> Or if an application directly calls this hash function, maybe the unit
> test should not test it via rte_hash_create (which seems to defeat the
> abstraction).
> 

I'd say that user should not use this hash function with rte_hash.
Yipeng, Sameh, Bruce,
what do you think?

>

David Marchand Oct. 20, 2021, 7:54 p.m. UTC | #5

On Tue, Oct 19, 2021 at 5:58 PM Medvedkin, Vladimir
<vladimir.medvedkin@intel.com> wrote:
> > I am not against the fix, but it seems to test something different
> > than what an application using the hash library would do.
> > Or if an application directly calls this hash function, maybe the unit
> > test should not test it via rte_hash_create (which seems to defeat the
> > abstraction).
> >
>
> I'd say that user should not use this hash function with rte_hash.
> Yipeng, Sameh, Bruce,
> what do you think?

Guys, can we conclude?
Thanks.

Wang, Yipeng1 Oct. 20, 2021, 8:49 p.m. UTC | #6

> -----Original Message-----
> From: David Marchand <david.marchand@redhat.com>
> Sent: Wednesday, October 20, 2021 12:54 PM
> To: Wang, Yipeng1 <yipeng1.wang@intel.com>; Gobriel, Sameh
> <sameh.gobriel@intel.com>; Richardson, Bruce
> <bruce.richardson@intel.com>
> Cc: dev <dev@dpdk.org>; dpdk stable <stable@dpdk.org>; Medvedkin,
> Vladimir <vladimir.medvedkin@intel.com>
> Subject: Re: [PATCH v3] test/hash: fix buffer overflow
> 
> On Tue, Oct 19, 2021 at 5:58 PM Medvedkin, Vladimir
> <vladimir.medvedkin@intel.com> wrote:
> > > I am not against the fix, but it seems to test something different
> > > than what an application using the hash library would do.
> > > Or if an application directly calls this hash function, maybe the
> > > unit test should not test it via rte_hash_create (which seems to
> > > defeat the abstraction).
> > >
> >
> > I'd say that user should not use this hash function with rte_hash.
> > Yipeng, Sameh, Bruce,
> > what do you think?
> 
> Guys, can we conclude?
> Thanks.
> 
> 
> --
> David Marchand
[Wang, Yipeng] 

Vladimir, Bruce and I discussed a bit offline and I think we agreed on this fix.
But we should be more clear in the comment of rte_hash_create about what hash function the API expected (I.e. key length is byte count).

Acked-by: Yipeng Wang <yipeng1.wang@intel.com>

David Marchand Oct. 21, 2021, 7:40 a.m. UTC | #7

On Thu, Oct 14, 2021 at 7:55 PM Vladimir Medvedkin
<vladimir.medvedkin@intel.com> wrote:
>
> This patch fixes buffer overflow reported by ASAN,
> please reference https://bugs.dpdk.org/show_bug.cgi?id=818
>
> Some tests for the rte_hash table use the rte_jhash_32b() as
> the hash function. This hash function interprets the length
> argument in units of 4 bytes.
>
> This patch adds a wrapper function around rte_jhash_32b()
> to reflect API differences regarding the length argument,
> effectively dividing it by 4.
>
> For some tests rte_jhash() is used with keys of length not
> a multiple of 4 bytes. From the rte_jhash() documentation:
> If input key is not aligned to four byte boundaries or a
> multiple of four bytes in length, the memory region just
> after may be read (but not used in the computation).
>
> This patch increases the size of the proto field of the
> flow_key struct up to uint32_t.
>
> Bugzilla ID: 818
> Fixes: af75078fece3 ("first public release")
> Cc: stable@dpdk.org
>
> Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Yipeng Wang <yipeng1.wang@intel.com>

Removed a few comments in code (about previous size of flow_key
struct), and applied.

Thanks.

diff mbox series

Patch

diff --git a/app/test/test_hash.c b/app/test/test_hash.c
index bd4d0cb..9daf99d 100644
--- a/app/test/test_hash.c
+++ b/app/test/test_hash.c
@@ -74,13 +74,17 @@  static uint32_t hashtest_key_lens[] = {0, 2, 4, 5, 6, 7, 8, 10, 11, 15, 16, 21,
 	}								\
 } while (0)
 
-/* 5-tuple key type */
+/*
+ * 5-tuple key type.
+ * Should be packed to avoid holes with potentially
+ * undefined content in the middle.
+ */
 struct flow_key {
 	uint32_t ip_src;
 	uint32_t ip_dst;
 	uint16_t port_src;
 	uint16_t port_dst;
-	uint8_t proto;
+	uint32_t proto;
 } __rte_packed;
 
 /*
@@ -1607,6 +1611,17 @@  static struct rte_hash_parameters hash_params_ex = {
 };
 
 /*
+ * Wrapper function around rte_jhash_32b.
+ * It is required because rte_jhash_32b() accepts the length
+ * as size of 4-byte units.
+ */
+static inline uint32_t
+test_jhash_32b(const void *k, uint32_t length, uint32_t initval)
+{
+	return rte_jhash_32b(k, length >> 2, initval);
+}
+
+/*
  * add/delete key with jhash2
  */
 static int
@@ -1618,7 +1633,7 @@  test_hash_add_delete_jhash2(void)
 
 	hash_params_ex.name = "hash_test_jhash2";
 	hash_params_ex.key_len = 4;
-	hash_params_ex.hash_func = (rte_hash_function)rte_jhash_32b;
+	hash_params_ex.hash_func = (rte_hash_function)test_jhash_32b;
 
 	handle = rte_hash_create(&hash_params_ex);
 	if (handle == NULL) {
@@ -1657,7 +1672,7 @@  test_hash_add_delete_2_jhash2(void)
 
 	hash_params_ex.name = "hash_test_2_jhash2";
 	hash_params_ex.key_len = 8;
-	hash_params_ex.hash_func = (rte_hash_function)rte_jhash_32b;
+	hash_params_ex.hash_func = (rte_hash_function)test_jhash_32b;
 
 	handle = rte_hash_create(&hash_params_ex);
 	if (handle == NULL)
@@ -2180,6 +2195,8 @@  test_hash_rcu_qsbr_sync_mode(uint8_t ext_bkt)
 static int
 test_hash(void)
 {
+	RTE_BUILD_BUG_ON(sizeof(struct flow_key) % sizeof(uint32_t) != 0);
+
 	if (test_add_delete() < 0)
 		return -1;
 	if (test_hash_add_delete_jhash2() < 0)