From patchwork Thu Oct 14 17:48:19 2021
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
X-Patchwork-Id: 101674
X-Patchwork-Delegate: david.marchand@redhat.com
Return-Path: <dev-bounces@dpdk.org>
X-Original-To: patchwork@inbox.dpdk.org
Delivered-To: patchwork@inbox.dpdk.org
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id EF2E3A0C4B;
	Thu, 14 Oct 2021 19:58:48 +0200 (CEST)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id D54B74067C;
	Thu, 14 Oct 2021 19:58:48 +0200 (CEST)
Received: from mga11.intel.com (mga11.intel.com [192.55.52.93])
 by mails.dpdk.org (Postfix) with ESMTP id DBF854003C;
 Thu, 14 Oct 2021 19:58:46 +0200 (CEST)
X-IronPort-AV: E=McAfee;i="6200,9189,10137"; a="225213374"
X-IronPort-AV: E=Sophos;i="5.85,373,1624345200"; d="scan'208";a="225213374"
Received: from orsmga003.jf.intel.com ([10.7.209.27])
 by fmsmga102.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 14 Oct 2021 10:48:24 -0700
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.85,373,1624345200"; d="scan'208";a="442926777"
Received: from silpixa00400072.ir.intel.com ([10.237.222.213])
 by orsmga003.jf.intel.com with ESMTP; 14 Oct 2021 10:48:21 -0700
From: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
To: dev@dpdk.org
Cc: yipeng1.wang@intel.com, sameh.gobriel@intel.com,
 bruce.richardson@intel.com, david.marchand@redhat.com, stable@dpdk.org
Date: Thu, 14 Oct 2021 18:48:19 +0100
Message-Id: <1634233699-197151-1-git-send-email-vladimir.medvedkin@intel.com>
X-Mailer: git-send-email 2.7.4
In-Reply-To: <1634153265-193315-1-git-send-email-vladimir.medvedkin@intel.com>
References: <1634153265-193315-1-git-send-email-vladimir.medvedkin@intel.com>
Subject: [dpdk-dev] [PATCH v3] test/hash: fix buffer overflow
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

This patch fixes buffer overflow reported by ASAN,
please reference https://bugs.dpdk.org/show_bug.cgi?id=818

Some tests for the rte_hash table use the rte_jhash_32b() as
the hash function. This hash function interprets the length
argument in units of 4 bytes.

This patch adds a wrapper function around rte_jhash_32b()
to reflect API differences regarding the length argument,
effectively dividing it by 4.

For some tests rte_jhash() is used with keys of length not
a multiple of 4 bytes. From the rte_jhash() documentation:
If input key is not aligned to four byte boundaries or a
multiple of four bytes in length, the memory region just
after may be read (but not used in the computation).

This patch increases the size of the proto field of the
flow_key struct up to uint32_t.

Bugzilla ID: 818
Fixes: af75078fece3 ("first public release")
Cc: stable@dpdk.org

Signed-off-by: Vladimir Medvedkin <vladimir.medvedkin@intel.com>
Acked-by: Yipeng Wang <yipeng1.wang@intel.com>
Acked-by: Yipeng Wang <yipeng1.wang@intel.com>
---
 app/test/test_hash.c | 25 +++++++++++++++++++++----
 1 file changed, 21 insertions(+), 4 deletions(-)

diff --git a/app/test/test_hash.c b/app/test/test_hash.c
index bd4d0cb..9daf99d 100644
--- a/app/test/test_hash.c
+++ b/app/test/test_hash.c
@@ -74,13 +74,17 @@ static uint32_t hashtest_key_lens[] = {0, 2, 4, 5, 6, 7, 8, 10, 11, 15, 16, 21,
 	}								\
 } while (0)
 
-/* 5-tuple key type */
+/*
+ * 5-tuple key type.
+ * Should be packed to avoid holes with potentially
+ * undefined content in the middle.
+ */
 struct flow_key {
 	uint32_t ip_src;
 	uint32_t ip_dst;
 	uint16_t port_src;
 	uint16_t port_dst;
-	uint8_t proto;
+	uint32_t proto;
 } __rte_packed;
 
 /*
@@ -1607,6 +1611,17 @@ static struct rte_hash_parameters hash_params_ex = {
 };
 
 /*
+ * Wrapper function around rte_jhash_32b.
+ * It is required because rte_jhash_32b() accepts the length
+ * as size of 4-byte units.
+ */
+static inline uint32_t
+test_jhash_32b(const void *k, uint32_t length, uint32_t initval)
+{
+	return rte_jhash_32b(k, length >> 2, initval);
+}
+
+/*
  * add/delete key with jhash2
  */
 static int
@@ -1618,7 +1633,7 @@ test_hash_add_delete_jhash2(void)
 
 	hash_params_ex.name = "hash_test_jhash2";
 	hash_params_ex.key_len = 4;
-	hash_params_ex.hash_func = (rte_hash_function)rte_jhash_32b;
+	hash_params_ex.hash_func = (rte_hash_function)test_jhash_32b;
 
 	handle = rte_hash_create(&hash_params_ex);
 	if (handle == NULL) {
@@ -1657,7 +1672,7 @@ test_hash_add_delete_2_jhash2(void)
 
 	hash_params_ex.name = "hash_test_2_jhash2";
 	hash_params_ex.key_len = 8;
-	hash_params_ex.hash_func = (rte_hash_function)rte_jhash_32b;
+	hash_params_ex.hash_func = (rte_hash_function)test_jhash_32b;
 
 	handle = rte_hash_create(&hash_params_ex);
 	if (handle == NULL)
@@ -2180,6 +2195,8 @@ test_hash_rcu_qsbr_sync_mode(uint8_t ext_bkt)
 static int
 test_hash(void)
 {
+	RTE_BUILD_BUG_ON(sizeof(struct flow_key) % sizeof(uint32_t) != 0);
+
 	if (test_add_delete() < 0)
 		return -1;
 	if (test_hash_add_delete_jhash2() < 0)