diff mbox series

eal/linux: fix uevent message parsing

Message ID	20211102184020.438-1-david.marchand@redhat.com (mailing list archive)
State	Accepted, archived
Delegated to:	David Marchand
Headers	From: David Marchand <david.marchand@redhat.com> To: dev@dpdk.org Cc: yux.jiang@intel.com Date: Tue, 2 Nov 2021 19:40:20 +0100 Message-Id: <20211102184020.438-1-david.marchand@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII" Subject: [dpdk-dev] [PATCH] eal/linux: fix uevent message parsing Precedence: list Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org>
Series	eal/linux: fix uevent message parsing \| eal/linux: fix uevent message parsing

Checks

Context	Check	Description
ci/checkpatch	warning	coding style issues
ci/github-robot: build	success	github build: passed
ci/iol-mellanox-Performance	success	Performance Testing PASS
ci/iol-broadcom-Functional	success	Functional Testing PASS
ci/iol-broadcom-Performance	success	Performance Testing PASS
ci/Intel-compilation	success	Compilation OK
ci/intel-Testing	success	Testing PASS
ci/iol-aarch64-unit-testing	success	Testing PASS
ci/iol-intel-Performance	success	Performance Testing PASS
ci/iol-intel-Functional	success	Functional Testing PASS
ci/iol-x86_64-compile-testing	success	Testing PASS
ci/iol-aarch64-compile-testing	success	Testing PASS
ci/iol-x86_64-unit-testing	success	Testing PASS

Commit Message

David Marchand Nov. 2, 2021, 6:40 p.m. UTC

  Caught with ASan:
==9727==ERROR: AddressSanitizer: stack-buffer-overflow on address
  0x7f0daa2fc0d0 at pc 0x7f0daeefacb2 bp 0x7f0daa2fadd0 sp 0x7f0daa2fa578
READ of size 1 at 0x7f0daa2fc0d0 thread T1
    #0 0x7f0daeefacb1  (/lib64/libasan.so.5+0xbacb1)
    #1 0x115eba1 in dev_uev_parse ../lib/eal/linux/eal_dev.c:167
    #2 0x115f281 in dev_uev_handler ../lib/eal/linux/eal_dev.c:248
    #3 0x1169b91 in eal_intr_process_interrupts
  ../lib/eal/linux/eal_interrupts.c:1026
    #4 0x116a3a2 in eal_intr_handle_interrupts
  ../lib/eal/linux/eal_interrupts.c:1100
    #5 0x116a7f0 in eal_intr_thread_main
  ../lib/eal/linux/eal_interrupts.c:1172
    #6 0x112640a in ctrl_thread_init
  ../lib/eal/common/eal_common_thread.c:202
    #7 0x7f0dade27159 in start_thread (/lib64/libpthread.so.0+0x8159)
    #8 0x7f0dadb58f72 in clone (/lib64/libc.so.6+0xfcf72)

Address 0x7f0daa2fc0d0 is located in stack of thread T1 at offset 4192
  in frame
    #0 0x115f0c9 in dev_uev_handler ../lib/eal/linux/eal_dev.c:226

  This frame has 2 object(s):
    [32, 48) 'uevent'
    [96, 4192) 'buf' <== Memory access at offset 4192 overflows this
  variable
HINT: this may be a false positive if your program uses some custom
  stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Thread T1 created by T0 here:
    #0 0x7f0daee92ea3 in __interceptor_pthread_create
  (/lib64/libasan.so.5+0x52ea3)
    #1 0x1126542 in rte_ctrl_thread_create
  ../lib/eal/common/eal_common_thread.c:228
    #2 0x116a8b5 in rte_eal_intr_init
  ../lib/eal/linux/eal_interrupts.c:1200
    #3 0x1159dd1 in rte_eal_init ../lib/eal/linux/eal.c:1044
    #4 0x7a22f8 in main ../app/test-pmd/testpmd.c:4105
    #5 0x7f0dada7f802 in __libc_start_main (/lib64/libc.so.6+0x23802)

Signed-off-by: David Marchand <david.marchand@redhat.com>
---
 lib/eal/linux/eal_dev.c | 3 +++
 1 file changed, 3 insertions(+)

Comments

David Marchand Nov. 2, 2021, 6:43 p.m. UTC | #1

On Tue, Nov 2, 2021 at 7:41 PM David Marchand <david.marchand@redhat.com> wrote:
>
> Caught with ASan:
> ==9727==ERROR: AddressSanitizer: stack-buffer-overflow on address
>   0x7f0daa2fc0d0 at pc 0x7f0daeefacb2 bp 0x7f0daa2fadd0 sp 0x7f0daa2fa578
> READ of size 1 at 0x7f0daa2fc0d0 thread T1
>     #0 0x7f0daeefacb1  (/lib64/libasan.so.5+0xbacb1)
>     #1 0x115eba1 in dev_uev_parse ../lib/eal/linux/eal_dev.c:167
>     #2 0x115f281 in dev_uev_handler ../lib/eal/linux/eal_dev.c:248
>     #3 0x1169b91 in eal_intr_process_interrupts
>   ../lib/eal/linux/eal_interrupts.c:1026
>     #4 0x116a3a2 in eal_intr_handle_interrupts
>   ../lib/eal/linux/eal_interrupts.c:1100
>     #5 0x116a7f0 in eal_intr_thread_main
>   ../lib/eal/linux/eal_interrupts.c:1172
>     #6 0x112640a in ctrl_thread_init
>   ../lib/eal/common/eal_common_thread.c:202
>     #7 0x7f0dade27159 in start_thread (/lib64/libpthread.so.0+0x8159)
>     #8 0x7f0dadb58f72 in clone (/lib64/libc.so.6+0xfcf72)
>
> Address 0x7f0daa2fc0d0 is located in stack of thread T1 at offset 4192
>   in frame
>     #0 0x115f0c9 in dev_uev_handler ../lib/eal/linux/eal_dev.c:226
>
>   This frame has 2 object(s):
>     [32, 48) 'uevent'
>     [96, 4192) 'buf' <== Memory access at offset 4192 overflows this
>   variable
> HINT: this may be a false positive if your program uses some custom
>   stack unwind mechanism or swapcontext
>       (longjmp and C++ exceptions *are* supported)
> Thread T1 created by T0 here:
>     #0 0x7f0daee92ea3 in __interceptor_pthread_create
>   (/lib64/libasan.so.5+0x52ea3)
>     #1 0x1126542 in rte_ctrl_thread_create
>   ../lib/eal/common/eal_common_thread.c:228
>     #2 0x116a8b5 in rte_eal_intr_init
>   ../lib/eal/linux/eal_interrupts.c:1200
>     #3 0x1159dd1 in rte_eal_init ../lib/eal/linux/eal.c:1044
>     #4 0x7a22f8 in main ../app/test-pmd/testpmd.c:4105
>     #5 0x7f0dada7f802 in __libc_start_main (/lib64/libc.so.6+0x23802)

I sent the wrong patch, fixes ref is missing:
Fixes: 0d0f478d0483 ("eal/linux: add uevent parse and process")
Cc: stable@dpdk.org

>
> Signed-off-by: David Marchand <david.marchand@redhat.com>

David Marchand Nov. 3, 2021, 9:47 a.m. UTC | #2

On Tue, Nov 2, 2021 at 7:43 PM David Marchand <david.marchand@redhat.com> wrote:
> > Caught with ASan:
> > ==9727==ERROR: AddressSanitizer: stack-buffer-overflow on address
> >   0x7f0daa2fc0d0 at pc 0x7f0daeefacb2 bp 0x7f0daa2fadd0 sp 0x7f0daa2fa578
> > READ of size 1 at 0x7f0daa2fc0d0 thread T1
> >     #0 0x7f0daeefacb1  (/lib64/libasan.so.5+0xbacb1)
> >     #1 0x115eba1 in dev_uev_parse ../lib/eal/linux/eal_dev.c:167
> >     #2 0x115f281 in dev_uev_handler ../lib/eal/linux/eal_dev.c:248
> >     #3 0x1169b91 in eal_intr_process_interrupts
> >   ../lib/eal/linux/eal_interrupts.c:1026
> >     #4 0x116a3a2 in eal_intr_handle_interrupts
> >   ../lib/eal/linux/eal_interrupts.c:1100
> >     #5 0x116a7f0 in eal_intr_thread_main
> >   ../lib/eal/linux/eal_interrupts.c:1172
> >     #6 0x112640a in ctrl_thread_init
> >   ../lib/eal/common/eal_common_thread.c:202
> >     #7 0x7f0dade27159 in start_thread (/lib64/libpthread.so.0+0x8159)
> >     #8 0x7f0dadb58f72 in clone (/lib64/libc.so.6+0xfcf72)
> >
> > Address 0x7f0daa2fc0d0 is located in stack of thread T1 at offset 4192
> >   in frame
> >     #0 0x115f0c9 in dev_uev_handler ../lib/eal/linux/eal_dev.c:226
> >
> >   This frame has 2 object(s):
> >     [32, 48) 'uevent'
> >     [96, 4192) 'buf' <== Memory access at offset 4192 overflows this
> >   variable
> > HINT: this may be a false positive if your program uses some custom
> >   stack unwind mechanism or swapcontext
> >       (longjmp and C++ exceptions *are* supported)
> > Thread T1 created by T0 here:
> >     #0 0x7f0daee92ea3 in __interceptor_pthread_create
> >   (/lib64/libasan.so.5+0x52ea3)
> >     #1 0x1126542 in rte_ctrl_thread_create
> >   ../lib/eal/common/eal_common_thread.c:228
> >     #2 0x116a8b5 in rte_eal_intr_init
> >   ../lib/eal/linux/eal_interrupts.c:1200
> >     #3 0x1159dd1 in rte_eal_init ../lib/eal/linux/eal.c:1044
> >     #4 0x7a22f8 in main ../app/test-pmd/testpmd.c:4105
> >     #5 0x7f0dada7f802 in __libc_start_main (/lib64/libc.so.6+0x23802)
>
> I sent the wrong patch, fixes ref is missing:

Zhihong had opened a bz:

Bugzilla ID: 792
> Fixes: 0d0f478d0483 ("eal/linux: add uevent parse and process")
> Cc: stable@dpdk.org

Maxime Coquelin Nov. 4, 2021, 1:59 p.m. UTC | #3

On 11/2/21 19:40, David Marchand wrote:
> Caught with ASan:
> ==9727==ERROR: AddressSanitizer: stack-buffer-overflow on address
>    0x7f0daa2fc0d0 at pc 0x7f0daeefacb2 bp 0x7f0daa2fadd0 sp 0x7f0daa2fa578
> READ of size 1 at 0x7f0daa2fc0d0 thread T1
>      #0 0x7f0daeefacb1  (/lib64/libasan.so.5+0xbacb1)
>      #1 0x115eba1 in dev_uev_parse ../lib/eal/linux/eal_dev.c:167
>      #2 0x115f281 in dev_uev_handler ../lib/eal/linux/eal_dev.c:248
>      #3 0x1169b91 in eal_intr_process_interrupts
>    ../lib/eal/linux/eal_interrupts.c:1026
>      #4 0x116a3a2 in eal_intr_handle_interrupts
>    ../lib/eal/linux/eal_interrupts.c:1100
>      #5 0x116a7f0 in eal_intr_thread_main
>    ../lib/eal/linux/eal_interrupts.c:1172
>      #6 0x112640a in ctrl_thread_init
>    ../lib/eal/common/eal_common_thread.c:202
>      #7 0x7f0dade27159 in start_thread (/lib64/libpthread.so.0+0x8159)
>      #8 0x7f0dadb58f72 in clone (/lib64/libc.so.6+0xfcf72)
> 
> Address 0x7f0daa2fc0d0 is located in stack of thread T1 at offset 4192
>    in frame
>      #0 0x115f0c9 in dev_uev_handler ../lib/eal/linux/eal_dev.c:226
> 
>    This frame has 2 object(s):
>      [32, 48) 'uevent'
>      [96, 4192) 'buf' <== Memory access at offset 4192 overflows this
>    variable
> HINT: this may be a false positive if your program uses some custom
>    stack unwind mechanism or swapcontext
>        (longjmp and C++ exceptions *are* supported)
> Thread T1 created by T0 here:
>      #0 0x7f0daee92ea3 in __interceptor_pthread_create
>    (/lib64/libasan.so.5+0x52ea3)
>      #1 0x1126542 in rte_ctrl_thread_create
>    ../lib/eal/common/eal_common_thread.c:228
>      #2 0x116a8b5 in rte_eal_intr_init
>    ../lib/eal/linux/eal_interrupts.c:1200
>      #3 0x1159dd1 in rte_eal_init ../lib/eal/linux/eal.c:1044
>      #4 0x7a22f8 in main ../app/test-pmd/testpmd.c:4105
>      #5 0x7f0dada7f802 in __libc_start_main (/lib64/libc.so.6+0x23802)
> 
> Signed-off-by: David Marchand <david.marchand@redhat.com>
> ---
>   lib/eal/linux/eal_dev.c | 3 +++
>   1 file changed, 3 insertions(+)
> 
> diff --git a/lib/eal/linux/eal_dev.c b/lib/eal/linux/eal_dev.c
> index 925cdba553..1fd00a482b 100644
> --- a/lib/eal/linux/eal_dev.c
> +++ b/lib/eal/linux/eal_dev.c
> @@ -160,6 +160,9 @@ dev_uev_parse(const char *buf, struct rte_dev_event *event, int length)
>   				break;
>   			buf++;
>   		}
> +		if (i >= length)
> +			break;
> +
>   		/**
>   		 * check device uevent from kernel side, no need to check
>   		 * uevent from udev.
> 

Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>

Thanks,
Maxime

David Marchand Nov. 4, 2021, 2:20 p.m. UTC | #4

On Thu, Nov 4, 2021 at 3:00 PM Maxime Coquelin
<maxime.coquelin@redhat.com> wrote:
> On 11/2/21 19:40, David Marchand wrote:
> > Caught with ASan:
> > ==9727==ERROR: AddressSanitizer: stack-buffer-overflow on address
> >    0x7f0daa2fc0d0 at pc 0x7f0daeefacb2 bp 0x7f0daa2fadd0 sp 0x7f0daa2fa578
> > READ of size 1 at 0x7f0daa2fc0d0 thread T1
> >      #0 0x7f0daeefacb1  (/lib64/libasan.so.5+0xbacb1)
> >      #1 0x115eba1 in dev_uev_parse ../lib/eal/linux/eal_dev.c:167
> >      #2 0x115f281 in dev_uev_handler ../lib/eal/linux/eal_dev.c:248
> >      #3 0x1169b91 in eal_intr_process_interrupts
> >    ../lib/eal/linux/eal_interrupts.c:1026
> >      #4 0x116a3a2 in eal_intr_handle_interrupts
> >    ../lib/eal/linux/eal_interrupts.c:1100
> >      #5 0x116a7f0 in eal_intr_thread_main
> >    ../lib/eal/linux/eal_interrupts.c:1172
> >      #6 0x112640a in ctrl_thread_init
> >    ../lib/eal/common/eal_common_thread.c:202
> >      #7 0x7f0dade27159 in start_thread (/lib64/libpthread.so.0+0x8159)
> >      #8 0x7f0dadb58f72 in clone (/lib64/libc.so.6+0xfcf72)
> >
> > Address 0x7f0daa2fc0d0 is located in stack of thread T1 at offset 4192
> >    in frame
> >      #0 0x115f0c9 in dev_uev_handler ../lib/eal/linux/eal_dev.c:226
> >
> >    This frame has 2 object(s):
> >      [32, 48) 'uevent'
> >      [96, 4192) 'buf' <== Memory access at offset 4192 overflows this
> >    variable
> > HINT: this may be a false positive if your program uses some custom
> >    stack unwind mechanism or swapcontext
> >        (longjmp and C++ exceptions *are* supported)
> > Thread T1 created by T0 here:
> >      #0 0x7f0daee92ea3 in __interceptor_pthread_create
> >    (/lib64/libasan.so.5+0x52ea3)
> >      #1 0x1126542 in rte_ctrl_thread_create
> >    ../lib/eal/common/eal_common_thread.c:228
> >      #2 0x116a8b5 in rte_eal_intr_init
> >    ../lib/eal/linux/eal_interrupts.c:1200
> >      #3 0x1159dd1 in rte_eal_init ../lib/eal/linux/eal.c:1044
> >      #4 0x7a22f8 in main ../app/test-pmd/testpmd.c:4105
> >      #5 0x7f0dada7f802 in __libc_start_main (/lib64/libc.so.6+0x23802)
> >

Bugzilla ID: 792
Fixes: 0d0f478d0483 ("eal/linux: add uevent parse and process")
Cc: stable@dpdk.org

> > Signed-off-by: David Marchand <david.marchand@redhat.com>
Tested-by: Yan Xia <yanx.xia@intel.com>
> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>

Applied, thanks.

diff mbox series

Patch

diff --git a/lib/eal/linux/eal_dev.c b/lib/eal/linux/eal_dev.c
index 925cdba553..1fd00a482b 100644
--- a/lib/eal/linux/eal_dev.c
+++ b/lib/eal/linux/eal_dev.c
@@ -160,6 +160,9 @@  dev_uev_parse(const char *buf, struct rte_dev_event *event, int length)
 				break;
 			buf++;
 		}
+		if (i >= length)
+			break;
+
 		/**
 		 * check device uevent from kernel side, no need to check
 		 * uevent from udev.