| Message ID | 5cd9086411342c7475e3227249d3aa3a3144897d.1640314881.git.wangyunjian@huawei.com (mailing list archive) |
|---|---|
| State | New |
| Delegated to: | Raslan Darawsheh |
| Headers | show |
| Series | [1/1] net/mlx5: fix stack buffer overflow of hrxq's rss_key | expand |
| Context | Check | Description |
|---|---|---|
| ci/intel-Testing | success | Testing PASS |
| ci/Intel-compilation | success | Compilation OK |
| ci/iol-abi-testing | success | Testing PASS |
| ci/iol-aarch64-compile-testing | success | Testing PASS |
| ci/iol-x86_64-compile-testing | success | Testing PASS |
| ci/iol-aarch64-unit-testing | success | Testing PASS |
| ci/iol-x86_64-unit-testing | success | Testing PASS |
| ci/iol-intel-Functional | success | Functional Testing PASS |
| ci/iol-intel-Performance | success | Performance Testing PASS |
| ci/iol-broadcom-Performance | success | Performance Testing PASS |
| ci/iol-mellanox-Performance | success | Performance Testing PASS |
| ci/iol-broadcom-Functional | success | Functional Testing PASS |
| ci/github-robot: build | success | github build: passed |
| ci/checkpatch | success | coding style OK |
Friendly ping. > -----Original Message----- > From: wangyunjian > Sent: Friday, December 24, 2021 11:06 AM > To: dev@dpdk.org > Cc: matan@nvidia.com; viacheslavo@nvidia.com; michaelba@nvidia.com; > dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke > <xudingke@huawei.com>; wangyunjian <wangyunjian@huawei.com>; > stable@dpdk.org > Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's > rss_key > > The mlx5_drop_action_create function use mlx5_malloc for allocating > 'hrxq', but don't allocate for 'rss_key'. This is wrong and it can > cause buffer overflow. > > Detected with address sanitizer: > 0 (/usr/lib64/libasan.so.4+0x7b8e2) > 1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765 > 2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800 > 3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051 > 4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846 > 5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743 > 6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501 > 7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647 > 8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722 > 9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657 > 10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711 > 11 in > mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150 > 12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269 > 13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353 > 14 in pci_probe ../drivers/bus/pci/pci_common.c:380 > 15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72 > 16 in rte_eal_init ../lib/eal/linux/eal.c:1286 > 17 in main ../app/test-pmd/testpmd.c:4112 > > Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code") > Cc: stable@dpdk.org > > Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> > --- > drivers/net/mlx5/mlx5_rxq.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c > index f77d42dedf..a1e0b887a8 100644 > --- a/drivers/net/mlx5/mlx5_rxq.c > +++ b/drivers/net/mlx5/mlx5_rxq.c > @@ -2828,7 +2828,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev) > > if (priv->drop_queue.hrxq) > return priv->drop_queue.hrxq; > - hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY); > + hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) + > MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY); > if (!hrxq) { > DRV_LOG(WARNING, > "Port %u cannot allocate memory for drop queue.", > -- > 2.27.0
Friendly ping. > -----Original Message----- > From: wangyunjian > Sent: Friday, December 24, 2021 11:06 AM > To: dev@dpdk.org > Cc: matan@nvidia.com; viacheslavo@nvidia.com; michaelba@nvidia.com; > dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke > <xudingke@huawei.com>; wangyunjian <wangyunjian@huawei.com>; > stable@dpdk.org > Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's > rss_key > > The mlx5_drop_action_create function use mlx5_malloc for allocating > 'hrxq', but don't allocate for 'rss_key'. This is wrong and it can > cause buffer overflow. > > Detected with address sanitizer: > 0 (/usr/lib64/libasan.so.4+0x7b8e2) > 1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765 > 2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800 > 3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051 > 4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846 > 5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743 > 6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501 > 7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647 > 8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722 > 9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657 > 10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711 > 11 in > mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150 > 12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269 > 13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353 > 14 in pci_probe ../drivers/bus/pci/pci_common.c:380 > 15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72 > 16 in rte_eal_init ../lib/eal/linux/eal.c:1286 > 17 in main ../app/test-pmd/testpmd.c:4112 > > Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code") > Cc: stable@dpdk.org > > Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> > --- > drivers/net/mlx5/mlx5_rxq.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c > index f77d42dedf..a1e0b887a8 100644 > --- a/drivers/net/mlx5/mlx5_rxq.c > +++ b/drivers/net/mlx5/mlx5_rxq.c > @@ -2828,7 +2828,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev) > > if (priv->drop_queue.hrxq) > return priv->drop_queue.hrxq; > - hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY); > + hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) + > MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY); > if (!hrxq) { > DRV_LOG(WARNING, > "Port %u cannot allocate memory for drop queue.", > -- > 2.27.0
Is there any ideas on this bug? -----Original Message----- From: wangyunjian [mailto:wangyunjian@huawei.com] Sent: Tuesday, February 8, 2022 6:56 PM To: dev@dpdk.org Cc: matan@nvidia.com; viacheslavo@nvidia.com; michaelba@nvidia.com; dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke <xudingke@huawei.com>; stable@dpdk.org Subject: RE: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's rss_key Friendly ping. > -----Original Message----- > From: wangyunjian > Sent: Friday, December 24, 2021 11:06 AM > To: dev@dpdk.org > Cc: matan@nvidia.com; viacheslavo@nvidia.com; michaelba@nvidia.com; > dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke > <xudingke@huawei.com>; wangyunjian <wangyunjian@huawei.com>; > stable@dpdk.org > Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of > hrxq's rss_key > > The mlx5_drop_action_create function use mlx5_malloc for allocating > 'hrxq', but don't allocate for 'rss_key'. This is wrong and it can > cause buffer overflow. > > Detected with address sanitizer: > 0 (/usr/lib64/libasan.so.4+0x7b8e2) > 1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765 > 2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800 > 3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051 > 4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846 > 5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743 > 6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501 > 7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647 > 8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722 > 9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657 > 10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711 > 11 in > mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150 > 12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269 > 13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353 > 14 in pci_probe ../drivers/bus/pci/pci_common.c:380 > 15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72 > 16 in rte_eal_init ../lib/eal/linux/eal.c:1286 > 17 in main ../app/test-pmd/testpmd.c:4112 > > Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code") > Cc: stable@dpdk.org > > Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> > --- > drivers/net/mlx5/mlx5_rxq.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c > index f77d42dedf..a1e0b887a8 100644 > --- a/drivers/net/mlx5/mlx5_rxq.c > +++ b/drivers/net/mlx5/mlx5_rxq.c > @@ -2828,7 +2828,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev) > > if (priv->drop_queue.hrxq) > return priv->drop_queue.hrxq; > - hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY); > + hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) + > MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY); > if (!hrxq) { > DRV_LOG(WARNING, > "Port %u cannot allocate memory for drop queue.", > -- > 2.27.0
diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c index f77d42dedf..a1e0b887a8 100644 --- a/drivers/net/mlx5/mlx5_rxq.c +++ b/drivers/net/mlx5/mlx5_rxq.c @@ -2828,7 +2828,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev) if (priv->drop_queue.hrxq) return priv->drop_queue.hrxq; - hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY); + hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) + MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY); if (!hrxq) { DRV_LOG(WARNING, "Port %u cannot allocate memory for drop queue.",
The mlx5_drop_action_create function use mlx5_malloc for allocating 'hrxq', but don't allocate for 'rss_key'. This is wrong and it can cause buffer overflow. Detected with address sanitizer: 0 (/usr/lib64/libasan.so.4+0x7b8e2) 1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765 2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800 3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051 4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846 5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743 6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501 7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647 8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722 9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657 10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711 11 in mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150 12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269 13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353 14 in pci_probe ../drivers/bus/pci/pci_common.c:380 15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72 16 in rte_eal_init ../lib/eal/linux/eal.c:1286 17 in main ../app/test-pmd/testpmd.c:4112 Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code") Cc: stable@dpdk.org Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> --- drivers/net/mlx5/mlx5_rxq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)