diff mbox series

[1/1] net/mlx5: fix stack buffer overflow of hrxq's rss_key

Message ID	5cd9086411342c7475e3227249d3aa3a3144897d.1640314881.git.wangyunjian@huawei.com (mailing list archive)
State	Accepted, archived
Delegated to:	Raslan Darawsheh
Headers	From: Yunjian Wang <wangyunjian@huawei.com> To: <dev@dpdk.org> CC: <matan@nvidia.com>, <viacheslavo@nvidia.com>, <michaelba@nvidia.com>, <dingxiaoxiong@huawei.com>, <xudingke@huawei.com>, Yunjian Wang <wangyunjian@huawei.com>, <stable@dpdk.org> Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's rss_key Date: Fri, 24 Dec 2021 11:06:19 +0800 Message-ID: <5cd9086411342c7475e3227249d3aa3a3144897d.1640314881.git.wangyunjian@huawei.com> MIME-Version: 1.0 Content-Type: text/plain Precedence: list Errors-To: dev-bounces@dpdk.org
Series	[1/1] net/mlx5: fix stack buffer overflow of hrxq's rss_key \| [1/1] net/mlx5: fix stack buffer overflow of hrxq's rss_key

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK
ci/github-robot: build	success	github build: passed
ci/iol-broadcom-Functional	success	Functional Testing PASS
ci/iol-mellanox-Performance	success	Performance Testing PASS
ci/iol-broadcom-Performance	success	Performance Testing PASS
ci/iol-intel-Performance	success	Performance Testing PASS
ci/iol-intel-Functional	success	Functional Testing PASS
ci/iol-x86_64-unit-testing	success	Testing PASS
ci/iol-aarch64-unit-testing	success	Testing PASS
ci/iol-x86_64-compile-testing	success	Testing PASS
ci/iol-aarch64-compile-testing	success	Testing PASS
ci/iol-abi-testing	success	Testing PASS
ci/Intel-compilation	success	Compilation OK
ci/intel-Testing	success	Testing PASS

Commit Message

Wangyunjian(wangyunjian,TongTu) Dec. 24, 2021, 3:06 a.m. UTC

The mlx5_drop_action_create function use mlx5_malloc for allocating
'hrxq', but don't allocate for 'rss_key'. This is wrong and it can
cause buffer overflow.

Detected with address sanitizer:
0 (/usr/lib64/libasan.so.4+0x7b8e2)
1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765
2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800
3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051
4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846
5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743
6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501
7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
11 in mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150
12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
14 in pci_probe ../drivers/bus/pci/pci_common.c:380
15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
16 in rte_eal_init ../lib/eal/linux/eal.c:1286
17 in main ../app/test-pmd/testpmd.c:4112

Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code")
Cc: stable@dpdk.org

Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
---
 drivers/net/mlx5/mlx5_rxq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Wangyunjian(wangyunjian,TongTu) Jan. 28, 2022, 9:41 a.m. UTC | #1

Friendly ping.

> -----Original Message-----
> From: wangyunjian
> Sent: Friday, December 24, 2021 11:06 AM
> To: dev@dpdk.org
> Cc: matan@nvidia.com; viacheslavo@nvidia.com; michaelba@nvidia.com;
> dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke
> <xudingke@huawei.com>; wangyunjian <wangyunjian@huawei.com>;
> stable@dpdk.org
> Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's
> rss_key
> 
> The mlx5_drop_action_create function use mlx5_malloc for allocating
> 'hrxq', but don't allocate for 'rss_key'. This is wrong and it can
> cause buffer overflow.
> 
> Detected with address sanitizer:
> 0 (/usr/lib64/libasan.so.4+0x7b8e2)
> 1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765
> 2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800
> 3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051
> 4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846
> 5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743
> 6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501
> 7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
> 8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
> 9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
> 10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
> 11 in
> mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150
> 12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
> 13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
> 14 in pci_probe ../drivers/bus/pci/pci_common.c:380
> 15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
> 16 in rte_eal_init ../lib/eal/linux/eal.c:1286
> 17 in main ../app/test-pmd/testpmd.c:4112
> 
> Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> ---
>  drivers/net/mlx5/mlx5_rxq.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c
> index f77d42dedf..a1e0b887a8 100644
> --- a/drivers/net/mlx5/mlx5_rxq.c
> +++ b/drivers/net/mlx5/mlx5_rxq.c
> @@ -2828,7 +2828,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)
> 
>  	if (priv->drop_queue.hrxq)
>  		return priv->drop_queue.hrxq;
> -	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY);
> +	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) +
> MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY);
>  	if (!hrxq) {
>  		DRV_LOG(WARNING,
>  			"Port %u cannot allocate memory for drop queue.",
> --
> 2.27.0

Wangyunjian(wangyunjian,TongTu) Feb. 8, 2022, 10:55 a.m. UTC | #2

Friendly ping.

> -----Original Message-----
> From: wangyunjian
> Sent: Friday, December 24, 2021 11:06 AM
> To: dev@dpdk.org
> Cc: matan@nvidia.com; viacheslavo@nvidia.com; michaelba@nvidia.com;
> dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke
> <xudingke@huawei.com>; wangyunjian <wangyunjian@huawei.com>;
> stable@dpdk.org
> Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's
> rss_key
> 
> The mlx5_drop_action_create function use mlx5_malloc for allocating
> 'hrxq', but don't allocate for 'rss_key'. This is wrong and it can
> cause buffer overflow.
> 
> Detected with address sanitizer:
> 0 (/usr/lib64/libasan.so.4+0x7b8e2)
> 1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765
> 2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800
> 3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051
> 4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846
> 5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743
> 6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501
> 7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
> 8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
> 9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
> 10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
> 11 in
> mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150
> 12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
> 13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
> 14 in pci_probe ../drivers/bus/pci/pci_common.c:380
> 15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
> 16 in rte_eal_init ../lib/eal/linux/eal.c:1286
> 17 in main ../app/test-pmd/testpmd.c:4112
> 
> Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> ---
>  drivers/net/mlx5/mlx5_rxq.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c
> index f77d42dedf..a1e0b887a8 100644
> --- a/drivers/net/mlx5/mlx5_rxq.c
> +++ b/drivers/net/mlx5/mlx5_rxq.c
> @@ -2828,7 +2828,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)
> 
>  	if (priv->drop_queue.hrxq)
>  		return priv->drop_queue.hrxq;
> -	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY);
> +	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) +
> MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY);
>  	if (!hrxq) {
>  		DRV_LOG(WARNING,
>  			"Port %u cannot allocate memory for drop queue.",
> --
> 2.27.0

Wangyunjian(wangyunjian,TongTu) March 2, 2022, 10:54 a.m. UTC | #3

Is there any ideas on this bug?

-----Original Message-----
From: wangyunjian [mailto:wangyunjian@huawei.com] 
Sent: Tuesday, February 8, 2022 6:56 PM
To: dev@dpdk.org
Cc: matan@nvidia.com; viacheslavo@nvidia.com; michaelba@nvidia.com; dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke <xudingke@huawei.com>; stable@dpdk.org
Subject: RE: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's rss_key

Friendly ping.

> -----Original Message-----
> From: wangyunjian
> Sent: Friday, December 24, 2021 11:06 AM
> To: dev@dpdk.org
> Cc: matan@nvidia.com; viacheslavo@nvidia.com; michaelba@nvidia.com; 
> dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke 
> <xudingke@huawei.com>; wangyunjian <wangyunjian@huawei.com>; 
> stable@dpdk.org
> Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of 
> hrxq's rss_key
> 
> The mlx5_drop_action_create function use mlx5_malloc for allocating 
> 'hrxq', but don't allocate for 'rss_key'. This is wrong and it can 
> cause buffer overflow.
> 
> Detected with address sanitizer:
> 0 (/usr/lib64/libasan.so.4+0x7b8e2)
> 1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765
> 2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800
> 3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051
> 4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846
> 5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743
> 6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501
> 7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
> 8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
> 9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
> 10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
> 11 in
> mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150
> 12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
> 13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
> 14 in pci_probe ../drivers/bus/pci/pci_common.c:380
> 15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
> 16 in rte_eal_init ../lib/eal/linux/eal.c:1286
> 17 in main ../app/test-pmd/testpmd.c:4112
> 
> Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> ---
>  drivers/net/mlx5/mlx5_rxq.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c 
> index f77d42dedf..a1e0b887a8 100644
> --- a/drivers/net/mlx5/mlx5_rxq.c
> +++ b/drivers/net/mlx5/mlx5_rxq.c
> @@ -2828,7 +2828,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)
> 
>  	if (priv->drop_queue.hrxq)
>  		return priv->drop_queue.hrxq;
> -	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY);
> +	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) +
> MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY);
>  	if (!hrxq) {
>  		DRV_LOG(WARNING,
>  			"Port %u cannot allocate memory for drop queue.",
> --
> 2.27.0

Slava Ovsiienko June 20, 2022, 5:16 a.m. UTC | #4

Hi, Yunjian

My sincere apologies for the review delay.
I think patch is OK, thank you for finding this.
Just of curiosity - did you observe a real crash?
Or just found by sanitizer?

Acked-by: Viacheslav Ovsiienko <viacheslavo@nvidia.com>

With best regards,
Slava

Wangyunjian(wangyunjian,TongTu) June 20, 2022, 5:59 a.m. UTC | #5

Just found by sanitizer, thanks.

Yunjian

-----Original Message-----
From: Slava Ovsiienko [mailto:viacheslavo@nvidia.com] 
Sent: Monday, June 20, 2022 1:16 PM
To: wangyunjian <wangyunjian@huawei.com>; dev@dpdk.org; Raslan Darawsheh <rasland@nvidia.com>
Cc: Matan Azrad <matan@nvidia.com>; Michael Baum <michaelba@nvidia.com>; dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke <xudingke@huawei.com>; stable@dpdk.org
Subject: RE: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's rss_key

Hi, Yunjian

My sincere apologies for the review delay.
I think patch is OK, thank you for finding this.
Just of curiosity - did you observe a real crash?
Or just found by sanitizer?

Acked-by: Viacheslav Ovsiienko <viacheslavo@nvidia.com>

With best regards,
Slava

Raslan Darawsheh June 20, 2022, 8:02 a.m. UTC | #6

Hi,

> -----Original Message-----
> From: Yunjian Wang <wangyunjian@huawei.com>
> Sent: Friday, December 24, 2021 5:06 AM
> To: dev@dpdk.org
> Cc: Matan Azrad <matan@nvidia.com>; Slava Ovsiienko
> <viacheslavo@nvidia.com>; Michael Baum <michaelba@nvidia.com>;
> dingxiaoxiong@huawei.com; xudingke@huawei.com; Yunjian Wang
> <wangyunjian@huawei.com>; stable@dpdk.org
> Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's
> rss_key
> 
> The mlx5_drop_action_create function use mlx5_malloc for allocating
> 'hrxq', but don't allocate for 'rss_key'. This is wrong and it can
> cause buffer overflow.
> 
> Detected with address sanitizer:
> 0 (/usr/lib64/libasan.so.4+0x7b8e2)
> 1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765
> 2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800
> 3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051
> 4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846
> 5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743
> 6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501
> 7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
> 8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
> 9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
> 10 in mlx5_common_dev_probe
> ../drivers/common/mlx5/mlx5_common.c:711
> 11 in mlx5_common_pci_probe
> ../drivers/common/mlx5/mlx5_common_pci.c:150
> 12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
> 13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
> 14 in pci_probe ../drivers/bus/pci/pci_common.c:380
> 15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
> 16 in rte_eal_init ../lib/eal/linux/eal.c:1286
> 17 in main ../app/test-pmd/testpmd.c:4112
> 
> Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>

Patch applied to next-net-mlx,

Kindest regards,
Raslan Darawsheh

diff mbox series

Patch

diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c
index f77d42dedf..a1e0b887a8 100644
--- a/drivers/net/mlx5/mlx5_rxq.c
+++ b/drivers/net/mlx5/mlx5_rxq.c
@@ -2828,7 +2828,7 @@  mlx5_drop_action_create(struct rte_eth_dev *dev)
 
 	if (priv->drop_queue.hrxq)
 		return priv->drop_queue.hrxq;
-	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY);
+	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) + MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY);
 	if (!hrxq) {
 		DRV_LOG(WARNING,
 			"Port %u cannot allocate memory for drop queue.",