diff mbox series

[1/1] net/mlx5: fix stack buffer overflow of hrxq's rss_key

Message ID 5cd9086411342c7475e3227249d3aa3a3144897d.1640314881.git.wangyunjian@huawei.com (mailing list archive)
State New
Delegated to: Raslan Darawsheh
Headers show
Series [1/1] net/mlx5: fix stack buffer overflow of hrxq's rss_key | expand

Checks

Context Check Description
ci/intel-Testing success Testing PASS
ci/Intel-compilation success Compilation OK
ci/iol-abi-testing success Testing PASS
ci/iol-aarch64-compile-testing success Testing PASS
ci/iol-x86_64-compile-testing success Testing PASS
ci/iol-aarch64-unit-testing success Testing PASS
ci/iol-x86_64-unit-testing success Testing PASS
ci/iol-intel-Functional success Functional Testing PASS
ci/iol-intel-Performance success Performance Testing PASS
ci/iol-broadcom-Performance success Performance Testing PASS
ci/iol-mellanox-Performance success Performance Testing PASS
ci/iol-broadcom-Functional success Functional Testing PASS
ci/github-robot: build success github build: passed
ci/checkpatch success coding style OK

Commit Message

wangyunjian Dec. 24, 2021, 3:06 a.m. UTC
The mlx5_drop_action_create function use mlx5_malloc for allocating
'hrxq', but don't allocate for 'rss_key'. This is wrong and it can
cause buffer overflow.

Detected with address sanitizer:
0 (/usr/lib64/libasan.so.4+0x7b8e2)
1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765
2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800
3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051
4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846
5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743
6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501
7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
11 in mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150
12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
14 in pci_probe ../drivers/bus/pci/pci_common.c:380
15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
16 in rte_eal_init ../lib/eal/linux/eal.c:1286
17 in main ../app/test-pmd/testpmd.c:4112

Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code")
Cc: stable@dpdk.org

Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
---
 drivers/net/mlx5/mlx5_rxq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

wangyunjian Jan. 28, 2022, 9:41 a.m. UTC | #1
Friendly ping.

> -----Original Message-----
> From: wangyunjian
> Sent: Friday, December 24, 2021 11:06 AM
> To: dev@dpdk.org
> Cc: matan@nvidia.com; viacheslavo@nvidia.com; michaelba@nvidia.com;
> dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke
> <xudingke@huawei.com>; wangyunjian <wangyunjian@huawei.com>;
> stable@dpdk.org
> Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's
> rss_key
> 
> The mlx5_drop_action_create function use mlx5_malloc for allocating
> 'hrxq', but don't allocate for 'rss_key'. This is wrong and it can
> cause buffer overflow.
> 
> Detected with address sanitizer:
> 0 (/usr/lib64/libasan.so.4+0x7b8e2)
> 1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765
> 2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800
> 3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051
> 4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846
> 5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743
> 6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501
> 7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
> 8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
> 9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
> 10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
> 11 in
> mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150
> 12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
> 13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
> 14 in pci_probe ../drivers/bus/pci/pci_common.c:380
> 15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
> 16 in rte_eal_init ../lib/eal/linux/eal.c:1286
> 17 in main ../app/test-pmd/testpmd.c:4112
> 
> Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> ---
>  drivers/net/mlx5/mlx5_rxq.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c
> index f77d42dedf..a1e0b887a8 100644
> --- a/drivers/net/mlx5/mlx5_rxq.c
> +++ b/drivers/net/mlx5/mlx5_rxq.c
> @@ -2828,7 +2828,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)
> 
>  	if (priv->drop_queue.hrxq)
>  		return priv->drop_queue.hrxq;
> -	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY);
> +	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) +
> MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY);
>  	if (!hrxq) {
>  		DRV_LOG(WARNING,
>  			"Port %u cannot allocate memory for drop queue.",
> --
> 2.27.0
wangyunjian Feb. 8, 2022, 10:55 a.m. UTC | #2
Friendly ping.

> -----Original Message-----
> From: wangyunjian
> Sent: Friday, December 24, 2021 11:06 AM
> To: dev@dpdk.org
> Cc: matan@nvidia.com; viacheslavo@nvidia.com; michaelba@nvidia.com;
> dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke
> <xudingke@huawei.com>; wangyunjian <wangyunjian@huawei.com>;
> stable@dpdk.org
> Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's
> rss_key
> 
> The mlx5_drop_action_create function use mlx5_malloc for allocating
> 'hrxq', but don't allocate for 'rss_key'. This is wrong and it can
> cause buffer overflow.
> 
> Detected with address sanitizer:
> 0 (/usr/lib64/libasan.so.4+0x7b8e2)
> 1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765
> 2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800
> 3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051
> 4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846
> 5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743
> 6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501
> 7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
> 8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
> 9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
> 10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
> 11 in
> mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150
> 12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
> 13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
> 14 in pci_probe ../drivers/bus/pci/pci_common.c:380
> 15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
> 16 in rte_eal_init ../lib/eal/linux/eal.c:1286
> 17 in main ../app/test-pmd/testpmd.c:4112
> 
> Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> ---
>  drivers/net/mlx5/mlx5_rxq.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c
> index f77d42dedf..a1e0b887a8 100644
> --- a/drivers/net/mlx5/mlx5_rxq.c
> +++ b/drivers/net/mlx5/mlx5_rxq.c
> @@ -2828,7 +2828,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)
> 
>  	if (priv->drop_queue.hrxq)
>  		return priv->drop_queue.hrxq;
> -	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY);
> +	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) +
> MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY);
>  	if (!hrxq) {
>  		DRV_LOG(WARNING,
>  			"Port %u cannot allocate memory for drop queue.",
> --
> 2.27.0
wangyunjian March 2, 2022, 10:54 a.m. UTC | #3
Is there any ideas on this bug?

-----Original Message-----
From: wangyunjian [mailto:wangyunjian@huawei.com] 
Sent: Tuesday, February 8, 2022 6:56 PM
To: dev@dpdk.org
Cc: matan@nvidia.com; viacheslavo@nvidia.com; michaelba@nvidia.com; dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke <xudingke@huawei.com>; stable@dpdk.org
Subject: RE: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's rss_key

Friendly ping.

> -----Original Message-----
> From: wangyunjian
> Sent: Friday, December 24, 2021 11:06 AM
> To: dev@dpdk.org
> Cc: matan@nvidia.com; viacheslavo@nvidia.com; michaelba@nvidia.com; 
> dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke 
> <xudingke@huawei.com>; wangyunjian <wangyunjian@huawei.com>; 
> stable@dpdk.org
> Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of 
> hrxq's rss_key
> 
> The mlx5_drop_action_create function use mlx5_malloc for allocating 
> 'hrxq', but don't allocate for 'rss_key'. This is wrong and it can 
> cause buffer overflow.
> 
> Detected with address sanitizer:
> 0 (/usr/lib64/libasan.so.4+0x7b8e2)
> 1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765
> 2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800
> 3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051
> 4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846
> 5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743
> 6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501
> 7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
> 8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
> 9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
> 10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
> 11 in
> mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150
> 12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
> 13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
> 14 in pci_probe ../drivers/bus/pci/pci_common.c:380
> 15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
> 16 in rte_eal_init ../lib/eal/linux/eal.c:1286
> 17 in main ../app/test-pmd/testpmd.c:4112
> 
> Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> ---
>  drivers/net/mlx5/mlx5_rxq.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c 
> index f77d42dedf..a1e0b887a8 100644
> --- a/drivers/net/mlx5/mlx5_rxq.c
> +++ b/drivers/net/mlx5/mlx5_rxq.c
> @@ -2828,7 +2828,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)
> 
>  	if (priv->drop_queue.hrxq)
>  		return priv->drop_queue.hrxq;
> -	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY);
> +	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) +
> MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY);
>  	if (!hrxq) {
>  		DRV_LOG(WARNING,
>  			"Port %u cannot allocate memory for drop queue.",
> --
> 2.27.0
diff mbox series

Patch

diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c
index f77d42dedf..a1e0b887a8 100644
--- a/drivers/net/mlx5/mlx5_rxq.c
+++ b/drivers/net/mlx5/mlx5_rxq.c
@@ -2828,7 +2828,7 @@  mlx5_drop_action_create(struct rte_eth_dev *dev)
 
 	if (priv->drop_queue.hrxq)
 		return priv->drop_queue.hrxq;
-	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY);
+	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) + MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY);
 	if (!hrxq) {
 		DRV_LOG(WARNING,
 			"Port %u cannot allocate memory for drop queue.",