From patchwork Fri Dec 24 03:06:19 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Yunjian Wang X-Patchwork-Id: 105372 X-Patchwork-Delegate: rasland@nvidia.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id F2A06A00C5; Fri, 24 Dec 2021 04:07:07 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 834EB40691; Fri, 24 Dec 2021 04:07:07 +0100 (CET) Received: from szxga08-in.huawei.com (szxga08-in.huawei.com [45.249.212.255]) by mails.dpdk.org (Postfix) with ESMTP id E3E1E4068C; Fri, 24 Dec 2021 04:07:05 +0100 (CET) Received: from dggpemm500023.china.huawei.com (unknown [172.30.72.53]) by szxga08-in.huawei.com (SkyGuard) with ESMTP id 4JKsMr3jTSz1DKHY; Fri, 24 Dec 2021 11:03:52 +0800 (CST) Received: from dggpemm500008.china.huawei.com (7.185.36.136) by dggpemm500023.china.huawei.com (7.185.36.83) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Fri, 24 Dec 2021 11:07:03 +0800 Received: from localhost (10.174.242.157) by dggpemm500008.china.huawei.com (7.185.36.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2308.20; Fri, 24 Dec 2021 11:07:03 +0800 From: Yunjian Wang To: CC: , , , , , Yunjian Wang , Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow of hrxq's rss_key Date: Fri, 24 Dec 2021 11:06:19 +0800 Message-ID: <5cd9086411342c7475e3227249d3aa3a3144897d.1640314881.git.wangyunjian@huawei.com> X-Mailer: git-send-email 1.9.5.msysgit.1 MIME-Version: 1.0 X-Originating-IP: [10.174.242.157] X-ClientProxiedBy: dggems701-chm.china.huawei.com (10.3.19.178) To dggpemm500008.china.huawei.com (7.185.36.136) X-CFilter-Loop: Reflected X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org The mlx5_drop_action_create function use mlx5_malloc for allocating 'hrxq', but don't allocate for 'rss_key'. This is wrong and it can cause buffer overflow. Detected with address sanitizer: 0 (/usr/lib64/libasan.so.4+0x7b8e2) 1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765 2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800 3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051 4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846 5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743 6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501 7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647 8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722 9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657 10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711 11 in mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150 12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269 13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353 14 in pci_probe ../drivers/bus/pci/pci_common.c:380 15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72 16 in rte_eal_init ../lib/eal/linux/eal.c:1286 17 in main ../app/test-pmd/testpmd.c:4112 Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code") Cc: stable@dpdk.org Signed-off-by: Yunjian Wang Acked-by: Viacheslav Ovsiienko Acked-by: Viacheslav Ovsiienko --- drivers/net/mlx5/mlx5_rxq.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c index f77d42dedf..a1e0b887a8 100644 --- a/drivers/net/mlx5/mlx5_rxq.c +++ b/drivers/net/mlx5/mlx5_rxq.c @@ -2828,7 +2828,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev) if (priv->drop_queue.hrxq) return priv->drop_queue.hrxq; - hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY); + hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) + MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY); if (!hrxq) { DRV_LOG(WARNING, "Port %u cannot allocate memory for drop queue.",