diff mbox series

[1/1] net/mlx5: fix stack buffer overflow

Message ID 782531af297f80054ea965893bf2ed4a71af472c.1640071468.git.wangyunjian@huawei.com (mailing list archive)
State New
Delegated to: Raslan Darawsheh
Headers show
Series [1/1] net/mlx5: fix stack buffer overflow | expand

Checks

Context Check Description
ci/intel-Testing success Testing PASS
ci/Intel-compilation success Compilation OK
ci/github-robot: build success github build: passed
ci/iol-aarch64-unit-testing success Testing PASS
ci/iol-intel-Functional success Functional Testing PASS
ci/iol-intel-Performance success Performance Testing PASS
ci/iol-x86_64-compile-testing success Testing PASS
ci/iol-broadcom-Functional success Functional Testing PASS
ci/iol-x86_64-unit-testing success Testing PASS
ci/iol-aarch64-compile-testing success Testing PASS
ci/iol-mellanox-Performance success Performance Testing PASS
ci/iol-broadcom-Performance success Performance Testing PASS
ci/checkpatch success coding style OK

Commit Message

wangyunjian Dec. 21, 2021, 7:37 a.m. UTC
The mlx5_sysfs_switch_info function get 'phys_port_name' buffer, using
'IF_NAMESIZE' for that case will be wrong and it can cause buffer overflow.

Detected with address sanitizer:
0 (/usr/lib64/libasan.so.4+0x60b57)
1 vfscanf (/usr/lib64/libasan.so.4+0x6170f)
2 __interceptor_fscanf (/usr/lib64/libasan.so.4+0x61823)
3 mlx5_sysfs_switch_info ../drivers/net/mlx5/linux/mlx5_ethdev_os.c:1098
4 mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2417
5 mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
6 mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
7 drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
8 mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
9 rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
10 pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
11 pci_probe ../drivers/bus/pci/pci_common.c:380
12 rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
13 rte_eal_init ../lib/eal/linux/eal.c:1286
14 main ../app/test-pmd/testpmd.c:4112
15 __libc_start_main (/usr/lib64/libc.so.6+0x23f7f)
16 _start (dpdk/arm64-armv8a-linuxapp-gcc/app/dpdk-testpmd+0x4c88a3)

Fixes: 63d1db710fbc ("net/mlx5: fix unlimited parsing of switch info")
Cc: stable@dpdk.org

Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
---
 drivers/net/mlx5/linux/mlx5_ethdev_os.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

wangyunjian Jan. 28, 2022, 9:41 a.m. UTC | #1
Friendly ping.

> -----Original Message-----
> From: wangyunjian
> Sent: Tuesday, December 21, 2021 3:38 PM
> To: dev@dpdk.org
> Cc: matan@nvidia.com; viacheslavo@nvidia.com; dingxiaoxiong
> <dingxiaoxiong@huawei.com>; xudingke <xudingke@huawei.com>;
> wangyunjian <wangyunjian@huawei.com>; stable@dpdk.org
> Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow
> 
> The mlx5_sysfs_switch_info function get 'phys_port_name' buffer, using
> 'IF_NAMESIZE' for that case will be wrong and it can cause buffer overflow.
> 
> Detected with address sanitizer:
> 0 (/usr/lib64/libasan.so.4+0x60b57)
> 1 vfscanf (/usr/lib64/libasan.so.4+0x6170f)
> 2 __interceptor_fscanf (/usr/lib64/libasan.so.4+0x61823)
> 3 mlx5_sysfs_switch_info ../drivers/net/mlx5/linux/mlx5_ethdev_os.c:1098
> 4 mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2417
> 5 mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
> 6 mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
> 7 drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
> 8 mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
> 9 rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
> 10 pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
> 11 pci_probe ../drivers/bus/pci/pci_common.c:380
> 12 rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
> 13 rte_eal_init ../lib/eal/linux/eal.c:1286
> 14 main ../app/test-pmd/testpmd.c:4112
> 15 __libc_start_main (/usr/lib64/libc.so.6+0x23f7f)
> 16 _start (dpdk/arm64-armv8a-linuxapp-gcc/app/dpdk-testpmd+0x4c88a3)
> 
> Fixes: 63d1db710fbc ("net/mlx5: fix unlimited parsing of switch info")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> ---
>  drivers/net/mlx5/linux/mlx5_ethdev_os.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/mlx5/linux/mlx5_ethdev_os.c
> b/drivers/net/mlx5/linux/mlx5_ethdev_os.c
> index c19825ee52..1d97110864 100644
> --- a/drivers/net/mlx5/linux/mlx5_ethdev_os.c
> +++ b/drivers/net/mlx5/linux/mlx5_ethdev_os.c
> @@ -1066,7 +1066,7 @@ int
>  mlx5_sysfs_switch_info(unsigned int ifindex, struct mlx5_switch_info *info)  {
>  	char ifname[IF_NAMESIZE];
> -	char port_name[IF_NAMESIZE];
> +	char port_name[IF_NAMESIZE + 1];
>  	FILE *file;
>  	struct mlx5_switch_info data = {
>  		.master = 0,
> --
> 2.27.0
wangyunjian Feb. 8, 2022, 10:55 a.m. UTC | #2
Friendly ping.

> -----Original Message-----
> From: wangyunjian
> Sent: Tuesday, December 21, 2021 3:38 PM
> To: dev@dpdk.org
> Cc: matan@nvidia.com; viacheslavo@nvidia.com; dingxiaoxiong
> <dingxiaoxiong@huawei.com>; xudingke <xudingke@huawei.com>;
> wangyunjian <wangyunjian@huawei.com>; stable@dpdk.org
> Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow
> 
> The mlx5_sysfs_switch_info function get 'phys_port_name' buffer, using
> 'IF_NAMESIZE' for that case will be wrong and it can cause buffer overflow.
> 
> Detected with address sanitizer:
> 0 (/usr/lib64/libasan.so.4+0x60b57)
> 1 vfscanf (/usr/lib64/libasan.so.4+0x6170f)
> 2 __interceptor_fscanf (/usr/lib64/libasan.so.4+0x61823)
> 3 mlx5_sysfs_switch_info ../drivers/net/mlx5/linux/mlx5_ethdev_os.c:1098
> 4 mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2417
> 5 mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
> 6 mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
> 7 drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
> 8 mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
> 9 rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
> 10 pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
> 11 pci_probe ../drivers/bus/pci/pci_common.c:380
> 12 rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
> 13 rte_eal_init ../lib/eal/linux/eal.c:1286
> 14 main ../app/test-pmd/testpmd.c:4112
> 15 __libc_start_main (/usr/lib64/libc.so.6+0x23f7f)
> 16 _start (dpdk/arm64-armv8a-linuxapp-gcc/app/dpdk-testpmd+0x4c88a3)
> 
> Fixes: 63d1db710fbc ("net/mlx5: fix unlimited parsing of switch info")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> ---
>  drivers/net/mlx5/linux/mlx5_ethdev_os.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/mlx5/linux/mlx5_ethdev_os.c
> b/drivers/net/mlx5/linux/mlx5_ethdev_os.c
> index c19825ee52..1d97110864 100644
> --- a/drivers/net/mlx5/linux/mlx5_ethdev_os.c
> +++ b/drivers/net/mlx5/linux/mlx5_ethdev_os.c
> @@ -1066,7 +1066,7 @@ int
>  mlx5_sysfs_switch_info(unsigned int ifindex, struct mlx5_switch_info *info)  {
>  	char ifname[IF_NAMESIZE];
> -	char port_name[IF_NAMESIZE];
> +	char port_name[IF_NAMESIZE + 1];
>  	FILE *file;
>  	struct mlx5_switch_info data = {
>  		.master = 0,
> --
> 2.27.0
wangyunjian March 2, 2022, 10:55 a.m. UTC | #3
Is there any ideas on this bug?

-----Original Message-----
From: wangyunjian [mailto:wangyunjian@huawei.com] 
Sent: Tuesday, February 8, 2022 6:55 PM
To: dev@dpdk.org
Cc: matan@nvidia.com; viacheslavo@nvidia.com; dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke <xudingke@huawei.com>; stable@dpdk.org
Subject: RE: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow

Friendly ping.

> -----Original Message-----
> From: wangyunjian
> Sent: Tuesday, December 21, 2021 3:38 PM
> To: dev@dpdk.org
> Cc: matan@nvidia.com; viacheslavo@nvidia.com; dingxiaoxiong 
> <dingxiaoxiong@huawei.com>; xudingke <xudingke@huawei.com>; 
> wangyunjian <wangyunjian@huawei.com>; stable@dpdk.org
> Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow
> 
> The mlx5_sysfs_switch_info function get 'phys_port_name' buffer, using 
> 'IF_NAMESIZE' for that case will be wrong and it can cause buffer overflow.
> 
> Detected with address sanitizer:
> 0 (/usr/lib64/libasan.so.4+0x60b57)
> 1 vfscanf (/usr/lib64/libasan.so.4+0x6170f)
> 2 __interceptor_fscanf (/usr/lib64/libasan.so.4+0x61823)
> 3 mlx5_sysfs_switch_info 
> ../drivers/net/mlx5/linux/mlx5_ethdev_os.c:1098
> 4 mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2417
> 5 mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
> 6 mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
> 7 drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
> 8 mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
> 9 rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
> 10 pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
> 11 pci_probe ../drivers/bus/pci/pci_common.c:380
> 12 rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
> 13 rte_eal_init ../lib/eal/linux/eal.c:1286
> 14 main ../app/test-pmd/testpmd.c:4112
> 15 __libc_start_main (/usr/lib64/libc.so.6+0x23f7f)
> 16 _start (dpdk/arm64-armv8a-linuxapp-gcc/app/dpdk-testpmd+0x4c88a3)
> 
> Fixes: 63d1db710fbc ("net/mlx5: fix unlimited parsing of switch info")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
> ---
>  drivers/net/mlx5/linux/mlx5_ethdev_os.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/net/mlx5/linux/mlx5_ethdev_os.c
> b/drivers/net/mlx5/linux/mlx5_ethdev_os.c
> index c19825ee52..1d97110864 100644
> --- a/drivers/net/mlx5/linux/mlx5_ethdev_os.c
> +++ b/drivers/net/mlx5/linux/mlx5_ethdev_os.c
> @@ -1066,7 +1066,7 @@ int
>  mlx5_sysfs_switch_info(unsigned int ifindex, struct mlx5_switch_info *info)  {
>  	char ifname[IF_NAMESIZE];
> -	char port_name[IF_NAMESIZE];
> +	char port_name[IF_NAMESIZE + 1];
>  	FILE *file;
>  	struct mlx5_switch_info data = {
>  		.master = 0,
> --
> 2.27.0
diff mbox series

Patch

diff --git a/drivers/net/mlx5/linux/mlx5_ethdev_os.c b/drivers/net/mlx5/linux/mlx5_ethdev_os.c
index c19825ee52..1d97110864 100644
--- a/drivers/net/mlx5/linux/mlx5_ethdev_os.c
+++ b/drivers/net/mlx5/linux/mlx5_ethdev_os.c
@@ -1066,7 +1066,7 @@  int
 mlx5_sysfs_switch_info(unsigned int ifindex, struct mlx5_switch_info *info)
 {
 	char ifname[IF_NAMESIZE];
-	char port_name[IF_NAMESIZE];
+	char port_name[IF_NAMESIZE + 1];
 	FILE *file;
 	struct mlx5_switch_info data = {
 		.master = 0,