Message ID | 782531af297f80054ea965893bf2ed4a71af472c.1640071468.git.wangyunjian@huawei.com (mailing list archive) |
---|---|
State | New |
Delegated to: | Raslan Darawsheh |
Series | [1/1] net/mlx5: fix stack buffer overflow |
Context | Check | Description |
---|---|---|
ci/intel-Testing | success | Testing PASS |
ci/Intel-compilation | success | Compilation OK |
ci/github-robot: build | success | github build: passed |
ci/iol-aarch64-unit-testing | success | Testing PASS |
ci/iol-intel-Functional | success | Functional Testing PASS |
ci/iol-intel-Performance | success | Performance Testing PASS |
ci/iol-x86_64-compile-testing | success | Testing PASS |
ci/iol-broadcom-Functional | success | Functional Testing PASS |
ci/iol-x86_64-unit-testing | success | Testing PASS |
ci/iol-aarch64-compile-testing | success | Testing PASS |
ci/iol-mellanox-Performance | success | Performance Testing PASS |
ci/iol-broadcom-Performance | success | Performance Testing PASS |
ci/checkpatch | success | coding style OK |
Friendly ping. > -----Original Message----- > From: wangyunjian > Sent: Tuesday, December 21, 2021 3:38 PM > To: dev@dpdk.org > Cc: matan@nvidia.com; viacheslavo@nvidia.com; dingxiaoxiong > <dingxiaoxiong@huawei.com>; xudingke <xudingke@huawei.com>; > wangyunjian <wangyunjian@huawei.com>; stable@dpdk.org > Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow > > The mlx5_sysfs_switch_info function get 'phys_port_name' buffer, using > 'IF_NAMESIZE' for that case will be wrong and it can cause buffer overflow. > > Detected with address sanitizer: > 0 (/usr/lib64/libasan.so.4+0x60b57) > 1 vfscanf (/usr/lib64/libasan.so.4+0x6170f) > 2 __interceptor_fscanf (/usr/lib64/libasan.so.4+0x61823) > 3 mlx5_sysfs_switch_info ../drivers/net/mlx5/linux/mlx5_ethdev_os.c:1098 > 4 mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2417 > 5 mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647 > 6 mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722 > 7 drivers_probe ../drivers/common/mlx5/mlx5_common.c:657 > 8 mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711 > 9 rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269 > 10 pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353 > 11 pci_probe ../drivers/bus/pci/pci_common.c:380 > 12 rte_bus_probe ../lib/eal/common/eal_common_bus.c:72 > 13 rte_eal_init ../lib/eal/linux/eal.c:1286 > 14 main ../app/test-pmd/testpmd.c:4112 > 15 __libc_start_main (/usr/lib64/libc.so.6+0x23f7f) > 16 _start (dpdk/arm64-armv8a-linuxapp-gcc/app/dpdk-testpmd+0x4c88a3) > > Fixes: 63d1db710fbc ("net/mlx5: fix unlimited parsing of switch info") > Cc: stable@dpdk.org > > Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> > --- > drivers/net/mlx5/linux/mlx5_ethdev_os.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/mlx5/linux/mlx5_ethdev_os.c > b/drivers/net/mlx5/linux/mlx5_ethdev_os.c > index c19825ee52..1d97110864 100644 > --- a/drivers/net/mlx5/linux/mlx5_ethdev_os.c 
> +++ b/drivers/net/mlx5/linux/mlx5_ethdev_os.c > @@ -1066,7 +1066,7 @@ int > mlx5_sysfs_switch_info(unsigned int ifindex, struct mlx5_switch_info *info) { > char ifname[IF_NAMESIZE]; > - char port_name[IF_NAMESIZE]; > + char port_name[IF_NAMESIZE + 1]; > FILE *file; > struct mlx5_switch_info data = { > .master = 0, > -- > 2.27.0
Are there any ideas on this bug?

-----Original Message-----
From: wangyunjian [mailto:wangyunjian@huawei.com]
Sent: Tuesday, February 8, 2022 6:55 PM
To: dev@dpdk.org
Cc: matan@nvidia.com; viacheslavo@nvidia.com; dingxiaoxiong <dingxiaoxiong@huawei.com>; xudingke <xudingke@huawei.com>; stable@dpdk.org
Subject: RE: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow

Friendly ping.

> -----Original Message-----
> From: wangyunjian > Sent: Tuesday, December 21, 2021 3:38 PM > To: dev@dpdk.org > Cc: matan@nvidia.com; viacheslavo@nvidia.com; dingxiaoxiong > <dingxiaoxiong@huawei.com>; xudingke <xudingke@huawei.com>; > wangyunjian <wangyunjian@huawei.com>; stable@dpdk.org > Subject: [dpdk-dev] [PATCH 1/1] net/mlx5: fix stack buffer overflow > > The mlx5_sysfs_switch_info function get 'phys_port_name' buffer, using > 'IF_NAMESIZE' for that case will be wrong and it can cause buffer overflow. > > Detected with address sanitizer: > 0 (/usr/lib64/libasan.so.4+0x60b57) > 1 vfscanf (/usr/lib64/libasan.so.4+0x6170f) > 2 __interceptor_fscanf (/usr/lib64/libasan.so.4+0x61823) > 3 mlx5_sysfs_switch_info > ../drivers/net/mlx5/linux/mlx5_ethdev_os.c:1098 > 4 mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2417 > 5 mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647 > 6 mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722 > 7 drivers_probe ../drivers/common/mlx5/mlx5_common.c:657 > 8 mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711 > 9 rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269 > 10 pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353 > 11 pci_probe ../drivers/bus/pci/pci_common.c:380 > 12 rte_bus_probe ../lib/eal/common/eal_common_bus.c:72 > 13 rte_eal_init ../lib/eal/linux/eal.c:1286 > 14 main ../app/test-pmd/testpmd.c:4112 > 15 __libc_start_main (/usr/lib64/libc.so.6+0x23f7f) > 16 _start (dpdk/arm64-armv8a-linuxapp-gcc/app/dpdk-testpmd+0x4c88a3) > > Fixes: 63d1db710fbc ("net/mlx5: fix unlimited parsing of switch info") > Cc: stable@dpdk.org > > Signed-off-by: Yunjian Wang <wangyunjian@huawei.com> > --- > drivers/net/mlx5/linux/mlx5_ethdev_os.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/mlx5/linux/mlx5_ethdev_os.c > b/drivers/net/mlx5/linux/mlx5_ethdev_os.c > index c19825ee52..1d97110864 100644 > --- a/drivers/net/mlx5/linux/mlx5_ethdev_os.c > +++ b/drivers/net/mlx5/linux/mlx5_ethdev_os.c 
> @@ -1066,7 +1066,7 @@ int > mlx5_sysfs_switch_info(unsigned int ifindex, struct mlx5_switch_info *info) { > char ifname[IF_NAMESIZE]; > - char port_name[IF_NAMESIZE]; > + char port_name[IF_NAMESIZE + 1]; > FILE *file; > struct mlx5_switch_info data = { > .master = 0, > -- > 2.27.0
diff --git a/drivers/net/mlx5/linux/mlx5_ethdev_os.c b/drivers/net/mlx5/linux/mlx5_ethdev_os.c index c19825ee52..1d97110864 100644 --- a/drivers/net/mlx5/linux/mlx5_ethdev_os.c +++ b/drivers/net/mlx5/linux/mlx5_ethdev_os.c @@ -1066,7 +1066,7 @@ int mlx5_sysfs_switch_info(unsigned int ifindex, struct mlx5_switch_info *info) { char ifname[IF_NAMESIZE]; - char port_name[IF_NAMESIZE]; + char port_name[IF_NAMESIZE + 1]; FILE *file; struct mlx5_switch_info data = { .master = 0,
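Review bot: On the `port_name` declaration, the `+ 1` is a bare adjustment with no visible link to the read that overflows it. The ASan trace in the commit message places the write in the fscanf call at mlx5_ethdev_os.c:1098, which this hunk neither touches nor shows, and the message does not say why exactly one extra byte is enough. If that call uses a `%s` conversion with a field width of IF_NAMESIZE, the conversion can store that many characters plus a terminating NUL, so the new size would be correct, but the relationship stays implicit and can drift again. Please state the width/size relationship in the commit message and in a comment on the declaration, or bound the read by `sizeof(port_name)` so the two cannot disagree. The unchanged context line `char ifname[IF_NAMESIZE];` keeps the old size; it is worth confirming in the same patch that no width-limited scan fills it the same way.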
The mlx5_sysfs_switch_info function get 'phys_port_name' buffer, using 'IF_NAMESIZE' for that case will be wrong and it can cause buffer overflow.

Detected with address sanitizer:
0 (/usr/lib64/libasan.so.4+0x60b57)
1 vfscanf (/usr/lib64/libasan.so.4+0x6170f)
2 __interceptor_fscanf (/usr/lib64/libasan.so.4+0x61823)
3 mlx5_sysfs_switch_info ../drivers/net/mlx5/linux/mlx5_ethdev_os.c:1098
4 mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2417
5 mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
6 mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
7 drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
8 mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
9 rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
10 pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
11 pci_probe ../drivers/bus/pci/pci_common.c:380
12 rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
13 rte_eal_init ../lib/eal/linux/eal.c:1286
14 main ../app/test-pmd/testpmd.c:4112
15 __libc_start_main (/usr/lib64/libc.so.6+0x23f7f)
16 _start (dpdk/arm64-armv8a-linuxapp-gcc/app/dpdk-testpmd+0x4c88a3)

Fixes: 63d1db710fbc ("net/mlx5: fix unlimited parsing of switch info")
Cc: stable@dpdk.org

Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
---
drivers/net/mlx5/linux/mlx5_ethdev_os.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
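The off-by-one behind the ASan report above, as an added example that is not code from the patch or from DPDK: it measures how many bytes a width-limited `%s` conversion writes and shows a read whose width is derived from the destination size. It assumes the faulting call uses a field width equal to the array size (the call is not shown on this page); `NAME_SZ`, `bytes_written` and `scan_token` are hypothetical names, and the input string is constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define NAME_SZ 16   /* stand-in for IF_NAMESIZE (assumed value) */
#define STR_(x) #x
#define STR(x) STR_(x)
#define POISON 0x5A  /* 'Z'; the constructed inputs never contain it */

/* Bytes a "%<NAME_SZ>s" conversion writes for `input`, NUL included. */
static size_t bytes_written(const char *input)
{
	unsigned char arena[2 * NAME_SZ]; /* deliberately larger than NAME_SZ */
	size_t len;

	memset(arena, POISON, sizeof(arena));
	if (sscanf(input, "%" STR(NAME_SZ) "s", (char *)arena) != 1)
		return 0;
	len = strlen((char *)arena);
	/* The byte after the NUL must still be poison, or the count is wrong. */
	return arena[len + 1] == POISON ? len + 1 : 0;
}

/* Hardened read: width comes from the buffer size; 1 means truncated. */
static int scan_token(const char *input, char *dst, size_t dst_sz)
{
	char fmt[32];
	int used = 0;

	if (dst_sz < 2)
		return -1;
	snprintf(fmt, sizeof(fmt), "%%%zus%%n", dst_sz - 1);
	if (sscanf(input, fmt, dst, &used) != 1)
		return -1;
	return input[used] != '\0' && !isspace((unsigned char)input[used]);
}

int main(void)
{
	const char *long_name = "pf0vf1234567890123"; /* constructed, 18 chars */
	char name[NAME_SZ + 1];

	printf("%%%ds wrote %zu bytes\n", NAME_SZ, bytes_written(long_name));
	printf("truncated=%d name=%s\n",
	       scan_token(long_name, name, sizeof(name)), name);
	return 0;
}
```

A width of N in `%Ns` limits the characters stored, not the bytes written, so a destination of N bytes is one short whenever the input token is at least N characters long.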