| Message ID | 1461656687-5396-1-git-send-email-slawomirx.mrozowicz@intel.com (mailing list archive) |
|---|---|
| State | Superseded, archived |
| Delegated to: | Thomas Monjalon |
| Headers |
Return-Path: <dev-bounces@dpdk.org> X-Original-To: patchwork@dpdk.org Delivered-To: patchwork@dpdk.org Received: from [92.243.14.124] (localhost [IPv6:::1]) by dpdk.org (Postfix) with ESMTP id 4B7C33208; Tue, 26 Apr 2016 09:43:29 +0200 (CEST) Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by dpdk.org (Postfix) with ESMTP id 2B6432A1A for <dev@dpdk.org>; Tue, 26 Apr 2016 09:43:27 +0200 (CEST) Received: from fmsmga001.fm.intel.com ([10.253.24.23]) by fmsmga102.fm.intel.com with ESMTP; 26 Apr 2016 00:43:26 -0700 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.24,536,1455004800"; d="scan'208";a="953012096" Received: from gklab-246-018.igk.intel.com (HELO stargo) ([10.217.246.18]) by fmsmga001.fm.intel.com with SMTP; 26 Apr 2016 00:43:23 -0700 Received: by stargo (sSMTP sendmail emulation); Tue, 26 Apr 2016 09:44:49 +0200 From: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com> To: david.marchand@6wind.com Cc: dev@dpdk.org, Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com> Date: Tue, 26 Apr 2016 09:44:47 +0200 Message-Id: <1461656687-5396-1-git-send-email-slawomirx.mrozowicz@intel.com> X-Mailer: git-send-email 1.9.1 Subject: [dpdk-dev] [PATCH] eal: out-of-bounds write X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches and discussions about DPDK <dev.dpdk.org> List-Unsubscribe: <http://dpdk.org/ml/options/dev>, <mailto:dev-request@dpdk.org?subject=unsubscribe> List-Archive: <http://dpdk.org/ml/archives/dev/> List-Post: <mailto:dev@dpdk.org> List-Help: <mailto:dev-request@dpdk.org?subject=help> List-Subscribe: <http://dpdk.org/ml/listinfo/dev>, <mailto:dev-request@dpdk.org?subject=subscribe> Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org> |
Commit Message
Slawomir Mrozowicz
April 26, 2016, 7:44 a.m. UTC
Fix issue reported by Coverity.
Coverity ID 13282: Out-of-bounds write
overrun-local: Overrunning array mcfg->memseg of 256 44-byte elements
at element index 257 using index j.
Fixes: af75078fece3 ("first public release")
Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com>
---
lib/librte_eal/linuxapp/eal/eal_memory.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Tue, Apr 26, 2016 at 09:44:47AM +0200, Slawomir Mrozowicz wrote: > Fix issue reported by Coverity. > > Coverity ID 13282: Out-of-bounds write > overrun-local: Overrunning array mcfg->memseg of 256 44-byte elements > at element index 257 using index j. > > Fixes: af75078fece3 ("first public release") > > Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com> > --- > lib/librte_eal/linuxapp/eal/eal_memory.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c > index 5b9132c..1e737e4 100644 > --- a/lib/librte_eal/linuxapp/eal/eal_memory.c > +++ b/lib/librte_eal/linuxapp/eal/eal_memory.c > @@ -1333,7 +1333,7 @@ rte_eal_hugepage_init(void) > > if (new_memseg) { > j += 1; > - if (j == RTE_MAX_MEMSEG) > + if (j >= RTE_MAX_MEMSEG) > break; > > mcfg->memseg[j].phys_addr = hugepage[i].physaddr; > -- This does appear to be a valid fix for the issue. However, looking at the code, it appears that the only way we could actually hit the problem is if j == RTE_MAX_MEMSEG on exiting the previous loop. Would a check there be a better fix for this issue (or perhaps we want both fixes). Thoughts? /Bruce
On 26/04/2016 09:53, Bruce Richardson wrote: > On Tue, Apr 26, 2016 at 09:44:47AM +0200, Slawomir Mrozowicz wrote: >> Fix issue reported by Coverity. >> >> Coverity ID 13282: Out-of-bounds write >> overrun-local: Overrunning array mcfg->memseg of 256 44-byte elements >> at element index 257 using index j. >> >> Fixes: af75078fece3 ("first public release") >> >> Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com> >> --- >> lib/librte_eal/linuxapp/eal/eal_memory.c | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c >> index 5b9132c..1e737e4 100644 >> --- a/lib/librte_eal/linuxapp/eal/eal_memory.c >> +++ b/lib/librte_eal/linuxapp/eal/eal_memory.c >> @@ -1333,7 +1333,7 @@ rte_eal_hugepage_init(void) >> >> if (new_memseg) { >> j += 1; >> - if (j == RTE_MAX_MEMSEG) >> + if (j >= RTE_MAX_MEMSEG) >> break; >> >> mcfg->memseg[j].phys_addr = hugepage[i].physaddr; >> -- > This does appear to be a valid fix for the issue. However, looking at the code, > it appears that the only way we could actually hit the problem is if > j == RTE_MAX_MEMSEG on exiting the previous loop. Would a check there be a better > fix for this issue (or perhaps we want both fixes). > > Thoughts? It doesn't make sense to go into the loop if we don't have free memsegs. Either way we should print the error indicating that we reached MAX_MEMSEG. Sergio > /Bruce
>-----Original Message----- >From: Gonzalez Monroy, Sergio >Sent: Tuesday, April 26, 2016 11:44 AM >To: Richardson, Bruce <bruce.richardson@intel.com>; Mrozowicz, SlawomirX ><slawomirx.mrozowicz@intel.com> >Cc: david.marchand@6wind.com; dev@dpdk.org >Subject: Re: [dpdk-dev] [PATCH] eal: out-of-bounds write > >On 26/04/2016 09:53, Bruce Richardson wrote: >> On Tue, Apr 26, 2016 at 09:44:47AM +0200, Slawomir Mrozowicz wrote: >>> Fix issue reported by Coverity. >>> >>> Coverity ID 13282: Out-of-bounds write >>> overrun-local: Overrunning array mcfg->memseg of 256 44-byte elements >>> at element index 257 using index j. >>> >>> Fixes: af75078fece3 ("first public release") >>> >>> Signed-off-by: Slawomir Mrozowicz <slawomirx.mrozowicz@intel.com> >>> --- >>> lib/librte_eal/linuxapp/eal/eal_memory.c | 2 +- >>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> >>> diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c >>> b/lib/librte_eal/linuxapp/eal/eal_memory.c >>> index 5b9132c..1e737e4 100644 >>> --- a/lib/librte_eal/linuxapp/eal/eal_memory.c >>> +++ b/lib/librte_eal/linuxapp/eal/eal_memory.c >>> @@ -1333,7 +1333,7 @@ rte_eal_hugepage_init(void) >>> >>> if (new_memseg) { >>> j += 1; >>> - if (j == RTE_MAX_MEMSEG) >>> + if (j >= RTE_MAX_MEMSEG) >>> break; >>> >>> mcfg->memseg[j].phys_addr = hugepage[i].physaddr; >>> -- >> This does appear to be a valid fix for the issue. However, looking at >> the code, it appears that the only way we could actually hit the >> problem is if j == RTE_MAX_MEMSEG on exiting the previous loop. Would >> a check there be a better fix for this issue (or perhaps we want both fixes). >> >> Thoughts? > >It doesn't make sense to go into the loop if we don't have free memsegs. >Either way we should print the error indicating that we reached >MAX_MEMSEG. > >Sergio > It is possible to add additional checking available memseg before the loop. In this case it will be checked twice before loop and inside loop. In my opinion it is not necessary. Anyway it is valuable to add in line 1336 error message if the MAX_MEMSEG is reached. SÅ‚awomir > >> /Bruce
diff --git a/lib/librte_eal/linuxapp/eal/eal_memory.c b/lib/librte_eal/linuxapp/eal/eal_memory.c index 5b9132c..1e737e4 100644 --- a/lib/librte_eal/linuxapp/eal/eal_memory.c +++ b/lib/librte_eal/linuxapp/eal/eal_memory.c @@ -1333,7 +1333,7 @@ rte_eal_hugepage_init(void) if (new_memseg) { j += 1; - if (j == RTE_MAX_MEMSEG) + if (j >= RTE_MAX_MEMSEG) break; mcfg->memseg[j].phys_addr = hugepage[i].physaddr;