[dpdk-dev] [PATCH] mem: fix possible memzone integer overflow

Sergio Gonzalez Monroy sergio.gonzalez.monroy at intel.com
Tue Jun 14 20:07:18 CEST 2016


It is possible to get an integer overflow if we try to reserve a memzone
with len = 0 (meaning the maximum contiguous space available) and the
maximum available elem size is less than (MALLOC_ELEM_OVERHEAD + align).

Issue reported by Coverity:

   >>> 10. overflow: Subtract operation overflows on operands len and
   >>>     64UL.
   >>> CID 107111 (#1 of 1): Overflowed return value (INTEGER_OVERFLOW)
   >>> 11. overflow_sink: Overflowed or truncated value (or a value
   >>>     computed from an overflowed or truncated value)
   >>>     len - 64UL - align used as return value.
   122         return len - MALLOC_ELEM_OVERHEAD - align;

Fixes: fafcc11985a2 ("mem: rework memzone to be allocated by malloc")

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy at intel.com>
---
 lib/librte_eal/common/eal_common_memzone.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/lib/librte_eal/common/eal_common_memzone.c b/lib/librte_eal/common/eal_common_memzone.c
index 452679e..5d28341 100644
--- a/lib/librte_eal/common/eal_common_memzone.c
+++ b/lib/librte_eal/common/eal_common_memzone.c
@@ -119,6 +119,9 @@ find_heap_max_free_elem(int *s, unsigned align)
 		}
 	}
 
+	if (len < MALLOC_ELEM_OVERHEAD + align)
+		return 0;
+
 	return len - MALLOC_ELEM_OVERHEAD - align;
 }
 
@@ -197,8 +200,13 @@ memzone_reserve_aligned_thread_unsafe(const char *name, size_t len,
 	if (len == 0) {
 		if (bound != 0)
 			requested_len = bound;
-		else
+		else {
 			requested_len = find_heap_max_free_elem(&socket_id, align);
+			if (requested_len == 0) {
+				rte_errno = ENOMEM;
+				return NULL;
+			}
+		}
 	}
 
 	if (socket_id == SOCKET_ID_ANY)
-- 
2.4.11



More information about the dev mailing list