[dpdk-stable] [PATCH v1 1/4] raw/ifpga/base: use trusted buffer to free

[Ferruh Yigit]

On 3/17/2021 8:21 AM, Wei Huang wrote:
> In write_flash_image(), calling function "read" may taints variable
> "buf" which turn to an untrusted value as argument of "rte_free".
> 
> Coverity issue: 367477
> Fixes: 7a4f3993f269 ("raw/ifpga: add FPGA RSU APIs")
> 

Hi Huang, Rosen,

I checked the coverity issue but still not clear about the problem. What does 
'read' taints 'buf' mean?
The 'buf' passed as an argument to read, so all 'read' can do is change the 
memory that 'buf' points, so why it should affect the 'free' at all?
If the memory is overflow etc, your change is just hiding the error not fixing it.

And the error message mentions from 'rte_free', not 'free', not sure how 
'rte_free' is involved in the problem, any idea?

> Signed-off-by: Wei Huang <wei.huang at intel.com>
> ---
>   drivers/raw/ifpga/base/ifpga_fme_rsu.c | 4 +++-
>   1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/raw/ifpga/base/ifpga_fme_rsu.c b/drivers/raw/ifpga/base/ifpga_fme_rsu.c
> index 28198abd78..d32f1eccb1 100644
> --- a/drivers/raw/ifpga/base/ifpga_fme_rsu.c
> +++ b/drivers/raw/ifpga/base/ifpga_fme_rsu.c
> @@ -92,6 +92,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image,
>   	uint32_t offset)
>   {
>   	void *buf = NULL;
> +	void *buf_to_free = NULL;
>   	int retry = 0;
>   	uint32_t length = 0;
>   	uint32_t to_transfer = 0;
> @@ -122,6 +123,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image,
>   		close(fd);
>   		return -ENOMEM;
>   	}
> +	buf_to_free = buf;
>   
>   	length = smgr->rsu_length;
>   	one_percent = length / 100;
> @@ -177,7 +179,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image,
>   	printf("\n");
>   
>   end:
> -	free(buf);
> +	free(buf_to_free);
>   	close(fd);
>   	return ret;
>   }
>