[dpdk-stable] patch 'app/eventdev: fix overflow in lcore list parsing' has been queued to stable release 20.11.2

Xueming Li xuemingl at nvidia.com
Sat Jun 12 01:01:41 CEST 2021

Previous message (by thread): [dpdk-stable] patch 'test/mempool: fix object initializer' has been queued to stable release 20.11.2
Next message (by thread): [dpdk-stable] patch 'eventdev: remove redundant thread name setting' has been queued to stable release 20.11.2
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to stable release 20.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 06/14/21. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/steevenlee/dpdk

This queued commit can be viewed at:
https://github.com/steevenlee/dpdk/commit/d173cc85c98dee2bbdfeaeb6b226fc2ee67bd18f

Thanks.

Xueming Li <xuemingl at nvidia.com>

---
>From d173cc85c98dee2bbdfeaeb6b226fc2ee67bd18f Mon Sep 17 00:00:00 2001
From: "Min Hu (Connor)" <humin29 at huawei.com>
Date: Fri, 23 Apr 2021 15:38:08 +0800
Subject: [PATCH] app/eventdev: fix overflow in lcore list parsing
Cc: Luca Boccassi <bluca at debian.org>

[ upstream commit 32d7dbf269be84cb906979d73ad81b40e28d377a ]

Tainted and unvalidated integer 'idx' used as an index, which may
lead to buffer overflow.

This patch fixed it.

Fixes: 89e5eb118017 ("app/testeventdev: add string parsing helpers")

Signed-off-by: Min Hu (Connor) <humin29 at huawei.com>
Acked-by: Pavan Nikhilesh <pbhagavatula at marvell.com>
---
 app/test-eventdev/evt_options.c | 4 ++--
 app/test-eventdev/parser.c      | 6 ++++--
 app/test-eventdev/parser.h      | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/app/test-eventdev/evt_options.c b/app/test-eventdev/evt_options.c
index 0d04ea9f8d..8c9d3fcdce 100644
--- a/app/test-eventdev/evt_options.c
+++ b/app/test-eventdev/evt_options.c
@@ -218,7 +218,7 @@ evt_parse_plcores(struct evt_options *opt, const char *corelist)
 {
 	int ret;
 
-	ret = parse_lcores_list(opt->plcores, corelist);
+	ret = parse_lcores_list(opt->plcores, RTE_MAX_LCORE, corelist);
 	if (ret == -E2BIG)
 		evt_err("duplicate lcores in plcores");
 
@@ -230,7 +230,7 @@ evt_parse_work_lcores(struct evt_options *opt, const char *corelist)
 {
 	int ret;
 
-	ret = parse_lcores_list(opt->wlcores, corelist);
+	ret = parse_lcores_list(opt->wlcores, RTE_MAX_LCORE, corelist);
 	if (ret == -E2BIG)
 		evt_err("duplicate lcores in wlcores");
 
diff --git a/app/test-eventdev/parser.c b/app/test-eventdev/parser.c
index 24f1855e9a..7a973cbb23 100644
--- a/app/test-eventdev/parser.c
+++ b/app/test-eventdev/parser.c
@@ -310,7 +310,7 @@ parse_hex_string(char *src, uint8_t *dst, uint32_t *size)
 }
 
 int
-parse_lcores_list(bool lcores[], const char *corelist)
+parse_lcores_list(bool lcores[], int lcores_num, const char *corelist)
 {
 	int i, idx = 0;
 	int min, max;
@@ -332,6 +332,8 @@ parse_lcores_list(bool lcores[], const char *corelist)
 		if (*corelist == '\0')
 			return -1;
 		idx = strtoul(corelist, &end, 10);
+		if (idx < 0 || idx > lcores_num)
+			return -1;
 
 		if (end == NULL)
 			return -1;
@@ -343,7 +345,7 @@ parse_lcores_list(bool lcores[], const char *corelist)
 			max = idx;
 			if (min == RTE_MAX_LCORE)
 				min = idx;
-			for (idx = min; idx <= max; idx++) {
+			for (idx = min; idx < max; idx++) {
 				if (lcores[idx] == 1)
 					return -E2BIG;
 				lcores[idx] = 1;
diff --git a/app/test-eventdev/parser.h b/app/test-eventdev/parser.h
index 673ff22d78..696b40a3e2 100644
--- a/app/test-eventdev/parser.h
+++ b/app/test-eventdev/parser.h
@@ -46,5 +46,5 @@ int parse_hex_string(char *src, uint8_t *dst, uint32_t *size);
 
 int parse_tokenize_string(char *string, char *tokens[], uint32_t *n_tokens);
 
-int parse_lcores_list(bool lcores[], const char *corelist);
+int parse_lcores_list(bool lcores[], int lcores_num, const char *corelist);
 #endif
-- 
2.25.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2021-06-12 06:53:56.882211000 +0800
+++ 0007-app-eventdev-fix-overflow-in-lcore-list-parsing.patch	2021-06-12 06:53:56.010000000 +0800
@@ -1 +1 @@
-From 32d7dbf269be84cb906979d73ad81b40e28d377a Mon Sep 17 00:00:00 2001
+From d173cc85c98dee2bbdfeaeb6b226fc2ee67bd18f Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Luca Boccassi <bluca at debian.org>
+
+[ upstream commit 32d7dbf269be84cb906979d73ad81b40e28d377a ]
@@ -12 +14,0 @@
-Cc: stable at dpdk.org
@@ -23 +25 @@
-index 0d55405741..061b63e12e 100644
+index 0d04ea9f8d..8c9d3fcdce 100644
@@ -26 +28 @@
-@@ -221,7 +221,7 @@ evt_parse_plcores(struct evt_options *opt, const char *corelist)
+@@ -218,7 +218,7 @@ evt_parse_plcores(struct evt_options *opt, const char *corelist)
@@ -35 +37 @@
-@@ -233,7 +233,7 @@ evt_parse_work_lcores(struct evt_options *opt, const char *corelist)
+@@ -230,7 +230,7 @@ evt_parse_work_lcores(struct evt_options *opt, const char *corelist)

Previous message (by thread): [dpdk-stable] patch 'test/mempool: fix object initializer' has been queued to stable release 20.11.2
Next message (by thread): [dpdk-stable] patch 'eventdev: remove redundant thread name setting' has been queued to stable release 20.11.2
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list