[dpdk-stable] patch 'app/eventdev: fix overflow in lcore list parsing' has been queued to stable release 19.11.9

Christian Ehrhardt christian.ehrhardt at canonical.com
Mon May 17 18:09:36 CEST 2021


Hi,

FYI, your patch has been queued to stable release 19.11.9

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 05/19/21. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/cpaelzer/dpdk-stable-queue

This queued commit can be viewed at:
https://github.com/cpaelzer/dpdk-stable-queue/commit/1e46d09ef92abc9304b7b38aff0e20878bc1aaa5

Thanks.

Christian Ehrhardt <christian.ehrhardt at canonical.com>

---
From 1e46d09ef92abc9304b7b38aff0e20878bc1aaa5 Mon Sep 17 00:00:00 2001
From: "Min Hu (Connor)" <humin29 at huawei.com>
Date: Fri, 23 Apr 2021 15:38:08 +0800
Subject: [PATCH] app/eventdev: fix overflow in lcore list parsing

[ upstream commit 32d7dbf269be84cb906979d73ad81b40e28d377a ]

Tainted and unvalidated integer 'idx' used as an index, which may
lead to buffer overflow.

This patch fixed it.

Fixes: 89e5eb118017 ("app/testeventdev: add string parsing helpers")

Signed-off-by: Min Hu (Connor) <humin29 at huawei.com>
Acked-by: Pavan Nikhilesh <pbhagavatula at marvell.com>
---
 app/test-eventdev/evt_options.c | 4 ++--
 app/test-eventdev/parser.c      | 6 ++++--
 app/test-eventdev/parser.h      | 2 +-
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/app/test-eventdev/evt_options.c b/app/test-eventdev/evt_options.c
index 4f4800d99d..3c80c1a489 100644
--- a/app/test-eventdev/evt_options.c
+++ b/app/test-eventdev/evt_options.c
@@ -218,7 +218,7 @@ evt_parse_plcores(struct evt_options *opt, const char *corelist)
 {
 	int ret;
 
-	ret = parse_lcores_list(opt->plcores, corelist);
+	ret = parse_lcores_list(opt->plcores, RTE_MAX_LCORE, corelist);
 	if (ret == -E2BIG)
 		evt_err("duplicate lcores in plcores");
 
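Review bot: the size passed at the parse_lcores_list() call is the RTE_MAX_LCORE constant rather than something derived from opt->plcores itself, so the bound and the array can drift apart if the field's declaration ever changes. If plcores is a fixed-size array member, RTE_DIM(opt->plcores) would tie the two together; otherwise a comment at the declaration noting the dependency would do.
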
@@ -230,7 +230,7 @@ evt_parse_work_lcores(struct evt_options *opt, const char *corelist)
 {
 	int ret;
 
-	ret = parse_lcores_list(opt->wlcores, corelist);
+	ret = parse_lcores_list(opt->wlcores, RTE_MAX_LCORE, corelist);
 	if (ret == -E2BIG)
 		evt_err("duplicate lcores in wlcores");
 
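Review bot: after this change parse_lcores_list() also returns -1 for an out-of-range lcore id, but in the lines shown here only -E2BIG produces a message ("duplicate lcores in wlcores"). An evt_err() for the out-of-range case, here and in evt_parse_plcores(), would tell the user why the core list was rejected.
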
diff --git a/app/test-eventdev/parser.c b/app/test-eventdev/parser.c
index 24f1855e9a..7a973cbb23 100644
--- a/app/test-eventdev/parser.c
+++ b/app/test-eventdev/parser.c
@@ -310,7 +310,7 @@ parse_hex_string(char *src, uint8_t *dst, uint32_t *size)
 }
 
 int
-parse_lcores_list(bool lcores[], const char *corelist)
+parse_lcores_list(bool lcores[], int lcores_num, const char *corelist)
 {
 	int i, idx = 0;
 	int min, max;
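
Review bot: lcores_num is declared int in the new signature, so a negative size is representable and every comparison against it is signed. An unsigned type (unsigned int or size_t) fits an element count better, and idx, declared int in the line below the brace, receives the result of strtoul() and would be better widened to match.
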
@@ -332,6 +332,8 @@ parse_lcores_list(bool lcores[], const char *corelist)
 		if (*corelist == '\0')
 			return -1;
 		idx = strtoul(corelist, &end, 10);
+		if (idx < 0 || idx > lcores_num)
+			return -1;
 
 		if (end == NULL)
 			return -1;
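
Review bot: the new bound check "idx > lcores_num" still accepts idx == lcores_num, which is one past the end if lcores_num is the element count of lcores[] (the callers pass RTE_MAX_LCORE); it should read "idx >= lcores_num". Separately, strtoul() returns unsigned long and the result is stored in an int before the check, so a large input is narrowed first and can land back inside the accepted range. Parsing into an unsigned long, checking it against lcores_num, and only then assigning to idx would close that gap.
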
@@ -343,7 +345,7 @@ parse_lcores_list(bool lcores[], const char *corelist)
 			max = idx;
 			if (min == RTE_MAX_LCORE)
 				min = idx;
-			for (idx = min; idx <= max; idx++) {
+			for (idx = min; idx < max; idx++) {
 				if (lcores[idx] == 1)
 					return -E2BIG;
 				lcores[idx] = 1;
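
Review bot: changing the loop condition to "idx < max" drops the last core of every range, and for a single id, where min is set equal to idx and max == idx, the body never runs and nothing is marked in lcores[]. This looks like compensation for the "idx > lcores_num" check admitting idx == lcores_num; keeping "idx <= max" and tightening that check to ">=" preserves the inclusive semantics. The "min == RTE_MAX_LCORE" sentinel in the context above also still uses the constant rather than the new lcores_num parameter.
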
diff --git a/app/test-eventdev/parser.h b/app/test-eventdev/parser.h
index 673ff22d78..696b40a3e2 100644
--- a/app/test-eventdev/parser.h
+++ b/app/test-eventdev/parser.h
@@ -46,5 +46,5 @@ int parse_hex_string(char *src, uint8_t *dst, uint32_t *size);
 
 int parse_tokenize_string(char *string, char *tokens[], uint32_t *n_tokens);
 
-int parse_lcores_list(bool lcores[], const char *corelist);
+int parse_lcores_list(bool lcores[], int lcores_num, const char *corelist);
 #endif
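
Review bot: the updated parse_lcores_list() prototype has no comment saying whether lcores_num is the number of elements in lcores[] or the highest valid index, and the range check in parser.c depends on exactly that distinction. A one-line comment above the declaration stating the contract would help callers and reviewers.
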
-- 
2.31.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2021-05-17 17:40:35.159789305 +0200
+++ 0147-app-eventdev-fix-overflow-in-lcore-list-parsing.patch	2021-05-17 17:40:29.423811460 +0200
@@ -1 +1 @@
-From 32d7dbf269be84cb906979d73ad81b40e28d377a Mon Sep 17 00:00:00 2001
+From 1e46d09ef92abc9304b7b38aff0e20878bc1aaa5 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 32d7dbf269be84cb906979d73ad81b40e28d377a ]
+
@@ -12 +13,0 @@
-Cc: stable at dpdk.org
@@ -23 +24 @@
-index 0d55405741..061b63e12e 100644
+index 4f4800d99d..3c80c1a489 100644
@@ -26 +27 @@
-@@ -221,7 +221,7 @@ evt_parse_plcores(struct evt_options *opt, const char *corelist)
+@@ -218,7 +218,7 @@ evt_parse_plcores(struct evt_options *opt, const char *corelist)
@@ -35 +36 @@
-@@ -233,7 +233,7 @@ evt_parse_work_lcores(struct evt_options *opt, const char *corelist)
+@@ -230,7 +230,7 @@ evt_parse_work_lcores(struct evt_options *opt, const char *corelist)

