[dpdk-stable] patch 'eal/linux: fix uevent message parsing' has been queued to stable release 20.11.4

Xueming Li xuemingl at nvidia.com
Wed Nov 10 07:31:32 CET 2021

Previous message (by thread): [dpdk-stable] patch 'eal/linux: remove unused variable for socket memory' has been queued to stable release 20.11.4
Next message (by thread): [dpdk-stable] patch 'malloc: fix allocation with unknown socket ID' has been queued to stable release 20.11.4
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to stable release 20.11.4

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/12/21. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/steevenlee/dpdk

This queued commit can be viewed at:
https://github.com/steevenlee/dpdk/commit/3c1d9e3840a22f606b40fa8972d62cd848ffdbac

Thanks.

Xueming Li <xuemingl at nvidia.com>

---
>From 3c1d9e3840a22f606b40fa8972d62cd848ffdbac Mon Sep 17 00:00:00 2001
From: David Marchand <david.marchand at redhat.com>
Date: Tue, 2 Nov 2021 19:40:20 +0100
Subject: [PATCH] eal/linux: fix uevent message parsing
Cc: Xueming Li <xuemingl at nvidia.com>

[ upstream commit 4847122aab5ced55b3c656e8ee425e90c6eb5904 ]

Caught with ASan:
==9727==ERROR: AddressSanitizer: stack-buffer-overflow on address
  0x7f0daa2fc0d0 at pc 0x7f0daeefacb2 bp 0x7f0daa2fadd0 sp 0x7f0daa2fa578
READ of size 1 at 0x7f0daa2fc0d0 thread T1
    #0 0x7f0daeefacb1  (/lib64/libasan.so.5+0xbacb1)
    #1 0x115eba1 in dev_uev_parse ../lib/eal/linux/eal_dev.c:167
    #2 0x115f281 in dev_uev_handler ../lib/eal/linux/eal_dev.c:248
    #3 0x1169b91 in eal_intr_process_interrupts
  ../lib/eal/linux/eal_interrupts.c:1026
    #4 0x116a3a2 in eal_intr_handle_interrupts
  ../lib/eal/linux/eal_interrupts.c:1100
    #5 0x116a7f0 in eal_intr_thread_main
  ../lib/eal/linux/eal_interrupts.c:1172
    #6 0x112640a in ctrl_thread_init
  ../lib/eal/common/eal_common_thread.c:202
    #7 0x7f0dade27159 in start_thread (/lib64/libpthread.so.0+0x8159)
    #8 0x7f0dadb58f72 in clone (/lib64/libc.so.6+0xfcf72)

Address 0x7f0daa2fc0d0 is located in stack of thread T1 at offset 4192
  in frame
    #0 0x115f0c9 in dev_uev_handler ../lib/eal/linux/eal_dev.c:226

  This frame has 2 object(s):
    [32, 48) 'uevent'
    [96, 4192) 'buf' <== Memory access at offset 4192 overflows this
  variable
HINT: this may be a false positive if your program uses some custom
  stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Thread T1 created by T0 here:
    #0 0x7f0daee92ea3 in __interceptor_pthread_create
  (/lib64/libasan.so.5+0x52ea3)
    #1 0x1126542 in rte_ctrl_thread_create
  ../lib/eal/common/eal_common_thread.c:228
    #2 0x116a8b5 in rte_eal_intr_init
  ../lib/eal/linux/eal_interrupts.c:1200
    #3 0x1159dd1 in rte_eal_init ../lib/eal/linux/eal.c:1044
    #4 0x7a22f8 in main ../app/test-pmd/testpmd.c:4105
    #5 0x7f0dada7f802 in __libc_start_main (/lib64/libc.so.6+0x23802)

Bugzilla ID: 792
Fixes: 0d0f478d0483 ("eal/linux: add uevent parse and process")

Signed-off-by: David Marchand <david.marchand at redhat.com>
Tested-by: Yan Xia <yanx.xia at intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin at redhat.com>
---
 lib/librte_eal/linux/eal_dev.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/librte_eal/linux/eal_dev.c b/lib/librte_eal/linux/eal_dev.c
index 5c0e752b2d..ae0021e7b5 100644
--- a/lib/librte_eal/linux/eal_dev.c
+++ b/lib/librte_eal/linux/eal_dev.c
@@ -157,6 +157,9 @@ dev_uev_parse(const char *buf, struct rte_dev_event *event, int length)
 				break;
 			buf++;
 		}
+		if (i >= length)
+			break;
+
 		/**
 		 * check device uevent from kernel side, no need to check
 		 * uevent from udev.
-- 
2.33.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2021-11-10 14:17:11.104421332 +0800
+++ 0208-eal-linux-fix-uevent-message-parsing.patch	2021-11-10 14:17:02.017411557 +0800
@@ -1 +1 @@
-From 4847122aab5ced55b3c656e8ee425e90c6eb5904 Mon Sep 17 00:00:00 2001
+From 3c1d9e3840a22f606b40fa8972d62cd848ffdbac Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li <xuemingl at nvidia.com>
+
+[ upstream commit 4847122aab5ced55b3c656e8ee425e90c6eb5904 ]
@@ -48 +50,0 @@
-Cc: stable at dpdk.org
@@ -54 +56 @@
- lib/eal/linux/eal_dev.c | 3 +++
+ lib/librte_eal/linux/eal_dev.c | 3 +++
@@ -57,5 +59,5 @@
-diff --git a/lib/eal/linux/eal_dev.c b/lib/eal/linux/eal_dev.c
-index 06820a3666..6aaeffb4e9 100644
---- a/lib/eal/linux/eal_dev.c
-+++ b/lib/eal/linux/eal_dev.c
-@@ -160,6 +160,9 @@ dev_uev_parse(const char *buf, struct rte_dev_event *event, int length)
+diff --git a/lib/librte_eal/linux/eal_dev.c b/lib/librte_eal/linux/eal_dev.c
+index 5c0e752b2d..ae0021e7b5 100644
+--- a/lib/librte_eal/linux/eal_dev.c
++++ b/lib/librte_eal/linux/eal_dev.c
+@@ -157,6 +157,9 @@ dev_uev_parse(const char *buf, struct rte_dev_event *event, int length)

Previous message (by thread): [dpdk-stable] patch 'eal/linux: remove unused variable for socket memory' has been queued to stable release 20.11.4
Next message (by thread): [dpdk-stable] patch 'malloc: fix allocation with unknown socket ID' has been queued to stable release 20.11.4
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list