net/softnic: fix illegal memory access
Checks
Commit Message
Fix pointer dereferencing and read after free (USE_AFTER_FREE).
Coverity issue: 302867
Fixes: bef50bcb1c47 ("net/softnic: implement start and stop")
Signed-off-by: Jasvinder Singh <jasvinder.singh@intel.com>
---
drivers/net/softnic/rte_eth_softnic_swq.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
Comments
> -----Original Message-----
> From: Singh, Jasvinder
> Sent: Monday, July 16, 2018 1:42 PM
> To: dev@dpdk.org
> Cc: Dumitrescu, Cristian <cristian.dumitrescu@intel.com>
> Subject: [PATCH] net/softnic: fix illegal memory access
>
> Fix pointer dereferencing and read after free (USE_AFTER_FREE).
>
> Coverity issue: 302867
> Fixes: bef50bcb1c47 ("net/softnic: implement start and stop")
>
> Signed-off-by: Jasvinder Singh <jasvinder.singh@intel.com>
> ---
> drivers/net/softnic/rte_eth_softnic_swq.c | 8 ++++++--
> 1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/net/softnic/rte_eth_softnic_swq.c
> b/drivers/net/softnic/rte_eth_softnic_swq.c
> index 1944fbb..604a2cc 100644
> --- a/drivers/net/softnic/rte_eth_softnic_swq.c
> +++ b/drivers/net/softnic/rte_eth_softnic_swq.c
> @@ -36,9 +36,13 @@ softnic_swq_free(struct pmd_internals *p)
> void
> softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p)
> {
> - struct softnic_swq *swq;
> + for ( ; ; ) {
> + struct softnic_swq *swq;
> +
> + swq = TAILQ_FIRST(&p->swq_list);
> + if (swq == NULL)
> + break;
>
> - TAILQ_FOREACH(swq, &p->swq_list, node) {
> if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
> (strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))
> continue;
> --
> 2.9.3
Where is the bug? We simply parse a linked list to free each element.
> -----Original Message-----
> From: Dumitrescu, Cristian
> Sent: Monday, July 16, 2018 5:04 PM
> To: Singh, Jasvinder <jasvinder.singh@intel.com>; dev@dpdk.org
> Subject: RE: [PATCH] net/softnic: fix illegal memory access
>
>
>
> > -----Original Message-----
> > From: Singh, Jasvinder
> > Sent: Monday, July 16, 2018 1:42 PM
> > To: dev@dpdk.org
> > Cc: Dumitrescu, Cristian <cristian.dumitrescu@intel.com>
> > Subject: [PATCH] net/softnic: fix illegal memory access
> >
> > Fix pointer dereferencing and read after free (USE_AFTER_FREE).
> >
> > Coverity issue: 302867
> > Fixes: bef50bcb1c47 ("net/softnic: implement start and stop")
> >
> > Signed-off-by: Jasvinder Singh <jasvinder.singh@intel.com>
> > ---
> > drivers/net/softnic/rte_eth_softnic_swq.c | 8 ++++++--
> > 1 file changed, 6 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/net/softnic/rte_eth_softnic_swq.c
> > b/drivers/net/softnic/rte_eth_softnic_swq.c
> > index 1944fbb..604a2cc 100644
> > --- a/drivers/net/softnic/rte_eth_softnic_swq.c
> > +++ b/drivers/net/softnic/rte_eth_softnic_swq.c
> > @@ -36,9 +36,13 @@ softnic_swq_free(struct pmd_internals *p) void
> > softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p) {
> > - struct softnic_swq *swq;
> > + for ( ; ; ) {
> > + struct softnic_swq *swq;
> > +
> > + swq = TAILQ_FIRST(&p->swq_list);
> > + if (swq == NULL)
> > + break;
> >
> > - TAILQ_FOREACH(swq, &p->swq_list, node) {
> > if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
> > (strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))
> > continue;
> > --
> > 2.9.3
>
> Where is the bug? We simply parse a linked list to free each element.
Below is coverity log on the issue;
void
softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p)
{
struct softnic_swq *swq;
1. Condition swq, taking true branch.
4. Condition swq, taking true branch.
7. alias: Assigning: swq = swq->node.tqe_next. Now both point to the same storage.
8. Condition swq, taking true branch.
CID 302867 (#1-2 of 2): Read from pointer after free (USE_AFTER_FREE)
15. deref_after_free: Dereferencing freed pointer swq.
TAILQ_FOREACH(swq, &p->swq_list, node) {
2. Condition strncmp(swq->name, "RXQ", strlen("RXQ")) == 0, taking true branch.
5. Condition strncmp(swq->name, "RXQ", strlen("RXQ")) == 0, taking true branch.
9. Condition strncmp(swq->name, "RXQ", strlen("RXQ")) == 0, taking false branch.
10. Condition strncmp(swq->name, "TXQ", strlen("TXQ")) == 0, taking false branch.
if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
(strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))
3. Continuing loop.
6. Continuing loop.
continue;
11. Condition swq->node.tqe_next != NULL, taking true branch.
12. Falling through to end of if statement.
TAILQ_REMOVE(&p->swq_list, swq, node);
rte_ring_free(swq->r);
13. freed_arg: free frees swq.
free(swq);
14. Jumping back to the beginning of the loop.
}
}
> -----Original Message-----
> From: dev [mailto:dev-bounces@dpdk.org] On Behalf Of Singh, Jasvinder
> Sent: Monday, July 16, 2018 6:26 PM
> To: Dumitrescu, Cristian <cristian.dumitrescu@intel.com>; dev@dpdk.org
> Subject: Re: [dpdk-dev] [PATCH] net/softnic: fix illegal memory access
>
>
>
> > -----Original Message-----
> > From: Dumitrescu, Cristian
> > Sent: Monday, July 16, 2018 5:04 PM
> > To: Singh, Jasvinder <jasvinder.singh@intel.com>; dev@dpdk.org
> > Subject: RE: [PATCH] net/softnic: fix illegal memory access
> >
> >
> >
> > > -----Original Message-----
> > > From: Singh, Jasvinder
> > > Sent: Monday, July 16, 2018 1:42 PM
> > > To: dev@dpdk.org
> > > Cc: Dumitrescu, Cristian <cristian.dumitrescu@intel.com>
> > > Subject: [PATCH] net/softnic: fix illegal memory access
> > >
> > > Fix pointer dereferencing and read after free (USE_AFTER_FREE).
> > >
> > > Coverity issue: 302867
> > > Fixes: bef50bcb1c47 ("net/softnic: implement start and stop")
> > >
> > > Signed-off-by: Jasvinder Singh <jasvinder.singh@intel.com>
> > > ---
> > > drivers/net/softnic/rte_eth_softnic_swq.c | 8 ++++++--
> > > 1 file changed, 6 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/drivers/net/softnic/rte_eth_softnic_swq.c
> > > b/drivers/net/softnic/rte_eth_softnic_swq.c
> > > index 1944fbb..604a2cc 100644
> > > --- a/drivers/net/softnic/rte_eth_softnic_swq.c
> > > +++ b/drivers/net/softnic/rte_eth_softnic_swq.c
> > > @@ -36,9 +36,13 @@ softnic_swq_free(struct pmd_internals *p) void
> > > softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p) {
> > > - struct softnic_swq *swq;
> > > + for ( ; ; ) {
> > > + struct softnic_swq *swq;
> > > +
> > > + swq = TAILQ_FIRST(&p->swq_list);
> > > + if (swq == NULL)
> > > + break;
> > >
> > > - TAILQ_FOREACH(swq, &p->swq_list, node) {
> > > if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
> > > (strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))
> > > continue;
> > > --
<snip>
Self NACK. Fix is incorrect. The infinite loop will never break due to non-empty swq_list.
@@ -36,9 +36,13 @@ softnic_swq_free(struct pmd_internals *p)
void
softnic_softnic_swq_free_keep_rxq_txq(struct pmd_internals *p)
{
- struct softnic_swq *swq;
+ for ( ; ; ) {
+ struct softnic_swq *swq;
+
+ swq = TAILQ_FIRST(&p->swq_list);
+ if (swq == NULL)
+ break;
- TAILQ_FOREACH(swq, &p->swq_list, node) {
if ((strncmp(swq->name, "RXQ", strlen("RXQ")) == 0) ||
(strncmp(swq->name, "TXQ", strlen("TXQ")) == 0))
continue;