From: bugzilla@dpdk.org
To: dev@dpdk.org
Subject: [Bug 1000] memory access overflow in skeleton_rawdev
Date: Fri, 22 Apr 2022 09:14:00 +0000
Message-ID: <bug-1000-3@http.bugs.dpdk.org/>

https://bugs.dpdk.org/show_bug.cgi?id=1000

            Bug ID: 1000
           Summary: memory access overflow in skeleton_rawdev
           Product: DPDK
           Version: 21.11
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: core
          Assignee: dev@dpdk.org
          Reporter: yonghaoz1994@gmail.com
  Target Milestone: ---

Hi all,

In function "skeleton_rawdev_enqueue_bufs", the variable "q_id" is "uint16_t",
but we convert the variable "context" to (int*), which may cause memory access
overflow.

See the following ASan report:

==3042499==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xffffdd8d6700 at pc 0x000010c57c80 bp 0xffffdd8d6600 sp 0xffffdd8d65f8
READ of size 4 at 0xffffdd8d6700 thread T0
/usr/local/bin/llvm-symbolizer: /usr/lib64/libtinfo.so.5: no version information available (required by /usr/local/bin/llvm-symbolizer)
    #0 0x10c57c7c in skeleton_rawdev_enqueue_bufs /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev.c:424:9
    #1 0x1d74dbc in rte_rawdev_enqueue_buffers /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/rawdev/rte_rawdev.c:233:9
    #2 0x10c5fb38 in test_rawdev_enqdeq /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:382:8
    #3 0x10c5ac30 in skeldev_test_run /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:425:9
    #4 0x10c5a3bc in test_rawdev_skeldev /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:460:2
    #5 0x1d77668 in rte_rawdev_selftest /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/rawdev/rte_rawdev.c:388:9
    #6 0xa3ccc8 in test_rawdev_selftest_impl /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test_rawdev.c:21:8
    #7 0xa3cb08 in test_rawdev_selftest_skeleton /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test_rawdev.c:29:9
    #8 0xa3c7f4 in test_rawdev_selftests /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test_rawdev.c:40:6
    #9 0x4c6ec8 in cmd_autotest_parsed /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/commands.c:70:10
    #10 0x207ef14 in cmdline_parse /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline_parse.c:290:3
    #11 0x2074fbc in cmdline_valid_buffer /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline.c:26:8
    #12 0x208fef4 in rdline_char_in /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline_rdline.c:446:5
    #13 0x2075d50 in cmdline_in /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline.c:148:9
    #14 0x4d4e54 in main /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test.c:214:8
    #15 0xffff9caeaff8  (/usr/lib64/libc.so.6+0x2aff8)
    #16 0xffff9caeb0c4 in __libc_start_main (/usr/lib64/libc.so.6+0x2b0c4)
    #17 0x4296ac in _start (/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/app/test/dpdk-test+0x4296ac)

Address 0xffffdd8d6700 is located in stack of thread T0 at offset 32 in frame
    #0 0x10c5f75c in test_rawdev_enqdeq /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:369

  This frame has 3 object(s):
    [32, 34) 'queue_id' (line 372) <== Memory access at offset 32 partially overflows this variable
    [48, 56) 'buffers' (line 373)
    [80, 88) 'deq_buffers' (line 374)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev.c:424:9 in skeleton_rawdev_enqueue_bufs

-- 
You are receiving this mail because:
You are the assignee for the bug.
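The width mismatch the report describes, shown as an added example that is not DPDK's code: a 2-byte queue id handed over through an opaque pointer, read once as a 4-byte int (the reported pattern) and once at its real width, plus a range check before the id is used. The struct, NUM_QUEUES and all function names are constructed for this demo.

```c
#include <stdint.h>
#include <string.h>

#define NUM_QUEUES 8   /* constructed value for this demo */

/* Constructed stand-in for the caller's stack frame: the uint16_t queue id
 * that is passed as 'context', with another object sitting right after it,
 * as in the ASan frame listing above. */
struct caller_frame {
    uint16_t queue_id;
    uint16_t neighbour;
};

/* Reported pattern: a 2-byte queue id read as a 4-byte int. The driver did
 * *((int *)context); memcpy is used here so the over-read is reproducible
 * without undefined behaviour. It pulls in the neighbouring object, so the
 * returned id is wrong on both little- and big-endian targets. */
static int read_queue_id_buggy(const void *context)
{
    int q_id;
    memcpy(&q_id, context, sizeof(q_id));   /* 4 bytes from a 2-byte object */
    return q_id;
}

/* Fixed pattern: read exactly the width the caller stored. */
static uint16_t read_queue_id_fixed(const void *context)
{
    uint16_t q_id;
    memcpy(&q_id, context, sizeof(q_id));
    return q_id;
}

/* Validate the id before it indexes per-queue state; -1 on a bad id. */
static int enqueue_checked(const void *context)
{
    uint16_t q_id = read_queue_id_fixed(context);
    if (q_id >= NUM_QUEUES)
        return -1;
    return q_id;   /* the queue that would receive the buffers */
}

/* Helpers that run both readers over a constructed frame (queue 5). */
static struct caller_frame make_frame(uint16_t id)
{
    struct caller_frame f = { .queue_id = id, .neighbour = 0xBEEF };
    return f;
}
static int buggy_read_of_frame(void) { struct caller_frame f = make_frame(5); return read_queue_id_buggy(&f.queue_id); }
static int fixed_read_of_frame(void) { struct caller_frame f = make_frame(5); return read_queue_id_fixed(&f.queue_id); }
static int checked_enqueue_of(uint16_t id) { struct caller_frame f = make_frame(id); return enqueue_checked(&f.queue_id); }
```

Under ASan the cast form reads past the 2-byte object exactly as in the report; the memcpy form here keeps the demonstration in bounds while still returning a corrupted id.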
