[DPDK/other Bug 1665] __rte_trace_mem_get causing out of bounds write

[DPDK/other Bug 1665] __rte_trace_mem_get causing out of bounds write

[bugzilla]

[-- Attachment #1: Type: text/plain, Size: 1463 bytes --]

https://bugs.dpdk.org/show_bug.cgi?id=1665

            Bug ID: 1665
           Summary: __rte_trace_mem_get causing out of bounds write
           Product: DPDK
           Version: 24.11
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: Normal
         Component: other
          Assignee: dev@dpdk.org
          Reporter: oleksandrn@interfacemasters.com
  Target Milestone: ---

When almost out of trace memory, __rte_trace_mem_get can write out of bounds.

It happens in my case if I have trace events of sizes that are not aligned to
__RTE_TRACE_EVENT_HEADER_SZ. like 27,33 etc.

I suspect that the issue is with the incorrect bounds check in
__rte_trace_mem_get.

>    uint32_t offset = trace->offset;
>    if (unlikely((offset + sz) >= trace->len)) { // assume condition is false,
>    and offset is not aligned
>    ...}
>    offset = RTE_ALIGN_CEIL(offset, __RTE_TRACE_EVENT_HEADER_SZ); // after
>    offset alignment offset + size might be bigger than trace->len
>    void *mem = RTE_PTR_ADD(&trace->mem[0], offset); // returning memory chunk
>    that is smaller than requested size


For example:
offset = 21, len = 32, size = 9 -> offset + size is smaller than len
align offset to __RTE_TRACE_EVENT_HEADER_SZ -> offset = 24
offset + size is bigger than len.

-- 
You are receiving this mail because:
You are the assignee for the bug.

[-- Attachment #2: Type: text/html, Size: 3415 bytes --]