From mboxrd@z Thu Jan  1 00:00:00 1970
From: David Marchand <david.marchand@6wind.com>
Subject: =?utf-8?q?=5BPATCH_6/6=5D_eal/linux=3A_avoid_out_of_bo?=
	=?utf-8?q?und_access?=
Date: Tue,  7 Jul 2015 11:00:34 +0200
Message-ID: <1436259634-7077-7-git-send-email-david.marchand@6wind.com>
References: <1436259634-7077-1-git-send-email-david.marchand@6wind.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
To: dev@dpdk.org
Return-path: <dev-bounces@dpdk.org>
Received: from mail-wg0-f53.google.com (mail-wg0-f53.google.com [74.125.82.53])
 by dpdk.org (Postfix) with ESMTP id 8B7FA5A65
 for <dev@dpdk.org>; Tue,  7 Jul 2015 11:00:55 +0200 (CEST)
Received: by wgbgr6 with SMTP id gr6so7714440wgb.3
 for <dev@dpdk.org>; Tue, 07 Jul 2015 02:00:55 -0700 (PDT)
Received: from alcyon.dev.6wind.com (6wind.net2.nerim.net. [213.41.151.210])
 by mx.google.com with ESMTPSA id y19sm32737674wia.15.2015.07.07.02.00.54
 for <dev@dpdk.org>
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Tue, 07 Jul 2015 02:00:54 -0700 (PDT)
In-Reply-To: <1436259634-7077-1-git-send-email-david.marchand@6wind.com>
List-Id: patches and discussions about DPDK <dev.dpdk.org>
List-Unsubscribe: <http://dpdk.org/ml/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://dpdk.org/ml/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <http://dpdk.org/ml/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

Using IBM advance toolchain on Ubuntu 14.04 (package 8.0-3), gcc is compl=
aining
about out of bound accesses.

  CC eal_hugepage_info.o
lib/librte_eal/linuxapp/eal/eal_hugepage_info.c:
In function =E2=80=98eal_hugepage_info_init=E2=80=99:
lib/librte_eal/linuxapp/eal/eal_hugepage_info.c:350:35:
error: array subscript is above array bounds [-Werror=3Darray-bounds]
      internal_config.hugepage_info[j].hugepage_sz)
                                   ^
lib/librte_eal/linuxapp/eal/eal_hugepage_info.c:350:35:
error: array subscript is above array bounds [-Werror=3Darray-bounds]
lib/librte_eal/linuxapp/eal/eal_hugepage_info.c:349:37:
error: array subscript is above array bounds [-Werror=3Darray-bounds]
    if (internal_config.hugepage_info[j-1].hugepage_sz <
                                     ^
lib/librte_eal/linuxapp/eal/eal_hugepage_info.c:350:35:
error: array subscript is above array bounds [-Werror=3Darray-bounds]
      internal_config.hugepage_info[j].hugepage_sz)

Looking at the code, these warnings are invalid from my pov and they disa=
ppeared
when upgrading the toolchain to new version (8.0-4).

However, the code was buggy (sorting code is wrong), so fix this by using=
 qsort and adding a
check on num_sizes to avoid potential out of bound accesses.

Signed-off-by: David Marchand <david.marchand@6wind.com>
---
 lib/librte_eal/linuxapp/eal/eal_hugepage_info.c |   31 ++++++++++-------=
------
 1 file changed, 14 insertions(+), 17 deletions(-)

diff --git a/lib/librte_eal/linuxapp/eal/eal_hugepage_info.c b/lib/librte=
_eal/linuxapp/eal/eal_hugepage_info.c
index df60f6e..2f96164 100644
--- a/lib/librte_eal/linuxapp/eal/eal_hugepage_info.c
+++ b/lib/librte_eal/linuxapp/eal/eal_hugepage_info.c
@@ -184,15 +184,6 @@ get_hugepage_dir(uint64_t hugepage_sz)
 	return retval;
 }
=20
-static inline void
-swap_hpi(struct hugepage_info *a, struct hugepage_info *b)
-{
-	char buf[sizeof(*a)];
-	memcpy(buf, a, sizeof(buf));
-	memcpy(a, b, sizeof(buf));
-	memcpy(b, buf, sizeof(buf));
-}
-
 /*
  * Clear the hugepage directory of whatever hugepage files
  * there are. Checks if the file is locked (i.e.
@@ -263,6 +254,15 @@ error:
 	return -1;
 }
=20
+static int
+compare_hpi(const void *a, const void *b)
+{
+	const struct hugepage_info *hpi_a =3D a;
+	const struct hugepage_info *hpi_b =3D b;
+
+	return hpi_b->hugepage_sz - hpi_a->hugepage_sz;
+}
+
 /*
  * when we initialize the hugepage info, everything goes
  * to socket 0 by default. it will later get sorted by memory
@@ -289,6 +289,9 @@ eal_hugepage_info_init(void)
 			    dirent_start_len) !=3D 0)
 			continue;
=20
+		if (num_sizes >=3D MAX_HUGEPAGE_SIZES)
+			break;
+
 		hpi =3D &internal_config.hugepage_info[num_sizes];
 		hpi->hugepage_sz =3D
 			rte_str_to_size(&dirent->d_name[dirent_start_len]);
@@ -343,14 +346,8 @@ eal_hugepage_info_init(void)
 	internal_config.num_hugepage_sizes =3D num_sizes;
=20
 	/* sort the page directory entries by size, largest to smallest */
-	for (i =3D 0; i < num_sizes; i++) {
-		unsigned j;
-		for (j =3D i+1; j < num_sizes; j++)
-			if (internal_config.hugepage_info[j-1].hugepage_sz <
-			     internal_config.hugepage_info[j].hugepage_sz)
-				swap_hpi(&internal_config.hugepage_info[j-1],
-					 &internal_config.hugepage_info[j]);
-	}
+	qsort(&internal_config.hugepage_info[0], num_sizes,
+	      sizeof(internal_config.hugepage_info[0]), compare_hpi);
=20
 	/* now we have all info, check we have at least one valid size */
 	for (i =3D 0; i < num_sizes; i++)
--=20
1.7.10.4