From: Xiaolong Ye To: Olivier Matz , Thomas Monjalon , Konstantin Ananyev Cc: dev@dpdk.org, Xiaolong Ye , stable@dpdk.org Date: Sat, 13 Jun 2020 23:49:17 +0800 Message-Id: <20200613154922.42379-2-xiaolong.ye@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20200613154922.42379-1-xiaolong.ye@intel.com> References: <20200613154922.42379-1-xiaolong.ye@intel.com> Subject: [dpdk-dev] [PATCH 1/5] mbuf: fix out-of-bounds access at dyn field register X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" We should make sure off + size < sizeof(struct rte_mbuf) to avoid possible out-of-bounds access of free_space array, there is no issue currently due to the low bits of free_flags (which is adjacent to free_space) are always set to 0. But we shouldn't rely on it since it's fragile and layout of struct mbuf_dyn_shm may be changed in the future. This patch adds boundary check explicitly to avoid potential risk of out-of-bounds access. Fixes: 4958ca3a443a ("mbuf: support dynamic fields and flags") Cc: stable@dpdk.org Signed-off-by: Xiaolong Ye Acked-by: Olivier Matz --- lib/librte_mbuf/rte_mbuf_dyn.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/librte_mbuf/rte_mbuf_dyn.c b/lib/librte_mbuf/rte_mbuf_dyn.c index 953e3ec31c..13d6da6d16 100644 --- a/lib/librte_mbuf/rte_mbuf_dyn.c +++ b/lib/librte_mbuf/rte_mbuf_dyn.c @@ -69,7 +69,8 @@ process_score(void) for (off = 0; off < sizeof(struct rte_mbuf); off++) { /* get the size of the free zone */ - for (size = 0; shm->free_space[off + size]; size++) + for (size = 0; (off + size) < sizeof(struct rte_mbuf) && + shm->free_space[off + size]; size++) ; if (size == 0) continue; -- 2.17.1
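Review bot: In the inner `for` condition of process_score(), the new bound is `sizeof(struct rte_mbuf)`, not the size of the array actually being indexed, so the check stays correct only while `free_space` has exactly that many elements. The commit message itself notes that the layout of struct mbuf_dyn_shm may change, and the declaration of `free_space` is not visible in this hunk. Consider expressing the limit in terms of the array, for example `(off + size) < RTE_DIM(shm->free_space)`, so the guard follows the array if its size is ever changed. The operand order is right and should be kept: the range test must stay on the left of `&&` so that `shm->free_space[off + size]` is never evaluated once `off + size` reaches the limit. A short comment on the condition saying this would help, since the loop body is an empty `;` and the whole bounds guarantee lives in the condition. It is also worth checking whether any other loop in rte_mbuf_dyn.c walks `free_space` until it hits a zero byte and needs the same guard.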