Re: [dpdk-dev] [dpdk-stable] [PATCH v2] mem: fix the alloc size roundup overflow

Thu, 07 May 2020 05:13:03 -0700 

On Thu, May 7, 2020 at 1:55 PM Burakov, Anatoly
<anatoly.bura...@intel.com> wrote:
>
> On 07-May-20 8:41 AM, Bing Zhao wrote:
> > The size checking is done in the caller. The size parameter is an
> > unsigned (64b wide) right now, so the comparison with zero should be
> > enough in most cases. But it won't help in the following case.
> > If the allocating request input a huge number by mistake, e.g., some
> > overflow after the calculation (especially subtraction), the checking
> > in the caller will succeed since it is not zero. Indeed, there is not
> > enough space in the system to support such huge memory allocation.
> > Usually it will return failure in the following code. But if the
> > input size is just a little smaller than the UINT64_MAX, like -2 in
> > signed type.
> > The roundup will cause an overflow and then "reset" the size to 0,
> > and then only a header (128B now) with zero length will be returned.
> > The following will be the previous allocation header.
> > It should be OK in most cases if the application won't access the
> > memory body. Or else, some critical issue will be caused and not easy
> > to debug. So this issue should be prevented at the beginning, like
> > other big size failure, NULL pointer should be returned also.
> >
> > Fixes: fdf20fa7bee9 ("add prefix to cache line macros")
> > Cc: sta...@dpdk.org
> >
> > Signed-off-by: Bing Zhao <bi...@mellanox.com>
> > ---
> > v2: add unit test for this case
> > ---
> >   app/test/test_malloc.c              | 12 ++++++++++++
> >   lib/librte_eal/common/malloc_heap.c |  3 +++
> >   2 files changed, 15 insertions(+)
> >
> > diff --git a/app/test/test_malloc.c b/app/test/test_malloc.c
> > index 40a2f50..a96c060 100644
> > --- a/app/test/test_malloc.c
> > +++ b/app/test/test_malloc.c
> > @@ -846,6 +846,18 @@
> >       if (bad_ptr != NULL)
> >               goto err_return;
> >
> > +     /* rte_malloc expected to return null with size will cause overflow */
> > +     align = RTE_CACHE_LINE_SIZE;
> > +     size = (size_t)-8;
> > +
> > +     bad_ptr = rte_malloc(type, size, align);
> > +     if (bad_ptr != NULL)
> > +             goto err_return;
> > +
> > +     bad_ptr = rte_realloc(NULL, size, align);
> > +        if (bad_ptr != NULL)
> > +                goto err_return;
>
> You're mixing space and tabs as indentation here.

Will fix while applying.

>
> Otherwise,
>
> Reviewed-by: Anatoly Burakov <anatoly.bura...@intel.com>

You acked the v1, so I will go with it.
Thanks for the work Bing, Anatoly.


-- 
David Marchand

Reply via email to