https://bugs.dpdk.org/show_bug.cgi?id=1000
Bug ID: 1000
Summary: memory access overflow in skeleton_rawdev
Product: DPDK
Version: 21.11
Hardware: All
OS: All
Status: UNCONFIRMED
Severity: normal
Priority: Normal
Component: core
Assignee: dev@dpdk.org
Reporter: yonghaoz1...@gmail.com
Target Milestone: ---

Hi all,

In function "skeleton_rawdev_enqueue_bufs", the variable "q_id" is "uint16_t", but we convert the variable "context" to (int*), which may cause memory access overflow. See the following ASan report:

==3042499==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xffffdd8d6700 at pc 0x000010c57c80 bp 0xffffdd8d6600 sp 0xffffdd8d65f8
READ of size 4 at 0xffffdd8d6700 thread T0
/usr/local/bin/llvm-symbolizer: /usr/lib64/libtinfo.so.5: no version information available (required by /usr/local/bin/llvm-symbolizer)
    #0 0x10c57c7c in skeleton_rawdev_enqueue_bufs /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev.c:424:9
    #1 0x1d74dbc in rte_rawdev_enqueue_buffers /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/rawdev/rte_rawdev.c:233:9
    #2 0x10c5fb38 in test_rawdev_enqdeq /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:382:8
    #3 0x10c5ac30 in skeldev_test_run /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:425:9
    #4 0x10c5a3bc in test_rawdev_skeldev /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:460:2
    #5 0x1d77668 in rte_rawdev_selftest /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/rawdev/rte_rawdev.c:388:9
    #6 0xa3ccc8 in test_rawdev_selftest_impl /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test_rawdev.c:21:8
    #7 0xa3cb08 in test_rawdev_selftest_skeleton /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test_rawdev.c:29:9
    #8 0xa3c7f4 in test_rawdev_selftests /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test_rawdev.c:40:6
    #9 0x4c6ec8 in cmd_autotest_parsed /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/commands.c:70:10
    #10 0x207ef14 in cmdline_parse /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline_parse.c:290:3
    #11 0x2074fbc in cmdline_valid_buffer /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline.c:26:8
    #12 0x208fef4 in rdline_char_in /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline_rdline.c:446:5
    #13 0x2075d50 in cmdline_in /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../lib/cmdline/cmdline.c:148:9
    #14 0x4d4e54 in main /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../app/test/test.c:214:8
    #15 0xffff9caeaff8 (/usr/lib64/libc.so.6+0x2aff8)
    #16 0xffff9caeb0c4 in __libc_start_main (/usr/lib64/libc.so.6+0x2b0c4)
    #17 0x4296ac in _start (/home/baijiaju/test_dpdk/dpdk-21.11-EH/build/app/test/dpdk-test+0x4296ac)

Address 0xffffdd8d6700 is located in stack of thread T0 at offset 32 in frame
    #0 0x10c5f75c in test_rawdev_enqdeq /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev_test.c:369

  This frame has 3 object(s):
    [32, 34) 'queue_id' (line 372) <== Memory access at offset 32 partially overflows this variable
    [48, 56) 'buffers' (line 373)
    [80, 88) 'deq_buffers' (line 374)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/baijiaju/test_dpdk/dpdk-21.11-EH/build/../drivers/raw/skeleton/skeleton_rawdev.c:424:9 in skeleton_rawdev_enqueue_bufs
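The width mismatch the report describes, as an added stand-alone example (not DPDK's code and not the reporter's): the caller stores a uint16_t queue id and hands its address through an opaque void * context, and the consumer reads it back as an int. The ASan frame listing shows 'queue_id' occupying [32, 34) while the read covers 4 bytes from offset 32, so the last two bytes come from whatever sits past the variable. Here that neighbour is a constructed sentinel inside a struct, which keeps the demonstration well-defined and makes the misread deterministic; the hypothetical names (opaque_ctx_t, caller_frame, queue_ctx, queue_id_as_int, queue_id_as_u16, queue_id_typed) are this example's own. The 4-byte read is done with memcpy rather than the report's direct *(int *) dereference so that it stays inside the struct object.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Opaque context handle, mirroring how the enqueue path carries the queue id.
 * Assumption for this demo: the type name is not DPDK's. */
typedef void *opaque_ctx_t;

/* Stand-in for the caller's stack frame: the uint16_t queue_id the test passes,
 * followed by whatever happens to sit next to it. In the ASan report the
 * neighbour was the end of the frame (a redzone); here it is a constructed
 * sentinel so the misread is observable without undefined behaviour.
 * queue_id is the first member, so &frame and &frame.queue_id coincide. */
struct caller_frame {
    uint16_t queue_id;
    uint16_t neighbour;
};

/* Buggy pattern from the report: consume the context as if it were an int.
 * memcpy of sizeof(int) reads the same 4 bytes that *(int *)context would,
 * i.e. 2 bytes of queue_id plus 2 bytes that belong to something else. */
static int queue_id_as_int(opaque_ctx_t context)
{
    int q_id;
    memcpy(&q_id, context, sizeof q_id);   /* 4-byte read of a 2-byte variable */
    return q_id;
}

/* Fixed pattern: read the context at the width the caller actually used. */
static uint16_t queue_id_as_u16(opaque_ctx_t context)
{
    uint16_t q_id;
    memcpy(&q_id, context, sizeof q_id);   /* 2-byte read, matches the caller */
    return q_id;
}

/* Sturdier contract: a typed context struct shared by both sides, so a later
 * change of width on one side cannot silently mismatch the other. */
struct queue_ctx {
    uint16_t queue_id;
};

static uint16_t queue_id_typed(const struct queue_ctx *ctx)
{
    return ctx->queue_id;
}

/* Returns 1 when the int-width read disagrees with what the caller stored,
 * i.e. when the bug is observable on this platform (it is on either
 * byte order, since the sentinel lands in the value either way). */
static int mismatch_observed(void)
{
    struct caller_frame f = { .queue_id = 3, .neighbour = 0xBEEF };
    opaque_ctx_t ctx = &f;                 /* same address as &f.queue_id */
    return queue_id_as_int(ctx) != queue_id_as_u16(ctx);
}

int main(void)
{
    struct caller_frame f = { .queue_id = 3, .neighbour = 0xBEEF };
    struct queue_ctx typed = { .queue_id = 3 };
    opaque_ctx_t ctx = &f;

    printf("caller stored queue_id = %u\n", (unsigned)f.queue_id);
    printf("read as int            = 0x%08x\n", (unsigned)queue_id_as_int(ctx));
    printf("read as uint16_t       = %u\n", (unsigned)queue_id_as_u16(ctx));
    printf("typed context          = %u\n", (unsigned)queue_id_typed(&typed));
    printf("mismatch observed      = %s\n", mismatch_observed() ? "yes" : "no");
    return 0;
}
```

Build with -fsanitize=address and swap the memcpy in queue_id_as_int for a direct *(int *) dereference of a lone uint16_t local to reproduce the stack-buffer-overflow report above; the memcpy form keeps the example portable while still showing the sentinel bytes leaking into the value.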