[dpdk-dev] [PATCH v2] mem: fix the alloc size roundup overflow

[Burakov, Anatoly]

On 07-May-20 8:41 AM, Bing Zhao wrote:
> The size checking is done in the caller. The size parameter is an
> unsigned (64b wide) right now, so the comparison with zero should be
> enough in most cases. But it won't help in the following case.
> If the allocating request input a huge number by mistake, e.g., some
> overflow after the calculation (especially subtraction), the checking
> in the caller will succeed since it is not zero. Indeed, there is not
> enough space in the system to support such huge memory allocation.
> Usually it will return failure in the following code. But if the
> input size is just a little smaller than the UINT64_MAX, like -2 in
> signed type.
> The roundup will cause an overflow and then "reset" the size to 0,
> and then only a header (128B now) with zero length will be returned.
> The following will be the previous allocation header.
> It should be OK in most cases if the application won't access the
> memory body. Or else, some critical issue will be caused and not easy
> to debug. So this issue should be prevented at the beginning, like
> other big size failure, NULL pointer should be returned also.
> 
> Fixes: fdf20fa7bee9 ("add prefix to cache line macros")
> Cc: sergio.gonzalez.monroy at intel.com
> Cc: stable at dpdk.org
> 
> Signed-off-by: Bing Zhao <bingz at mellanox.com>
> ---
> v2: add unit test for this case
> ---
>   app/test/test_malloc.c              | 12 ++++++++++++
>   lib/librte_eal/common/malloc_heap.c |  3 +++
>   2 files changed, 15 insertions(+)
> 
> diff --git a/app/test/test_malloc.c b/app/test/test_malloc.c
> index 40a2f50..a96c060 100644
> --- a/app/test/test_malloc.c
> +++ b/app/test/test_malloc.c
> @@ -846,6 +846,18 @@
>   	if (bad_ptr != NULL)
>   		goto err_return;
>   
> +	/* rte_malloc expected to return null with size will cause overflow */
> +	align = RTE_CACHE_LINE_SIZE;
> +	size = (size_t)-8;
> +
> +	bad_ptr = rte_malloc(type, size, align);
> +	if (bad_ptr != NULL)
> +		goto err_return;
> +
> +	bad_ptr = rte_realloc(NULL, size, align);
> +        if (bad_ptr != NULL)
> +                goto err_return;

You're mixing space and tabs as indentation here.

Otherwise,

Reviewed-by: Anatoly Burakov <anatoly.burakov at intel.com>

> +
>   	return 0;
>   
>   err_return:
> diff --git a/lib/librte_eal/common/malloc_heap.c b/lib/librte_eal/common/malloc_heap.c
> index 842eb9d..bd50656 100644
> --- a/lib/librte_eal/common/malloc_heap.c
> +++ b/lib/librte_eal/common/malloc_heap.c
> @@ -241,6 +241,9 @@
>   	size = RTE_CACHE_LINE_ROUNDUP(size);
>   	align = RTE_CACHE_LINE_ROUNDUP(align);
>   
> +	/* roundup might cause an overflow */
> +	if (size == 0)
> +		return NULL;
>   	elem = find_suitable_element(heap, size, flags, align, bound, contig);
>   	if (elem != NULL) {
>   		elem = malloc_elem_alloc(elem, size, align, bound, contig);
> 


-- 
Thanks,
Anatoly