[dpdk-dev] [PATCH v2] mem: fix the alloc size roundup overflow
Burakov, Anatoly
anatoly.burakov at intel.com
Thu May 7 13:55:24 CEST 2020
On 07-May-20 8:41 AM, Bing Zhao wrote:
> The size checking is done in the caller. The size parameter is an
> unsigned (64b wide) right now, so the comparison with zero should be
> enough in most cases. But it won't help in the following case.
> If the allocating request input a huge number by mistake, e.g., some
> overflow after the calculation (especially subtraction), the checking
> in the caller will succeed since it is not zero. Indeed, there is not
> enough space in the system to support such huge memory allocation.
> Usually it will return failure in the following code. But if the
> input size is just a little smaller than the UINT64_MAX, like -2 in
> signed type.
> The roundup will cause an overflow and then "reset" the size to 0,
> and then only a header (128B now) with zero length will be returned.
> The following will be the previous allocation header.
> It should be OK in most cases if the application won't access the
> memory body. Or else, some critical issue will be caused and not easy
> to debug. So this issue should be prevented at the beginning, like
> other big size failure, NULL pointer should be returned also.
>
> Fixes: fdf20fa7bee9 ("add prefix to cache line macros")
> Cc: sergio.gonzalez.monroy at intel.com
> Cc: stable at dpdk.org
>
> Signed-off-by: Bing Zhao <bingz at mellanox.com>
> ---
> v2: add unit test for this case
> ---
> app/test/test_malloc.c | 12 ++++++++++++
> lib/librte_eal/common/malloc_heap.c | 3 +++
> 2 files changed, 15 insertions(+)
>
> diff --git a/app/test/test_malloc.c b/app/test/test_malloc.c
> index 40a2f50..a96c060 100644
> --- a/app/test/test_malloc.c
> +++ b/app/test/test_malloc.c
> @@ -846,6 +846,18 @@
> if (bad_ptr != NULL)
> goto err_return;
>
> + /* rte_malloc expected to return null with size will cause overflow */
> + align = RTE_CACHE_LINE_SIZE;
> + size = (size_t)-8;
> +
> + bad_ptr = rte_malloc(type, size, align);
> + if (bad_ptr != NULL)
> + goto err_return;
> +
> + bad_ptr = rte_realloc(NULL, size, align);
> + if (bad_ptr != NULL)
> + goto err_return;
You're mixing space and tabs as indentation here.
Otherwise,
Reviewed-by: Anatoly Burakov <anatoly.burakov at intel.com>
> +
> return 0;
>
> err_return:
> diff --git a/lib/librte_eal/common/malloc_heap.c b/lib/librte_eal/common/malloc_heap.c
> index 842eb9d..bd50656 100644
> --- a/lib/librte_eal/common/malloc_heap.c
> +++ b/lib/librte_eal/common/malloc_heap.c
> @@ -241,6 +241,9 @@
> size = RTE_CACHE_LINE_ROUNDUP(size);
> align = RTE_CACHE_LINE_ROUNDUP(align);
>
> + /* roundup might cause an overflow */
> + if (size == 0)
> + return NULL;
> elem = find_suitable_element(heap, size, flags, align, bound, contig);
> if (elem != NULL) {
> elem = malloc_elem_alloc(elem, size, align, bound, contig);
>
--
Thanks,
Anatoly
More information about the dev
mailing list