[dpdk-dev] [dpdk-stable] [PATCH v2] mem: fix the alloc size roundup overflow
David Marchand
david.marchand at redhat.com
Thu May 7 14:12:21 CEST 2020
On Thu, May 7, 2020 at 1:55 PM Burakov, Anatoly
<anatoly.burakov at intel.com> wrote:
>
> On 07-May-20 8:41 AM, Bing Zhao wrote:
> > The size checking is done in the caller. The size parameter is an
> > unsigned (64b wide) right now, so the comparison with zero should be
> > enough in most cases. But it won't help in the following case.
> > If the allocating request input a huge number by mistake, e.g., some
> > overflow after the calculation (especially subtraction), the checking
> > in the caller will succeed since it is not zero. Indeed, there is not
> > enough space in the system to support such huge memory allocation.
> > Usually it will return failure in the following code. But if the
> > input size is just a little smaller than the UINT64_MAX, like -2 in
> > signed type.
> > The roundup will cause an overflow and then "reset" the size to 0,
> > and then only a header (128B now) with zero length will be returned.
> > The following will be the previous allocation header.
> > It should be OK in most cases if the application won't access the
> > memory body. Or else, some critical issue will be caused and not easy
> > to debug. So this issue should be prevented at the beginning, like
> > other big size failure, NULL pointer should be returned also.
> >
> > Fixes: fdf20fa7bee9 ("add prefix to cache line macros")
> > Cc: stable at dpdk.org
> >
> > Signed-off-by: Bing Zhao <bingz at mellanox.com>
> > ---
> > v2: add unit test for this case
> > ---
> > app/test/test_malloc.c | 12 ++++++++++++
> > lib/librte_eal/common/malloc_heap.c | 3 +++
> > 2 files changed, 15 insertions(+)
> >
> > diff --git a/app/test/test_malloc.c b/app/test/test_malloc.c
> > index 40a2f50..a96c060 100644
> > --- a/app/test/test_malloc.c
> > +++ b/app/test/test_malloc.c
> > @@ -846,6 +846,18 @@
> > if (bad_ptr != NULL)
> > goto err_return;
> >
> > + /* rte_malloc expected to return null with size will cause overflow */
> > + align = RTE_CACHE_LINE_SIZE;
> > + size = (size_t)-8;
> > +
> > + bad_ptr = rte_malloc(type, size, align);
> > + if (bad_ptr != NULL)
> > + goto err_return;
> > +
> > + bad_ptr = rte_realloc(NULL, size, align);
> > + if (bad_ptr != NULL)
> > + goto err_return;
>
> You're mixing space and tabs as indentation here.
Will fix while applying.
>
> Otherwise,
>
> Reviewed-by: Anatoly Burakov <anatoly.burakov at intel.com>
You acked the v1, so I will go with it.
Thanks for the work Bing, Anatoly.
--
David Marchand
More information about the dev
mailing list