malloc_heap: Possible Control Block Overwrite When Insufficient Space in Elem
wuchangsheng (C)
wuchangsheng2 at huawei.com
Thu Mar 30 13:34:10 CEST 2023
Hello,
I seem to have discovered a problem in the heap memory allocation and deallocation operations.
|------------------|----------------------------|
^ elem   padsize   ^ newelem
In the malloc_elem_alloc function, when padsize > cache-line (such as 64 bytes) and padsize < sizeof(struct malloc_elem), the initialization of new_elem will overwrite and damage the struct malloc_elem information of elem, while setting the state of new_elem to ELEM_PAD. When releasing new_elem in malloc_elem_free, it will be converted to elem using RTE_PTR_SUB(new_elem, new_elem->pad), but at this point, the struct malloc_elem information of elem is damaged.
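To make the geometry of the report visible, here is an added example (not part of the original message and not DPDK's own code) that models the split-versus-pad decision of a malloc_elem-style allocator: it aligns the data area down from the end of the existing element, backs up by one header length to find the new header start, and reports the resulting padsize, whether that padsize falls in the "pad instead of split" range, and how many bytes of the old header the new header would overlap. The header length is a parameter because DPDK's real header size depends on build options; the 136-byte value, the element address 0x1000 and the sizes in the usage are all constructed for illustration.

```c
/* Added example, not from the report and not DPDK code: a model of the
 * "pad the element instead of splitting it" decision in a malloc_elem-style
 * allocator, used to see when the new header lands inside the old one.
 * Assumptions: elements start cache-line aligned, the new element is placed
 * so its data area ends where the old element ends, and the header length
 * is passed in (DPDK's real value depends on the build configuration). */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

#define MODEL_CACHE_LINE 64u

struct pad_check {
    bool   ok;             /* false if the request does not fit in elem */
    size_t pad;            /* new header start minus old header start */
    bool   pad_path;       /* 0 < pad < header_len: allocator pads rather than splits */
    size_t overlap_bytes;  /* bytes of the old header covered by the new header */
};

/* Model of the start-point rule: align the data area down from the end of
 * the old element, then back up by one header length for the new header. */
struct pad_check model_pad_check(uintptr_t elem, size_t elem_size,
                                 size_t data_size, size_t align, size_t header_len)
{
    struct pad_check r = {0};

    if (elem_size < header_len + data_size)        /* cannot fit at all */
        return r;

    uintptr_t end        = elem + elem_size;
    uintptr_t data_start = (end - data_size) & ~((uintptr_t)align - 1);
    uintptr_t old_hdr_end = elem + header_len;

    if (data_start < old_hdr_end)                  /* alignment pushed the new header before elem */
        return r;

    uintptr_t new_elem = data_start - header_len;

    r.ok       = true;
    r.pad      = new_elem - elem;
    r.pad_path = r.pad > 0 && r.pad < header_len;
    /* Only in the pad path does a dummy header get written at new_elem; if
     * that header is longer than the pad, its first bytes sit inside the
     * old header, which is the situation the report describes. */
    r.overlap_bytes = r.pad_path ? old_hdr_end - new_elem : 0;
    return r;
}

int main(void)
{
    const uintptr_t elem = 0x1000;   /* constructed element address */
    const size_t hdr = 136;          /* assumed header length, larger than one cache line */

    struct pad_check a = model_pad_check(elem, 512, 256, MODEL_CACHE_LINE, hdr);
    struct pad_check b = model_pad_check(elem, 512, 128, MODEL_CACHE_LINE, hdr);

    printf("data=256: pad=%zu pad_path=%d overlap=%zu bytes\n",
           a.pad, a.pad_path, a.overlap_bytes);
    printf("data=128: pad=%zu pad_path=%d overlap=%zu bytes\n",
           b.pad, b.pad_path, b.overlap_bytes);
    return 0;
}
```

With these constructed inputs the 256-byte request yields a padsize of 120: larger than a cache line but smaller than the 136-byte header, so the allocator takes the pad path and the dummy header written at newelem overlaps the last 16 bytes of the original header. The 128-byte request yields a padsize of 248, which is enough room for a full header, so the element is split instead and nothing overlaps.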