[PATCH v2 1/2] examples/l3fwd: fix read beyond array bondaries

[Stephen Hemminger]

On Tue, 30 Jul 2024 13:22:34 +0100
Konstantin Ananyev <konstantin.v.ananyev at yandex.ru> wrote:

> From: Konstantin Ananyev <konstantin.ananyev at huawei.com>
> 
> ASAN report:
> ERROR: AddressSanitizer: unknown-crash on address 0x7ffffef92e32 at pc 0x00000053d1e9 bp 0x7ffffef92c00 sp 0x7ffffef92bf8
> READ of size 16 at 0x7ffffef92e32 thread T0
>     #0 0x53d1e8 in _mm_loadu_si128 /usr/lib64/gcc/x86_64-suse-linux/11/include/emmintrin.h:703
>     #1 0x53d1e8 in send_packets_multi ../examples/l3fwd/l3fwd_sse.h:125
>     #2 0x53d1e8 in acl_send_packets ../examples/l3fwd/l3fwd_acl.c:1048
>     #3 0x53ec18 in acl_main_loop ../examples/l3fwd/l3fwd_acl.c:1127
>     #4 0x12151eb in rte_eal_mp_remote_launch ../lib/eal/common/eal_common_launch.c:83
>     #5 0x5bf2df in main ../examples/l3fwd/main.c:1647
>     #6 0x7f6d42a0d2bc in __libc_start_main (/lib64/libc.so.6+0x352bc)
>     #7 0x527499 in _start (/home/kananyev/dpdk-l3fwd-acl/x86_64-native-linuxapp-gcc-dbg-b1/examples/dpdk-l3fwd+0x527499)
> 
> Reason for that is that send_packets_multi() uses 16B loads to access
> input dst_port[]and might read beyond array boundaries.
> Right now, it doesn't cause any real issue - junk values are ignored, also
> inside l3fwd we always allocate dst_port[] array on the stack, so
> memory beyond it is always available.
> Anyway, it probably need to be fixed.
> The patch below simply allocates extra space for dst_port[], so
> send_packets_multi() will never read beyond its boundaries.
> 
> Probably a better fix would be to change send_packets_multi()
> itself to avoid access beyond 'nb_rx' entries.
> 
> Bugzilla ID: 1502
> Fixes: 94c54b4158d5 ("examples/l3fwd: rework exact-match")
> Cc: stable at dpdk.org
> 
> Signed-off-by: Konstantin Ananyev <konstantin.ananyev at huawei.com>

Acked-by: Stephen Hemminger <stephen at networkplumber.org>