[dpdk-stable] patch 'raw/ifpga: use trusted buffer to free' has been queued to stable release 19.11.6

luca.boccassi at gmail.com luca.boccassi at gmail.com
Mon Nov 9 19:41:01 CET 2020


Hi,

FYI, your patch has been queued to stable release 19.11.6

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 11/11/20. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/df2ceeafd3b44d66ffc416019a1fdeedc3c68a32

Thanks.

Luca Boccassi

---
>From df2ceeafd3b44d66ffc416019a1fdeedc3c68a32 Mon Sep 17 00:00:00 2001
From: Wei Huang <wei.huang at intel.com>
Date: Fri, 30 Oct 2020 03:35:07 -0400
Subject: [PATCH] raw/ifpga: use trusted buffer to free

[ upstream commit ceccbcd73829c495e148e3380de916ef4874c104 ]

In rte_fpga_do_pr, calling function read() may taints argument buffer
which turn to an untrusted value as argument of rte_free().

Coverity issue: 279449
Fixes: ef1e8ede3da5 ("raw/ifpga: add Intel FPGA bus rawdev driver")

Signed-off-by: Wei Huang <wei.huang at intel.com>
Acked-by: Qi Zhang <qi.z.zhang at intel.com>
---
 drivers/raw/ifpga/ifpga_rawdev.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/raw/ifpga/ifpga_rawdev.c b/drivers/raw/ifpga/ifpga_rawdev.c
index 05b6de6312..0c5392d082 100644
--- a/drivers/raw/ifpga/ifpga_rawdev.c
+++ b/drivers/raw/ifpga/ifpga_rawdev.c
@@ -780,7 +780,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
 	int file_fd;
 	int ret = 0;
 	ssize_t buffer_size;
-	void *buffer;
+	void *buffer, *buf_to_free;
 	u64 pr_error;
 
 	if (!file_name)
@@ -812,6 +812,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
 		ret = -ENOMEM;
 		goto close_fd;
 	}
+	buf_to_free = buffer;
 
 	/*read the raw data*/
 	if (buffer_size != read(file_fd, (void *)buffer, buffer_size)) {
@@ -829,8 +830,8 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
 	}
 
 free_buffer:
-	if (buffer)
-		rte_free(buffer);
+	if (buf_to_free)
+		rte_free(buf_to_free);
 close_fd:
 	close(file_fd);
 	file_fd = 0;
-- 
2.27.0

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2020-11-09 18:40:13.893459938 +0000
+++ 0073-raw-ifpga-use-trusted-buffer-to-free.patch	2020-11-09 18:40:11.215312589 +0000
@@ -1 +1 @@
-From ceccbcd73829c495e148e3380de916ef4874c104 Mon Sep 17 00:00:00 2001
+From df2ceeafd3b44d66ffc416019a1fdeedc3c68a32 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit ceccbcd73829c495e148e3380de916ef4874c104 ]
+
@@ -11 +12,0 @@
-Cc: stable at dpdk.org
@@ -20 +21 @@
-index f9de1677b4..27129b133e 100644
+index 05b6de6312..0c5392d082 100644
@@ -23 +24 @@
-@@ -786,7 +786,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
+@@ -780,7 +780,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
@@ -32 +33 @@
-@@ -818,6 +818,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
+@@ -812,6 +812,7 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
@@ -40 +41 @@
-@@ -835,8 +836,8 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,
+@@ -829,8 +830,8 @@ rte_fpga_do_pr(struct rte_rawdev *rawdev, int port_id,


More information about the stable mailing list