patch 'net/mlx5: fix stack buffer overflow in drop action' has been queued to stable release 20.11.6

Xueming Li xuemingl at nvidia.com
Wed Jul 20 10:21:03 CEST 2022

Previous message (by thread): patch 'net/mlx5: fix RSS expansion for patterns with ICMP item' has been queued to stable release 20.11.6
Next message (by thread): patch 'raw/ioat: fix build when ioat dmadev enabled' has been queued to stable release 20.11.6
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

FYI, your patch has been queued to stable release 20.11.6

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/22/22. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/steevenlee/dpdk

This queued commit can be viewed at:
https://github.com/steevenlee/dpdk/commit/40538d0b04ca679aa426a4cfb20d1c7833be23b1

Thanks.

Xueming Li <xuemingl at nvidia.com>

---
>From 40538d0b04ca679aa426a4cfb20d1c7833be23b1 Mon Sep 17 00:00:00 2001
From: Yunjian Wang <wangyunjian at huawei.com>
Date: Fri, 24 Dec 2021 11:06:19 +0800
Subject: [PATCH] net/mlx5: fix stack buffer overflow in drop action
Cc: Xueming Li <xuemingl at nvidia.com>

[ upstream commit a73b78554aee830605c8d8714239dc53fa443d5e ]

The mlx5_drop_action_create function use mlx5_malloc for allocating
'hrxq', but don't allocate for 'rss_key'. This is wrong and it can
cause buffer overflow.

Detected with address sanitizer:
0 (/usr/lib64/libasan.so.4+0x7b8e2)
1 in mlx5_devx_tir_attr_set ../drivers/net/mlx5/mlx5_devx.c:765
2 in mlx5_devx_hrxq_new ../drivers/net/mlx5/mlx5_devx.c:800
3 in mlx5_devx_drop_action_create ../drivers/net/mlx5/mlx5_devx.c:1051
4 in mlx5_drop_action_create ../drivers/net/mlx5/mlx5_rxq.c:2846
5 in mlx5_dev_spawn ../drivers/net/mlx5/linux/mlx5_os.c:1743
6 in mlx5_os_pci_probe_pf ../drivers/net/mlx5/linux/mlx5_os.c:2501
7 in mlx5_os_pci_probe ../drivers/net/mlx5/linux/mlx5_os.c:2647
8 in mlx5_os_net_probe ../drivers/net/mlx5/linux/mlx5_os.c:2722
9 in drivers_probe ../drivers/common/mlx5/mlx5_common.c:657
10 in mlx5_common_dev_probe ../drivers/common/mlx5/mlx5_common.c:711
11 in mlx5_common_pci_probe ../drivers/common/mlx5/mlx5_common_pci.c:150
12 in rte_pci_probe_one_driver ../drivers/bus/pci/pci_common.c:269
13 in pci_probe_all_drivers ../drivers/bus/pci/pci_common.c:353
14 in pci_probe ../drivers/bus/pci/pci_common.c:380
15 in rte_bus_probe ../lib/eal/common/eal_common_bus.c:72
16 in rte_eal_init ../lib/eal/linux/eal.c:1286
17 in main ../app/test-pmd/testpmd.c:4112

Fixes: 0c762e81da9b ("net/mlx5: share Rx queue drop action code")

Signed-off-by: Yunjian Wang <wangyunjian at huawei.com>
Acked-by: Viacheslav Ovsiienko <viacheslavo at nvidia.com>
---
 drivers/net/mlx5/mlx5_rxq.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/mlx5/mlx5_rxq.c b/drivers/net/mlx5/mlx5_rxq.c
index cb743a773c..ac7482c211 100644
--- a/drivers/net/mlx5/mlx5_rxq.c
+++ b/drivers/net/mlx5/mlx5_rxq.c
@@ -2554,7 +2554,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)
 
 	if (priv->drop_queue.hrxq)
 		return priv->drop_queue.hrxq;
-	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq), 0, SOCKET_ID_ANY);
+	hrxq = mlx5_malloc(MLX5_MEM_ZERO, sizeof(*hrxq) + MLX5_RSS_HASH_KEY_LEN, 0, SOCKET_ID_ANY);
 	if (!hrxq) {
 		DRV_LOG(WARNING,
 			"Port %u cannot allocate memory for drop queue.",
-- 
2.35.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2022-07-20 15:01:00.389183768 +0800
+++ 0034-net-mlx5-fix-stack-buffer-overflow-in-drop-action.patch	2022-07-20 15:00:58.741000448 +0800
@@ -1 +1 @@
-From a73b78554aee830605c8d8714239dc53fa443d5e Mon Sep 17 00:00:00 2001
+From 40538d0b04ca679aa426a4cfb20d1c7833be23b1 Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li <xuemingl at nvidia.com>
+
+[ upstream commit a73b78554aee830605c8d8714239dc53fa443d5e ]
@@ -31 +33,0 @@
-Cc: stable at dpdk.org
@@ -40 +42 @@
-index a2d03f9f67..eaf23d0df4 100644
+index cb743a773c..ac7482c211 100644
@@ -43 +45 @@
-@@ -3078,7 +3078,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)
+@@ -2554,7 +2554,7 @@ mlx5_drop_action_create(struct rte_eth_dev *dev)

Previous message (by thread): patch 'net/mlx5: fix RSS expansion for patterns with ICMP item' has been queued to stable release 20.11.6
Next message (by thread): patch 'raw/ioat: fix build when ioat dmadev enabled' has been queued to stable release 20.11.6
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the stable mailing list