patch 'examples/l3fwd: fix read beyond boundaries' has been queued to stable release 23.11.3
Xueming Li
xuemingl at nvidia.com
Sat Dec 7 08:59:43 CET 2024
Hi,
FYI, your patch has been queued to stable release 23.11.3
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 12/10/24. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://git.dpdk.org/dpdk-stable/log/?h=23.11-staging
This queued commit can be viewed at:
https://git.dpdk.org/dpdk-stable/commit/?h=23.11-staging&id=66749b0785fc75a28a32fbbcfbf1085f0dabbb53
Thanks.
Xueming Li <xuemingl at nvidia.com>
---
>From 66749b0785fc75a28a32fbbcfbf1085f0dabbb53 Mon Sep 17 00:00:00 2001
From: Konstantin Ananyev <konstantin.ananyev at huawei.com>
Date: Thu, 7 Nov 2024 13:50:51 -0500
Subject: [PATCH] examples/l3fwd: fix read beyond boundaries
Cc: Xueming Li <xuemingl at nvidia.com>
[ upstream commit ebab0e8b2257aa049dd35dedc7efd230b0f45b88 ]
ASAN report:
ERROR: AddressSanitizer: unknown-crash on address 0x7ffffef92e32 at pc 0x00000053d1e9 bp 0x7ffffef92c00 sp 0x7ffffef92bf8
READ of size 16 at 0x7ffffef92e32 thread T0
#0 0x53d1e8 in _mm_loadu_si128 /usr/lib64/gcc/x86_64-suse-linux/11/include/emmintrin.h:703
#1 0x53d1e8 in send_packets_multi ../examples/l3fwd/l3fwd_sse.h:125
#2 0x53d1e8 in acl_send_packets ../examples/l3fwd/l3fwd_acl.c:1048
#3 0x53ec18 in acl_main_loop ../examples/l3fwd/l3fwd_acl.c:1127
#4 0x12151eb in rte_eal_mp_remote_launch ../lib/eal/common/eal_common_launch.c:83
#5 0x5bf2df in main ../examples/l3fwd/main.c:1647
#6 0x7f6d42a0d2bc in __libc_start_main (/lib64/libc.so.6+0x352bc)
#7 0x527499 in _start (/home/kananyev/dpdk-l3fwd-acl/x86_64-native-linuxapp-gcc-dbg-b1/examples/dpdk-l3fwd+0x527499)
Reason for that is that send_packets_multi() uses 16B loads to access
input dst_port[]and might read beyond array boundaries.
Right now, it doesn't cause any real issue - junk values are ignored, also
inside l3fwd we always allocate dst_port[] array on the stack, so
memory beyond it is always available.
Anyway, it probably need to be fixed.
The patch below simply allocates extra space for dst_port[], so
send_packets_multi() will never read beyond its boundaries.
Probably a better fix would be to change send_packets_multi()
itself to avoid access beyond 'nb_rx' entries.
Bugzilla ID: 1502
Fixes: 94c54b4158d5 ("examples/l3fwd: rework exact-match")
Signed-off-by: Konstantin Ananyev <konstantin.ananyev at huawei.com>
Acked-by: Stephen Hemminger <stephen at networkplumber.org>
---
.mailmap | 2 +-
examples/l3fwd/l3fwd_altivec.h | 6 +++++-
examples/l3fwd/l3fwd_common.h | 7 +++++++
examples/l3fwd/l3fwd_em_hlm.h | 2 +-
examples/l3fwd/l3fwd_em_sequential.h | 2 +-
examples/l3fwd/l3fwd_fib.c | 2 +-
examples/l3fwd/l3fwd_lpm_altivec.h | 2 +-
examples/l3fwd/l3fwd_lpm_neon.h | 2 +-
examples/l3fwd/l3fwd_lpm_sse.h | 2 +-
examples/l3fwd/l3fwd_neon.h | 6 +++++-
examples/l3fwd/l3fwd_sse.h | 6 +++++-
11 files changed, 29 insertions(+), 10 deletions(-)
diff --git a/.mailmap b/.mailmap
index 7990edf2d0..879d0fd81c 100644
--- a/.mailmap
+++ b/.mailmap
@@ -770,7 +770,7 @@ Kirill Rybalchenko <kirill.rybalchenko at intel.com>
Kishore Padmanabha <kishore.padmanabha at broadcom.com>
Klaus Degner <kd at allegro-packets.com>
Kommula Shiva Shankar <kshankar at marvell.com>
-Konstantin Ananyev <konstantin.v.ananyev at yandex.ru> <konstantin.ananyev at huawei.com> <konstantin.ananyev at intel.com>
+Konstantin Ananyev <konstantin.ananyev at huawei.com> <konstantin.v.ananyev at yandex.ru> <konstantin.ananyev at intel.com>
Krishna Murthy <krishna.j.murthy at intel.com>
Krzysztof Galazka <krzysztof.galazka at intel.com>
Krzysztof Kanas <kkanas at marvell.com> <krzysztof.kanas at caviumnetworks.com>
diff --git a/examples/l3fwd/l3fwd_altivec.h b/examples/l3fwd/l3fwd_altivec.h
index e45e138e59..b91a6b5587 100644
--- a/examples/l3fwd/l3fwd_altivec.h
+++ b/examples/l3fwd/l3fwd_altivec.h
@@ -11,6 +11,9 @@
#include "altivec/port_group.h"
#include "l3fwd_common.h"
+#undef SENDM_PORT_OVERHEAD
+#define SENDM_PORT_OVERHEAD(x) ((x) + 2 * FWDSTEP)
+
/*
* Update source and destination MAC addresses in the ethernet header.
* Perform RFC1812 checks and updates for IPV4 packets.
@@ -117,7 +120,8 @@ process_packet(struct rte_mbuf *pkt, uint16_t *dst_port)
*/
static __rte_always_inline void
send_packets_multi(struct lcore_conf *qconf, struct rte_mbuf **pkts_burst,
- uint16_t dst_port[MAX_PKT_BURST], int nb_rx)
+ uint16_t dst_port[SENDM_PORT_OVERHEAD(MAX_PKT_BURST)],
+ int nb_rx)
{
int32_t k;
int j = 0;
diff --git a/examples/l3fwd/l3fwd_common.h b/examples/l3fwd/l3fwd_common.h
index 224b1c08e8..d94e5f1357 100644
--- a/examples/l3fwd/l3fwd_common.h
+++ b/examples/l3fwd/l3fwd_common.h
@@ -18,6 +18,13 @@
/* Minimum value of IPV4 total length (20B) in network byte order. */
#define IPV4_MIN_LEN_BE (sizeof(struct rte_ipv4_hdr) << 8)
+/*
+ * send_packet_multi() specific number of dest ports
+ * due to implementation we need to allocate array bigger then
+ * actual max number of elements in the array.
+ */
+#define SENDM_PORT_OVERHEAD(x) (x)
+
/*
* From http://www.rfc-editor.org/rfc/rfc1812.txt section 5.2.2:
* - The IP version number must be 4.
diff --git a/examples/l3fwd/l3fwd_em_hlm.h b/examples/l3fwd/l3fwd_em_hlm.h
index 31cda9ddc1..c1d819997a 100644
--- a/examples/l3fwd/l3fwd_em_hlm.h
+++ b/examples/l3fwd/l3fwd_em_hlm.h
@@ -249,7 +249,7 @@ static inline void
l3fwd_em_send_packets(int nb_rx, struct rte_mbuf **pkts_burst, uint16_t portid,
struct lcore_conf *qconf)
{
- uint16_t dst_port[MAX_PKT_BURST];
+ uint16_t dst_port[SENDM_PORT_OVERHEAD(MAX_PKT_BURST)];
l3fwd_em_process_packets(nb_rx, pkts_burst, dst_port, portid, qconf, 0);
send_packets_multi(qconf, pkts_burst, dst_port, nb_rx);
diff --git a/examples/l3fwd/l3fwd_em_sequential.h b/examples/l3fwd/l3fwd_em_sequential.h
index 067f23889a..3a40b2e434 100644
--- a/examples/l3fwd/l3fwd_em_sequential.h
+++ b/examples/l3fwd/l3fwd_em_sequential.h
@@ -79,7 +79,7 @@ l3fwd_em_send_packets(int nb_rx, struct rte_mbuf **pkts_burst,
uint16_t portid, struct lcore_conf *qconf)
{
int32_t i, j;
- uint16_t dst_port[MAX_PKT_BURST];
+ uint16_t dst_port[SENDM_PORT_OVERHEAD(MAX_PKT_BURST)];
if (nb_rx > 0) {
rte_prefetch0(rte_pktmbuf_mtod(pkts_burst[0],
diff --git a/examples/l3fwd/l3fwd_fib.c b/examples/l3fwd/l3fwd_fib.c
index f38b19af3f..a36330119a 100644
--- a/examples/l3fwd/l3fwd_fib.c
+++ b/examples/l3fwd/l3fwd_fib.c
@@ -121,7 +121,7 @@ fib_send_packets(int nb_rx, struct rte_mbuf **pkts_burst,
{
uint32_t ipv4_arr[nb_rx];
uint8_t ipv6_arr[nb_rx][RTE_FIB6_IPV6_ADDR_SIZE];
- uint16_t hops[nb_rx];
+ uint16_t hops[SENDM_PORT_OVERHEAD(nb_rx)];
uint64_t hopsv4[nb_rx], hopsv6[nb_rx];
uint8_t type_arr[nb_rx];
uint32_t ipv4_cnt = 0, ipv6_cnt = 0;
diff --git a/examples/l3fwd/l3fwd_lpm_altivec.h b/examples/l3fwd/l3fwd_lpm_altivec.h
index adb82f1478..91aad5c313 100644
--- a/examples/l3fwd/l3fwd_lpm_altivec.h
+++ b/examples/l3fwd/l3fwd_lpm_altivec.h
@@ -145,7 +145,7 @@ static inline void
l3fwd_lpm_send_packets(int nb_rx, struct rte_mbuf **pkts_burst, uint8_t portid,
struct lcore_conf *qconf)
{
- uint16_t dst_port[MAX_PKT_BURST];
+ uint16_t dst_port[SENDM_PORT_OVERHEAD(MAX_PKT_BURST)];
l3fwd_lpm_process_packets(nb_rx, pkts_burst, portid, dst_port, qconf,
0);
diff --git a/examples/l3fwd/l3fwd_lpm_neon.h b/examples/l3fwd/l3fwd_lpm_neon.h
index 2a68c4c15e..3c1f827424 100644
--- a/examples/l3fwd/l3fwd_lpm_neon.h
+++ b/examples/l3fwd/l3fwd_lpm_neon.h
@@ -171,7 +171,7 @@ static inline void
l3fwd_lpm_send_packets(int nb_rx, struct rte_mbuf **pkts_burst, uint16_t portid,
struct lcore_conf *qconf)
{
- uint16_t dst_port[MAX_PKT_BURST];
+ uint16_t dst_port[SENDM_PORT_OVERHEAD(MAX_PKT_BURST)];
l3fwd_lpm_process_packets(nb_rx, pkts_burst, portid, dst_port, qconf,
0);
diff --git a/examples/l3fwd/l3fwd_lpm_sse.h b/examples/l3fwd/l3fwd_lpm_sse.h
index db15030320..50f1abbd8a 100644
--- a/examples/l3fwd/l3fwd_lpm_sse.h
+++ b/examples/l3fwd/l3fwd_lpm_sse.h
@@ -129,7 +129,7 @@ static inline void
l3fwd_lpm_send_packets(int nb_rx, struct rte_mbuf **pkts_burst, uint16_t portid,
struct lcore_conf *qconf)
{
- uint16_t dst_port[MAX_PKT_BURST];
+ uint16_t dst_port[SENDM_PORT_OVERHEAD(MAX_PKT_BURST)];
l3fwd_lpm_process_packets(nb_rx, pkts_burst, portid, dst_port, qconf,
0);
diff --git a/examples/l3fwd/l3fwd_neon.h b/examples/l3fwd/l3fwd_neon.h
index 40807d5965..bc2bab8265 100644
--- a/examples/l3fwd/l3fwd_neon.h
+++ b/examples/l3fwd/l3fwd_neon.h
@@ -10,6 +10,9 @@
#include "neon/port_group.h"
#include "l3fwd_common.h"
+#undef SENDM_PORT_OVERHEAD
+#define SENDM_PORT_OVERHEAD(x) ((x) + 2 * FWDSTEP)
+
/*
* Update source and destination MAC addresses in the ethernet header.
* Perform RFC1812 checks and updates for IPV4 packets.
@@ -92,7 +95,8 @@ process_packet(struct rte_mbuf *pkt, uint16_t *dst_port)
*/
static __rte_always_inline void
send_packets_multi(struct lcore_conf *qconf, struct rte_mbuf **pkts_burst,
- uint16_t dst_port[MAX_PKT_BURST], int nb_rx)
+ uint16_t dst_port[SENDM_PORT_OVERHEAD(MAX_PKT_BURST)],
+ int nb_rx)
{
int32_t k;
int j = 0;
diff --git a/examples/l3fwd/l3fwd_sse.h b/examples/l3fwd/l3fwd_sse.h
index 083729cdef..6236b7873c 100644
--- a/examples/l3fwd/l3fwd_sse.h
+++ b/examples/l3fwd/l3fwd_sse.h
@@ -10,6 +10,9 @@
#include "sse/port_group.h"
#include "l3fwd_common.h"
+#undef SENDM_PORT_OVERHEAD
+#define SENDM_PORT_OVERHEAD(x) ((x) + 2 * FWDSTEP)
+
/*
* Update source and destination MAC addresses in the ethernet header.
* Perform RFC1812 checks and updates for IPV4 packets.
@@ -91,7 +94,8 @@ process_packet(struct rte_mbuf *pkt, uint16_t *dst_port)
*/
static __rte_always_inline void
send_packets_multi(struct lcore_conf *qconf, struct rte_mbuf **pkts_burst,
- uint16_t dst_port[MAX_PKT_BURST], int nb_rx)
+ uint16_t dst_port[SENDM_PORT_OVERHEAD(MAX_PKT_BURST)],
+ int nb_rx)
{
int32_t k;
int j = 0;
--
2.34.1
---
Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- - 2024-12-06 23:26:44.967228916 +0800
+++ 0025-examples-l3fwd-fix-read-beyond-boundaries.patch 2024-12-06 23:26:43.903044828 +0800
@@ -1 +1 @@
-From ebab0e8b2257aa049dd35dedc7efd230b0f45b88 Mon Sep 17 00:00:00 2001
+From 66749b0785fc75a28a32fbbcfbf1085f0dabbb53 Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li <xuemingl at nvidia.com>
+
+[ upstream commit ebab0e8b2257aa049dd35dedc7efd230b0f45b88 ]
@@ -32 +34,0 @@
-Cc: stable at dpdk.org
@@ -38 +39,0 @@
- examples/l3fwd/l3fwd_acl.c | 2 +-
@@ -49 +50 @@
- 12 files changed, 30 insertions(+), 11 deletions(-)
+ 11 files changed, 29 insertions(+), 10 deletions(-)
@@ -52 +53 @@
-index 4894219f2f..4eef08df30 100644
+index 7990edf2d0..879d0fd81c 100644
@@ -55 +56 @@
-@@ -804,7 +804,7 @@ Kirill Rybalchenko <kirill.rybalchenko at intel.com>
+@@ -770,7 +770,7 @@ Kirill Rybalchenko <kirill.rybalchenko at intel.com>
@@ -64,13 +64,0 @@
-diff --git a/examples/l3fwd/l3fwd_acl.c b/examples/l3fwd/l3fwd_acl.c
-index b635011ef7..baa01e6dde 100644
---- a/examples/l3fwd/l3fwd_acl.c
-+++ b/examples/l3fwd/l3fwd_acl.c
-@@ -1056,7 +1056,7 @@ int
- acl_main_loop(__rte_unused void *dummy)
- {
- struct rte_mbuf *pkts_burst[MAX_PKT_BURST];
-- uint16_t hops[MAX_PKT_BURST];
-+ uint16_t hops[SENDM_PORT_OVERHEAD(MAX_PKT_BURST)];
- unsigned int lcore_id;
- uint64_t prev_tsc, diff_tsc, cur_tsc;
- int i, nb_rx;
@@ -146 +134 @@
-index a0eef05a5d..e1eb8c61c8 100644
+index f38b19af3f..a36330119a 100644
@@ -152 +140 @@
- struct rte_ipv6_addr ipv6_arr[nb_rx];
+ uint8_t ipv6_arr[nb_rx][RTE_FIB6_IPV6_ADDR_SIZE];
More information about the stable
mailing list