ring: fix overflow in memory size calculation
Commit Message
Parameters count and esize are both unsigned int, and their product can
legally exceed unsigned int and lead to runtime access violation.
Fixes: cc4b218790f6 ("ring: support configurable element size")
Cc: stable@dpdk.org
Signed-off-by: Zhihong Wang <wangzhihong.wzh@bytedance.com>
---
lib/ring/rte_ring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Tue, Dec 14, 2021 at 11:30:16AM +0800, Zhihong Wang wrote:
> Parameters count and esize are both unsigned int, and their product can
> legally exceed unsigned int and lead to runtime access violation.
>
> Fixes: cc4b218790f6 ("ring: support configurable element size")
> Cc: stable@dpdk.org
>
> Signed-off-by: Zhihong Wang <wangzhihong.wzh@bytedance.com>
> ---
> lib/ring/rte_ring.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c
> index f17bd966be..d1b80597af 100644
> --- a/lib/ring/rte_ring.c
> +++ b/lib/ring/rte_ring.c
> @@ -75,7 +75,7 @@ rte_ring_get_memsize_elem(unsigned int esize, unsigned int count)
> return -EINVAL;
> }
>
> - sz = sizeof(struct rte_ring) + count * esize;
> + sz = sizeof(struct rte_ring) + (ssize_t)count * esize;
> sz = RTE_ALIGN(sz, RTE_CACHE_LINE_SIZE);
> return sz;
> }
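Review bot: on the `+` line, the cast in `(ssize_t)count * esize` only widens the multiplication where ssize_t is wider than unsigned int. On a target where both are 32 bits the product can still exceed the type, and the function would return a wrong size instead of an error. Consider checking the product against the largest value sz can hold (less the header size and the alignment slack) and returning -EINVAL, as the branch in the context lines above already does.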
> --
> 2.11.0
>
Reviewed-by Liang Ma <liangma@liangbit.com>
> From: Liang Ma [mailto:liangma@liangbit.com]
> Sent: Wednesday, 15 December 2021 09.01
>
> On Tue, Dec 14, 2021 at 11:30:16AM +0800, Zhihong Wang wrote:
> > Parameters count and esize are both unsigned int, and their product can
> > legally exceed unsigned int and lead to runtime access violation.
> >
> > Fixes: cc4b218790f6 ("ring: support configurable element size")
> > Cc: stable@dpdk.org
> >
> > Signed-off-by: Zhihong Wang <wangzhihong.wzh@bytedance.com>
> > ---
> > lib/ring/rte_ring.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c
> > index f17bd966be..d1b80597af 100644
> > --- a/lib/ring/rte_ring.c
> > +++ b/lib/ring/rte_ring.c
> > @@ -75,7 +75,7 @@ rte_ring_get_memsize_elem(unsigned int esize,
> unsigned int count)
> > return -EINVAL;
> > }
> >
> > - sz = sizeof(struct rte_ring) + count * esize;
> > + sz = sizeof(struct rte_ring) + (ssize_t)count * esize;
> > sz = RTE_ALIGN(sz, RTE_CACHE_LINE_SIZE);
> > return sz;
> > }
> > --
> > 2.11.0
> >
> Reviewed-by Liang Ma <liangma@liangbit.com>
I was wondering about the type conversion to signed (instead of unsigned), but sz is ssize_t, so the conversion to ssize_t is correct. Otherwise, sz should be changed from ssize_t to size_t too.
No need for further changes.
Reviewed-by: Morten Brørup <mb@smartsharesystems.com>
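The size calculation discussed in this thread, modelled with fixed-width types as an added example (not DPDK code and not part of any message here). HDR_SIZE, CACHE_LINE and the function names are constructed stand-ins; int64_t stands for a 64-bit ssize_t, and the `limit` parameter is an assumption used to model a narrower signed size type.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for sizeof(struct rte_ring) and RTE_CACHE_LINE_SIZE. */
#define HDR_SIZE   ((uint64_t)128)
#define CACHE_LINE 64
#define ALIGN_UP(v) ((int64_t)(((v) + (CACHE_LINE - 1)) & ~(int64_t)(CACHE_LINE - 1)))

/* Before the fix: count * esize is evaluated in 32-bit unsigned arithmetic,
 * so the product wraps modulo 2^32 before it is added to the header size. */
static int64_t memsize_wrapping(uint32_t esize, uint32_t count)
{
    int64_t sz = (int64_t)(HDR_SIZE + count * esize);
    return ALIGN_UP(sz);
}

/* After the fix: one operand is widened first, so the product is 64-bit. */
static int64_t memsize_widened(uint32_t esize, uint32_t count)
{
    int64_t sz = (int64_t)HDR_SIZE + (int64_t)count * esize;
    return ALIGN_UP(sz);
}

/* Explicit bound: reject a size that a signed type with maximum `limit`
 * cannot hold (limit = INT32_MAX models a 32-bit ssize_t). */
static int64_t memsize_checked(uint32_t esize, uint32_t count, int64_t limit)
{
    uint64_t body = (uint64_t)count * esize; /* two 32-bit values fit in 64 bits */
    if (body > (uint64_t)limit - HDR_SIZE - (CACHE_LINE - 1))
        return -EINVAL;
    return ALIGN_UP((int64_t)(HDR_SIZE + body));
}

int main(void)
{
    uint32_t esize = 16, count = 1u << 28; /* product is exactly 2^32 */
    printf("wrapping: %" PRId64 "\n", memsize_wrapping(esize, count));
    printf("widened:  %" PRId64 "\n", memsize_widened(esize, count));
    printf("checked (32-bit limit): %" PRId64 "\n",
           memsize_checked(esize, count, INT32_MAX));
    return 0;
}
```

With the wrapped product the reported size covers only the header, so a ring laid out from that size would be indexed far past the memory reserved for it.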
> Parameters count and esize are both unsigned int, and their product can
> legally exceed unsigned int and lead to runtime access violation.
>
> Fixes: cc4b218790f6 ("ring: support configurable element size")
> Cc: stable@dpdk.org
>
> Signed-off-by: Zhihong Wang <wangzhihong.wzh@bytedance.com>
> ---
> lib/ring/rte_ring.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/ring/rte_ring.c b/lib/ring/rte_ring.c
> index f17bd966be..d1b80597af 100644
> --- a/lib/ring/rte_ring.c
> +++ b/lib/ring/rte_ring.c
> @@ -75,7 +75,7 @@ rte_ring_get_memsize_elem(unsigned int esize, unsigned int count)
> return -EINVAL;
> }
>
> - sz = sizeof(struct rte_ring) + count * esize;
> + sz = sizeof(struct rte_ring) + (ssize_t)count * esize;
> sz = RTE_ALIGN(sz, RTE_CACHE_LINE_SIZE);
> return sz;
> }
> --
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
> 2.11.0
On Tue, Dec 14, 2021 at 4:30 AM Zhihong Wang
<wangzhihong.wzh@bytedance.com> wrote:
>
> Parameters count and esize are both unsigned int, and their product can
> legally exceed unsigned int and lead to runtime access violation.
>
> Fixes: cc4b218790f6 ("ring: support configurable element size")
> Cc: stable@dpdk.org
>
> Signed-off-by: Zhihong Wang <wangzhihong.wzh@bytedance.com>
Reviewed-by: Liang Ma <liangma@liangbit.com>
Reviewed-by: Morten Brørup <mb@smartsharesystems.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@intel.com>
Applied, thanks.
@@ -75,7 +75,7 @@ rte_ring_get_memsize_elem(unsigned int esize, unsigned int count)
return -EINVAL;
}
- sz = sizeof(struct rte_ring) + count * esize;
+ sz = sizeof(struct rte_ring) + (ssize_t)count * esize;
sz = RTE_ALIGN(sz, RTE_CACHE_LINE_SIZE);
return sz;
}
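Review bot: the cast on the `+` line is the entire fix, and nothing in the hunk records why it is there, so a later cleanup could remove it as redundant. A short comment above the assignment saying that count * esize must be evaluated in ssize_t because both operands are unsigned int would protect it. The diffstat shows only lib/ring/rte_ring.c changed, so a test that calls rte_ring_get_memsize_elem() with a count and esize whose product exceeds unsigned int would be worth adding alongside.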