[v4,1/2] net/tap: fix buffer overflow for ptypes list through updation of last element.
Checks
Commit Message
Incorrect ptypes list causes buffer overflow for Address Sanitizer
run. The last element in the ptypes lists to be "RTE_PTYPE_UNKNOWN"
for rte_eth_dev_get_supported_ptypes().
In rte_eth_dev_get_supported_ptypes(),the loop iterates until it
finds "RTE_PTYPE_UNKNOWN" to detect last element of the ptypes array.
Fix the ptypes list for drivers.
Fixes: 0849ac3b6122 ("net/tap: add packet type management")
Fixes: a7bdc3bd4244 ("net/dpaa: support packet type parsing")
Fixes: 4ccc8d770d3b ("net/mvneta: add PMD skeleton")
Fixes: f3f0d77db6b0 ("net/mrvl: support packet type parsing")
Fixes: 78a38edf66de ("ethdev: query supported packet types")
Fixes: 659b494d3d88 ("net/pfe: add packet types and basic statistics")
Fixes: 398a1be14168 ("net/thunderx: remove generic passX references")
Cc: pascal.mazon@6wind.com
Cc: zr@semihalf.com
Cc: tdu@semihalf.com
Cc: jianfeng.tan@intel.com
Cc: g.singh@nxp.com
Cc: jerin.jacob@caviumnetworks.com
Cc: stable@dpdk.org
Signed-off-by: Sivaramakrishnan Venkat <venkatx.sivaramakrishnan@intel.com>
---
drivers/net/dpaa/dpaa_ethdev.c | 3 ++-
drivers/net/mvneta/mvneta_ethdev.c | 3 ++-
drivers/net/mvpp2/mrvl_ethdev.c | 3 ++-
drivers/net/nfp/nfp_net_common.c | 1 +
drivers/net/pfe/pfe_ethdev.c | 3 ++-
drivers/net/tap/rte_eth_tap.c | 1 +
drivers/net/thunderx/nicvf_ethdev.c | 2 ++
7 files changed, 12 insertions(+), 4 deletions(-)
Comments
On 1/4/2024 5:51 PM, Sivaramakrishnan Venkat wrote:
> Incorrect ptypes list causes buffer overflow for Address Sanitizer
> run.
>
I think it cause buffer overflow anyway, but detected with Address
Sanitizer, so perhaps we can say:
"Address Sanitizer detected buffer overflow caused by incorrect ptypes
list."
> The last element in the ptypes lists to be "RTE_PTYPE_UNKNOWN"
> for rte_eth_dev_get_supported_ptypes().
> In rte_eth_dev_get_supported_ptypes(),the loop iterates until it
> finds "RTE_PTYPE_UNKNOWN" to detect last element of the ptypes array.
>
It implies but can be good to put clearly that missing
"RTE_PTYPE_UNKNOWN" causes the buffer overflow in the loop.
> Fix the ptypes list for drivers.
>
> Fixes: 0849ac3b6122 ("net/tap: add packet type management")
> Fixes: a7bdc3bd4244 ("net/dpaa: support packet type parsing")
> Fixes: 4ccc8d770d3b ("net/mvneta: add PMD skeleton")
> Fixes: f3f0d77db6b0 ("net/mrvl: support packet type parsing")
> Fixes: 78a38edf66de ("ethdev: query supported packet types")
>
Is this fixes line correct, as far as I can see drivers added with this
commit is correct.
nfp driver also seems fixed, maybe intention was add fixes for it?
> Fixes: 659b494d3d88 ("net/pfe: add packet types and basic statistics")
> Fixes: 398a1be14168 ("net/thunderx: remove generic passX references")
> Cc: pascal.mazon@6wind.com
> Cc: zr@semihalf.com
> Cc: tdu@semihalf.com
> Cc: jianfeng.tan@intel.com
> Cc: g.singh@nxp.com
> Cc: jerin.jacob@caviumnetworks.com
> Cc: stable@dpdk.org
>
> Signed-off-by: Sivaramakrishnan Venkat <venkatx.sivaramakrishnan@intel.com>
>
Patch is no more tap patch, can you please update the patch title in
next version, it can be something like:
"drivers/net: fix buffer overflow for ptypes list"
> ---
> drivers/net/dpaa/dpaa_ethdev.c | 3 ++-
> drivers/net/mvneta/mvneta_ethdev.c | 3 ++-
> drivers/net/mvpp2/mrvl_ethdev.c | 3 ++-
> drivers/net/nfp/nfp_net_common.c | 1 +
> drivers/net/pfe/pfe_ethdev.c | 3 ++-
> drivers/net/tap/rte_eth_tap.c | 1 +
> drivers/net/thunderx/nicvf_ethdev.c | 2 ++
> 7 files changed, 12 insertions(+), 4 deletions(-)
>
Code changes looks good to me.
@@ -363,7 +363,8 @@ dpaa_supported_ptypes_get(struct rte_eth_dev *dev)
RTE_PTYPE_L4_TCP,
RTE_PTYPE_L4_UDP,
RTE_PTYPE_L4_SCTP,
- RTE_PTYPE_TUNNEL_ESP
+ RTE_PTYPE_TUNNEL_ESP,
+ RTE_PTYPE_UNKNOWN
};
PMD_INIT_FUNC_TRACE();
@@ -198,7 +198,8 @@ mvneta_dev_supported_ptypes_get(struct rte_eth_dev *dev __rte_unused)
RTE_PTYPE_L3_IPV4,
RTE_PTYPE_L3_IPV6,
RTE_PTYPE_L4_TCP,
- RTE_PTYPE_L4_UDP
+ RTE_PTYPE_L4_UDP,
+ RTE_PTYPE_UNKNOWN
};
return ptypes;
@@ -1777,7 +1777,8 @@ mrvl_dev_supported_ptypes_get(struct rte_eth_dev *dev __rte_unused)
RTE_PTYPE_L3_IPV6_EXT,
RTE_PTYPE_L2_ETHER_ARP,
RTE_PTYPE_L4_TCP,
- RTE_PTYPE_L4_UDP
+ RTE_PTYPE_L4_UDP,
+ RTE_PTYPE_UNKNOWN
};
return ptypes;
@@ -1299,6 +1299,7 @@ nfp_net_supported_ptypes_get(struct rte_eth_dev *dev)
RTE_PTYPE_INNER_L4_NONFRAG,
RTE_PTYPE_INNER_L4_ICMP,
RTE_PTYPE_INNER_L4_SCTP,
+ RTE_PTYPE_UNKNOWN
};
if (dev->rx_pkt_burst != nfp_net_recv_pkts)
@@ -520,7 +520,8 @@ pfe_supported_ptypes_get(struct rte_eth_dev *dev)
RTE_PTYPE_L3_IPV6_EXT,
RTE_PTYPE_L4_TCP,
RTE_PTYPE_L4_UDP,
- RTE_PTYPE_L4_SCTP
+ RTE_PTYPE_L4_SCTP,
+ RTE_PTYPE_UNKNOWN
};
if (dev->rx_pkt_burst == pfe_recv_pkts ||
@@ -1803,6 +1803,7 @@ tap_dev_supported_ptypes_get(struct rte_eth_dev *dev __rte_unused)
RTE_PTYPE_L4_UDP,
RTE_PTYPE_L4_TCP,
RTE_PTYPE_L4_SCTP,
+ RTE_PTYPE_UNKNOWN
};
return ptypes;
@@ -392,12 +392,14 @@ nicvf_dev_supported_ptypes_get(struct rte_eth_dev *dev)
RTE_PTYPE_L4_TCP,
RTE_PTYPE_L4_UDP,
RTE_PTYPE_L4_FRAG,
+ RTE_PTYPE_UNKNOWN
};
static const uint32_t ptypes_tunnel[] = {
RTE_PTYPE_TUNNEL_GRE,
RTE_PTYPE_TUNNEL_GENEVE,
RTE_PTYPE_TUNNEL_VXLAN,
RTE_PTYPE_TUNNEL_NVGRE,
+ RTE_PTYPE_UNKNOWN
};
static const uint32_t ptypes_end = RTE_PTYPE_UNKNOWN;