diff mbox

[dpdk-dev] mem: fix possible memzone integer overflow

Message ID	1465927638-71892-1-git-send-email-sergio.gonzalez.monroy@intel.com (mailing list archive)
State	Accepted, archived
Delegated to:	Thomas Monjalon
Headers	From: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com> To: dev@dpdk.org Date: Tue, 14 Jun 2016 19:07:18 +0100 Message-Id: <1465927638-71892-1-git-send-email-sergio.gonzalez.monroy@intel.com> Subject: [dpdk-dev] [PATCH] mem: fix possible memzone integer overflow Precedence: list Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org>

Commit Message

Sergio Gonzalez Monroy June 14, 2016, 6:07 p.m. UTC

  It is possible to get an integer overflow if we try to reserve a memzone
with len = 0 (meaning the maximum contiguous space available) and the
maximum available elem size is less than (MALLOC_ELEM_OVERHEAD + align).

Issue reported by Coverity:

   >>> 10. overflow: Subtract operation overflows on operands len and
   >>>     64UL.
   >>> CID 107111 (#1 of 1): Overflowed return value (INTEGER_OVERFLOW)
   >>> 11. overflow_sink: Overflowed or truncated value (or a value
   >>>     computed from an overflowed or truncated value)
   >>>     len - 64UL - align used as return value.
   122         return len - MALLOC_ELEM_OVERHEAD - align;

Fixes: fafcc11985a2 ("mem: rework memzone to be allocated by malloc")

Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>
---
 lib/librte_eal/common/eal_common_memzone.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

Comments

Thomas Monjalon June 20, 2016, 8:57 a.m. UTC | #1

2016-06-14 19:07, Sergio Gonzalez Monroy:
> It is possible to get an integer overflow if we try to reserve a memzone
> with len = 0 (meaning the maximum contiguous space available) and the
> maximum available elem size is less than (MALLOC_ELEM_OVERHEAD + align).
> 
> Issue reported by Coverity:
> 
>    >>> 10. overflow: Subtract operation overflows on operands len and
>    >>>     64UL.
>    >>> CID 107111 (#1 of 1): Overflowed return value (INTEGER_OVERFLOW)
>    >>> 11. overflow_sink: Overflowed or truncated value (or a value
>    >>>     computed from an overflowed or truncated value)
>    >>>     len - 64UL - align used as return value.
>    122         return len - MALLOC_ELEM_OVERHEAD - align;
> 
> Fixes: fafcc11985a2 ("mem: rework memzone to be allocated by malloc")
> 
> Signed-off-by: Sergio Gonzalez Monroy <sergio.gonzalez.monroy@intel.com>

Applied, thanks

diff mbox

Patch

diff --git a/lib/librte_eal/common/eal_common_memzone.c b/lib/librte_eal/common/eal_common_memzone.c
index 452679e..5d28341 100644
--- a/lib/librte_eal/common/eal_common_memzone.c
+++ b/lib/librte_eal/common/eal_common_memzone.c
@@ -119,6 +119,9 @@  find_heap_max_free_elem(int *s, unsigned align)
 		}
 	}
 
+	if (len < MALLOC_ELEM_OVERHEAD + align)
+		return 0;
+
 	return len - MALLOC_ELEM_OVERHEAD - align;
 }
 
@@ -197,8 +200,13 @@  memzone_reserve_aligned_thread_unsafe(const char *name, size_t len,
 	if (len == 0) {
 		if (bound != 0)
 			requested_len = bound;
-		else
+		else {
 			requested_len = find_heap_max_free_elem(&socket_id, align);
+			if (requested_len == 0) {
+				rte_errno = ENOMEM;
+				return NULL;
+			}
+		}
 	}
 
 	if (socket_id == SOCKET_ID_ANY)