author | Jieqiang Wang <jieqiang.wang@arm.com> | 2021-07-29 17:03:16 +0000 |
---|---|---|
committer | Dave Barach <dave@barachs.net> | 2021-10-04 10:30:54 -0400 |
commit | 039f289e516b073f6db67f7b35aa3aa64fdc9c82 (patch) | |
tree | 0cf73798f3641af66b35b463ac6945e8789e364c | |
parent | 2c0dc3e58625062da2018ff7aa15c8a0b2dbbc3c (diff) |
vppinfra: fix potential memory access error in _pool_init_fixed
_pool_init_fixed uses mmap to initialize a fixed-size and preallocated
pool, whose size is the sum of vector_size and free_index_size with
alignment to the CLIB_CACHE_LINE_BYTES and page size. In this way
vector_size equals pool_header_t + vec_header_t + elt_size * max_elts,
so moving to the end of the pool space should use the pool_header_t pointer +
vector_size, instead of the vec_header_t pointer + vector_size.
Simple code to reproduce this error:
u64 *pool;
pool_init_fixed(pool, 2042);
Improve unit test to cover this case
Type: fix
Signed-off-by: Jieqiang Wang <jieqiang.wang@arm.com>
Reviewed-by: Lijian Zhang <lijian.zhang@arm.com>
Reviewed-by: Tianyu Li <tianyu.li@arm.com>
Change-Id: If088ef89b3dcb2d874ee837ae9da60983b14615c
Signed-off-by: Dave Barach <dave@barachs.net>
-rw-r--r-- | src/plugins/unittest/pool_test.c | 38 | ||||
-rw-r--r-- | src/vppinfra/pool.c | 2 |
2 files changed, 24 insertions, 16 deletions
diff --git a/src/plugins/unittest/pool_test.c b/src/plugins/unittest/pool_test.c
index 237b6beea09..23ac6d6d95f 100644
--- a/src/plugins/unittest/pool_test.c
+++ b/src/plugins/unittest/pool_test.c
@@ -19,29 +19,37 @@ static clib_error_t *
 test_pool_command_fn (vlib_main_t *vm, unformat_input_t *input, vlib_cli_command_t *cmd)
 {
- int i;
+ static int sizes[] = { 3, 31, 2042, 2048 };
+
+ int i, j;
 u64 *pool;
+ uword this_size;
- pool_init_fixed (pool, 2048);
+ for (j = 0; j < ARRAY_LEN (sizes); j++)
+ {
+ this_size = sizes[j];
- i = 0;
+ pool_init_fixed (pool, this_size);
- while (pool_free_elts (pool) > 0)
- {
- u64 *p __attribute__ ((unused));
+ i = 0;
- pool_get (pool, p);
- i++;
- }
+ while (pool_free_elts (pool) > 0)
+ {
+ u64 *p __attribute__ ((unused));
- vlib_cli_output (vm, "allocated %d elts\n", i);
+ pool_get (pool, p);
+ i++;
+ }
- for (--i; i >= 0; i--)
- {
- pool_put_index (pool, i);
- }
+ vlib_cli_output (vm, "allocated %d elts\n", i);
- ALWAYS_ASSERT (pool_free_elts (pool) == 2048);
+ for (--i; i >= 0; i--)
+ {
+ pool_put_index (pool, i);
+ }
+
+ ALWAYS_ASSERT (pool_free_elts (pool) == this_size);
+ }
 vlib_cli_output (vm, "Test succeeded...\n");
 return 0;
diff --git a/src/vppinfra/pool.c b/src/vppinfra/pool.c
index 78361b5457e..c2f587a93f4 100644
--- a/src/vppinfra/pool.c
+++ b/src/vppinfra/pool.c
@@ -97,7 +97,7 @@ _pool_init_fixed (void **pool_ptr, u32 elt_size, u32 max_elts)
 vh->len = max_elts;
 /* Build the free-index vector */
- vh = (vec_header_t *) (v + vector_size);
+ vh = (vec_header_t *) ((u8 *) fh + vector_size);
 vh->len = max_elts;
 fi = (u32 *) (vh + 1); |
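Review bot: Each pass of the new `for (j = 0; j < ARRAY_LEN (sizes); j++)` loop calls `pool_init_fixed (pool, this_size)` without releasing the pool from the previous pass, so the test leaves one mapping behind per size (the commit message says the fixed pool is mmap-backed). Adding `pool_free (pool);` after the `ALWAYS_ASSERT` would avoid that, assuming pool_free handles fixed pools in this tree. The loop also never touches element memory, since `p` is marked unused; storing a value with `*p = i;` after `pool_get (pool, p);` would make a wrongly placed element or free-index vector fault inside the test. An `ALWAYS_ASSERT (i == this_size);` after the `while` loop would pin the allocated count directly instead of only printing it.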
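Review bot: Nothing at the corrected line `vh = (vec_header_t *) ((u8 *) fh + vector_size);` says which base `vector_size` is measured from, which is the confusion that put the free-index vector past the intended offset in the first place. I would extend the existing comment to something like `/* Build the free-index vector; vector_size counts from the pool header (fh), not from v */`. A debug-build assertion that the free-index header plus `max_elts` u32 entries ends inside the mapped region would catch a regression at init time rather than as a stray write; the variables holding the mapping base and size are outside this hunk, so I am not naming them. _pool_init_fixed starts and ends outside the hunk.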