From: Ferruh Yigit
To: Wei Huang, dev@dpdk.org, rosen.xu@intel.com, qi.z.zhang@intel.com
Cc: stable@dpdk.org, tianfei.zhang@intel.com
Date: Wed, 7 Apr 2021 14:59:12 +0100
Subject: Re: [dpdk-dev] [dpdk-stable] [PATCH v1 1/4] raw/ifpga/base: use trusted buffer to free
Message-ID: <5a9f8365-d240-8acf-23e8-0d95c973f1ab@intel.com>
In-Reply-To: <1615969296-17021-2-git-send-email-wei.huang@intel.com>

On 3/17/2021 8:21 AM, Wei Huang wrote:
> In write_flash_image(), calling function "read" may taint variable
> "buf", which turns into an untrusted value as argument of "rte_free".
>
> Coverity issue: 367477
> Fixes: 7a4f3993f269 ("raw/ifpga: add FPGA RSU APIs")
>

Hi Huang, Rosen,

I checked the Coverity issue but I am still not clear about the problem. What does 'read' taints 'buf' mean? The 'buf' is passed as an argument to read, so all 'read' can do is change the memory that 'buf' points to, so why should it affect the 'free' at all? If there is a memory overflow etc., your change is just hiding the error, not fixing it.

And the error message mentions 'rte_free', not 'free'; I am not sure how 'rte_free' is involved in the problem, any idea?

> Signed-off-by: Wei Huang
> ---
> drivers/raw/ifpga/base/ifpga_fme_rsu.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/drivers/raw/ifpga/base/ifpga_fme_rsu.c b/drivers/raw/ifpga/base/ifpga_fme_rsu.c > index 28198abd78..d32f1eccb1 100644 
> --- a/drivers/raw/ifpga/base/ifpga_fme_rsu.c > +++ b/drivers/raw/ifpga/base/ifpga_fme_rsu.c > @@ -92,6 +92,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image, > uint32_t offset) > { > void *buf = NULL; > + void *buf_to_free = NULL; > int retry = 0; > uint32_t length = 0; > uint32_t to_transfer = 0; > @@ -122,6 +123,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image, > close(fd); > return -ENOMEM; > } > + buf_to_free = buf; > > length = smgr->rsu_length; > one_percent = length / 100; > @@ -177,7 +179,7 @@ static int write_flash_image(struct ifpga_sec_mgr *smgr, const char *image, > printf("\n"); > > end: > - free(buf); > + free(buf_to_free); > close(fd); > return ret; > } >
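
Review bot: At the `end:` label in the last hunk, `free(buf_to_free)` is handed the value copied from `buf` by `buf_to_free = buf;`, and none of the visible lines reassign `buf` in between, so the call releases the same allocation as the removed `free(buf)`. The alias only stops the analyzer from carrying taint to the freed pointer. If the finding is a false positive, the commit message should say so; if the read the commit message refers to can write past the allocation, the fix belongs at that call as a bound on the requested length, not at the free. The commit message also names "rte_free" while this hunk changes a `free()` call; please reconcile the two and confirm the deallocator matches the allocator used before the `return -ENOMEM;` path.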
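
Review bot: `buf_to_free = buf;` in the second hunk has no comment explaining why a second pointer to the same allocation exists, so a later cleanup is likely to fold it back into `buf` and reopen Coverity issue 367477. Add a one-line comment above the assignment that names the Coverity issue and the reason for the alias. The `void *buf_to_free = NULL;` initialiser in the first hunk is worth keeping as is: any path that reaches `end:` before the assignment then calls `free(NULL)`, which is a no-op.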