From 7d24e2a4cd23deae229bdfa594273343a3624613 Mon Sep 17 00:00:00 2001
From: Daniel Verkamp
Date: Thu, 5 Jul 2018 11:23:55 -0700
Subject: [PATCH] env_dpdk: fix mem_map translation for sizes >2MB

Add a check to prevent spdk_mem_map_set_translation() or spdk_mem_map_clear_translation() calls that start within the valid address range but specify a size that would access parts of the mem map outside of the valid region. spdk_mem_map_translate() is safe without any extra checks since it only accesses the first entry regardless of size, and the MASK_256TB check catches out-of-range accesses to that entry.

Change-Id: Ie1437e57b5158363bb98a6b42a26fb41a089bbad
Signed-off-by: Daniel Verkamp
Reviewed-on: https://review.gerrithub.io/418106
Reviewed-by: Ben Walker
Reviewed-by: Jim Harris
Tested-by: SPDK Automated Test System
---
 lib/env_dpdk/memory.c | 4 ++++
 test/env/memory/memory_ut.c | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/lib/env_dpdk/memory.c b/lib/env_dpdk/memory.c
index 8bf2f9817..db0ce9216 100644
--- a/lib/env_dpdk/memory.c
+++ b/lib/env_dpdk/memory.c
@@ -360,6 +360,10 @@ spdk_mem_map_get_map_1gb(struct spdk_mem_map *map, uint64_t vfn_2mb)
 uint64_t idx_256tb = MAP_256TB_IDX(vfn_2mb);
 size_t i;

+ if (spdk_unlikely(idx_256tb >= SPDK_COUNTOF(map->map_256tb.map))) {
+ return NULL;
+ }
+
 map_1gb = map->map_256tb.map[idx_256tb];

 if (!map_1gb) {
diff --git a/test/env/memory/memory_ut.c b/test/env/memory/memory_ut.c
index 2ae12c3c7..d1cf58eec 100644
--- a/test/env/memory/memory_ut.c
+++ b/test/env/memory/memory_ut.c
@@ -193,6 +193,10 @@ test_mem_map_translation(void)
 rc = spdk_mem_map_set_translation(map, 0x1000000000000ULL, VALUE_2MB, 0x5678);
 CU_ASSERT(rc == -EINVAL);

+ /* Attempt to set translation starting at a valid address but exceeding the valid range */
+ rc = spdk_mem_map_set_translation(map, 0xffffffe00000ULL, VALUE_2MB * 2, 0x123123);
+ CU_ASSERT(rc != 0);
+
 spdk_mem_map_free(&map);
 CU_ASSERT(map == NULL);
 }
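Review bot: The added guard in spdk_mem_map_get_map_1gb() stops the out-of-bounds index into `map->map_256tb.map`, but it rejects the request only once the walk reaches the first out-of-range 2MB page. A range that starts valid and runs past the end has therefore presumably already updated its in-range entries before the caller sees the error; the callers are outside this hunk, so please confirm. Validating the whole range in spdk_mem_map_set_translation() and spdk_mem_map_clear_translation() before any entry is touched, including the case where the start address plus the size wraps, would keep the call all-or-nothing and let it return -EINVAL like the other range errors. At minimum the check deserves a comment such as `/* vfn_2mb may lie past the 256TB map when a caller's size extends beyond the valid range */`. The function body starts and ends outside the hunk.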
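Review bot: The new case in test_mem_map_translation() asserts only `rc != 0`, which is looser than the `rc == -EINVAL` check just above it and would pass for any failure, so the test does not pin which error an out-of-range size produces. It also exercises spdk_mem_map_set_translation() alone, although the commit message says spdk_mem_map_clear_translation() is protected too; a matching call, `rc = spdk_mem_map_clear_translation(map, 0xffffffe00000ULL, VALUE_2MB * 2); CU_ASSERT(rc != 0);`, would cover that path. Checking the translation of the in-range page at 0xffffffe00000 after the failed set would additionally show whether a rejected call leaves a partial update behind. The test function starts outside the hunk.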