Juniper Openstack

DPDK vRouter: Memory corruption/incorrect memory usage in big tables

  1. Series trunk
  2. Bug #1678704
Bug #1678704 reported by Anand H. Krishnan
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Juniper Openstack
Status tracked in Trunk
R3.2
Fix Committed
Undecided
Anand H. Krishnan
Juniper Openstack r3.2.3.0
Trunk
Fix Committed
Undecided
Anand H. Krishnan
Juniper Openstack r4.0.0.0-fcs "r4.0.0.0"

Bug Description

In vr_btable_attach, for the btable metadata, we allocate memory only for a pointer, while end up using that memory as a structure. One of the customers found this bug and here is their description:

From the customer:

the bug we mentioned during the meeting involves bad allocation size in vRouter Extension.

On Linux, kernel can allocate more memory than requested (a multiple of page size), so a write past allocated buffer will sometimes not crash. That's why this bug was hidden. However, on Windows, kernel allocates exactly the amount requested (the remaining page space can be used in another allocation).

The bug involves wrong calculation of required allocation size. Vr_btable_attach() function uses sizeof(struct vr_btable *) in the calculation (which is always 8 bytes on 64bit systems), but later uses it like it was the whole struct (not a pointer to it). The struct is larger than 8 bytes. This leads to memory corruption after the allocated block.

The correct solution is to simply use sizeof(struct vr_btable).

Tags: vrouter
Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] master

Review in progress for https://review.opencontrail.org/30045
Submitter: Anand H. Krishnan (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : [Review update] R3.2

Review in progress for https://review.opencontrail.org/30046
Submitter: Anand H. Krishnan (<email address hidden>)

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote : A change has been merged

Reviewed: https://review.opencontrail.org/30045
Committed: http://github.org/Juniper/contrail-vrouter/commit/a5fef9e555ec11f33daf18c1f6e773025ad8ef00
Submitter: Zuul (<email address hidden>)
Branch: master

commit a5fef9e555ec11f33daf18c1f6e773025ad8ef00
Author: Anand H. Krishnan <email address hidden>
Date: Mon Apr 3 10:49:08 2017 +0530

Allocate memory for the btable structure

In vr_btable_attach, for the btable metadata, we allocate memory
only for a pointer, while end up using that memory as a structure.
Hence, allocate memory for the whole structrure rather than for
the pointer to the structure.

Change-Id: Iccf2793a6c3bcac06aed9cfe2011e9364e1f9397
Closes-Bug: #1678704

Revision history for this message
OpenContrail Admin (ci-admin-f) wrote :

Reviewed: https://review.opencontrail.org/30046
Committed: http://github.org/Juniper/contrail-vrouter/commit/300fd131c40540ed60dd90cebc2c275b891f85f3
Submitter: Zuul (<email address hidden>)
Branch: R3.2

commit 300fd131c40540ed60dd90cebc2c275b891f85f3
Author: Anand H. Krishnan <email address hidden>
Date: Mon Apr 3 10:49:08 2017 +0530

Allocate memory for the btable structure

In vr_btable_attach, for the btable metadata, we allocate memory
only for a pointer, while end up using that memory as a structure.
Hence, allocate memory for the whole structrure rather than for
the pointer to the structure.

Change-Id: Iccf2793a6c3bcac06aed9cfe2011e9364e1f9397
Closes-Bug: #1678704

Ashish Ranjan (aranjan-n)
information type: Proprietary → Public
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.