DPDK vRouter: Memory corruption/incorrect memory usage in big tables
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
R3.2 | Fix Committed | Undecided | Anand H. Krishnan |
Trunk | Fix Committed | Undecided | Anand H. Krishnan |
Bug Description
In vr_btable_attach, for the btable metadata, we allocate memory only for a pointer, while we end up using that memory as a structure. One of the customers found this bug and here is their description:
From the customer:
The bug we mentioned during the meeting involves bad allocation size in vRouter Extension.
On Linux, the kernel can allocate more memory than requested (a multiple of page size), so a write past the allocated buffer will sometimes not crash. That's why this bug was hidden. However, on Windows, the kernel allocates exactly the amount requested (the remaining page space can be used in another allocation).
The bug involves wrong calculation of the required allocation size. The vr_btable_attach() function uses sizeof(struct vr_btable *) in the calculation (which is always 8 bytes on 64-bit systems), but later uses it like it was the whole struct (not a pointer to it). The struct is larger than 8 bytes. This leads to memory corruption after the allocated block.
The correct solution is to simply use sizeof(struct vr_btable).
Information type: Proprietary → Public
Review in progress for https://review.opencontrail.org/30045
Submitter: Anand H. Krishnan (<email address hidden>)
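The allocation-size mistake from the bug description, shown as an added example in user-space C; it is not the vRouter code. `struct demo_btable`, its fields, the header-plus-pointer-array layout and all function names are hypothetical stand-ins, and `calloc` replaces the kernel allocator. The buggy and corrected size calculations sit side by side, and the difference between them is how many bytes land past the end of the undersized block.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for the table metadata; NOT the real struct vr_btable. */
struct demo_btable {
    unsigned int   entries;
    unsigned short entry_size;
    unsigned int   partitions;
    void         **mem;        /* points at the pointer array after the header */
};

/* The bug only corrupts memory because the struct is larger than a pointer. */
_Static_assert(sizeof(struct demo_btable) > sizeof(struct demo_btable *),
               "header must be larger than a pointer for this demo");

/* Buggy calculation: the header is sized as a pointer to the struct. */
static size_t meta_size_buggy(unsigned int nparts)
{
    return sizeof(struct demo_btable *) + (size_t)nparts * sizeof(void *);
}

/* Fixed calculation: header sized as the struct; returns 0 on overflow. */
static size_t meta_size_fixed(unsigned int nparts)
{
    if ((size_t)nparts > (SIZE_MAX - sizeof(struct demo_btable)) / sizeof(void *))
        return 0;
    return sizeof(struct demo_btable) + (size_t)nparts * sizeof(void *);
}

/* Bytes that writing header + array would place past the buggy block
 * (valid for any nparts that meta_size_fixed accepts). */
static size_t overrun_bytes(unsigned int nparts)
{
    return meta_size_fixed(nparts) - meta_size_buggy(nparts);
}

/* Allocate and initialise the metadata using the corrected size. */
static struct demo_btable *demo_attach(unsigned int nparts, unsigned short esize)
{
    size_t sz = meta_size_fixed(nparts);
    struct demo_btable *t = sz ? calloc(1, sz) : NULL;
    if (!t)
        return NULL;
    t->entry_size = esize;
    t->partitions = nparts;
    t->mem = (void **)(t + 1);   /* array starts right after the full header */
    return t;
}
```

Building a test binary with AddressSanitizer (`-fsanitize=address`) catches this class of write even when the allocator's own rounding would otherwise hide it.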