util/bufpool: Check against accessing outside of buffers

Sean Hefty · Sean Hefty · commit 9b4c2672dc61 · 2021-02-19T10:37:20.000-08:00
Add magic values to verify that users do not access buffers
outside of the exposed areas.

Signed-off-by: Sean Hefty &lt;sean.hefty@intel.com&gt;
diff --git a/include/ofi_mem.h b/include/ofi_mem.h
@@ -333,13 +333,20 @@ struct ofi_bufpool_region {
 	OFI_DBG_VAR(size_t,		use_cnt)
 };
 
+struct ofi_bufpool_ftr {
+	size_t				magic;
+};
+
 struct ofi_bufpool_hdr {
 	union {
 		struct slist_entry	slist;
 		struct dlist_entry	dlist;
 	} entry;
 	struct ofi_bufpool_region	*region;
 	size_t 				index;
+
+	OFI_DBG_VAR(struct ofi_bufpool_ftr *, ftr)
+	OFI_DBG_VAR(size_t,		magic)
 };
 
 int ofi_bufpool_create_attr(struct ofi_bufpool_attr *attr,
@@ -391,6 +398,9 @@ static inline void ofi_buf_free(void *buf)
 {
 	assert(ofi_buf_region(buf)->use_cnt--);
 	assert(!(ofi_buf_pool(buf)->attr.flags & OFI_BUFPOOL_INDEXED));
+	assert(ofi_buf_hdr(buf)->magic == OFI_MAGIC_SIZE_T);
+	assert(ofi_buf_hdr(buf)->ftr->magic == OFI_MAGIC_SIZE_T);
+
 	slist_insert_head(&ofi_buf_hdr(buf)->entry.slist,
 			  &ofi_buf_pool(buf)->free_list.entries);
 }
@@ -402,13 +412,15 @@ static inline void ofi_ibuf_free(void *buf)
 {
 	struct ofi_bufpool_hdr *buf_hdr;
 
-	assert(ofi_buf_pool(buf)->attr.flags & OFI_BUFPOOL_INDEXED);
-	assert(ofi_buf_region(buf)->use_cnt--);
 	buf_hdr = ofi_buf_hdr(buf);
 
+	assert(ofi_buf_region(buf)->use_cnt--);
+	assert(ofi_buf_pool(buf)->attr.flags & OFI_BUFPOOL_INDEXED);
+	assert(buf_hdr->magic == OFI_MAGIC_SIZE_T);
+	assert(buf_hdr->ftr->magic == OFI_MAGIC_SIZE_T);
+
 	dlist_insert_order(&buf_hdr->region->free_list,
 			   ofi_ibuf_is_lower, &buf_hdr->entry.dlist);
-
 	if (dlist_empty(&buf_hdr->region->entry)) {
 		dlist_insert_order(&buf_hdr->region->pool->free_list.regions,
 				   ofi_ibufpool_region_is_lower,
diff --git a/prov/util/src/util_buf.c b/prov/util/src/util_buf.c
@@ -114,6 +114,12 @@ int ofi_bufpool_grow(struct ofi_bufpool *pool)
 		buf_hdr = ofi_buf_hdr(buf);
 		buf_hdr->region = buf_region;
 		buf_hdr->index = pool->entry_cnt + i;
+		OFI_DBG_SET(buf_hdr->magic, OFI_MAGIC_SIZE_T);
+		OFI_DBG_SET(buf_hdr->ftr,
+			    (struct ofi_bufpool_ftr *) ((char *) buf +
+			    pool->entry_size - sizeof(struct ofi_bufpool_ftr)));
+		OFI_DBG_SET(buf_hdr->ftr->magic, OFI_MAGIC_SIZE_T);
+
 		if (pool->attr.init_fn) {
 			OFI_DBG_SET(buf_hdr->entry.dlist.next, OFI_MAGIC_PTR);
 			OFI_DBG_SET(buf_hdr->entry.dlist.prev, OFI_MAGIC_PTR);
@@ -163,6 +169,7 @@ int ofi_bufpool_create_attr(struct ofi_bufpool_attr *attr,
 	pool->attr = *attr;
 
 	entry_sz = (attr->size + sizeof(struct ofi_bufpool_hdr));
+	OFI_DBG_ADD(entry_sz, sizeof(struct ofi_bufpool_ftr));
 	pool->entry_size = ofi_get_aligned_size(entry_sz, attr->alignment);
 
 	if (!attr->chunk_cnt) {
