Merge pull request #748 from arutk/fas

fix potential out of bound access in req->alock_status manipulation

src/ocf_request.c

@@ -1,5 +1,5 @@
 /*
- * Copyright(c) 2012-2021 Intel Corporation
+ * Copyright(c) 2012-2022 Intel Corporation
  * SPDX-License-Identifier: BSD-3-Clause
  */
 
@@ -43,19 +43,29 @@ static inline size_t ocf_req_sizeof_map(struct ocf_request *req)
 	return size;
 }
 
-static inline size_t ocf_req_sizeof_alock_status(struct ocf_request *req)
+static inline size_t ocf_req_sizeof_alock_status(uint32_t lines)
 {
-	uint32_t lines = req->core_line_count;
-	size_t size = (lines * sizeof(uint8_t));
+	uint32_t size;
 
 	ENV_BUG_ON(lines == 0);
-	return size;
+
+	/* 1 bit per cacheline */
+	size = OCF_DIV_ROUND_UP(lines, 8);
+
+	/* round up to 8B to avoid out of boundary access in bit operations
+	 * on alock status */
+	return OCF_DIV_ROUND_UP(size, sizeof(long)) * sizeof(long);
 }
 
 int ocf_req_allocator_init(struct ocf_ctx *ocf_ctx)
 {
-	ocf_ctx->resources.req = env_mpool_create(sizeof(struct ocf_request),
-		sizeof(struct ocf_map_info) + sizeof(uint8_t), ENV_MEM_NORMAL, ocf_req_size_128,
+	enum ocf_req_size max_req_size = ocf_req_size_128;
+	size_t alock_status_size = ocf_req_sizeof_alock_status(
+			(1U << (unsigned)max_req_size));
+	size_t header_size = sizeof(struct ocf_request) + alock_status_size;
+
+	ocf_ctx->resources.req = env_mpool_create(header_size,
+		sizeof(struct ocf_map_info), ENV_MEM_NORMAL, max_req_size,
 		false, NULL, "ocf_req", true);
 
 	if (ocf_ctx->resources.req == NULL)
@@ -142,7 +152,8 @@ int ocf_req_alloc_map(struct ocf_request *req)
 		return 0;
 
 	req->map = env_zalloc(ocf_req_sizeof_map(req) +
-			ocf_req_sizeof_alock_status(req), ENV_MEM_NOIO);
+			ocf_req_sizeof_alock_status(req->core_line_count),
+			ENV_MEM_NOIO);
 	if (!req->map) {
 		req->error = -OCF_ERR_NO_MEM;
 		return -OCF_ERR_NO_MEM;