Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/88262/?format=api
{ "id": 88262, "url": "http://patchwork.dpdk.org/api/patches/88262/?format=api", "web_url": "http://patchwork.dpdk.org/project/dpdk/patch/20210226073321.66996-1-yong.liu@intel.com/", "project": { "id": 1, "url": "http://patchwork.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20210226073321.66996-1-yong.liu@intel.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20210226073321.66996-1-yong.liu@intel.com", "date": "2021-02-26T07:33:21", "name": "vhost: fix potential buffer overflow", "commit_ref": null, "pull_url": null, "state": "superseded", "archived": true, "hash": "632a0735f347960deb452f3b79be0abcbdee7095", "submitter": { "id": 17, "url": "http://patchwork.dpdk.org/api/people/17/?format=api", "name": "Marvin Liu", "email": "yong.liu@intel.com" }, "delegate": { "id": 2642, "url": "http://patchwork.dpdk.org/api/users/2642/?format=api", "username": "mcoquelin", "first_name": "Maxime", "last_name": "Coquelin", "email": "maxime.coquelin@redhat.com" }, "mbox": "http://patchwork.dpdk.org/project/dpdk/patch/20210226073321.66996-1-yong.liu@intel.com/mbox/", "series": [ { "id": 15393, "url": "http://patchwork.dpdk.org/api/series/15393/?format=api", "web_url": "http://patchwork.dpdk.org/project/dpdk/list/?series=15393", "date": "2021-02-26T07:33:21", "name": "vhost: fix potential buffer overflow", "version": 1, "mbox": "http://patchwork.dpdk.org/series/15393/mbox/" } ], "comments": "http://patchwork.dpdk.org/api/patches/88262/comments/", "check": "fail", "checks": "http://patchwork.dpdk.org/api/patches/88262/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id E541BA034F;\n\tFri, 26 Feb 2021 08:33:49 +0100 (CET)", "from [217.70.189.124] (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id 68525407FF;\n\tFri, 26 Feb 2021 08:33:49 +0100 (CET)", "from mga09.intel.com (mga09.intel.com [134.134.136.24])\n by mails.dpdk.org (Postfix) with ESMTP id 472F340692;\n Fri, 26 Feb 2021 08:33:47 +0100 (CET)", "from orsmga008.jf.intel.com ([10.7.209.65])\n by orsmga102.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 25 Feb 2021 23:33:45 -0800", "from npg-dpdk-virtual-marvin-dev.sh.intel.com ([10.67.119.108])\n by orsmga008.jf.intel.com with ESMTP; 25 Feb 2021 23:33:42 -0800" ], "IronPort-SDR": [ "\n oZMeKnnwgkc+GSfJhoNwcmf8ln6Y46LbO/vsG5l6Zle3s3A61BspykIzo19//0uRu+ubOtDpVZ\n 4tseHUY/fV4w==", "\n icxluKGVSpIh7NxGl1FD/uLH3opnXFa8VUL4dNEy7u3q5GAoNVWEsofrs3H3ItRx5xDNjQtbjo\n 5Mb048Dlt8UA==" ], "X-IronPort-AV": [ "E=McAfee;i=\"6000,8403,9906\"; a=\"185927902\"", "E=Sophos;i=\"5.81,207,1610438400\"; d=\"scan'208\";a=\"185927902\"", "E=Sophos;i=\"5.81,207,1610438400\"; d=\"scan'208\";a=\"404792256\"" ], "X-ExtLoop1": "1", "From": "Marvin Liu <yong.liu@intel.com>", "To": "maxime.coquelin@redhat.com,\n\tchenbo.xia@intel.com", "Cc": "dev@dpdk.org,\n\tMarvin Liu <yong.liu@intel.com>,\n\tstable@dpdk.org", "Date": "Fri, 26 Feb 2021 15:33:21 +0800", "Message-Id": "<20210226073321.66996-1-yong.liu@intel.com>", "X-Mailer": "git-send-email 2.17.1", "Subject": "[dpdk-dev] [PATCH] vhost: fix potential buffer overflow", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "In vhost datapath, descriptor's length are mostly used in two coherent\noperations. First step is used for address translation, second step is\nused for memory transaction from guest to host. But the iterval between\ntwo steps will give a window for malicious guest, in which can change\ndescriptor length after vhost calcuated buffer size. Thus may lead to\nbuffer overflow in vhost side. This potential risk can be eliminated by\naccessing the descriptor length once.\n\nFixes: 1be4ebb1c464 (\"vhost: support indirect descriptor in mergeable Rx\")\nFixes: 2f3225a7d69b (\"vhost: add vector filling support for packed ring\")\nFixes: 75ed51697820 (\"vhost: add packed ring batch dequeue\")\n\nSigned-off-by: Marvin Liu <yong.liu@intel.com>\nCc: stable@dpdk.org", "diff": "diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c\nindex 583bf379c6..0a7d008a91 100644\n--- a/lib/librte_vhost/virtio_net.c\n+++ b/lib/librte_vhost/virtio_net.c\n@@ -548,10 +548,11 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,\n \t\t\treturn -1;\n \t\t}\n \n-\t\tlen += descs[idx].len;\n+\t\tdlen = descs[idx].len;\n+\t\tlen += dlen;\n \n \t\tif (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id,\n-\t\t\t\t\t\tdescs[idx].addr, descs[idx].len,\n+\t\t\t\t\t\tdescs[idx].addr, dlen,\n \t\t\t\t\t\tperm))) {\n \t\t\tfree_ind_table(idesc);\n \t\t\treturn -1;\n@@ -668,9 +669,10 @@ fill_vec_buf_packed_indirect(struct virtio_net *dev,\n \t\t\treturn -1;\n \t\t}\n \n-\t\t*len += descs[i].len;\n+\t\tdlen = descs[i].len;\n+\t\t*len += dlen;\n \t\tif (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id,\n-\t\t\t\t\t\tdescs[i].addr, descs[i].len,\n+\t\t\t\t\t\tdescs[i].addr, dlen,\n \t\t\t\t\t\tperm)))\n \t\t\treturn -1;\n \t}\n@@ -691,6 +693,7 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,\n \tbool wrap_counter = vq->avail_wrap_counter;\n \tstruct vring_packed_desc *descs = vq->desc_packed;\n \tuint16_t vec_id = *vec_idx;\n+\tuint64_t dlen;\n \n \tif (avail_idx < vq->last_avail_idx)\n \t\twrap_counter ^= 1;\n@@ -723,11 +726,12 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,\n \t\t\t\t\t\t\tlen, perm) < 0))\n \t\t\t\treturn -1;\n \t\t} else {\n-\t\t\t*len += descs[avail_idx].len;\n+\t\t\tdlen = descs[avail_idx].len;\n+\t\t\t*len += dlen;\n \n \t\t\tif (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id,\n \t\t\t\t\t\t\tdescs[avail_idx].addr,\n-\t\t\t\t\t\t\tdescs[avail_idx].len,\n+\t\t\t\t\t\t\tdlen,\n \t\t\t\t\t\t\tperm)))\n \t\t\t\treturn -1;\n \t\t}\n@@ -2314,7 +2318,7 @@ vhost_reserve_avail_batch_packed(struct virtio_net *dev,\n \t}\n \n \tvhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {\n-\t\tpkts[i]->pkt_len = descs[avail_idx + i].len - buf_offset;\n+\t\tpkts[i]->pkt_len = lens[i] - buf_offset;\n \t\tpkts[i]->data_len = pkts[i]->pkt_len;\n \t\tids[i] = descs[avail_idx + i].id;\n \t}\n", "prefixes": [] }