[v3,2/2] vhost: improve error handling in desc_to_mbuf
Commit Message
Check that vec_idx is still valid after incrementing it
in the (buf_len < dev->vhost_hlen) case too.
Tested-by: Claudio Fontana <cfontana@suse.de>
Signed-off-by: Claudio Fontana <cfontana@suse.de>
---
lib/vhost/virtio_net.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
Comments
On 8/2/22 02:49, Claudio Fontana wrote:
> check when increasing vec_idx that it is still valid
> in the (buf_len < dev->vhost_hlen) case too.
>
> Tested-by: Claudio Fontana <cfontana@suse.de>
> Signed-off-by: Claudio Fontana <cfontana@suse.de>
> ---
> lib/vhost/virtio_net.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
> index eb19e54c2b..20ed951979 100644
> --- a/lib/vhost/virtio_net.c
> +++ b/lib/vhost/virtio_net.c
> @@ -2704,12 +2704,15 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
> if (unlikely(buf_len < dev->vhost_hlen)) {
> buf_offset = dev->vhost_hlen - buf_len;
> vec_idx++;
> + if (unlikely(vec_idx >= nr_vec))
> + goto error;
> buf_addr = buf_vec[vec_idx].buf_addr;
> buf_iova = buf_vec[vec_idx].buf_iova;
> buf_len = buf_vec[vec_idx].buf_len;
> buf_avail = buf_len - buf_offset;
> } else if (buf_len == dev->vhost_hlen) {
> - if (unlikely(++vec_idx >= nr_vec))
> + vec_idx++;
> + if (unlikely(vec_idx >= nr_vec))
> goto error;
> buf_addr = buf_vec[vec_idx].buf_addr;
> buf_iova = buf_vec[vec_idx].buf_iova;
This patch is no longer required, since the fixes for CVE-2022-2132 take care
of this:
dc1516e260a0 ("vhost: fix header spanned across more than two descriptors")
71bd0cc536ad ("vhost: discard too small descriptor chains")
Maxime
@@ -2704,12 +2704,15 @@ desc_to_mbuf(struct virtio_net *dev, struct vhost_virtqueue *vq,
if (unlikely(buf_len < dev->vhost_hlen)) {
buf_offset = dev->vhost_hlen - buf_len;
vec_idx++;
+ if (unlikely(vec_idx >= nr_vec))
+ goto error;
buf_addr = buf_vec[vec_idx].buf_addr;
buf_iova = buf_vec[vec_idx].buf_iova;
buf_len = buf_vec[vec_idx].buf_len;
buf_avail = buf_len - buf_offset;
} else if (buf_len == dev->vhost_hlen) {
- if (unlikely(++vec_idx >= nr_vec))
+ vec_idx++;
+ if (unlikely(vec_idx >= nr_vec))
goto error;
buf_addr = buf_vec[vec_idx].buf_addr;
buf_iova = buf_vec[vec_idx].buf_iova;
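Review bot: In the `buf_len < dev->vhost_hlen` branch the new bound on `vec_idx` does not cover the length of the entry that is read next: `buf_avail = buf_len - buf_offset` wraps when the second entry is shorter than the remaining header bytes held in `buf_offset` (both are presumably unsigned; their declarations are outside the hunk). If these lengths come from guest-supplied descriptors, as is usual for vhost, a wrapped `buf_avail` would hand a wrong size to whatever consumes it later. A guard after the reload, `if (unlikely(buf_len < buf_offset)) goto error;`, would reject such chains, whereas a loop that keeps advancing `vec_idx` with the same bound check would accept headers spread over more entries. desc_to_mbuf starts and ends outside this hunk, so the later use of `buf_avail` is inferred rather than visible here.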