From patchwork Thu Mar 10 12:50:58 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Marchand X-Patchwork-Id: 108653 X-Patchwork-Delegate: david.marchand@redhat.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 87E89A0093; Thu, 10 Mar 2022 13:51:28 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 6E27341140; Thu, 10 Mar 2022 13:51:28 +0100 (CET) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mails.dpdk.org (Postfix) with ESMTP id 5A47E4113E for ; Thu, 10 Mar 2022 13:51:26 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1646916684; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=BCDNS/DAGwK1zr0sayws/wKL4sEyhDzzUd0qtOd0fwM=; b=XqJYJOIBr02d9GKt2snT0H98ZbpqaX1em2S8UAMOLRwjGOYzR4jjdaOdGHcA5vB767Uk4W f9W+UskD6Po2f5abN1HfO4AyqeF86XH/1/v9VbwxhueIgv7gBNgvn+NGUI20LPNNwoAgqS EVYOeugjujJwF/eBc2SomMJ952z4c7E= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-641-0KV_8G0uMQaNeYASKV1zAA-1; Thu, 10 Mar 2022 07:51:19 -0500 X-MC-Unique: 0KV_8G0uMQaNeYASKV1zAA-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A8C5B1006AA7; Thu, 10 Mar 2022 12:51:18 +0000 (UTC) Received: from dmarchan.remote.csb (unknown [10.40.194.78]) by smtp.corp.redhat.com (Postfix) with ESMTP id 2FBE16C950; Thu, 10 Mar 2022 12:51:03 +0000 (UTC) From: David Marchand To: dev@dpdk.org Cc: maxime.coquelin@redhat.com, chenbo.xia@intel.com, stable@dpdk.org, Wenxiang Qian Subject: [PATCH 1/2] vhost: fix queue number check when setting inflight FD Date: Thu, 10 Mar 2022 13:50:58 +0100 Message-Id: <20220310125059.30562-1-david.marchand@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=david.marchand@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org From: Chenbo Xia In function vhost_user_set_inflight_fd, queue number in inflight message is used to access virtqueue. However, queue number could be larger than VHOST_MAX_VRING and cause write OOB as this number will be used to write inflight info in virtqueue structure. This patch checks the queue number to avoid the issue and also make sure virtqueues are allocated before setting inflight information. Fixes: ad0a4ae491fe ("vhost: checkout resubmit inflight information") Cc: stable@dpdk.org Reported-by: Wenxiang Qian Signed-off-by: Chenbo Xia Reviewed-by: Maxime Coquelin --- lib/vhost/vhost_user.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c index 589b950458..1ec4357bee 100644 --- a/lib/vhost/vhost_user.c +++ b/lib/vhost/vhost_user.c @@ -2883,6 +2883,9 @@ vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev, case VHOST_USER_SET_VRING_ADDR: vring_idx = ctx->msg.payload.addr.index; break; + case VHOST_USER_SET_INFLIGHT_FD: + vring_idx = ctx->msg.payload.inflight.num_queues - 1; + break; default: return 0; } From patchwork Thu Mar 10 12:50:59 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Marchand X-Patchwork-Id: 108654 X-Patchwork-Delegate: david.marchand@redhat.com Return-Path: X-Original-To: patchwork@inbox.dpdk.org Delivered-To: patchwork@inbox.dpdk.org Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 5F68EA0093; Thu, 10 Mar 2022 13:51:35 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 50FEA4113F; Thu, 10 Mar 2022 13:51:35 +0100 (CET) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mails.dpdk.org (Postfix) with ESMTP id A92304113E for ; Thu, 10 Mar 2022 13:51:33 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1646916693; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=+AbTWccbBgtnoEFvaE4VYjmLm6zkru9AcdEv7n/VRq8=; b=ZlB7Uxm6bH50jaRkMrwqidRcyzKgajlJrKazDq5tYD6KSmjLDY078Q2s3kHAcUnAUOfdQJ zMxniPdyEgiALY/A3xc3JNb+R4U5L4NSIVnCo2hOBPkbmtsspQkMOj0SijQrkmYvZtxSNI 9OzXgIpmyQMFEiz3sBUPnrS9oSV8BgQ= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-651-mxwuGv_FPKmoKRXul5N2yg-1; Thu, 10 Mar 2022 07:51:30 -0500 X-MC-Unique: mxwuGv_FPKmoKRXul5N2yg-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 251ED800D55; Thu, 10 Mar 2022 12:51:29 +0000 (UTC) Received: from dmarchan.remote.csb (unknown [10.40.194.78]) by smtp.corp.redhat.com (Postfix) with ESMTP id EB0246C950; Thu, 10 Mar 2022 12:51:21 +0000 (UTC) From: David Marchand To: dev@dpdk.org Cc: maxime.coquelin@redhat.com, chenbo.xia@intel.com, stable@dpdk.org Subject: [PATCH 2/2] vhost: fix FD leak with inflight messages Date: Thu, 10 Mar 2022 13:50:59 +0100 Message-Id: <20220310125059.30562-2-david.marchand@redhat.com> In-Reply-To: <20220310125059.30562-1-david.marchand@redhat.com> References: <20220310125059.30562-1-david.marchand@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=david.marchand@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Even if unlikely, a buggy vhost-user master might attach fds to inflight messages. Add checks like for other types of vhost-user messages. Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing") Cc: stable@dpdk.org Signed-off-by: David Marchand Reviewed-by: Maxime Coquelin --- lib/vhost/vhost_user.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c index 1ec4357bee..1d390677fa 100644 --- a/lib/vhost/vhost_user.c +++ b/lib/vhost/vhost_user.c @@ -1602,6 +1602,9 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev, int numa_node = SOCKET_ID_ANY; void *addr; + if (validate_msg_fds(dev, ctx, 0) != 0) + return RTE_VHOST_MSG_RESULT_ERR; + if (ctx->msg.size != sizeof(ctx->msg.payload.inflight)) { VHOST_LOG_CONFIG(ERR, "(%s) invalid get_inflight_fd message size is %d\n", dev->ifname, ctx->msg.size); @@ -1699,6 +1702,9 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, int fd, i; int numa_node = SOCKET_ID_ANY; + if (validate_msg_fds(dev, ctx, 1) != 0) + return RTE_VHOST_MSG_RESULT_ERR; + fd = ctx->fds[0]; if (ctx->msg.size != sizeof(ctx->msg.payload.inflight) || fd < 0) { VHOST_LOG_CONFIG(ERR, "(%s) invalid set_inflight_fd message size is %d,fd is %d\n",