From patchwork Mon May 18 13:16:59 2020
X-Patchwork-Submitter: Ferruh Yigit
X-Patchwork-Id: 70382
X-Patchwork-Delegate: david.marchand@redhat.com
From: Ferruh Yigit
To: dev@dpdk.org
Cc: Ferruh Yigit , Maxime Coquelin , stable@dpdk.org, Ilja Van Sprundel , Xiaolong Ye
Date: Mon, 18 May 2020 14:16:59 +0100
Message-Id: <20200518131704.715877-2-ferruh.yigit@intel.com>
In-Reply-To: <20200518131704.715877-1-ferruh.yigit@intel.com>
Subject: [dpdk-dev] [PATCH 1/6] vhost: check log mmap offset and size overflow

From: Maxime Coquelin

vhost_user_set_log_base() is a message handler that is called to handle the VHOST_USER_SET_LOG_BASE message. Its payload contains a 64 bit size and offset. Both are added up and used as a size when calling mmap().

There is no integer overflow check. If an integer overflow occurs a smaller memory map would be created than requested. Since the returned mapping is mapped as writable and used for logging, a memory corruption could occur.

CVE-2020-10722
Fixes: fbc4d248b198 ("vhost: fix offset while mmaping log base address")
Cc: stable@dpdk.org

Reported-by: Ilja Van Sprundel
Signed-off-by: Maxime Coquelin
Reviewed-by: Xiaolong Ye
Reviewed-by: Ilja Van Sprundel
---
 lib/librte_vhost/vhost_user.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index bd1be01040..1eea371fc8 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -2059,10 +2059,10 @@ vhost_user_set_log_base(struct virtio_net **pdev, struct VhostUserMsg *msg, size = msg->payload.log.mmap_size; off = msg->payload.log.mmap_offset; - /* Don't allow mmap_offset to point outside the mmap region */ - if (off > size) { + /* Check for mmap size and offset overflow. */ + if (off >= -size) { VHOST_LOG_CONFIG(ERR, - "log offset %#"PRIx64" exceeds log size %#"PRIx64"\n", + "log offset %#"PRIx64" and log size %#"PRIx64" overflow\n", off, size); return RTE_VHOST_MSG_RESULT_ERR; }

From patchwork Mon May 18 13:17:00 2020
X-Patchwork-Submitter: Ferruh Yigit
X-Patchwork-Id: 70383
X-Patchwork-Delegate: david.marchand@redhat.com
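Review bot: the `if (off >= -size)` test in the [PATCH 1/6] hunk is correct only because both operands are unsigned 64-bit (the PRIx64 specifiers indicate they are): `-size` wraps to 2^64 - size, so the condition holds exactly when off + size does not fit in 64 bits, and also when size == 0 (since -0 == 0 and off >= 0 always holds). The replaced comment should say so, e.g. `/* Reject if off + size would wrap (or size is 0); relies on uint64_t arithmetic */`, because `off >= -size` on unsigned values is easy to misread as a sign bug and easy for a later cleanup to "fix". Dropping the old `off > size` guard is fine given that, per the commit message, the length handed to mmap() is off + size, but the new log line prints both values without saying which condition failed; naming the size == 0 case separately would help whoever debugs a rejected VHOST_USER_SET_LOG_BASE.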
From: Ferruh Yigit
To: dev@dpdk.org
Cc: Ferruh Yigit , Maxime Coquelin , stable@dpdk.org, Ilja Van Sprundel , Xiaolong Ye
Date: Mon, 18 May 2020 14:17:00 +0100
Message-Id: <20200518131704.715877-3-ferruh.yigit@intel.com>
In-Reply-To: <20200518131704.715877-1-ferruh.yigit@intel.com>
Subject: [dpdk-dev] [PATCH 2/6] vhost: fix vring index check

From: Maxime Coquelin

vhost_user_check_and_alloc_queue_pair() is used to extract a vring index from a payload. This function validates the index and is called early on when performing message handling. Most message handlers depend on it correctly validating the vring index.

Depending on the message type the vring index is in different parts of the payload. The function contains a switch/case for each type and copies the index. This is stored in a uint16. This index is then validated. Depending on the message, the source index is an unsigned int. If integer truncation occurs (uint->uint16) the top 16 bits of the index are never validated.

When they are used later on (e.g. in vhost_user_set_vring_num() or vhost_user_set_vring_addr()) it can lead to out of bound indexing. The out of bound indexed data gets written to, and hence this can cause memory corruption.

This patch fixes this vulnerability by declaring the vring index as an unsigned int in vhost_user_check_and_alloc_queue_pair().

CVE-2020-10723
Fixes: 160cbc815b41 ("vhost: remove a hack on queue allocation")
Cc: stable@dpdk.org

Reported-by: Ilja Van Sprundel
Signed-off-by: Maxime Coquelin
Reviewed-by: Xiaolong Ye
Reviewed-by: Ilja Van Sprundel
---
 lib/librte_vhost/vhost_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index 1eea371fc8..e51a8a6b77 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -2526,7 +2526,7 @@ static int vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev, struct VhostUserMsg *msg) { - uint16_t vring_idx; + uint32_t vring_idx; switch (msg->request.master) { case VHOST_USER_SET_VRING_KICK:

From patchwork Mon May 18 13:17:01 2020
X-Patchwork-Submitter: Ferruh Yigit
X-Patchwork-Id: 70384
X-Patchwork-Delegate: david.marchand@redhat.com
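Review bot: widening `vring_idx` to uint32_t in the [PATCH 2/6] hunk closes the truncation only if the bound check that follows the switch in vhost_user_check_and_alloc_queue_pair() (outside this hunk's context) compares the full value and no caller narrows it again; please confirm that the `vring_idx >= ...` test below the switch still operates on the uint32_t and that handlers such as vhost_user_set_vring_num() use the validated index rather than re-reading and re-narrowing the payload field. A one-line comment on the declaration, e.g. `/* Must match the payload field width (CVE-2020-10723) */`, would keep the next cleanup from shrinking it back to uint16_t.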
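The two integer-arithmetic mistakes fixed by [PATCH 1/6] and [PATCH 2/6], reduced to stand-alone functions with the pre-fix and post-fix variants side by side, as an added example. This is editor-written code, not DPDK's: the function names, the VRING_MAX bound (DPDK's real limit is VHOST_MAX_VRING) and the sample payload values are assumptions chosen to hit the edge cases the commit messages describe.

```c
/*
 * Added example, not DPDK code: the two checks fixed by [PATCH 1/6] and
 * [PATCH 2/6] as stand-alone functions, pre-fix and post-fix variants
 * side by side. VRING_MAX and all sample inputs are assumed values.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed table size; DPDK's real bound is VHOST_MAX_VRING. */
#define VRING_MAX 256u
/* Sentinel returned by the index helpers when the message is rejected. */
#define INDEX_REJECTED UINT32_MAX

/* PATCH 1/6, before: rejects off > size but not off + size wrapping. */
static bool log_region_rejected_old(uint64_t off, uint64_t size)
{
	return off > size;
}

/*
 * PATCH 1/6, after: in uint64_t arithmetic -size == 2^64 - size, so
 * off >= -size holds exactly when off + size does not fit in 64 bits.
 * size == 0 is rejected as a side effect (-0 == 0, and off >= 0 always).
 * Both operands must be the same unsigned 64-bit type for this to work.
 */
static bool log_region_rejected_new(uint64_t off, uint64_t size)
{
	return off >= -size;
}

/* The length the handler passes to mmap(); this is the value that wraps. */
static uint64_t log_mmap_len(uint64_t off, uint64_t size)
{
	return off + size;
}

/*
 * PATCH 2/6, before: the 32-bit payload index is narrowed to uint16_t
 * before the bound check, so the upper 16 bits are never compared.
 * Returns the index a later handler would use (it re-reads the full
 * payload field), or INDEX_REJECTED.
 */
static uint32_t vring_index_old(uint32_t payload_index)
{
	uint16_t vring_idx = (uint16_t)payload_index;   /* truncation */

	if (vring_idx >= VRING_MAX)
		return INDEX_REJECTED;
	return payload_index;
}

/* PATCH 2/6, after: same width as the payload field, nothing is lost. */
static uint32_t vring_index_new(uint32_t payload_index)
{
	uint32_t vring_idx = payload_index;

	if (vring_idx >= VRING_MAX)
		return INDEX_REJECTED;
	return vring_idx;
}

int main(void)
{
	/* Constructed VHOST_USER_SET_LOG_BASE payload: off <= size, so the
	 * old check passes, yet off + size wraps to 4096. */
	uint64_t off = 0x8000000000000000ULL, size = 0x8000000000001000ULL;

	printf("log base: old check rejects=%d new check rejects=%d mmap len=%llu\n",
	       log_region_rejected_old(off, size), log_region_rejected_new(off, size),
	       (unsigned long long)log_mmap_len(off, size));

	/* Constructed vring index: low 16 bits are 2, full value is 65538. */
	uint32_t evil = 0x00010002u;

	printf("vring index: old check yields %u, new check yields %s\n",
	       vring_index_old(evil),
	       vring_index_new(evil) == INDEX_REJECTED ? "rejected" : "accepted");
	return 0;
}
```

Build with `cc -Wall -o checks checks.c && ./checks`. The first line shows the old guard accepting a request whose mmap() length has wrapped to 4096 while the guest-supplied size is over 2^63; the second shows the narrowed index passing the bound check as 2 while the handler would index with 65538.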
From: Ferruh Yigit
To: dev@dpdk.org
Cc: Ferruh Yigit , Maxime Coquelin , stable@dpdk.org, Ilja Van Sprundel , Xiaolong Ye
Date: Mon, 18 May 2020 14:17:01 +0100
Message-Id: <20200518131704.715877-4-ferruh.yigit@intel.com>
In-Reply-To: <20200518131704.715877-1-ferruh.yigit@intel.com>
Subject: [dpdk-dev] [PATCH 3/6] vhost/crypto: validate keys lengths

From: Maxime Coquelin

transform_cipher_param() and transform_chain_param() handle the payload data for the VHOST_USER_CRYPTO_CREATE_SESS message. These payloads have to be validated, since they could come from untrusted sources.

Two buffers and their lengths are defined in this payload, one for the auth key and one for the cipher key. But the above functions do not validate the key length inputs, which could lead to read out of bounds, as buffers have static sizes of 64 bytes for the cipher key and 512 bytes for the auth key.

This patch adds necessary checks on the key length field before being used.

CVE-2020-10724
Fixes: e80a98708166 ("vhost/crypto: add session message handler")
Cc: stable@dpdk.org

Reported-by: Ilja Van Sprundel
Signed-off-by: Maxime Coquelin
Reviewed-by: Xiaolong Ye
Reviewed-by: Ilja Van Sprundel
---
 lib/librte_vhost/vhost_crypto.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/lib/librte_vhost/vhost_crypto.c b/lib/librte_vhost/vhost_crypto.c
index 2e52ecae87..0f9df4059d 100644
--- a/lib/librte_vhost/vhost_crypto.c
+++ b/lib/librte_vhost/vhost_crypto.c
@@ -238,6 +238,11 @@ transform_cipher_param(struct rte_crypto_sym_xform *xform, if (unlikely(ret < 0)) return ret; + if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) { + VC_LOG_DBG("Invalid cipher key length\n"); + return -VIRTIO_CRYPTO_BADMSG; + } + xform->type = RTE_CRYPTO_SYM_XFORM_CIPHER; xform->cipher.key.length = param->cipher_key_len; if (xform->cipher.key.length > 0) @@ -288,6 +293,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms, &xform_cipher->cipher.algo); if (unlikely(ret < 0)) return ret; + + if (param->cipher_key_len > VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH) { + VC_LOG_DBG("Invalid cipher key length\n"); + return -VIRTIO_CRYPTO_BADMSG; + } + xform_cipher->type = RTE_CRYPTO_SYM_XFORM_CIPHER; xform_cipher->cipher.key.length = param->cipher_key_len; xform_cipher->cipher.key.data = param->cipher_key_buf; 
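Review bot: both cipher-key checks in these two hunks use `>`, so a length equal to VHOST_USER_CRYPTO_MAX_CIPHER_KEY_LENGTH is accepted; that is right if the macro equals the 64-byte buffer size the commit message describes, but it deserves a comment since the same five lines are repeated verbatim in transform_cipher_param() and transform_chain_param(), and a shared static helper would keep the two from drifting. The rejection is logged with VC_LOG_DBG only; a guest sending an oversized key in VHOST_USER_CRYPTO_CREATE_SESS is exactly the event an operator wants to see, so a higher log level than debug would be appropriate.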
@@ -302,6 +313,12 @@ transform_chain_param(struct rte_crypto_sym_xform *xforms, ret = auth_algo_transform(param->hash_algo, &xform_auth->auth.algo); if (unlikely(ret < 0)) return ret; + + if (param->auth_key_len > VHOST_USER_CRYPTO_MAX_HMAC_KEY_LENGTH) { + VC_LOG_DBG("Invalid auth key length\n"); + return -VIRTIO_CRYPTO_BADMSG; + } + xform_auth->auth.digest_length = param->digest_len; xform_auth->auth.key.length = param->auth_key_len; xform_auth->auth.key.data = param->auth_key_buf;

From patchwork Mon May 18 13:17:02 2020
X-Patchwork-Submitter: Ferruh Yigit
X-Patchwork-Id: 70385
X-Patchwork-Delegate: david.marchand@redhat.com
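Review bot: the auth hunk of [PATCH 3/6] bounds param->auth_key_len, but the context line immediately after the new check still copies param->digest_len into xform_auth->auth.digest_length with no bound; if that field is later used to size a digest buffer or compared against the algorithm's maximum, it needs the same guest-input treatment, and if it is validated elsewhere a comment saying where would save the next reviewer the search. The `>` versus buffer-size and VC_LOG_DBG level remarks made on the cipher-key checks apply here too.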
From: Ferruh Yigit
To: dev@dpdk.org
Cc: Ferruh Yigit , Marvin Liu , stable@dpdk.org, Maxime Coquelin
Date: Mon, 18 May 2020 14:17:02 +0100
Message-Id: <20200518131704.715877-5-ferruh.yigit@intel.com>
In-Reply-To: <20200518131704.715877-1-ferruh.yigit@intel.com>
Subject: [dpdk-dev] [PATCH 4/6] vhost: fix translated address not checked

From: Marvin Liu

A malicious guest can construct a desc with an invalid address and zero buffer length. That will request vhost to check both the translated address and the translated data length. This patch adds the missing address check.

CVE-2020-10725
Fixes: 75ed51697820 ("vhost: add packed ring batch dequeue")
Fixes: ef861692c398 ("vhost: add packed ring batch enqueue")
Cc: stable@dpdk.org

Signed-off-by: Marvin Liu
Reviewed-by: Maxime Coquelin
---
 lib/librte_vhost/virtio_net.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index 1fc30c6819..8504897e7a 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -1072,6 +1072,8 @@ virtio_dev_rx_batch_packed(struct virtio_net *dev, VHOST_ACCESS_RW); vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) { + if (unlikely(!desc_addrs[i])) + return -1; if (unlikely(lens[i] != descs[avail_idx + i].len)) return -1; }
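Review bot: the new `!desc_addrs[i]` test in virtio_dev_rx_batch_packed() depends on the vhost_iova_to_vva() call just above (the VHOST_ACCESS_RW context line) returning 0 when translation fails, and it has to sit before the lens[] comparison because, as the commit message explains, a descriptor with a bad address and a zero length yields a translated length of zero that matches descs[avail_idx + i].len and would otherwise pass. A one-line comment on the check, e.g. `/* 0 = translation failed; a zero-length desc would still pass the len check */`, would record that ordering dependency for whoever next reorders the loop.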
@@ -1827,6 +1829,8 @@ vhost_reserve_avail_batch_packed(struct virtio_net *dev, } vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) { + if (unlikely(!desc_addrs[i])) + return -1; if (unlikely((lens[i] != descs[avail_idx + i].len))) return -1; }

From patchwork Mon May 18 13:17:03 2020
X-Patchwork-Submitter: Ferruh Yigit
X-Patchwork-Id: 70386
X-Patchwork-Delegate: david.marchand@redhat.com
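Review bot: the vhost_reserve_avail_batch_packed() hunk of [PATCH 4/6] repeats the rx-side check line for line; both batch paths now validate desc_addrs[] and lens[] the same way, so a small shared inline helper would stop the two copies from diverging the next time one of them is touched. Minor style, visible in the context line: `if (unlikely((lens[i] != descs[avail_idx + i].len)))` carries a redundant pair of parentheses that the rx variant does not.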
From: Ferruh Yigit
To: dev@dpdk.org
Cc: Ferruh Yigit , Xiaolong Ye , stable@dpdk.org, Maxime Coquelin
Date: Mon, 18 May 2020 14:17:03 +0100
Message-Id: <20200518131704.715877-6-ferruh.yigit@intel.com>
In-Reply-To: <20200518131704.715877-1-ferruh.yigit@intel.com>
Subject: [dpdk-dev] [PATCH 5/6] vhost: fix potential memory space leak

From: Xiaolong Ye

A malicious container which has direct access to the vhost-user socket can keep sending VHOST_USER_GET_INFLIGHT_FD messages which may cause leaking resources until resulting in a DoS.

Fix it by unmapping the dev->inflight_info->addr before assigning the new mapped addr to it.

CVE-2020-10726
Fixes: d87f1a1cb7b6 ("vhost: support inflight info sharing")
Cc: stable@dpdk.org

Signed-off-by: Xiaolong Ye
Reviewed-by: Maxime Coquelin
---
 lib/librte_vhost/vhost_user.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index e51a8a6b77..0424e49cb8 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -1433,6 +1433,11 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev, } memset(addr, 0, mmap_size); + if (dev->inflight_info->addr) { + munmap(dev->inflight_info->addr, dev->inflight_info->size); + dev->inflight_info->addr = NULL; + } + dev->inflight_info->addr = addr; dev->inflight_info->size = msg->payload.inflight.mmap_size = mmap_size; dev->inflight_info->fd = msg->fds[0] = fd;
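Review bot: this hunk unmaps the previous inflight region before the new one is stored, but the context line `dev->inflight_info->fd = msg->fds[0] = fd;` two lines below still overwrites the old descriptor without a close(), so a repeated VHOST_USER_GET_INFLIGHT_FD still leaks one fd per message after this patch alone; [PATCH 6/6] adds that close under the same CVE-2020-10726, and squashing the two would give stable backports one self-contained fix. The `dev->inflight_info->addr = NULL;` inside the new block is overwritten by `dev->inflight_info->addr = addr;` immediately afterwards; harmless, but the block could be just the munmap() call.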
@@ -1517,8 +1522,10 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg, } } - if (dev->inflight_info->addr) + if (dev->inflight_info->addr) { munmap(dev->inflight_info->addr, dev->inflight_info->size); + dev->inflight_info->addr = NULL; + } addr = mmap(0, mmap_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, mmap_offset);

From patchwork Mon May 18 13:17:04 2020
X-Patchwork-Submitter: Ferruh Yigit
X-Patchwork-Id: 70387
X-Patchwork-Delegate: david.marchand@redhat.com
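Review bot: in the vhost_user_set_inflight_fd() hunk of [PATCH 5/6], resetting addr to NULL after munmap() is the part that matters, because the mmap() on the following context line can fail and the old code would then have left a dangling pointer to be unmapped a second time on the next message; for the same reason dev->inflight_info->size should be zeroed in the same block, so a NULL addr is never paired with a stale size if a later cleanup decides to munmap() on size alone.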
From: Ferruh Yigit
To: dev@dpdk.org
Cc: Ferruh Yigit , Xuan Ding , stable@dpdk.org, Xiaolong Ye , Maxime Coquelin
Date: Mon, 18 May 2020 14:17:04 +0100
Message-Id: <20200518131704.715877-7-ferruh.yigit@intel.com>
In-Reply-To: <20200518131704.715877-1-ferruh.yigit@intel.com>
Subject: [dpdk-dev] [PATCH 6/6] vhost: fix potential fd leak

From: Xuan Ding

Vhost will create a temporary file when receiving the VHOST_USER_GET_INFLIGHT_FD message. A malicious guest can send this message endlessly to drain the resources of the host.

When receiving the VHOST_USER_GET_INFLIGHT_FD message repeatedly, close the file created during the last handling of this message.

CVE-2020-10726
Fixes: d87f1a1cb7b666550 ("vhost: support inflight info sharing")
Cc: stable@dpdk.org

Signed-off-by: Xuan Ding
Signed-off-by: Xiaolong Ye
Reviewed-by: Maxime Coquelin
---
 lib/librte_vhost/vhost_user.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index 0424e49cb8..0916f5abc0 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -206,7 +206,7 @@ vhost_backend_cleanup(struct virtio_net *dev) dev->inflight_info->addr = NULL; } - if (dev->inflight_info->fd > 0) { + if (dev->inflight_info->fd >= 0) { close(dev->inflight_info->fd); dev->inflight_info->fd = -1; } @@ -1408,6 +1408,7 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev, "failed to alloc dev inflight area\n"); return RTE_VHOST_MSG_RESULT_ERR; } + dev->inflight_info->fd = -1; } num_queues = msg->payload.inflight.num_queues;
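Review bot: changing vhost_backend_cleanup() from `fd > 0` to `fd >= 0` is only safe once every allocation of dev->inflight_info stores -1 in fd, which the second hunk does right after the allocation in vhost_user_get_inflight_fd(); if any other path allocates inflight_info with zeroed memory and never receives a descriptor, the cleanup would now close(0). Worth checking every inflight_info allocation site and initialising fd = -1 in one shared place rather than at each caller, so the invariant the cleanup now relies on cannot be missed by a future allocation path.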
@@ -1438,6 +1439,11 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev, dev->inflight_info->addr = NULL; } + if (dev->inflight_info->fd >= 0) { + close(dev->inflight_info->fd); + dev->inflight_info->fd = -1; + } + dev->inflight_info->addr = addr; dev->inflight_info->size = msg->payload.inflight.mmap_size = mmap_size; dev->inflight_info->fd = msg->fds[0] = fd; @@ -1520,6 +1526,7 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg, "failed to alloc dev inflight area\n"); return RTE_VHOST_MSG_RESULT_ERR; } + dev->inflight_info->fd = -1; } if (dev->inflight_info->addr) { @@ -1534,8 +1541,10 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg, return RTE_VHOST_MSG_RESULT_ERR; } - if (dev->inflight_info->fd) + if (dev->inflight_info->fd >= 0) { close(dev->inflight_info->fd); + dev->inflight_info->fd = -1; + } dev->inflight_info->fd = fd; dev->inflight_info->addr = addr;
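Review bot: in the last hunk the `dev->inflight_info->fd = -1;` inside the close block is overwritten by `dev->inflight_info->fd = fd;` on the very next line, so it can be dropped or the close can be folded into a helper that both vhost_user_get_inflight_fd() and vhost_user_set_inflight_fd() call; harmless as written. In the vhost_user_get_inflight_fd() hunk the previous descriptor is closed only after the new file has already been created and mapped (the memset(addr, 0, mmap_size) context earlier in the function), so each device briefly holds two inflight files; that is fine but merits a comment. The `fd = -1` after the allocation in vhost_user_set_inflight_fd() duplicates the one added in the get path, which is another argument for initialising in the allocation helper.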