Patch Detail
GET /api/patches/124555/?format=api
https://patches.dpdk.org/api/patches/124555/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/patch/20230227105927.3643421-1-david.marchand@redhat.com/", "project": { "id": 1, "url": "https://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20230227105927.3643421-1-david.marchand@redhat.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20230227105927.3643421-1-david.marchand@redhat.com", "date": "2023-02-27T10:59:27", "name": "vhost: fix OOB access for invalid vid", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "34718da40f6dc4af2adc50d83760f226201b612d", "submitter": { "id": 1173, "url": "https://patches.dpdk.org/api/people/1173/?format=api", "name": "David Marchand", "email": "david.marchand@redhat.com" }, "delegate": { "id": 2642, "url": "https://patches.dpdk.org/api/users/2642/?format=api", "username": "mcoquelin", "first_name": "Maxime", "last_name": "Coquelin", "email": "maxime.coquelin@redhat.com" }, "mbox": "https://patches.dpdk.org/project/dpdk/patch/20230227105927.3643421-1-david.marchand@redhat.com/mbox/", "series": [ { "id": 27182, "url": "https://patches.dpdk.org/api/series/27182/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/list/?series=27182", "date": "2023-02-27T10:59:27", "name": "vhost: fix OOB access for invalid vid", "version": 1, "mbox": "https://patches.dpdk.org/series/27182/mbox/" } ], "comments": "https://patches.dpdk.org/api/patches/124555/comments/", "check": "success", "checks": "https://patches.dpdk.org/api/patches/124555/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", 
"X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "From": "David Marchand <david.marchand@redhat.com>", "To": "dev@dpdk.org", "Cc": 
"stable@dpdk.org, Maxime Coquelin <maxime.coquelin@redhat.com>,\n Chenbo Xia <chenbo.xia@intel.com>", "Subject": "[PATCH] vhost: fix OOB access for invalid vid", "Date": "Mon, 27 Feb 2023 11:59:27 +0100", "Message-Id": "<20230227105927.3643421-1-david.marchand@redhat.com>", "MIME-Version": "1.0", "X-Scanned-By": "MIMEDefang 3.1 on 10.11.54.3", "X-Mimecast-Spam-Score": "0", "X-Mimecast-Originator": "redhat.com", "Content-Transfer-Encoding": "8bit", "Content-Type": "text/plain; charset=\"US-ASCII\"; x-default=true", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.29", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org" }, "content": "The net/vhost pmd currently provides a -1 vid when disabling interrupt\nafter a virtio port got disconnected.\n\nThis can be caught when running with ASan.\n\nFirst, start dpdk-l3fwd-power in interrupt mode with a net/vhost port.\n\n$ ./build-clang/examples/dpdk-l3fwd-power -l0,1 --in-memory \\\n\t-a 0000:00:00.0 \\\n\t--vdev net_vhost0,iface=plop.sock,client=1\\\n\t-- \\\n\t-p 0x1 \\\n\t--interrupt-only \\\n\t--config '(0,0,1)' \\\n\t--parse-ptype 0\n\nThen start testpmd with virtio-user.\n\n$ ./build-clang/app/dpdk-testpmd -l0,2 --single-file-segment --in-memory \\\n\t-a 0000:00:00.0 \\\n\t--vdev net_virtio_user0,path=plop.sock,server=1 \\\n\t-- \\\n\t-i\n\nFinally stop testpmd.\nASan then splats in dpdk-l3fwd-power:\n\n=================================================================\n==3641005==ERROR: AddressSanitizer: global-buffer-overflow on address\n\t0x000005ed0778 at pc 0x000001270f81 
bp 0x7fddbd2eee20\n\tsp 0x7fddbd2eee18\nREAD of size 8 at 0x000005ed0778 thread T2\n #0 0x1270f80 in get_device .../lib/vhost/vhost.h:801:27\n #1 0x1270f80 in rte_vhost_get_vhost_vring .../lib/vhost/vhost.c:951:8\n #2 0x3ac95cb in eth_rxq_intr_disable\n\t.../drivers/net/vhost/rte_eth_vhost.c:647:8\n #3 0x170e0bf in rte_eth_dev_rx_intr_disable\n\t.../lib/ethdev/rte_ethdev.c:5443:25\n #4 0xf72ba7 in turn_on_off_intr .../examples/l3fwd-power/main.c:881:4\n #5 0xf71045 in main_intr_loop .../examples/l3fwd-power/main.c:1061:6\n #6 0x17f9292 in eal_thread_loop\n\t.../lib/eal/common/eal_common_thread.c:210:9\n #7 0x18373f5 in eal_worker_thread_loop .../lib/eal/linux/eal.c:915:2\n #8 0x7fddc16ae12c in start_thread (/lib64/libc.so.6+0x8b12c)\n\t(BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)\n #9 0x7fddc172fbbf in __GI___clone3 (/lib64/libc.so.6+0x10cbbf)\n\t(BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)\n\n0x000005ed0778 is located 8 bytes to the left of global variable\n\t'vhost_devices' defined in '.../lib/vhost/vhost.c:24'\n\t(0x5ed0780) of size 8192\n0x000005ed0778 is located 20 bytes to the right of global variable\n\t'vhost_config_log_level' defined in '.../lib/vhost/vhost.c:2174'\n\t(0x5ed0760) of size 4\nSUMMARY: AddressSanitizer: global-buffer-overflow\n\t.../lib/vhost/vhost.h:801:27 in get_device\nShadow bytes around the buggy address:\n 0x000080bd2090: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9\n 0x000080bd20a0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9\n 0x000080bd20b0: f9 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9\n 0x000080bd20c0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9\n 0x000080bd20d0: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00\n=>0x000080bd20e0: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 04 f9 f9[f9]\n 0x000080bd20f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x000080bd2100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x000080bd2110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n 0x000080bd2120: 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00\n 0x000080bd2130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nShadow byte legend (one shadow byte represents 8 application bytes):\n Addressable: 00\n Partially addressable: 01 02 03 04 05 06 07\n Heap left redzone: fa\n Freed heap region: fd\n Stack left redzone: f1\n Stack mid redzone: f2\n Stack right redzone: f3\n Stack after return: f5\n Stack use after scope: f8\n Global redzone: f9\n Global init order: f6\n Poisoned by user: f7\n Container overflow: fc\n Array cookie: ac\n Intra object redzone: bb\n ASan internal: fe\n Left alloca redzone: ca\n Right alloca redzone: cb\nThread T2 created by T0 here:\n #0 0xe98996 in __interceptor_pthread_create\n\t(.examples/dpdk-l3fwd-power+0xe98996)\n\t(BuildId: d0b984a3b0287b9e0f301b73426fa921aeecca3a)\n #1 0x1836767 in eal_worker_thread_create .../lib/eal/linux/eal.c:952:6\n #2 0x1834b83 in rte_eal_init .../lib/eal/linux/eal.c:1257:9\n #3 0xf68902 in main .../examples/l3fwd-power/main.c:2496:8\n #4 0x7fddc164a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)\n\t(BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)\n\n==3641005==ABORTING\n\nMore generally, any application passing an incorrect vid would trigger\nsuch an OOB access.\n\nCc: stable@dpdk.org\n\nSigned-off-by: David Marchand <david.marchand@redhat.com>\n---\nNote: even after this patch, reconnecting the virtio-user port with\ndpdk-l3fwd-power in interrupt mode still seems broken, as the net/vhost\npmd keeps complaining about an issue with rx interrupt fds.\n\n---\n lib/vhost/vhost.h | 5 ++++-\n 1 file changed, 4 insertions(+), 1 deletion(-)", "diff": "diff --git a/lib/vhost/vhost.h b/lib/vhost/vhost.h\nindex 5750f0c005..d9e97280fa 100644\n--- a/lib/vhost/vhost.h\n+++ b/lib/vhost/vhost.h\n@@ -798,7 +798,10 @@ hva_to_gpa(struct virtio_net *dev, uint64_t vva, uint64_t len)\n static __rte_always_inline struct virtio_net *\n get_device(int vid)\n {\n-\tstruct virtio_net *dev = vhost_devices[vid];\n+\tstruct virtio_net *dev 
= NULL;\n+\n+\tif (vid >= 0 && vid < RTE_MAX_VHOST_DEVICE)\n+\t\tdev = vhost_devices[vid];\n \n \tif (unlikely(!dev)) {\n \t\tVHOST_LOG_CONFIG(\"device\", ERR, \"(%d) device not found.\\n\", vid);\n", "prefixes": [] }{ "id": 124555, "url": "
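Review bot: In get_device() in lib/vhost/vhost.h, an out-of-range vid now falls through to the existing `if (unlikely(!dev))` branch and is reported with the same "(%d) device not found." message at ERR level as a valid but unregistered slot. The net/vhost caller in the trace (eth_rxq_intr_disable via rte_vhost_get_vhost_vring) still passes -1 after a disconnect, so with this change that path will emit an ERR line on every call instead of reading out of bounds. Consider a follow-up in rte_eth_vhost.c that skips the call when the vid is invalid, and consider a distinct message for the out-of-range case so a caller bug is distinguishable from a missing device. Two smaller points on the added condition: get_device() is `__rte_always_inline` and the neighbouring branch uses `unlikely()`, so wrapping the range check in `likely()` would match the surrounding style; and a short comment stating that vid comes from callers and may be negative would document why both bounds are tested.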