Patch Detail

HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 124555,
    "url": "https://patches.dpdk.org/api/patches/124555/?format=api",
    "web_url": "https://patches.dpdk.org/project/dpdk/patch/20230227105927.3643421-1-david.marchand@redhat.com/",
    "project": {
        "id": 1,
        "url": "https://patches.dpdk.org/api/projects/1/?format=api",
        "name": "DPDK",
        "link_name": "dpdk",
        "list_id": "dev.dpdk.org",
        "list_email": "dev@dpdk.org",
        "web_url": "http://core.dpdk.org",
        "scm_url": "git://dpdk.org/dpdk",
        "webscm_url": "http://git.dpdk.org/dpdk",
        "list_archive_url": "https://inbox.dpdk.org/dev",
        "list_archive_url_format": "https://inbox.dpdk.org/dev/{}",
        "commit_url_format": ""
    },
    "msgid": "<20230227105927.3643421-1-david.marchand@redhat.com>",
    "list_archive_url": "https://inbox.dpdk.org/dev/20230227105927.3643421-1-david.marchand@redhat.com",
    "date": "2023-02-27T10:59:27",
    "name": "vhost: fix OOB access for invalid vid",
    "commit_ref": null,
    "pull_url": null,
    "state": "accepted",
    "archived": true,
    "hash": "34718da40f6dc4af2adc50d83760f226201b612d",
    "submitter": {
        "id": 1173,
        "url": "https://patches.dpdk.org/api/people/1173/?format=api",
        "name": "David Marchand",
        "email": "david.marchand@redhat.com"
    },
    "delegate": {
        "id": 2642,
        "url": "https://patches.dpdk.org/api/users/2642/?format=api",
        "username": "mcoquelin",
        "first_name": "Maxime",
        "last_name": "Coquelin",
        "email": "maxime.coquelin@redhat.com"
    },
    "mbox": "https://patches.dpdk.org/project/dpdk/patch/20230227105927.3643421-1-david.marchand@redhat.com/mbox/",
    "series": [
        {
            "id": 27182,
            "url": "https://patches.dpdk.org/api/series/27182/?format=api",
            "web_url": "https://patches.dpdk.org/project/dpdk/list/?series=27182",
            "date": "2023-02-27T10:59:27",
            "name": "vhost: fix OOB access for invalid vid",
            "version": 1,
            "mbox": "https://patches.dpdk.org/series/27182/mbox/"
        }
    ],
    "comments": "https://patches.dpdk.org/api/patches/124555/comments/",
    "check": "success",
    "checks": "https://patches.dpdk.org/api/patches/124555/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "<dev-bounces@dpdk.org>",
        "X-Original-To": "patchwork@inbox.dpdk.org",
        "Delivered-To": "patchwork@inbox.dpdk.org",
        "Received": [
            "from mails.dpdk.org (mails.dpdk.org [217.70.189.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id CDC6741D8F;\n\tMon, 27 Feb 2023 11:59:37 +0100 (CET)",
            "from mails.dpdk.org (localhost [127.0.0.1])\n\tby mails.dpdk.org (Postfix) with ESMTP id 5B97240A84;\n\tMon, 27 Feb 2023 11:59:37 +0100 (CET)",
            "from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [170.10.129.124])\n by mails.dpdk.org (Postfix) with ESMTP id 5912A400D5\n for <dev@dpdk.org>; Mon, 27 Feb 2023 11:59:36 +0100 (CET)",
            "from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com\n [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS\n (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id\n us-mta-537-WezfSdb1MtGjiFRPv_VGqQ-1; Mon, 27 Feb 2023 05:59:32 -0500",
            "from smtp.corp.redhat.com (int-mx03.intmail.prod.int.rdu2.redhat.com\n [10.11.54.3])\n (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n (No client certificate requested)\n by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 378E187B2A2;\n Mon, 27 Feb 2023 10:59:32 +0000 (UTC)",
            "from dmarchan.redhat.com (unknown [10.45.224.55])\n by smtp.corp.redhat.com (Postfix) with ESMTP id 47BDF1121314;\n Mon, 27 Feb 2023 10:59:30 +0000 (UTC)"
        ],
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1677495575;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding;\n bh=pdgrAf5GASDJwpDJUlicmY1s6By6PNuBhC7JQSifJw4=;\n b=SF1Asa6MP4kRtJCvZB1yVRtksGkqd1ygkH2UErOlcL2DRve9onOAGB8rabnsopMjbN8S4j\n zvj1QxbSD/YeolhJq29jPeh/x47Bjdc09CL+WzKiXXbA/eBGX5lv4Pr2PiZdI4k7JVvBvG\n u0n6OM9UG5cufCCQOwW6zxFDUgKURVw=",
        "X-MC-Unique": "WezfSdb1MtGjiFRPv_VGqQ-1",
        "From": "David Marchand <david.marchand@redhat.com>",
        "To": "dev@dpdk.org",
        "Cc": "stable@dpdk.org, Maxime Coquelin <maxime.coquelin@redhat.com>,\n Chenbo Xia <chenbo.xia@intel.com>",
        "Subject": "[PATCH] vhost: fix OOB access for invalid vid",
        "Date": "Mon, 27 Feb 2023 11:59:27 +0100",
        "Message-Id": "<20230227105927.3643421-1-david.marchand@redhat.com>",
        "MIME-Version": "1.0",
        "X-Scanned-By": "MIMEDefang 3.1 on 10.11.54.3",
        "X-Mimecast-Spam-Score": "0",
        "X-Mimecast-Originator": "redhat.com",
        "Content-Transfer-Encoding": "8bit",
        "Content-Type": "text/plain; charset=\"US-ASCII\"; x-default=true",
        "X-BeenThere": "dev@dpdk.org",
        "X-Mailman-Version": "2.1.29",
        "Precedence": "list",
        "List-Id": "DPDK patches and discussions <dev.dpdk.org>",
        "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>",
        "List-Archive": "<http://mails.dpdk.org/archives/dev/>",
        "List-Post": "<mailto:dev@dpdk.org>",
        "List-Help": "<mailto:dev-request@dpdk.org?subject=help>",
        "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>",
        "Errors-To": "dev-bounces@dpdk.org"
    },
    "content": "The net/vhost pmd currently provides a -1 vid when disabling interrupt\nafter a virtio port got disconnected.\n\nThis can be caught when running with ASan.\n\nFirst, start dpdk-l3fwd-power in interrupt mode with a net/vhost port.\n\n$ ./build-clang/examples/dpdk-l3fwd-power -l0,1 --in-memory \\\n\t-a 0000:00:00.0 \\\n\t--vdev net_vhost0,iface=plop.sock,client=1\\\n\t-- \\\n\t-p 0x1 \\\n\t--interrupt-only \\\n\t--config '(0,0,1)' \\\n\t--parse-ptype 0\n\nThen start testpmd with virtio-user.\n\n$ ./build-clang/app/dpdk-testpmd -l0,2 --single-file-segment --in-memory \\\n\t-a 0000:00:00.0 \\\n\t--vdev net_virtio_user0,path=plop.sock,server=1 \\\n\t-- \\\n\t-i\n\nFinally stop testpmd.\nASan then splats in dpdk-l3fwd-power:\n\n=================================================================\n==3641005==ERROR: AddressSanitizer: global-buffer-overflow on address\n\t0x000005ed0778 at pc 0x000001270f81 bp 0x7fddbd2eee20\n\tsp 0x7fddbd2eee18\nREAD of size 8 at 0x000005ed0778 thread T2\n    #0 0x1270f80 in get_device .../lib/vhost/vhost.h:801:27\n    #1 0x1270f80 in rte_vhost_get_vhost_vring .../lib/vhost/vhost.c:951:8\n    #2 0x3ac95cb in eth_rxq_intr_disable\n\t.../drivers/net/vhost/rte_eth_vhost.c:647:8\n    #3 0x170e0bf in rte_eth_dev_rx_intr_disable\n\t.../lib/ethdev/rte_ethdev.c:5443:25\n    #4 0xf72ba7 in turn_on_off_intr .../examples/l3fwd-power/main.c:881:4\n    #5 0xf71045 in main_intr_loop .../examples/l3fwd-power/main.c:1061:6\n    #6 0x17f9292 in eal_thread_loop\n\t.../lib/eal/common/eal_common_thread.c:210:9\n    #7 0x18373f5 in eal_worker_thread_loop .../lib/eal/linux/eal.c:915:2\n    #8 0x7fddc16ae12c in start_thread (/lib64/libc.so.6+0x8b12c)\n\t(BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)\n    #9 0x7fddc172fbbf in __GI___clone3 (/lib64/libc.so.6+0x10cbbf)\n\t(BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)\n\n0x000005ed0778 is located 8 bytes to the left of global variable\n\t'vhost_devices' defined in '.../lib/vhost/vhost.c:24'\n\t(0x5ed0780) of size 8192\n0x000005ed0778 is located 20 bytes to the right of global variable\n\t'vhost_config_log_level' defined in '.../lib/vhost/vhost.c:2174'\n\t(0x5ed0760) of size 4\nSUMMARY: AddressSanitizer: global-buffer-overflow\n\t.../lib/vhost/vhost.h:801:27 in get_device\nShadow bytes around the buggy address:\n  0x000080bd2090: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9\n  0x000080bd20a0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9\n  0x000080bd20b0: f9 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9\n  0x000080bd20c0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9\n  0x000080bd20d0: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00\n=>0x000080bd20e0: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 04 f9 f9[f9]\n  0x000080bd20f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x000080bd2100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x000080bd2110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x000080bd2120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x000080bd2130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nShadow byte legend (one shadow byte represents 8 application bytes):\n  Addressable:           00\n  Partially addressable: 01 02 03 04 05 06 07\n  Heap left redzone:       fa\n  Freed heap region:       fd\n  Stack left redzone:      f1\n  Stack mid redzone:       f2\n  Stack right redzone:     f3\n  Stack after return:      f5\n  Stack use after scope:   f8\n  Global redzone:          f9\n  Global init order:       f6\n  Poisoned by user:        f7\n  Container overflow:      fc\n  Array cookie:            ac\n  Intra object redzone:    bb\n  ASan internal:           fe\n  Left alloca redzone:     ca\n  Right alloca redzone:    cb\nThread T2 created by T0 here:\n    #0 0xe98996 in __interceptor_pthread_create\n\t(.examples/dpdk-l3fwd-power+0xe98996)\n\t(BuildId: d0b984a3b0287b9e0f301b73426fa921aeecca3a)\n    #1 0x1836767 in eal_worker_thread_create .../lib/eal/linux/eal.c:952:6\n    #2 0x1834b83 in rte_eal_init .../lib/eal/linux/eal.c:1257:9\n    #3 0xf68902 in main .../examples/l3fwd-power/main.c:2496:8\n    #4 0x7fddc164a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)\n\t(BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)\n\n==3641005==ABORTING\n\nMore generally, any application passing an incorrect vid would trigger\nsuch an OOB access.\n\nCc: stable@dpdk.org\n\nSigned-off-by: David Marchand <david.marchand@redhat.com>\n---\nNote: even after this patch, reconnecting the virtio-user port with\ndpdk-l3fwd-power in interrupt mode still seems broken, as the net/vhost\npmd keeps complaining about an issue with rx interrupt fds.\n\n---\n lib/vhost/vhost.h | 5 ++++-\n 1 file changed, 4 insertions(+), 1 deletion(-)",
    "diff": "diff --git a/lib/vhost/vhost.h b/lib/vhost/vhost.h\nindex 5750f0c005..d9e97280fa 100644\n--- a/lib/vhost/vhost.h\n+++ b/lib/vhost/vhost.h\n@@ -798,7 +798,10 @@ hva_to_gpa(struct virtio_net *dev, uint64_t vva, uint64_t len)\n static __rte_always_inline struct virtio_net *\n get_device(int vid)\n {\n-\tstruct virtio_net *dev = vhost_devices[vid];\n+\tstruct virtio_net *dev = NULL;\n+\n+\tif (vid >= 0 && vid < RTE_MAX_VHOST_DEVICE)\n+\t\tdev = vhost_devices[vid];\n \n \tif (unlikely(!dev)) {\n \t\tVHOST_LOG_CONFIG(\"device\", ERR, \"(%d) device not found.\\n\", vid);\n",
    "prefixes": []
}