GET /api/patches/62895/?format=api
https://patches.dpdk.org/api/patches/62895/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/patch/20191112151852.27341-4-maxime.coquelin@redhat.com/", "project": { "id": 1, "url": "https://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20191112151852.27341-4-maxime.coquelin@redhat.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20191112151852.27341-4-maxime.coquelin@redhat.com", "date": "2019-11-12T15:18:52", "name": "[v16.11,v2,4/4] vhost: fix possible denial of service by leaking FDs", "commit_ref": null, "pull_url": null, "state": "not-applicable", "archived": true, "hash": "6077c30002a55335239f9e98328965b57ca59458", "submitter": { "id": 512, "url": "https://patches.dpdk.org/api/people/512/?format=api", "name": "Maxime Coquelin", "email": "maxime.coquelin@redhat.com" }, "delegate": { "id": 2642, "url": "https://patches.dpdk.org/api/users/2642/?format=api", "username": "mcoquelin", "first_name": "Maxime", "last_name": "Coquelin", "email": "maxime.coquelin@redhat.com" }, "mbox": "https://patches.dpdk.org/project/dpdk/patch/20191112151852.27341-4-maxime.coquelin@redhat.com/mbox/", "series": [ { "id": 7417, "url": "https://patches.dpdk.org/api/series/7417/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/list/?series=7417", "date": "2019-11-12T15:18:49", "name": "[v16.11,v2,1/4] vhost: validate virtqueue size", "version": 2, "mbox": "https://patches.dpdk.org/series/7417/mbox/" } ], "comments": "https://patches.dpdk.org/api/patches/62895/comments/", "check": "pending", "checks": "https://patches.dpdk.org/api/patches/62895/checks/", "tags": {}, "related": [], "headers": { "Return-Path": 
"<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from dpdk.org (dpdk.org [92.243.14.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id BA077A04B6;\n\tTue, 12 Nov 2019 16:19:39 +0100 (CET)", "from [92.243.14.124] (localhost [127.0.0.1])\n\tby dpdk.org (Postfix) with ESMTP id C70352BEA;\n\tTue, 12 Nov 2019 16:19:18 +0100 (CET)", "from us-smtp-delivery-1.mimecast.com (us-smtp-2.mimecast.com\n [205.139.110.61]) by dpdk.org (Postfix) with ESMTP id 7F3562BF1\n for <dev@dpdk.org>; Tue, 12 Nov 2019 16:19:15 +0100 (CET)", "from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com\n [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id\n us-mta-394-sY7BW2IrPSmVDOroPrQImw-1; Tue, 12 Nov 2019 10:19:13 -0500", "from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com\n [10.5.11.15])\n (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n (No client certificate requested)\n by mimecast-mx01.redhat.com (Postfix) with ESMTPS id CD06D1010E00;\n Tue, 12 Nov 2019 15:19:12 +0000 (UTC)", "from localhost.localdomain (ovpn-112-39.ams2.redhat.com\n [10.36.112.39])\n by smtp.corp.redhat.com (Postfix) with ESMTP id 8039E54560;\n Tue, 12 Nov 2019 15:19:11 +0000 (UTC)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1573571954;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding:\n in-reply-to:in-reply-to:references:references;\n bh=F4AbeOnmSMbXgrCJC7iparFLB4KABYIp1q/9Zj2ByRg=;\n b=hoR5Fa4d1Pj3kcB22hvRTG+YYV4xgjmbwdRv6gSYAYa0X7nLFribcJ0kCiKpdkN7/KLOh6\n HpX8166rVA9plw7tbBZPEZNsmsZ+yGKbSTw5JPLCIR9uTZalJYL1OQx5UZXLNlhlaC5Vov\n Ck/0JYCvWn6elburYg9IGhr+qJH7ajA=", "From": "Maxime Coquelin <maxime.coquelin@redhat.com>", "To": "dev@dpdk.org,\n\tstable@dpdk.org", "Cc": "Maxime Coquelin 
<maxime.coquelin@redhat.com>", "Date": "Tue, 12 Nov 2019 16:18:52 +0100", "Message-Id": "<20191112151852.27341-4-maxime.coquelin@redhat.com>", "In-Reply-To": "<20191112151852.27341-1-maxime.coquelin@redhat.com>", "References": "<b45c3416-0b1d-0ee4-89eb-c23a69e7cef3@intel.com>\n <20191112151852.27341-1-maxime.coquelin@redhat.com>", "MIME-Version": "1.0", "X-Scanned-By": "MIMEDefang 2.79 on 10.5.11.15", "X-MC-Unique": "sY7BW2IrPSmVDOroPrQImw-1", "X-Mimecast-Spam-Score": "0", "Content-Type": "text/plain; charset=WINDOWS-1252", "Content-Transfer-Encoding": "quoted-printable", "Subject": "[dpdk-dev] [v16.11 PATCH v2 4/4] vhost: fix possible denial of\n\tservice by leaking FDs", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.15", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "A malicious Vhost-user master could send in a loop hand-crafted\nvhost-user messages containing more file descriptors than the\nvhost-user slave expects. 
Doing so causes the application using\nthe vhost-user library to run out of FDs.\n\nThis issue has been assigned CVE-2019-14818\n\nFixes: 8f972312b8f4 (\"vhost: support vhost-user\")\n\nSigned-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>\n---\n lib/librte_vhost/vhost_user.c | 87 +++++++++++++++++++++++++++++++++++\n 1 file changed, 87 insertions(+)", "diff": "diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c\nindex cebc72f78f..a6ab131543 100644\n--- a/lib/librte_vhost/vhost_user.c\n+++ b/lib/librte_vhost/vhost_user.c\n@@ -75,6 +75,36 @@ static const char *vhost_message_str[VHOST_USER_MAX] = {\n \t[VHOST_USER_SEND_RARP] = \"VHOST_USER_SEND_RARP\",\n };\n \n+static void\n+close_msg_fds(struct VhostUserMsg *msg)\n+{\n+\tint i;\n+\n+\tfor (i = 0; i < msg->fd_num; i++)\n+\t\tclose(msg->fds[i]);\n+}\n+\n+/*\n+ * Ensure the expected number of FDs is received,\n+ * close all FDs and return an error if this is not the case.\n+ */\n+static int\n+validate_msg_fds(struct VhostUserMsg *msg, int expected_fds)\n+{\n+\tif (msg->fd_num == expected_fds)\n+\t\treturn 0;\n+\n+\tRTE_LOG(ERR, VHOST_CONFIG,\n+\t\t\" Expect %d FDs for request %s, received %d\\n\",\n+\t\texpected_fds,\n+\t\tvhost_message_str[msg->request],\n+\t\tmsg->fd_num);\n+\n+\tclose_msg_fds(msg);\n+\n+\treturn -1;\n+}\n+\n static uint64_t\n get_blk_size(int fd)\n {\n@@ -1104,35 +1134,59 @@ vhost_user_msg_handler(int vid, int fd)\n \tret = 0;\n \tswitch (msg.request) {\n \tcase VHOST_USER_GET_FEATURES:\n+\t\tif (validate_msg_fds(&msg, 0) != 0)\n+\t\t\treturn -1;\n+\n \t\tmsg.payload.u64 = vhost_user_get_features();\n \t\tmsg.size = sizeof(msg.payload.u64);\n \t\tsend_vhost_message(fd, &msg);\n \t\tbreak;\n \tcase VHOST_USER_SET_FEATURES:\n+\t\tif (validate_msg_fds(&msg, 0) != 0)\n+\t\t\treturn -1;\n+\n \t\tret = vhost_user_set_features(dev, msg.payload.u64);\n \t\tbreak;\n \n \tcase VHOST_USER_GET_PROTOCOL_FEATURES:\n+\t\tif (validate_msg_fds(&msg, 0) != 0)\n+\t\t\treturn -1;\n+\n 
\t\tmsg.payload.u64 = VHOST_USER_PROTOCOL_FEATURES;\n \t\tmsg.size = sizeof(msg.payload.u64);\n \t\tsend_vhost_message(fd, &msg);\n \t\tbreak;\n \tcase VHOST_USER_SET_PROTOCOL_FEATURES:\n+\t\tif (validate_msg_fds(&msg, 0) != 0)\n+\t\t\treturn -1;\n+\n \t\tret = vhost_user_set_protocol_features(dev, msg.payload.u64);\n \t\tbreak;\n \n \tcase VHOST_USER_SET_OWNER:\n+\t\tif (validate_msg_fds(&msg, 0) != 0)\n+\t\t\treturn -1;\n+\n \t\tret = vhost_user_set_owner();\n \t\tbreak;\n \tcase VHOST_USER_RESET_OWNER:\n+\t\tif (validate_msg_fds(&msg, 0) != 0)\n+\t\t\treturn -1;\n+\n \t\tret = vhost_user_reset_owner(dev);\n \t\tbreak;\n \n \tcase VHOST_USER_SET_MEM_TABLE:\n+\t\tif (validate_msg_fds(&msg, msg.payload.memory.nregions) != 0)\n+\t\t\treturn -1;\n+\n \t\tvhost_user_set_mem_table(dev, &msg);\n \t\tbreak;\n \n \tcase VHOST_USER_SET_LOG_BASE:\n+\t\tif (validate_msg_fds(&msg, 1) != 0)\n+\t\t\treturn -1;\n+\n \t\tret = vhost_user_set_log_base(dev, &msg);\n \t\tif (ret)\n \t\t\tbreak;\n@@ -1144,21 +1198,36 @@ vhost_user_msg_handler(int vid, int fd)\n \t\tsend_vhost_message(fd, &msg);\n \t\tbreak;\n \tcase VHOST_USER_SET_LOG_FD:\n+\t\tif (validate_msg_fds(&msg, 1) != 0)\n+\t\t\treturn -1;\n+\n \t\tclose(msg.fds[0]);\n \t\tRTE_LOG(INFO, VHOST_CONFIG, \"not implemented.\\n\");\n \t\tbreak;\n \n \tcase VHOST_USER_SET_VRING_NUM:\n+\t\tif (validate_msg_fds(&msg, 0) != 0)\n+\t\t\treturn -1;\n+\n \t\tret = vhost_user_set_vring_num(dev, &msg.payload.state);\n \t\tbreak;\n \tcase VHOST_USER_SET_VRING_ADDR:\n+\t\tif (validate_msg_fds(&msg, 0) != 0)\n+\t\t\treturn -1;\n+\n \t\tret = vhost_user_set_vring_addr(&dev, &msg.payload.addr);\n \t\tbreak;\n \tcase VHOST_USER_SET_VRING_BASE:\n+\t\tif (validate_msg_fds(&msg, 0) != 0)\n+\t\t\treturn -1;\n+\n \t\tret = vhost_user_set_vring_base(dev, &msg.payload.state);\n \t\tbreak;\n \n \tcase VHOST_USER_GET_VRING_BASE:\n+\t\tif (validate_msg_fds(&msg, 0) != 0)\n+\t\t\treturn -1;\n+\n \t\tret = vhost_user_get_vring_base(dev, 
&msg.payload.state);\n \t\tif (ret)\n \t\t\tbreak;\n@@ -1167,28 +1236,46 @@ vhost_user_msg_handler(int vid, int fd)\n \t\tbreak;\n \n \tcase VHOST_USER_SET_VRING_KICK:\n+\t\tif (validate_msg_fds(&msg, 1) != 0)\n+\t\t\treturn -1;\n+\n \t\tret = vhost_user_set_vring_kick(dev, &msg);\n \t\tbreak;\n \tcase VHOST_USER_SET_VRING_CALL:\n+\t\tif (validate_msg_fds(&msg, 1) != 0)\n+\t\t\treturn -1;\n+\n \t\tvhost_user_set_vring_call(dev, &msg);\n \t\tbreak;\n \n \tcase VHOST_USER_SET_VRING_ERR:\n+\t\tif (validate_msg_fds(&msg, 1) != 0)\n+\t\t\treturn -1;\n+\n \t\tif (!(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK))\n \t\t\tclose(msg.fds[0]);\n \t\tRTE_LOG(INFO, VHOST_CONFIG, \"not implemented\\n\");\n \t\tbreak;\n \n \tcase VHOST_USER_GET_QUEUE_NUM:\n+\t\tif (validate_msg_fds(&msg, 0) != 0)\n+\t\t\treturn -1;\n+\n \t\tmsg.payload.u64 = VHOST_MAX_QUEUE_PAIRS;\n \t\tmsg.size = sizeof(msg.payload.u64);\n \t\tsend_vhost_message(fd, &msg);\n \t\tbreak;\n \n \tcase VHOST_USER_SET_VRING_ENABLE:\n+\t\tif (validate_msg_fds(&msg, 0) != 0)\n+\t\t\treturn -1;\n+\n \t\tret = vhost_user_set_vring_enable(dev, &msg.payload.state);\n \t\tbreak;\n \tcase VHOST_USER_SEND_RARP:\n+\t\tif (validate_msg_fds(&msg, 0) != 0)\n+\t\t\treturn -1;\n+\n \t\tret = vhost_user_send_rarp(dev, &msg);\n \t\tbreak;\n \n", "prefixes": [ "v16.11", "v2", "4/4" ] }{ "id": 62895, "url": "
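Review bot: In the `VHOST_USER_SET_VRING_ERR` case the new check requires exactly one FD, but the line that follows closes `msg.fds[0]` only when `VHOST_USER_VRING_NOFD_MASK` is clear, so a message that sets the mask and still carries one FD passes validation and the descriptor is never closed, which is the leak this patch is meant to stop. The same fixed count of 1 is used for `VHOST_USER_SET_VRING_KICK` and `VHOST_USER_SET_VRING_CALL`; their handlers are outside the hunk, but if they honour the mask the same way, a well-formed request that sets it and sends no FD is now rejected. Deriving the expected count from the payload would cover both directions, e.g. `expected = (msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1;` followed by `if (validate_msg_fds(&msg, expected) != 0) return -1;`. `vhost_user_msg_handler` starts and ends outside the hunk, so whether `msg.request` is bounds-checked before `vhost_message_str[msg->request]` is indexed in the new error log could not be confirmed here.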