Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/62900/?format=api
{ "id": 62900, "url": "https://patches.dpdk.org/api/patches/62900/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/patch/20191112151932.27470-2-maxime.coquelin@redhat.com/", "project": { "id": 1, "url": "https://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20191112151932.27470-2-maxime.coquelin@redhat.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20191112151932.27470-2-maxime.coquelin@redhat.com", "date": "2019-11-12T15:19:32", "name": "[v18.11,v2,2/2] vhost: fix possible denial of service by leaking FDs", "commit_ref": null, "pull_url": null, "state": "not-applicable", "archived": true, "hash": "397f950a3033747d2df61a15a3e57488b283eea8", "submitter": { "id": 512, "url": "https://patches.dpdk.org/api/people/512/?format=api", "name": "Maxime Coquelin", "email": "maxime.coquelin@redhat.com" }, "delegate": { "id": 2642, "url": "https://patches.dpdk.org/api/users/2642/?format=api", "username": "mcoquelin", "first_name": "Maxime", "last_name": "Coquelin", "email": "maxime.coquelin@redhat.com" }, "mbox": "https://patches.dpdk.org/project/dpdk/patch/20191112151932.27470-2-maxime.coquelin@redhat.com/mbox/", "series": [ { "id": 7419, "url": "https://patches.dpdk.org/api/series/7419/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/list/?series=7419", "date": "2019-11-12T15:19:31", "name": "[v18.11,v2,1/2] vhost: fix possible denial of service on SET_VRING_NUM", "version": 2, "mbox": "https://patches.dpdk.org/series/7419/mbox/" } ], "comments": "https://patches.dpdk.org/api/patches/62900/comments/", "check": "pending", "checks": "https://patches.dpdk.org/api/patches/62900/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from dpdk.org (dpdk.org [92.243.14.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id E8982A04B6;\n\tTue, 12 Nov 2019 16:20:47 +0100 (CET)", "from [92.243.14.124] (localhost [127.0.0.1])\n\tby dpdk.org (Postfix) with ESMTP id 1094D7CBC;\n\tTue, 12 Nov 2019 16:19:53 +0100 (CET)", "from us-smtp-delivery-1.mimecast.com (us-smtp-1.mimecast.com\n [205.139.110.61]) by dpdk.org (Postfix) with ESMTP id DFBF237B4\n for <dev@dpdk.org>; Tue, 12 Nov 2019 16:19:45 +0100 (CET)", "from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com\n [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id\n us-mta-394-H42pox6JPl2KAaYpwpAQEw-1; Tue, 12 Nov 2019 10:19:44 -0500", "from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com\n [10.5.11.22])\n (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))\n (No client certificate requested)\n by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 5498910071FB;\n Tue, 12 Nov 2019 15:19:40 +0000 (UTC)", "from localhost.localdomain (ovpn-112-39.ams2.redhat.com\n [10.36.112.39])\n by smtp.corp.redhat.com (Postfix) with ESMTP id E72E7100EBCC;\n Tue, 12 Nov 2019 15:19:38 +0000 (UTC)" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1573571985;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n content-transfer-encoding:content-transfer-encoding:\n in-reply-to:in-reply-to:references:references;\n bh=GZLYQBNTVzNJRJ8slaYoAkwtokiEi1+VZyBB7iXVZ3Y=;\n b=Ra6ZMX0KWyofuuJg3SBvvrF+qRaqL/eu7/lDkd3pv8PHQ+v+Ybh3nZmxYTGkIo5YWLf/na\n NxCkq3L7o3w9gAJNFcR8RVnAVo2yzh5u7zTRP6H+pDsQYj+JwPhd8Q2zI80D5l/B9nLDFx\n 4j0L4MYv2QqTWxjUdXdO4q+HzIxT9Ek=", "From": "Maxime Coquelin <maxime.coquelin@redhat.com>", "To": "dev@dpdk.org,\n\tstable@dpdk.org", "Cc": "Maxime Coquelin <maxime.coquelin@redhat.com>", "Date": "Tue, 12 Nov 2019 16:19:32 +0100", "Message-Id": "<20191112151932.27470-2-maxime.coquelin@redhat.com>", "In-Reply-To": "<20191112151932.27470-1-maxime.coquelin@redhat.com>", "References": "<b45c3416-0b1d-0ee4-89eb-c23a69e7cef3@intel.com>\n <20191112151932.27470-1-maxime.coquelin@redhat.com>", "MIME-Version": "1.0", "X-Scanned-By": "MIMEDefang 2.84 on 10.5.11.22", "X-MC-Unique": "H42pox6JPl2KAaYpwpAQEw-1", "X-Mimecast-Spam-Score": "0", "Content-Type": "text/plain; charset=WINDOWS-1252", "Content-Transfer-Encoding": "quoted-printable", "Subject": "[dpdk-dev] [v18.11 PATCH v2 2/2] vhost: fix possible denial of\n\tservice by leaking FDs", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.15", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "A malicious Vhost-user master could send in loop hand-crafted\nvhost-user messages containing more file descriptors the\nvhost-user slave expects. Doing so causes the application using\nthe vhost-user library to run out of FDs.\n\nThis issue has been assigned CVE-2019-14818\n\nFixes: 8f972312b8f4 (\"vhost: support vhost-user\")\n\nSigned-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>\n---\n lib/librte_vhost/vhost_user.c | 118 ++++++++++++++++++++++++++++++++--\n 1 file changed, 114 insertions(+), 4 deletions(-)", "diff": "diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c\nindex 457e62d97e..98cd670e03 100644\n--- a/lib/librte_vhost/vhost_user.c\n+++ b/lib/librte_vhost/vhost_user.c\n@@ -83,6 +83,36 @@ static const char *vhost_message_str[VHOST_USER_MAX] = {\n static int send_vhost_reply(int sockfd, struct VhostUserMsg *msg);\n static int read_vhost_message(int sockfd, struct VhostUserMsg *msg);\n \n+static void\n+close_msg_fds(struct VhostUserMsg *msg)\n+{\n+\tint i;\n+\n+\tfor (i = 0; i < msg->fd_num; i++)\n+\t\tclose(msg->fds[i]);\n+}\n+\n+/*\n+ * Ensure the expected number of FDs is received,\n+ * close all FDs and return an error if this is not the case.\n+ */\n+static int\n+validate_msg_fds(struct VhostUserMsg *msg, int expected_fds)\n+{\n+\tif (msg->fd_num == expected_fds)\n+\t\treturn 0;\n+\n+\tRTE_LOG(ERR, VHOST_CONFIG,\n+\t\t\" Expect %d FDs for request %s, received %d\\n\",\n+\t\texpected_fds,\n+\t\tvhost_message_str[msg->request.master],\n+\t\tmsg->fd_num);\n+\n+\tclose_msg_fds(msg);\n+\n+\treturn -1;\n+}\n+\n static uint64_t\n get_blk_size(int fd)\n {\n@@ -179,18 +209,25 @@ vhost_backend_cleanup(struct virtio_net *dev)\n */\n static int\n vhost_user_set_owner(struct virtio_net **pdev __rte_unused,\n-\t\t\tstruct VhostUserMsg *msg __rte_unused,\n+\t\t\tstruct VhostUserMsg *msg,\n \t\t\tint main_fd __rte_unused)\n {\n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \treturn VH_RESULT_OK;\n }\n \n static int\n vhost_user_reset_owner(struct virtio_net **pdev,\n-\t\t\tstruct VhostUserMsg *msg __rte_unused,\n+\t\t\tstruct VhostUserMsg *msg,\n \t\t\tint main_fd __rte_unused)\n {\n \tstruct virtio_net *dev = *pdev;\n+\n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tvhost_destroy_device_notify(dev);\n \n \tcleanup_device(dev, 0);\n@@ -208,6 +245,9 @@ vhost_user_get_features(struct virtio_net **pdev, struct VhostUserMsg *msg,\n \tstruct virtio_net *dev = *pdev;\n \tuint64_t features = 0;\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \trte_vhost_driver_get_features(dev->ifname, &features);\n \n \tmsg->payload.u64 = features;\n@@ -227,6 +267,9 @@ vhost_user_get_queue_num(struct virtio_net **pdev, struct VhostUserMsg *msg,\n \tstruct virtio_net *dev = *pdev;\n \tuint32_t queue_num = 0;\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \trte_vhost_driver_get_queue_num(dev->ifname, &queue_num);\n \n \tmsg->payload.u64 = (uint64_t)queue_num;\n@@ -249,6 +292,9 @@ vhost_user_set_features(struct virtio_net **pdev, struct VhostUserMsg *msg,\n \tstruct rte_vdpa_device *vdpa_dev;\n \tint did = -1;\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \trte_vhost_driver_get_features(dev->ifname, &vhost_features);\n \tif (features & ~vhost_features) {\n \t\tRTE_LOG(ERR, VHOST_CONFIG,\n@@ -329,6 +375,9 @@ vhost_user_set_vring_num(struct virtio_net **pdev,\n \tstruct virtio_net *dev = *pdev;\n \tstruct vhost_virtqueue *vq = dev->virtqueue[msg->payload.state.index];\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tvq->size = msg->payload.state.num;\n \n \t/* VIRTIO 1.0, 2.4 Virtqueues says:\n@@ -708,6 +757,9 @@ vhost_user_set_vring_addr(struct virtio_net **pdev, struct VhostUserMsg *msg,\n \tstruct vhost_virtqueue *vq;\n \tstruct vhost_vring_addr *addr = &msg->payload.addr;\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tif (dev->mem == NULL)\n \t\treturn VH_RESULT_ERR;\n \n@@ -746,6 +798,9 @@ vhost_user_set_vring_base(struct virtio_net **pdev,\n \tstruct vhost_virtqueue *vq = dev->virtqueue[msg->payload.state.index];\n \tuint64_t val = msg->payload.state.num;\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tif (vq_is_packed(dev)) {\n \t\t/*\n \t\t * Bit[0:14]: avail index\n@@ -907,6 +962,9 @@ vhost_user_set_mem_table(struct virtio_net **pdev, struct VhostUserMsg *msg,\n \tint populate;\n \tint fd;\n \n+\tif (validate_msg_fds(msg, memory->nregions) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tif (memory->nregions > VHOST_MEMORY_MAX_NREGIONS) {\n \t\tRTE_LOG(ERR, VHOST_CONFIG,\n \t\t\t\"too many memory regions (%u)\\n\", memory->nregions);\n@@ -917,8 +975,7 @@ vhost_user_set_mem_table(struct virtio_net **pdev, struct VhostUserMsg *msg,\n \t\tRTE_LOG(INFO, VHOST_CONFIG,\n \t\t\t\"(%d) memory regions not changed\\n\", dev->vid);\n \n-\t\tfor (i = 0; i < memory->nregions; i++)\n-\t\t\tclose(msg->fds[i]);\n+\t\tclose_msg_fds(msg);\n \n \t\treturn VH_RESULT_OK;\n \t}\n@@ -1061,6 +1118,10 @@ vhost_user_set_mem_table(struct virtio_net **pdev, struct VhostUserMsg *msg,\n \t\t\t\t\"Failed to read qemu ack on postcopy set-mem-table\\n\");\n \t\t\tgoto err_mmap;\n \t\t}\n+\n+\t\tif (validate_msg_fds(&ack_msg, 0) != 0)\n+\t\t\tgoto err_mmap;\n+\n \t\tif (ack_msg.request.master != VHOST_USER_SET_MEM_TABLE) {\n \t\t\tRTE_LOG(ERR, VHOST_CONFIG,\n \t\t\t\t\"Bad qemu ack on postcopy set-mem-table (%d)\\n\",\n@@ -1181,6 +1242,9 @@ vhost_user_set_vring_call(struct virtio_net **pdev, struct VhostUserMsg *msg,\n \tstruct vhost_vring_file file;\n \tstruct vhost_virtqueue *vq;\n \n+\tif (validate_msg_fds(msg, 1) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tfile.index = msg->payload.u64 & VHOST_USER_VRING_IDX_MASK;\n \tif (msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK)\n \t\tfile.fd = VIRTIO_INVALID_EVENTFD;\n@@ -1202,6 +1266,9 @@ static int vhost_user_set_vring_err(struct virtio_net **pdev __rte_unused,\n \t\t\tstruct VhostUserMsg *msg,\n \t\t\tint main_fd __rte_unused)\n {\n+\tif (validate_msg_fds(msg, 1) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tif (!(msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK))\n \t\tclose(msg->fds[0]);\n \tRTE_LOG(INFO, VHOST_CONFIG, \"not implemented\\n\");\n@@ -1217,6 +1284,9 @@ vhost_user_set_vring_kick(struct virtio_net **pdev, struct VhostUserMsg *msg,\n \tstruct vhost_vring_file file;\n \tstruct vhost_virtqueue *vq;\n \n+\tif (validate_msg_fds(msg, 1) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tfile.index = msg->payload.u64 & VHOST_USER_VRING_IDX_MASK;\n \tif (msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK)\n \t\tfile.fd = VIRTIO_INVALID_EVENTFD;\n@@ -1273,6 +1343,9 @@ vhost_user_get_vring_base(struct virtio_net **pdev,\n \tstruct vhost_virtqueue *vq = dev->virtqueue[msg->payload.state.index];\n \tuint64_t val;\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \t/* We have to stop the queue (virtio) if it is running. */\n \tvhost_destroy_device_notify(dev);\n \n@@ -1346,6 +1419,9 @@ vhost_user_set_vring_enable(struct virtio_net **pdev,\n \tstruct rte_vdpa_device *vdpa_dev;\n \tint did = -1;\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tRTE_LOG(INFO, VHOST_CONFIG,\n \t\t\"set queue enable: %d to qp idx: %d\\n\",\n \t\tenable, index);\n@@ -1376,6 +1452,9 @@ vhost_user_get_protocol_features(struct virtio_net **pdev,\n \tstruct virtio_net *dev = *pdev;\n \tuint64_t features, protocol_features;\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \trte_vhost_driver_get_features(dev->ifname, &features);\n \trte_vhost_driver_get_protocol_features(dev->ifname, &protocol_features);\n \n@@ -1404,6 +1483,9 @@ vhost_user_set_protocol_features(struct virtio_net **pdev,\n \tuint64_t protocol_features = msg->payload.u64;\n \tuint64_t slave_protocol_features = 0;\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \trte_vhost_driver_get_protocol_features(dev->ifname,\n \t\t\t&slave_protocol_features);\n \tif (protocol_features & ~slave_protocol_features) {\n@@ -1427,6 +1509,9 @@ vhost_user_set_log_base(struct virtio_net **pdev, struct VhostUserMsg *msg,\n \tuint64_t size, off;\n \tvoid *addr;\n \n+\tif (validate_msg_fds(msg, 1) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tif (fd < 0) {\n \t\tRTE_LOG(ERR, VHOST_CONFIG, \"invalid log fd: %d\\n\", fd);\n \t\treturn VH_RESULT_ERR;\n@@ -1490,6 +1575,9 @@ static int vhost_user_set_log_fd(struct virtio_net **pdev __rte_unused,\n \t\t\tstruct VhostUserMsg *msg,\n \t\t\tint main_fd __rte_unused)\n {\n+\tif (validate_msg_fds(msg, 1) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tclose(msg->fds[0]);\n \tRTE_LOG(INFO, VHOST_CONFIG, \"not implemented.\\n\");\n \n@@ -1513,6 +1601,9 @@ vhost_user_send_rarp(struct virtio_net **pdev, struct VhostUserMsg *msg,\n \tstruct rte_vdpa_device *vdpa_dev;\n \tint did = -1;\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tRTE_LOG(DEBUG, VHOST_CONFIG,\n \t\t\":: mac: %02x:%02x:%02x:%02x:%02x:%02x\\n\",\n \t\tmac[0], mac[1], mac[2], mac[3], mac[4], mac[5]);\n@@ -1540,6 +1631,10 @@ vhost_user_net_set_mtu(struct virtio_net **pdev, struct VhostUserMsg *msg,\n \t\t\tint main_fd __rte_unused)\n {\n \tstruct virtio_net *dev = *pdev;\n+\n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tif (msg->payload.u64 < VIRTIO_MIN_MTU ||\n \t\t\tmsg->payload.u64 > VIRTIO_MAX_MTU) {\n \t\tRTE_LOG(ERR, VHOST_CONFIG, \"Invalid MTU size (%\"PRIu64\")\\n\",\n@@ -1560,6 +1655,9 @@ vhost_user_set_req_fd(struct virtio_net **pdev, struct VhostUserMsg *msg,\n \tstruct virtio_net *dev = *pdev;\n \tint fd = msg->fds[0];\n \n+\tif (validate_msg_fds(msg, 1) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tif (fd < 0) {\n \t\tRTE_LOG(ERR, VHOST_CONFIG,\n \t\t\t\t\"Invalid file descriptor for slave channel (%d)\\n\",\n@@ -1630,6 +1728,9 @@ vhost_user_iotlb_msg(struct virtio_net **pdev, struct VhostUserMsg *msg,\n \tuint16_t i;\n \tuint64_t vva, len;\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tswitch (imsg->type) {\n \tcase VHOST_IOTLB_UPDATE:\n \t\tlen = imsg->size;\n@@ -1676,6 +1777,9 @@ vhost_user_set_postcopy_advise(struct virtio_net **pdev,\n #ifdef RTE_LIBRTE_VHOST_POSTCOPY\n \tstruct uffdio_api api_struct;\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tdev->postcopy_ufd = syscall(__NR_userfaultfd, O_CLOEXEC | O_NONBLOCK);\n \n \tif (dev->postcopy_ufd == -1) {\n@@ -1711,6 +1815,9 @@ vhost_user_set_postcopy_listen(struct virtio_net **pdev,\n {\n \tstruct virtio_net *dev = *pdev;\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tif (dev->mem && dev->mem->nregions) {\n \t\tRTE_LOG(ERR, VHOST_CONFIG,\n \t\t\t\"Regions already registered at postcopy-listen\\n\");\n@@ -1727,6 +1834,9 @@ vhost_user_postcopy_end(struct virtio_net **pdev, struct VhostUserMsg *msg,\n {\n \tstruct virtio_net *dev = *pdev;\n \n+\tif (validate_msg_fds(msg, 0) != 0)\n+\t\treturn VH_RESULT_ERR;\n+\n \tdev->postcopy_listening = 0;\n \tif (dev->postcopy_ufd >= 0) {\n \t\tclose(dev->postcopy_ufd);\n", "prefixes": [ "v18.11", "v2", "2/2" ] }