Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/70387/?format=api
https://patches.dpdk.org/api/patches/70387/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/patch/20200518131704.715877-7-ferruh.yigit@intel.com/", "project": { "id": 1, "url": "https://patches.dpdk.org/api/projects/1/?format=api", "name": "DPDK", "link_name": "dpdk", "list_id": "dev.dpdk.org", "list_email": "dev@dpdk.org", "web_url": "http://core.dpdk.org", "scm_url": "git://dpdk.org/dpdk", "webscm_url": "http://git.dpdk.org/dpdk", "list_archive_url": "https://inbox.dpdk.org/dev", "list_archive_url_format": "https://inbox.dpdk.org/dev/{}", "commit_url_format": "" }, "msgid": "<20200518131704.715877-7-ferruh.yigit@intel.com>", "list_archive_url": "https://inbox.dpdk.org/dev/20200518131704.715877-7-ferruh.yigit@intel.com", "date": "2020-05-18T13:17:04", "name": "[6/6] vhost: fix potential fd leak", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": true, "hash": "11b8291a296ae91ab97375a6715370ca760ed312", "submitter": { "id": 324, "url": "https://patches.dpdk.org/api/people/324/?format=api", "name": "Ferruh Yigit", "email": "ferruh.yigit@intel.com" }, "delegate": { "id": 24651, "url": "https://patches.dpdk.org/api/users/24651/?format=api", "username": "dmarchand", "first_name": "David", "last_name": "Marchand", "email": "david.marchand@redhat.com" }, "mbox": "https://patches.dpdk.org/project/dpdk/patch/20200518131704.715877-7-ferruh.yigit@intel.com/mbox/", "series": [ { "id": 10129, "url": "https://patches.dpdk.org/api/series/10129/?format=api", "web_url": "https://patches.dpdk.org/project/dpdk/list/?series=10129", "date": "2020-05-18T13:16:58", "name": "Fix vhost security issues", "version": 1, "mbox": "https://patches.dpdk.org/series/10129/mbox/" } ], "comments": "https://patches.dpdk.org/api/patches/70387/comments/", "check": "success", "checks": "https://patches.dpdk.org/api/patches/70387/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<dev-bounces@dpdk.org>", "X-Original-To": "patchwork@inbox.dpdk.org", "Delivered-To": "patchwork@inbox.dpdk.org", "Received": [ "from dpdk.org (dpdk.org [92.243.14.124])\n\tby inbox.dpdk.org (Postfix) with ESMTP id D3EAFA0093;\n\tMon, 18 May 2020 15:18:17 +0200 (CEST)", "from [92.243.14.124] (localhost [127.0.0.1])\n\tby dpdk.org (Postfix) with ESMTP id B3C971D55F;\n\tMon, 18 May 2020 15:17:27 +0200 (CEST)", "from mga07.intel.com (mga07.intel.com [134.134.136.100])\n by dpdk.org (Postfix) with ESMTP id E9C101D539;\n Mon, 18 May 2020 15:17:24 +0200 (CEST)", "from orsmga003.jf.intel.com ([10.7.209.27])\n by orsmga105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;\n 18 May 2020 06:17:24 -0700", "from silpixa00399752.ir.intel.com (HELO\n silpixa00399752.ger.corp.intel.com) ([10.237.222.180])\n by orsmga003.jf.intel.com with ESMTP; 18 May 2020 06:17:23 -0700" ], "IronPort-SDR": [ "\n +16uLGsgKwHI4ycgpgAsfGzkrMOll0VyGV41pRgmZLQgEgstp+Iz3tK0BGY8a9LMsv3Ase3Q1q\n C1yYeIjOPkrw==", "\n guR+tdExj4CNdawyueALesdx+NQTUyIuqoZ17VB57cjeBbjZkSu3cNRHygxkYlhBrhm/pUCXol\n A3dse4vBDHXQ==" ], "X-Amp-Result": "SKIPPED(no attachment in message)", "X-Amp-File-Uploaded": "False", "X-ExtLoop1": "1", "X-IronPort-AV": "E=Sophos;i=\"5.73,407,1583222400\"; d=\"scan'208\";a=\"263950762\"", "From": "Ferruh Yigit <ferruh.yigit@intel.com>", "To": "dev@dpdk.org", "Cc": "Ferruh Yigit <ferruh.yigit@intel.com>, Xuan Ding <xuan.ding@intel.com>,\n stable@dpdk.org, Xiaolong Ye <xiaolong.ye@intel.com>,\n Maxime Coquelin <maxime.coquelin@redhat.com>", "Date": "Mon, 18 May 2020 14:17:04 +0100", "Message-Id": "<20200518131704.715877-7-ferruh.yigit@intel.com>", "X-Mailer": "git-send-email 2.25.4", "In-Reply-To": "<20200518131704.715877-1-ferruh.yigit@intel.com>", "References": "<20200518131704.715877-1-ferruh.yigit@intel.com>", "MIME-Version": "1.0", "Content-Transfer-Encoding": "8bit", "Subject": "[dpdk-dev] [PATCH 6/6] vhost: fix potential fd leak", "X-BeenThere": "dev@dpdk.org", "X-Mailman-Version": "2.1.15", "Precedence": "list", "List-Id": "DPDK patches and discussions <dev.dpdk.org>", "List-Unsubscribe": "<https://mails.dpdk.org/options/dev>,\n <mailto:dev-request@dpdk.org?subject=unsubscribe>", "List-Archive": "<http://mails.dpdk.org/archives/dev/>", "List-Post": "<mailto:dev@dpdk.org>", "List-Help": "<mailto:dev-request@dpdk.org?subject=help>", "List-Subscribe": "<https://mails.dpdk.org/listinfo/dev>,\n <mailto:dev-request@dpdk.org?subject=subscribe>", "Errors-To": "dev-bounces@dpdk.org", "Sender": "\"dev\" <dev-bounces@dpdk.org>" }, "content": "From: Xuan Ding <xuan.ding@intel.com>\n\nVhost will create temporary file when receiving VHOST_USER_GET_INFLIGHT_FD\nmessage. Malicious guest can send endless this message to drain out the\nresource of host.\n\nWhen receiving VHOST_USER_GET_INFLIGHT_FD message repeatedly, closing the\nfile created during the last handling of this message.\n\nCVE-2020-10726\nFixes: d87f1a1cb7b666550 (\"vhost: support inflight info sharing\")\nCc: stable@dpdk.org\n\nSigned-off-by: Xuan Ding <xuan.ding@intel.com>\nSigned-off-by: Xiaolong Ye <xiaolong.ye@intel.com>\nReviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>\n---\n lib/librte_vhost/vhost_user.c | 13 +++++++++++--\n 1 file changed, 11 insertions(+), 2 deletions(-)", "diff": "diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c\nindex 0424e49cb8..0916f5abc0 100644\n--- a/lib/librte_vhost/vhost_user.c\n+++ b/lib/librte_vhost/vhost_user.c\n@@ -206,7 +206,7 @@ vhost_backend_cleanup(struct virtio_net *dev)\n \t\t\tdev->inflight_info->addr = NULL;\n \t\t}\n \n-\t\tif (dev->inflight_info->fd > 0) {\n+\t\tif (dev->inflight_info->fd >= 0) {\n \t\t\tclose(dev->inflight_info->fd);\n \t\t\tdev->inflight_info->fd = -1;\n \t\t}\n@@ -1408,6 +1408,7 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev,\n \t\t\t\t\"failed to alloc dev inflight area\\n\");\n \t\t\treturn RTE_VHOST_MSG_RESULT_ERR;\n \t\t}\n+\t\tdev->inflight_info->fd = -1;\n \t}\n \n \tnum_queues = msg->payload.inflight.num_queues;\n@@ -1438,6 +1439,11 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev,\n \t\tdev->inflight_info->addr = NULL;\n \t}\n \n+\tif (dev->inflight_info->fd >= 0) {\n+\t\tclose(dev->inflight_info->fd);\n+\t\tdev->inflight_info->fd = -1;\n+\t}\n+\n \tdev->inflight_info->addr = addr;\n \tdev->inflight_info->size = msg->payload.inflight.mmap_size = mmap_size;\n \tdev->inflight_info->fd = msg->fds[0] = fd;\n@@ -1520,6 +1526,7 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg,\n \t\t\t\t\"failed to alloc dev inflight area\\n\");\n \t\t\treturn RTE_VHOST_MSG_RESULT_ERR;\n \t\t}\n+\t\tdev->inflight_info->fd = -1;\n \t}\n \n \tif (dev->inflight_info->addr) {\n@@ -1534,8 +1541,10 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg,\n \t\treturn RTE_VHOST_MSG_RESULT_ERR;\n \t}\n \n-\tif (dev->inflight_info->fd)\n+\tif (dev->inflight_info->fd >= 0) {\n \t\tclose(dev->inflight_info->fd);\n+\t\tdev->inflight_info->fd = -1;\n+\t}\n \n \tdev->inflight_info->fd = fd;\n \tdev->inflight_info->addr = addr;\n", "prefixes": [ "6/6" ] }{ "id": 70387, "url": "