From patchwork Wed Nov 13 05:03:01 2019
X-Patchwork-Submitter: =?utf-8?b?546L5b+X5YWL?=
X-Patchwork-Id: 62916
X-Patchwork-Delegate: maxime.coquelin@redhat.com
From: Zhike Wang
To: dev@dpdk.org
Cc: security@dpdk.org, wangzhike@jd.com, Zhike Wang
Date: Wed, 13 Nov 2019 13:03:01 +0800
Message-Id: <1573621381-3893-1-git-send-email-wangzk320@163.com>
X-Mailer: git-send-email 1.8.3.1
Subject: [dpdk-dev] [PATCH] vhost: fix validate_msg_fds if VHOST_USER_VRING_NOFD_MASK set.
List-Id: DPDK patches and discussions

When VHOST_USER_VRING_NOFD_MASK is set, the fd_num is 0.

Fixes: bf47225 ("vhost: fix possible denial of service by leaking FDs")
Signed-off-by: Zhike Wang
Reviewed-by: Maxime Coquelin
--- lib/librte_vhost/vhost_user.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index 90ecee1..0cfb8b7 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -1563,8 +1563,10 @@ struct virtio_net *dev = *pdev; struct vhost_vring_file file; struct vhost_virtqueue *vq; + int expected_fds; - if (validate_msg_fds(msg, 1) != 0) + expected_fds = (msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1; + if (validate_msg_fds(msg, expected_fds) != 0) return RTE_VHOST_MSG_RESULT_ERR; file.index = msg->payload.u64 & VHOST_USER_VRING_IDX_MASK; 
@@ -1588,7 +1590,10 @@ static int vhost_user_set_vring_err(struct virtio_net **pdev __rte_unused, struct VhostUserMsg *msg, int main_fd __rte_unused) { - if (validate_msg_fds(msg, 1) != 0) + int expected_fds; + + expected_fds = (msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1; + if (validate_msg_fds(msg, expected_fds) != 0) return RTE_VHOST_MSG_RESULT_ERR; if (!(msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK)) @@ -1790,8 +1795,10 @@ static int vhost_user_set_vring_err(struct virtio_net **pdev __rte_unused, struct virtio_net *dev = *pdev; struct vhost_vring_file file; struct vhost_virtqueue *vq; + int expected_fds; - if (validate_msg_fds(msg, 1) != 0) + expected_fds = (msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1; + if (validate_msg_fds(msg, expected_fds) != 0) return RTE_VHOST_MSG_RESULT_ERR; file.index = msg->payload.u64 & VHOST_USER_VRING_IDX_MASK;
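Review bot: the `expected_fds = (msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1;` line added in the first hunk (@@ -1563,8 +1563,10 @@) is repeated verbatim in the other two hunks of this patch. Consider moving the computation into one small static helper in vhost_user.c that takes the message and returns the expected descriptor count, so the three handlers cannot diverge if the flag handling changes later.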
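Review bot: in the vhost_user_set_vring_err hunk (@@ -1588,7 +1590,10 @@) VHOST_USER_VRING_NOFD_MASK is now tested twice on the same payload, once to compute expected_fds and again in the unchanged `if (!(msg->payload.u64 & VHOST_USER_VRING_NOFD_MASK))` that follows the validation. Suggest deriving both decisions from a single local, for example by testing `expected_fds` in the second condition, so the count that was validated and the branch that consumes the descriptor always agree.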
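Review bot: the third hunk (@@ -1790,8 +1795,10 @@) adds no comment explaining why the expected count depends on `msg->payload.u64`, and the commit message only says "the fd_num is 0". Because the count passed to validate_msg_fds is now taken from a flag inside the message itself, please add a one-line comment stating that a message with VHOST_USER_VRING_NOFD_MASK set carries no descriptor, and confirm that a message which sets the flag but still arrives with a descriptor takes the RTE_VHOST_MSG_RESULT_ERR path with that descriptor closed, given that the Fixes: commit is about leaking FDs.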