diff mbox series

[1/3] vhost: fix split ring potential buffer overflow

Message ID	20210331064939.56107-1-yong.liu@intel.com (mailing list archive)
State	Accepted, archived
Delegated to:	Maxime Coquelin
Headers	IronPort-SDR: 4DDXmY8GJscooazN308DnRULITeXKXHFKWN1ZyQqZkxnlD/dIq6vB5Xn1NB4kA6HFVJFAIDzlp 977kZnN0RGOw== IronPort-SDR: kAzwI261UI9e7fNYUwc4Ne4lvkD8wh/svw/nMWD5/BpjNLf2hb4zy0mu2nHNs8liA8+aPjxe8x XccY9zcXbGcw== From: Marvin Liu <yong.liu@intel.com> To: maxime.coquelin@redhat.com, chenbo.xia@intel.com Cc: dev@dpdk.org, Marvin Liu <yong.liu@intel.com>, stable@dpdk.org Date: Wed, 31 Mar 2021 14:49:37 +0800 Message-Id: <20210331064939.56107-1-yong.liu@intel.com> Subject: [dpdk-dev] [PATCH 1/3] vhost: fix split ring potential buffer overflow Precedence: list Errors-To: dev-bounces@dpdk.org Sender: "dev" <dev-bounces@dpdk.org>
Series	[1/3] vhost: fix split ring potential buffer overflow \| [1/3] vhost: fix split ring potential buffer overflow [2/3] vhost: fix packed ring potential buffer overflow [3/3] vhost: fix potential buffer overflow when batch dequeue

Checks

Context	Check	Description
ci/checkpatch	success	coding style OK

Commit Message

Marvin Liu March 31, 2021, 6:49 a.m. UTC

  In vhost datapath, descriptor's length are mostly used in two coherent
operations. First step is used for address translation, second step is
used for memory transaction from guest to host. But the iterval between
two steps will give a window for malicious guest, in which can change
descriptor length after vhost calcuated buffer size. Thus may lead to
buffer overflow in vhost side. This potential risk can be eliminated by
accessing the descriptor length once.

Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx")
Cc: stable@dpdk.org

Signed-off-by: Marvin Liu <yong.liu@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>

Comments

Chenbo Xia March 31, 2021, 7:48 a.m. UTC | #1

> -----Original Message-----
> From: Liu, Yong <yong.liu@intel.com>
> Sent: Wednesday, March 31, 2021 2:50 PM
> To: maxime.coquelin@redhat.com; Xia, Chenbo <chenbo.xia@intel.com>
> Cc: dev@dpdk.org; Liu, Yong <yong.liu@intel.com>; stable@dpdk.org
> Subject: [PATCH 1/3] vhost: fix split ring potential buffer overflow
> 
> In vhost datapath, descriptor's length are mostly used in two coherent
> operations. First step is used for address translation, second step is
> used for memory transaction from guest to host. But the iterval between
> two steps will give a window for malicious guest, in which can change
> descriptor length after vhost calcuated buffer size. Thus may lead to
> buffer overflow in vhost side. This potential risk can be eliminated by
> accessing the descriptor length once.
> 
> Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx")
> Cc: stable@dpdk.org
> 
> Signed-off-by: Marvin Liu <yong.liu@intel.com>
> Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
> --
> 2.17.1

Series applied to next-virtio/main, Thanks!

diff mbox series

Patch

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index 583bf379c6..576a0a20c0 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -548,10 +548,11 @@  fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 			return -1;
 		}
 
-		len += descs[idx].len;
+		dlen = descs[idx].len;
+		len += dlen;
 
 		if (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id,
-						descs[idx].addr, descs[idx].len,
+						descs[idx].addr, dlen,
 						perm))) {
 			free_ind_table(idesc);
 			return -1;