diff mbox series

[v3,1/2] vhost: fix possible FDs leak

Message ID 20230207162240.292020-2-maxime.coquelin@redhat.com (mailing list archive)
State Accepted, archived
Delegated to: Maxime Coquelin
Headers
Series Vhost: fix FD leaks and improve logs |

Checks

Context Check Description
ci/checkpatch warning coding style issues

Commit Message

Maxime Coquelin Feb. 7, 2023, 4:22 p.m. UTC 
  On failure, read_vhost_message() only closed the message
FDs if the header size was unexpected, but there are other
cases where it is required. For exemple in the case the
payload size read from the header is greater than the
expected maximum payload size.

This patch fixes this by closing all messages FDs in all
error cases. It also improve error logging by displaying
the request name when failure happens if possible.

Fixes: bf472259dde6 ("vhost: fix possible denial of service by leaking FDs")
Cc: stable@dpdk.org

Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
Signed-off-by: David Marchand <david.marchand@redhat.com>
Reviewed-by: Chenbo Xia <chenbo.xia@intel.com>
---
 lib/vhost/vhost_user.c | 40 ++++++++++++++++++++++++++--------------
 1 file changed, 26 insertions(+), 14 deletions(-)
diff mbox series

Patch

diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c
index 8f33d5f4d9..a6d8269d91 100644
--- a/lib/vhost/vhost_user.c
+++ b/lib/vhost/vhost_user.c
@@ -2827,29 +2827,36 @@  read_vhost_message(struct virtio_net *dev, int sockfd, struct  vhu_msg_context *
 
 	ret = read_fd_message(dev->ifname, sockfd, (char *)&ctx->msg, VHOST_USER_HDR_SIZE,
 		ctx->fds, VHOST_MEMORY_MAX_NREGIONS, &ctx->fd_num);
-	if (ret <= 0) {
-		return ret;
-	} else if (ret != VHOST_USER_HDR_SIZE) {
+	if (ret <= 0)
+		goto out;
+
+	if (ret != VHOST_USER_HDR_SIZE) {
 		VHOST_LOG_CONFIG(dev->ifname, ERR, "Unexpected header size read\n");
-		close_msg_fds(ctx);
-		return -1;
+		ret = -1;
+		goto out;
 	}
 
 	if (ctx->msg.size) {
 		if (ctx->msg.size > sizeof(ctx->msg.payload)) {
 			VHOST_LOG_CONFIG(dev->ifname, ERR, "invalid msg size: %d\n",
 				ctx->msg.size);
-			return -1;
+			ret = -1;
+			goto out;
 		}
 		ret = read(sockfd, &ctx->msg.payload, ctx->msg.size);
 		if (ret <= 0)
-			return ret;
+			goto out;
 		if (ret != (int)ctx->msg.size) {
 			VHOST_LOG_CONFIG(dev->ifname, ERR, "read control message failed\n");
-			return -1;
+			ret = -1;
+			goto out;
 		}
 	}
 
+out:
+	if (ret <= 0)
+		close_msg_fds(ctx);
+
 	return ret;
 }
 
@@ -2997,13 +3004,10 @@  vhost_user_msg_handler(int vid, int fd)
 		}
 	}
 
+	ctx.msg.request.master = VHOST_USER_NONE;
 	ret = read_vhost_message(dev, fd, &ctx);
-	if (ret <= 0) {
-		if (ret < 0)
-			VHOST_LOG_CONFIG(dev->ifname, ERR, "vhost read message failed\n");
-		else
-			VHOST_LOG_CONFIG(dev->ifname, INFO, "vhost peer closed\n");
-
+	if (ret == 0) {
+		VHOST_LOG_CONFIG(dev->ifname, INFO, "vhost peer closed\n");
 		return -1;
 	}
 
@@ -3013,6 +3017,14 @@  vhost_user_msg_handler(int vid, int fd)
 	else
 		msg_handler = NULL;
 
+	if (ret < 0) {
+		VHOST_LOG_CONFIG(dev->ifname, ERR, "vhost read message %s%s%sfailed\n",
+				msg_handler != NULL ? "for " : "",
+				msg_handler != NULL ? msg_handler->description : "",
+				msg_handler != NULL ? " " : "");
+		return -1;
+	}
+
 	if (msg_handler != NULL && msg_handler->description != NULL) {
 		if (request != VHOST_USER_IOTLB_MSG)
 			VHOST_LOG_CONFIG(dev->ifname, INFO,