DPDK announcements
 help / color / mirror / Atom feed
* [dpdk-announce] Vhost-user CVE-2018-1059
@ 2018-04-23 15:55 Maxime Coquelin
  0 siblings, 0 replies; only message in thread
From: Maxime Coquelin @ 2018-04-23 15:55 UTC (permalink / raw)
  To: announce

Dear users,

All versions of DPDK's Vhost-user library are vulnerable to out-of-bound
accesses initiated by a buggy or malicious guest.

This vulnerability has been assigned CVE-2018-1059.

Users are strongly encouraged to upgrade to the latest releases:
- v16.11.6 (LTS): https://fast.dpdk.org/rel/dpdk-16.11.6.tar.xz
- v17.08.2: https://fast.dpdk.org/rel/dpdk-17.08.2.tar.xz
- v17.11.2 (LTS): https://fast.dpdk.org/rel/dpdk-17.11.2.tar.xz
- v18.02.1: https://fast.dpdk.org/rel/dpdk-18.02.1.tar.xz

Starting DPDK v17.11, rte_vhost_gpa_to_vva() API was introduced for
external Vhost backends to be able to translate guest's physical
addresses to Vhost process's virtual addresses.
This API is now marked as deprecated, and users must replace its use
with the new rte_vhost_va_from_guest_pa() API. This new API takes an
extra length parameter that must be checked properly.

Patches fixing this vulnerability will soon be posted to the dev
mailing-list for upstream master, and to the stable mailing-list for
stable branches.

Kind regards,

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2018-04-23 15:56 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-04-23 15:55 [dpdk-announce] Vhost-user CVE-2018-1059 Maxime Coquelin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).