From: Rich Lane
To: dev@dpdk.org
Date: Thu, 12 Nov 2015 00:02:33 -0800
Message-Id: <1447315353-42152-1-git-send-email-rlane@bigswitch.com>
X-Mailer: git-send-email 1.9.1
Subject: [dpdk-dev] [PATCH] vhost: avoid buffer overflow in update_secure_len
List-Id: patches and discussions about DPDK

The guest could trigger this buffer overflow by creating a cycle of
descriptors (which would also cause an infinite loop).

The more common case is that vq->avail->idx jumps out of the range
[last_used_idx, last_used_idx+256). This happens nearly every time when
restarting a DPDK app inside a VM connected to a vhost-user vswitch
because the virtqueue memory allocated by the previous run is zeroed.

Signed-off-by: Rich Lane
---
 lib/librte_vhost/vhost_rxtx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librte_vhost/vhost_rxtx.c b/lib/librte_vhost/vhost_rxtx.c
index 9322ce6..d95b478 100644
--- a/lib/librte_vhost/vhost_rxtx.c
+++ b/lib/librte_vhost/vhost_rxtx.c
@@ -453,7 +453,7 @@ update_secure_len(struct vhost_virtqueue *vq, uint32_t id,
 		vq->buf_vec[vec_id].desc_idx = idx;
 		vec_id++;
 
-		if (vq->desc[idx].flags & VRING_DESC_F_NEXT) {
+		if (vq->desc[idx].flags & VRING_DESC_F_NEXT && vec_id < BUF_VECTOR_MAX) {
 			idx = vq->desc[idx].next;
 			next_desc = 1;
 		}
-- 
1.9.1
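Review bot: the new `vec_id < BUF_VECTOR_MAX` guard in the `+` line stops the walk before `vq->buf_vec[]` is overrun, but the truncation is silent: when the cap is reached while VRING_DESC_F_NEXT is still set, `next_desc` is simply left unset, so the caller appears to see a chain that ended normally although the descriptor list was cut short (by a genuinely long chain, a cycle, or the zeroed-ring case from the commit message). Consider reporting the truncation to the caller, for example through the return value, so the request can be dropped and counted rather than processed with a partial length. Two smaller points on the same line: parenthesising `(vq->desc[idx].flags & VRING_DESC_F_NEXT)` would spare the reader from recalling that `&` binds tighter than `&&`, and it is not visible in this hunk whether the guest-controlled `vq->desc[idx].next` is checked against the ring size before it is used as an index on the next iteration; if it is not, that check belongs next to this one.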