Re: [dpdk-dev] thoughts on DPDK after a few days of reading sources

DPDK patches and discussions
 help / color / mirror / Atom feed

From: Stephen Hemminger <stephen@networkplumber.org>
To: Seth Arnold <seth.arnold@canonical.com>
Cc: dev@dpdk.org
Subject: Re: [dpdk-dev] thoughts on DPDK after a few days of reading sources
Date: Thu, 11 Feb 2016 14:48:28 -0800	[thread overview]
Message-ID: <20160211144828.1404e9c1@xeon-e3> (raw)
In-Reply-To: <20160211030540.GB25680@hunt>

On Wed, 10 Feb 2016 19:05:40 -0800
Seth Arnold <seth.arnold@canonical.com> wrote:

> - ./drivers/net/virtio/virtio_ethdev.c virtio_set_multiple_queues() calls
>   virtio_send_command(), which performs:
>   memcpy(vq->virtio_net_hdr_mz->addr, ctrl, sizeof(struct virtio_pmd_ctrl));
>   This copies a potentially huge amount of uninitialized data into ->addr
>   because the struct virtio_pmd_ctrl ctrl was not zeroed before being
>   passed. How much of this data leaves the system? Does this require a
>   CVE?

This is not really a security issue.
The guest (virtio) has to trust the host to follow the protocol.
If the host is malicious there are far worse things it can do.

In this case. The onstack variabl ctrl is only partially initialized
but only partially used. The hdr part (virtio_net_ctrl_hdr) is fully
initialized, and status is set to 0 in virtio_send_command.

Although partially unitialized data is copied into region shared with host,
only the first part is actually referenced by the ring element:

 	vq->vq_ring.desc[head].flags = VRING_DESC_F_NEXT;
	vq->vq_ring.desc[head].addr = vq->virtio_net_hdr_mz->phys_addr;
	vq->vq_ring.desc[head].len = sizeof(struct virtio_net_ctrl_hdr);

Therefore it is not a real problem.

     prev parent reply	other threads:[~2016-02-11 22:48 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-02-11  3:05 Seth Arnold
2016-02-11  3:41 ` Matthew Hall
2016-02-11  7:58 ` Thomas Monjalon
2016-02-11 11:58   ` Alejandro Lucero
2016-02-17  9:35     ` Christian Ehrhardt
2016-02-11 16:13   ` Dave Neary
2016-02-11 16:20     ` Thomas Monjalon
2016-02-11 16:29       ` Wiles, Keith
2016-02-15 10:36   ` Christian Ehrhardt
2016-02-11 22:48 ` Stephen Hemminger [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160211144828.1404e9c1@xeon-e3 \
    --to=stephen@networkplumber.org \
    --cc=dev@dpdk.org \
    --cc=seth.arnold@canonical.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).