From: Maxime Coquelin To: dev@dpdk.org Cc: Maxime Coquelin , Jason Wang Date: Tue, 12 Nov 2019 16:19:34 +0100 Message-Id: <20191112151935.27518-1-maxime.coquelin@redhat.com> In-Reply-To: References: MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 X-MC-Unique: WEkN0ysxP6WfSBn57A2xYA-1 X-Mimecast-Spam-Score: 0 Content-Type: text/plain; charset=WINDOWS-1252 Content-Transfer-Encoding: quoted-printable Subject: [dpdk-dev] [master PATCH v2 1/2] vhost: fix possible denial of service on SET_VRING_NUM X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" vhost_user_set_vring_num() performs multiple allocations without checking whether data were previously allocated. It may cause a denial of service because of the memory leaks that happen if a malicious vhost-user master keeps sending VHOST_USER_SET_VRING_NUM request until the slave runs out of memory. This issue has been assigned CVE-2019-14818 Fixes: b0a985d1f340 ("vhost: add dequeue zero copy") Reported-by: Jason Wang Signed-off-by: Maxime Coquelin --- lib/librte_vhost/vhost_user.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index ce4e9fb32f..6d2431e604 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -348,6 +348,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev, =09=09vq->nr_zmbuf =3D 0; =09=09vq->last_zmbuf_idx =3D 0; =09=09vq->zmbuf_size =3D vq->size; +=09=09if (vq->zmbufs) +=09=09=09rte_free(vq->zmbufs); =09=09vq->zmbufs =3D rte_zmalloc(NULL, vq->zmbuf_size * =09=09=09=09=09 sizeof(struct zcopy_mbuf), 0); =09=09if (vq->zmbufs =3D=3D NULL) { 
@@ -360,6 +362,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev, =09} =20 =09if (vq_is_packed(dev)) { +=09=09if (vq->shadow_used_packed) +=09=09=09rte_free(vq->shadow_used_packed); =09=09vq->shadow_used_packed =3D rte_malloc(NULL, =09=09=09=09vq->size * =09=09=09=09sizeof(struct vring_used_elem_packed), @@ -371,6 +375,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev, =09=09} =20 =09} else { +=09=09if (vq->shadow_used_split) +=09=09=09rte_free(vq->shadow_used_split); =09=09vq->shadow_used_split =3D rte_malloc(NULL, =09=09=09=09vq->size * sizeof(struct vring_used_elem), =09=09=09=09RTE_CACHE_LINE_SIZE); @@ -381,6 +387,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev, =09=09} =09} =20 +=09if (vq->batch_copy_elems) +=09=09rte_free(vq->batch_copy_elems); =09vq->batch_copy_elems =3D rte_malloc(NULL, =09=09=09=09vq->size * sizeof(struct batch_copy_elem), =09=09=09=09RTE_CACHE_LINE_SIZE); --=20 2.21.0
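Review bot: in the first hunk (`@@ -348`) the `if (vq->zmbufs)` guard around `rte_free(vq->zmbufs)` is redundant, since `rte_free()` is documented as a no-op on a NULL pointer; a bare `rte_free(vq->zmbufs);` before the `rte_zmalloc()` is enough and matches how the rest of this file frees buffers. The reset of `vq->nr_zmbuf` and `vq->last_zmbuf_idx` just above the new lines is what makes dropping the old array safe, so it would be worth a one-line comment that the zero-copy bookkeeping is intentionally discarded when the ring is resized.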
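Review bot: in the `@@ -360` and `@@ -371` hunks, each branch of `if (vq_is_packed(dev))` frees only the shadow buffer of the layout currently negotiated (`shadow_used_packed` in one branch, `shadow_used_split` in the other). If a master could renegotiate features so that a later VHOST_USER_SET_VRING_NUM takes the other branch, the buffer allocated on the first pass would still leak; either confirm that cannot happen for an initialized ring, or free both pointers unconditionally before the branch, which is harmless because `rte_free(NULL)` does nothing.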
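Review bot: the `@@ -381` hunk repeats the same `if (ptr) rte_free(ptr); ptr = rte_malloc(...)` pattern for the fourth time in this function (`zmbufs`, `shadow_used_packed`, `shadow_used_split`, `batch_copy_elems`). Consider a small helper that releases all per-vring buffers at the top of `vhost_user_set_vring_num()` and is also usable from the vring cleanup path, so that a future allocation added to this function cannot reintroduce the leak this patch fixes.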