Date: Wed, 18 Dec 2024 08:37:20 -0800
From: Stephen Hemminger
To: Olivier Matz
Cc: Maxime Coquelin, "Wangyunjian(wangyunjian,TongTu)", "dev@dpdk.org", Maxime Gouin, "Lilijun (Jerry)", wangzengyuan, "xiawei (H)"
Subject: Re: [PATCH] net/virtio: fix Rx checksum calculation
Message-ID: <20241218083720.4a694cd6@hermes.local>
In-Reply-To:
References: <20241217153253.457646-1-maxime.coquelin@redhat.com> <8fdd9fc017f64ed088932d66119edc38@huawei.com> <4649ed66-274a-483c-9241-59ba3a40c820@redhat.com>
List-Id: DPDK patches and discussions

On Wed, 18 Dec 2024 10:20:47 +0100
Olivier Matz wrote:

> Hi,
>
> On Wed, Dec 18, 2024 at 09:59:05AM +0100, Maxime Coquelin wrote:
> > Hi,
> >
> > On 12/18/24 08:34, Wangyunjian(wangyunjian,TongTu) wrote:
> > > > -----Original Message-----
> > > > From: Maxime Coquelin [mailto:maxime.coquelin@redhat.com]
> > > > Sent: Tuesday, December 17, 2024 11:33 PM
> > > > To: dev@dpdk.org
> > > > Cc: Olivier Matz ; Maxime Gouin
> > > > ; Maxime Coquelin
> > > >
> > > > Subject: [PATCH] net/virtio: fix Rx checksum calculation
> > > >
> > > > From: Olivier Matz
> > > >
> > > > If hdr->csum_start is larger than packet length, the len argument passed
> > > > to rte_raw_cksum_mbuf() overflows and causes a segmentation fault.
> > > >
> > > > Ignore checksum computation in this case.
> > > >
> > > > CVE-2024-11614
> > > >
> > > > Fixes: ca7036b4af3a ("vhost: fix offload flags in Rx path")
> > > >
> > > > Signed-off-by: Maxime Gouin
> > > > Signed-off-by: Olivier Matz
> > > > Reviewed-by: Maxime Coquelin
> > > > ---
> > > > lib/vhost/virtio_net.c | 3 +++
> > > > 1 file changed, 3 insertions(+)
> > > >
> > > > diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
> > > > index d764d4bc6a..69901ab3b5 100644
> > > > --- a/lib/vhost/virtio_net.c
> > > > +++ b/lib/vhost/virtio_net.c
> > > > @@ -2823,6 +2823,9 @@ vhost_dequeue_offload(struct virtio_net *dev,
> > > > struct virtio_net_hdr *hdr,
> > > > */
> > > > uint16_t csum = 0, off;
> > > >
> > > > + if (hdr->csum_start >= rte_pktmbuf_pkt_len(m))
> > > > + return;
> > > > +
> > >
> > > The hdr->csum_start does two successive reads from user space to read
> > > a variable length data structure. The result overflows if the data structure
> > > changes between the two reads.
> > >
> > > We can prevent the double fetch issue by using the temporary variable csum_start.
>
> This is an interesting remark, thanks!
>
> However, in practice, I'd say that the hdr->csum_start is fetched in a register
> only once if using optimized compilation, because the compiler has no reason to
> think that hdr->csum_start can be modified.
>
> Olivier

True, but security never depends on optimization.
Needs a fetch and compiler barrier to be truly safe against compilers.
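Review bot: the guard `if (hdr->csum_start >= rte_pktmbuf_pkt_len(m))` reads hdr->csum_start from guest-shared memory, and the commit message says the same field is later passed as the len argument to rte_raw_cksum_mbuf(), so the check and the use are two separate fetches of a value the guest can change in between; nothing in the hunk pins the value read by the check to the value used afterwards. Suggest reading it once into a local with a barrier, e.g. `uint16_t csum_start = hdr->csum_start;` followed by `rte_compiler_barrier();`, and using that local both in the comparison and in the length arithmetic. Also, the commit message says "larger than packet length" while the guard uses `>=`; the equal case (a zero-length range) is skipped too, which is fine but worth stating in the message.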
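The single-fetch pattern the thread is arguing about, as an added example that is not DPDK's code and not the patch under review: the guest-controlled field is loaded exactly once through a volatile access, a compiler barrier follows the load, and both the bounds check and the length arithmetic use that local copy, so there is no second read for a changed value to slip through. The struct names `guest_hdr` and `pkt`, the `raw_cksum` stand-in for rte_raw_cksum_mbuf(), the `compiler_barrier()` macro and the constructed `sample_pkt` buffer are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the virtio header (not DPDK's struct
 * virtio_net_hdr). It lives in memory the guest can write at any time,
 * so every field is untrusted and may change between two reads. */
struct guest_hdr {
    uint16_t csum_start;
    uint16_t csum_offset;
};

/* Constructed stand-in for the packet buffer (not rte_mbuf). */
struct pkt {
    const uint8_t *data;
    uint16_t pkt_len;
};

/* Compiler barrier: the compiler may not move or re-issue memory accesses
 * across it (DPDK provides the same thing as rte_compiler_barrier()). */
#define compiler_barrier() __asm__ __volatile__("" : : : "memory")

/* Ones'-complement sum of a byte range folded to 16 bits; stands in for
 * rte_raw_cksum_mbuf(). The interesting part of the example is the bounds
 * logic in the caller, not this arithmetic. */
static uint16_t raw_cksum(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum += ((uint32_t)buf[i] << 8) | buf[i + 1];
    if (i < len)                        /* odd trailing byte */
        sum += (uint32_t)buf[i] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)sum;
}

/* Returns 1 and stores the checksum when csum_start lies inside the packet,
 * 0 when the header is inconsistent and the computation is skipped. */
int checksum_from_guest_hdr(const struct guest_hdr *hdr,
                            const struct pkt *m, uint16_t *csum_out)
{
    /* Single fetch: one volatile load, so the compiler cannot legally
     * re-read hdr->csum_start for a later use, then a barrier so nothing
     * below is hoisted above that load. From here on only the local copy
     * is used, for the check and for the length. */
    uint16_t csum_start = *(const volatile uint16_t *)&hdr->csum_start;
    compiler_barrier();

    if (csum_start >= m->pkt_len)
        return 0;   /* pkt_len - csum_start would wrap: skip the checksum */

    *csum_out = raw_cksum(m->data + csum_start,
                          (size_t)m->pkt_len - csum_start);
    return 1;
}

/* Convenience wrapper: the checksum as an int, or -1 when it was skipped. */
int checksum_value(const uint8_t *data, uint16_t pkt_len, uint16_t csum_start)
{
    struct guest_hdr hdr = { csum_start, 0 };
    struct pkt m = { data, pkt_len };
    uint16_t csum = 0;

    return checksum_from_guest_hdr(&hdr, &m, &csum) ? (int)csum : -1;
}

/* Constructed 20-byte packet of 0x01 bytes, chosen so the sums are easy
 * to verify by hand (8 words of 0x0101 from offset 4 give 0x0808). */
const uint8_t sample_pkt[20] = {
    1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1
};

int main(void)
{
    printf("csum_start=4     -> %d\n", checksum_value(sample_pkt, 20, 4));
    printf("csum_start=20    -> %d\n", checksum_value(sample_pkt, 20, 20));
    printf("csum_start=65535 -> %d\n", checksum_value(sample_pkt, 20, 65535));
    return 0;
}
```

The volatile load is what makes the single fetch a property of the source rather than of the optimizer: without it the compiler is free to reload the field from memory at the point of use, which is exactly the situation Stephen describes. Whether a guest-modified value arrives before or after the load, the host either skips the checksum or computes it over a range that is provably inside the buffer.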