Date: Wed, 18 Dec 2024 10:20:47 +0100
From: Olivier Matz
To: Maxime Coquelin
Cc: "Wangyunjian(wangyunjian,TongTu)", "dev@dpdk.org", Maxime Gouin, "Lilijun (Jerry)", wangzengyuan, "xiawei (H)"
Subject: Re: [PATCH] net/virtio: fix Rx checksum calculation
Message-ID:
References: <20241217153253.457646-1-maxime.coquelin@redhat.com> <8fdd9fc017f64ed088932d66119edc38@huawei.com> <4649ed66-274a-483c-9241-59ba3a40c820@redhat.com>
In-Reply-To: <4649ed66-274a-483c-9241-59ba3a40c820@redhat.com>
List-Id: DPDK patches and discussions

Hi,

On Wed, Dec 18, 2024 at 09:59:05AM +0100, Maxime Coquelin wrote:
> Hi,
>
> On 12/18/24 08:34, Wangyunjian(wangyunjian,TongTu) wrote:
> > > -----Original Message-----
> > > From: Maxime Coquelin [mailto:maxime.coquelin@redhat.com]
> > > Sent: Tuesday, December 17, 2024 11:33 PM
> > > To: dev@dpdk.org
> > > Cc: Olivier Matz ; Maxime Gouin
> > > ; Maxime Coquelin
> > >
> > > Subject: [PATCH] net/virtio: fix Rx checksum calculation
> > >
> > > From: Olivier Matz
> > >
> > > If hdr->csum_start is larger than packet length, the len argument passed
> > > to rte_raw_cksum_mbuf() overflows and causes a segmentation fault.
> > >
> > > Ignore checksum computation in this case.
> > >
> > > CVE-2024-11614
> > >
> > > Fixes: ca7036b4af3a ("vhost: fix offload flags in Rx path")
> > >
> > > Signed-off-by: Maxime Gouin
> > > Signed-off-by: Olivier Matz
> > > Reviewed-by: Maxime Coquelin
> > > ---
> > >  lib/vhost/virtio_net.c | 3 +++
> > >  1 file changed, 3 insertions(+)
> > >
> > > diff --git a/lib/vhost/virtio_net.c b/lib/vhost/virtio_net.c
> > > index d764d4bc6a..69901ab3b5 100644
> > > --- a/lib/vhost/virtio_net.c
> > > +++ b/lib/vhost/virtio_net.c
> > > @@ -2823,6 +2823,9 @@ vhost_dequeue_offload(struct virtio_net *dev,
> > > struct virtio_net_hdr *hdr,
> > > */
> > > uint16_t csum = 0, off;
> > >
> > > + if (hdr->csum_start >= rte_pktmbuf_pkt_len(m))
> > > + return;
> > > +
> >
> > The hdr->csum_start does two successive reads from user space to read
> > a variable length data structure. The result overflows if the data structure
> > changes between the two reads.
> >
> > We can prevent the double fetch issue by using the temporary variable csum_start.

This is an interesting remark, thanks!

However, in practice, I'd say that the hdr->csum_start is fetched in a
register only once if using optimized compilation, because the compiler
has no reason to think that hdr->csum_start can be modified.

Olivier

>
> Right, that's a good catch! The exploitation of this issue seems
> difficult though.
>
> We may systematically copy the full header, as we only do it for ones
> not contiguous in host VA space.
>
> What do you think? Are you willing to contribute a fix?
>
> Thanks,
> Maxime
>
> >
> > Thanks,
> > Yunjian
> >
> > > if (rte_raw_cksum_mbuf(m, hdr->csum_start,
> > > rte_pktmbuf_pkt_len(m) - hdr->csum_start, &csum) <
> > > 0)
> > > return;
> > > --
> > > 2.47.0
> > >
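Review bot: the new guard and the rte_raw_cksum_mbuf() call in the hunk's trailing context each load hdr->csum_start separately (once in the guard, twice in the call), so the check and the use are three reads of a field that, as the thread itself notes, may be read in place from guest-shared memory; a value changed between the loads passes the guard and still yields a wrapped length. Snapshot the field once and use the local for both, e.g.
uint16_t csum_start = hdr->csum_start;
if (csum_start >= rte_pktmbuf_pkt_len(m))
	return;
and pass csum_start (and rte_pktmbuf_pkt_len(m) - csum_start) to rte_raw_cksum_mbuf(). Whether a given compiler happens to keep the field in a register is not something the source guarantees, so the local copy is the reliable form of the fix. Minor: the commit message says "larger than packet length" while the guard uses >=; the guard is right (csum_start == pkt_len would leave nothing to checksum), so the message could say "greater than or equal to" to match it.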
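An added example, not code from the thread or from DPDK: a small C model of the double fetch Yunjian describes and of the single-copy form he proposes. struct guest_hdr stands in for the guest-supplied struct virtio_net_hdr with only the csum_start field; pkt_len is a plain parameter in place of rte_pktmbuf_pkt_len(m); offload_len_double_fetch, offload_len_single_fetch, guest_rewrite and scenario are constructed names. The field is declared volatile so that each access really is a load, which makes the race reproducible; this sidesteps Olivier's point that an optimizing compiler may load a non-volatile field only once, and a header mapped from guest memory behaves like the volatile case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the guest-supplied virtio-net header, reduced to
 * the one field the patch checks. It is volatile so that every access is a
 * real load, modelling a header read in place from guest-shared memory. */
struct guest_hdr {
    volatile uint16_t csum_start;
};

/* Hook the demo uses to model the guest rewriting the header between the
 * check and the use. */
typedef void (*race_hook)(struct guest_hdr *hdr);

/* Mirrors the shape of the patched code: compare hdr->csum_start against the
 * packet length, then re-read it to compute the checksum length. Returns the
 * length that would be handed to the checksum routine, or -1 if rejected. */
static int64_t offload_len_double_fetch(struct guest_hdr *hdr, uint32_t pkt_len,
                                        race_hook hook)
{
    if (hdr->csum_start >= pkt_len)            /* load 1: the guard */
        return -1;
    if (hook)
        hook(hdr);                              /* guest writes in the window */
    uint32_t len = pkt_len - hdr->csum_start;   /* load 2: may now wrap */
    return (int64_t)len;
}

/* Hardened form: one load into a local that serves both the guard and the
 * arithmetic, so a later rewrite of the shared header cannot change the
 * value that was validated. */
static int64_t offload_len_single_fetch(struct guest_hdr *hdr, uint32_t pkt_len,
                                        race_hook hook)
{
    uint16_t csum_start = hdr->csum_start;      /* the only load */
    if (csum_start >= pkt_len)
        return -1;
    if (hook)
        hook(hdr);                              /* too late to matter */
    return (int64_t)(pkt_len - csum_start);
}

/* Constructed guest behaviour: push csum_start far past the packet length. */
static void guest_rewrite(struct guest_hdr *hdr)
{
    hdr->csum_start = 60000;
}

/* Runs one scenario from a fresh header so callers need no setup. */
static int64_t scenario(uint16_t initial, uint32_t pkt_len, int guest_races,
                        int hardened)
{
    struct guest_hdr h = { initial };
    race_hook hook = guest_races ? guest_rewrite : NULL;
    return hardened ? offload_len_single_fetch(&h, pkt_len, hook)
                    : offload_len_double_fetch(&h, pkt_len, hook);
}

int main(void)
{
    /* 100-byte packet, csum_start 10: the guard passes, then the guest races.
     * The double-fetch form hands a wrapped 32-bit length to the checksum. */
    printf("double fetch, raced : %lld\n", (long long)scenario(10, 100, 1, 0));
    printf("single fetch, raced : %lld\n", (long long)scenario(10, 100, 1, 1));
    /* csum_start already out of range, or equal to pkt_len: both forms reject. */
    printf("double fetch, bad   : %lld\n", (long long)scenario(60000, 100, 0, 0));
    printf("single fetch, equal : %lld\n", (long long)scenario(100, 100, 0, 1));
    return 0;
}
```

The raced double-fetch case returns 4294907396, the unsigned wrap of 100 - 60000, which is the kind of length the commit message says crashed rte_raw_cksum_mbuf(); the single-fetch form returns 90 regardless of what the guest writes after the snapshot.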