DPDK patches and discussions
* [dpdk-dev] [Bug 656] CVE-YYYY-NNNN State: Report
@ 2021-03-11 12:02 bugzilla
From: bugzilla @ 2021-03-11 12:02 UTC
  To: dev

https://bugs.dpdk.org/show_bug.cgi?id=656

            Bug ID: 656
           Summary: CVE-YYYY-NNNN State: Report
           Product: DPDK
           Version: 20.11
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: High
         Component: vhost/virtio
          Assignee: dev@dpdk.org
          Reporter: ferruh.yigit@intel.com
                CC: ferruh.yigit@intel.com, maxime.coquelin@redhat.com,
                    security@dpdk.org, stephen@networkplumber.org,
                    thomas@monjalon.net
  Target Milestone: ---
             Group: security

Report From: dsfasd daf <coolboy43433@gmail.com>
Report Date: Thu, 11 Mar 2021 10:24:24 +0000

Report:

Dear maintainers,

I’m writing this email to report a security issue.

Description:
Vhost-user allocates temporary file descriptors when receiving multiple
vhost-user messages.
However, in some situations where the content of the message is abnormal, the
file descriptor resources are sometimes not cleaned up.
Malicious containers can send endless messages with wrong content to drain the
file descriptors.

Evidence:
For example, in the vhost_user_set_mem_table() function, if a malicious guest
sends a memory table message indicating that the memory regions exceed the
maximum number, an error will be returned without fd clean-up.

if (memory->nregions > VHOST_MEMORY_MAX_NREGIONS) {
        VHOST_LOG_CONFIG(ERR,
                "too many memory regions (%u)\n",
                memory->nregions);
        /* early return: the fds received with the message stay open */
        return RTE_VHOST_MSG_RESULT_ERR;
}

This issue touches many places that return ‘RTE_VHOST_MSG_RESULT_ERR’ but do
not clean up fd resources.
After checking, the target functions are vhost_user_set_mem_table() and
vhost_user_set_log_base().

Fix:
I have also prepared a fix patch, which just adds close_msg_fds at these locations.

Could you help evaluate whether this issue qualifies as a security
vulnerability, so that it can enter the CVE process?
Thank you very much.

Best regards,
Xuan(Xarvier)

-- 
You are receiving this mail because:
You are the assignee for the bug.
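The leak pattern the report describes, as an added illustration that is neither DPDK's code nor the reporter's patch: a leaky and a fixed version of the over-limit check, exercised with real pipe fds so the difference is measurable. The message struct, the limit of 8 regions and the function names are assumptions modelled on the report.

```c
/* Added example modelled on the report, not DPDK source: the struct layout,
 * the region limit (8) and the helper names are constructed assumptions. */
#include <fcntl.h>
#include <unistd.h>

#define VHOST_MEMORY_MAX_NREGIONS 8
#define RTE_VHOST_MSG_RESULT_ERR (-1)
#define RTE_VHOST_MSG_RESULT_OK 0
struct vhost_user_msg {
	unsigned nregions;  /* region count claimed by the guest */
	int fds[8];         /* fds that arrived with the message via SCM_RIGHTS */
	int fd_num;
};
/* Close every fd carried by the message (fds[] keeps the stale numbers). */
static void close_msg_fds(struct vhost_user_msg *msg)
{
	for (int i = 0; i < msg->fd_num; i++)
		close(msg->fds[i]);
	msg->fd_num = 0;
}
/* Leaky handler: the early error return leaves the received fds open. */
static int set_mem_table_leaky(struct vhost_user_msg *msg)
{
	if (msg->nregions > VHOST_MEMORY_MAX_NREGIONS)
		return RTE_VHOST_MSG_RESULT_ERR;
	close_msg_fds(msg);  /* success path: map the regions, then close */
	return RTE_VHOST_MSG_RESULT_OK;
}
/* Fixed handler: release the fds before rejecting the message. */
static int set_mem_table_fixed(struct vhost_user_msg *msg)
{
	if (msg->nregions > VHOST_MEMORY_MAX_NREGIONS) {
		close_msg_fds(msg);
		return RTE_VHOST_MSG_RESULT_ERR;
	}
	close_msg_fds(msg);
	return RTE_VHOST_MSG_RESULT_OK;
}
/* Push an over-limit message carrying two real fds (a pipe) through the
 * handler and report how many of them are still open afterwards. */
static int fds_left_open_after(int (*handler)(struct vhost_user_msg *))
{
	struct vhost_user_msg msg = { .nregions = VHOST_MEMORY_MAX_NREGIONS + 1, .fd_num = 2 };
	int still_open = 0;
	if (pipe(msg.fds) != 0) return -1;  /* pipe ends stand in for the SCM_RIGHTS payload */
	handler(&msg);
	for (int i = 0; i < 2; i++)  /* F_GETFD fails with EBADF once the fd is closed */
		if (fcntl(msg.fds[i], F_GETFD) != -1) { still_open++; close(msg.fds[i]); }
	return still_open;
}
```

Run against the leaky handler both pipe ends survive the rejected message, which is exactly what lets a peer exhaust the process's fd table one malformed message at a time; the fixed handler leaves none open.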
