From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga11.intel.com (mga11.intel.com [192.55.52.93]) by dpdk.org (Postfix) with ESMTP id 0AD999E7 for ; Wed, 15 Feb 2017 07:24:38 +0100 (CET) Received: from orsmga001.jf.intel.com ([10.7.209.18]) by fmsmga102.fm.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 14 Feb 2017 22:24:37 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.35,164,1484035200"; d="scan'208";a="1094927431" Received: from yliu-dev.sh.intel.com ([10.239.67.162]) by orsmga001.jf.intel.com with ESMTP; 14 Feb 2017 22:24:36 -0800 From: Yuanhan Liu To: Yuanhan Liu Cc: Xieming Katty , Maxime Coquelin , dpdk stable Date: Wed, 15 Feb 2017 14:26:14 +0800 Message-Id: <1487140012-13314-2-git-send-email-yuanhan.liu@linux.intel.com> X-Mailer: git-send-email 1.9.0 In-Reply-To: <1487140012-13314-1-git-send-email-yuanhan.liu@linux.intel.com> References: <1487140012-13314-1-git-send-email-yuanhan.liu@linux.intel.com> Subject: [dpdk-stable] patch 'vhost: fix dead loop in enqueue path' has been queued to stable release 16.11.1 X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 Feb 2017 06:24:39 -0000 Hi, FYI, your patch has been queued to stable release 16.11.1 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 02/18/17. So please shout if anyone has objections. Thanks. --yliu --- >>From 9e9efea9b6ab8abf73c5d1560f7ed500d27a4146 Mon Sep 17 00:00:00 2001 From: Yuanhan Liu Date: Sun, 22 Jan 2017 16:46:58 +0800 Subject: [PATCH] vhost: fix dead loop in enqueue path [ upstream commit cc7301908c031a288eeb6c12db21b938755b67ee ] If a malicious guest forges a dead loop desc chain (let desc->next point to itself) and desc->len is zero, this could lead to a dead loop in copy_mbuf_to_desc(following is a simplified code to show this issue clearly): while (mbuf_is_not_totally_consumed) { if (desc_avail == 0) { desc = &descs[desc->next]; desc_avail = desc->len; } COPY(desc, mbuf, desc_avail); } I have actually fixed a same issue before: commit a436f53ebfeb ("vhost: avoid dead loop chain"); it fixes the dequeue path though, leaving the enqueue path still vulnerable. The fix is the same. Add a var nr_desc to avoid the dead loop. Fixes: f1a519ad981c ("vhost: fix enqueue/dequeue to handle chained vring descriptors") Reported-by: Xieming Katty Signed-off-by: Yuanhan Liu Reviewed-by: Maxime Coquelin --- lib/librte_vhost/virtio_net.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c index 595f67c..143c0fa 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c @@ -195,6 +195,8 @@ copy_mbuf_to_desc(struct virtio_net *dev, struct vring_desc *descs, struct vring_desc *desc; uint64_t desc_addr; struct virtio_net_hdr_mrg_rxbuf virtio_hdr = {{0, 0, 0, 0, 0, 0}, 0}; + /* A counter to avoid desc dead loop chain */ + uint16_t nr_desc = 1; desc = &descs[desc_idx]; desc_addr = gpa_to_vva(dev, desc->addr); @@ -233,7 +235,7 @@ copy_mbuf_to_desc(struct virtio_net *dev, struct vring_desc *descs, /* Room in vring buffer is not enough */ return -1; } - if (unlikely(desc->next >= size)) + if (unlikely(desc->next >= size || ++nr_desc > size)) return -1; desc = &descs[desc->next]; -- 1.9.0