From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 58192A04B6 for ; Tue, 12 Nov 2019 16:19:22 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 5FB812C2B; Tue, 12 Nov 2019 16:19:20 +0100 (CET) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) by dpdk.org (Postfix) with ESMTP id 577822C12 for ; Tue, 12 Nov 2019 16:19:17 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1573571956; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=F4AbeOnmSMbXgrCJC7iparFLB4KABYIp1q/9Zj2ByRg=; b=NC7z/YYG37to2uKhLqWb2aFreKAjLMH81kwGrlN7o/IXk4nihNbF2TLjcFsECdy4ljUiWs sIKr/Mgwgdvv+Z9RURW4I8rNORlNShKX5fZ/YRPVRDow3CI5cVuOU2Ojd2wNtdxKbw1opu cQSJxhas9oDMVQG23fEe0BCA6urPEa4= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-394-sY7BW2IrPSmVDOroPrQImw-1; Tue, 12 Nov 2019 10:19:13 -0500 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id CD06D1010E00; Tue, 12 Nov 2019 15:19:12 +0000 (UTC) Received: from localhost.localdomain (ovpn-112-39.ams2.redhat.com [10.36.112.39]) by smtp.corp.redhat.com (Postfix) with ESMTP id 8039E54560; Tue, 12 Nov 2019 15:19:11 +0000 (UTC) From: Maxime Coquelin To: dev@dpdk.org, stable@dpdk.org Cc: Maxime Coquelin Date: Tue, 12 Nov 2019 16:18:52 +0100 Message-Id: <20191112151852.27341-4-maxime.coquelin@redhat.com> In-Reply-To: <20191112151852.27341-1-maxime.coquelin@redhat.com> References: <20191112151852.27341-1-maxime.coquelin@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-MC-Unique: sY7BW2IrPSmVDOroPrQImw-1 X-Mimecast-Spam-Score: 0 Content-Type: text/plain; charset=WINDOWS-1252 Content-Transfer-Encoding: quoted-printable Subject: [dpdk-stable] [v16.11 PATCH v2 4/4] vhost: fix possible denial of service by leaking FDs X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" A malicious Vhost-user master could send in loop hand-crafted vhost-user messages containing more file descriptors the vhost-user slave expects. Doing so causes the application using the vhost-user library to run out of FDs. This issue has been assigned CVE-2019-14818 Fixes: 8f972312b8f4 ("vhost: support vhost-user") Signed-off-by: Maxime Coquelin --- lib/librte_vhost/vhost_user.c | 87 +++++++++++++++++++++++++++++++++++ 1 file changed, 87 insertions(+) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index cebc72f78f..a6ab131543 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -75,6 +75,36 @@ static const char *vhost_message_str[VHOST_USER_MAX] =3D= { =09[VHOST_USER_SEND_RARP] =3D "VHOST_USER_SEND_RARP", }; =20 +static void +close_msg_fds(struct VhostUserMsg *msg) +{ +=09int i; + +=09for (i =3D 0; i < msg->fd_num; i++) +=09=09close(msg->fds[i]); +} + +/* + * Ensure the expected number of FDs is received, + * close all FDs and return an error if this is not the case. + */ +static int +validate_msg_fds(struct VhostUserMsg *msg, int expected_fds) +{ +=09if (msg->fd_num =3D=3D expected_fds) +=09=09return 0; + +=09RTE_LOG(ERR, VHOST_CONFIG, +=09=09" Expect %d FDs for request %s, received %d\n", +=09=09expected_fds, +=09=09vhost_message_str[msg->request], +=09=09msg->fd_num); + +=09close_msg_fds(msg); + +=09return -1; +} + static uint64_t get_blk_size(int fd) { @@ -1104,35 +1134,59 @@ vhost_user_msg_handler(int vid, int fd) =09ret =3D 0; =09switch (msg.request) { =09case VHOST_USER_GET_FEATURES: +=09=09if (validate_msg_fds(&msg, 0) !=3D 0) +=09=09=09return -1; + =09=09msg.payload.u64 =3D vhost_user_get_features(); =09=09msg.size =3D sizeof(msg.payload.u64); =09=09send_vhost_message(fd, &msg); =09=09break; =09case VHOST_USER_SET_FEATURES: +=09=09if (validate_msg_fds(&msg, 0) !=3D 0) +=09=09=09return -1; + =09=09ret =3D vhost_user_set_features(dev, msg.payload.u64); =09=09break; =20 =09case VHOST_USER_GET_PROTOCOL_FEATURES: +=09=09if (validate_msg_fds(&msg, 0) !=3D 0) +=09=09=09return -1; + =09=09msg.payload.u64 =3D VHOST_USER_PROTOCOL_FEATURES; =09=09msg.size =3D sizeof(msg.payload.u64); =09=09send_vhost_message(fd, &msg); =09=09break; =09case VHOST_USER_SET_PROTOCOL_FEATURES: +=09=09if (validate_msg_fds(&msg, 0) !=3D 0) +=09=09=09return -1; + =09=09ret =3D vhost_user_set_protocol_features(dev, msg.payload.u64); =09=09break; =20 =09case VHOST_USER_SET_OWNER: +=09=09if (validate_msg_fds(&msg, 0) !=3D 0) +=09=09=09return -1; + =09=09ret =3D vhost_user_set_owner(); =09=09break; =09case VHOST_USER_RESET_OWNER: +=09=09if (validate_msg_fds(&msg, 0) !=3D 0) +=09=09=09return -1; + =09=09ret =3D vhost_user_reset_owner(dev); =09=09break; =20 =09case VHOST_USER_SET_MEM_TABLE: +=09=09if (validate_msg_fds(&msg, msg.payload.memory.nregions) !=3D 0) +=09=09=09return -1; + =09=09vhost_user_set_mem_table(dev, &msg); =09=09break; =20 =09case VHOST_USER_SET_LOG_BASE: +=09=09if (validate_msg_fds(&msg, 1) !=3D 0) +=09=09=09return -1; + =09=09ret =3D vhost_user_set_log_base(dev, &msg); =09=09if (ret) =09=09=09break; @@ -1144,21 +1198,36 @@ vhost_user_msg_handler(int vid, int fd) =09=09send_vhost_message(fd, &msg); =09=09break; =09case VHOST_USER_SET_LOG_FD: +=09=09if (validate_msg_fds(&msg, 1) !=3D 0) +=09=09=09return -1; + =09=09close(msg.fds[0]); =09=09RTE_LOG(INFO, VHOST_CONFIG, "not implemented.\n"); =09=09break; =20 =09case VHOST_USER_SET_VRING_NUM: +=09=09if (validate_msg_fds(&msg, 0) !=3D 0) +=09=09=09return -1; + =09=09ret =3D vhost_user_set_vring_num(dev, &msg.payload.state); =09=09break; =09case VHOST_USER_SET_VRING_ADDR: +=09=09if (validate_msg_fds(&msg, 0) !=3D 0) +=09=09=09return -1; + =09=09ret =3D vhost_user_set_vring_addr(&dev, &msg.payload.addr); =09=09break; =09case VHOST_USER_SET_VRING_BASE: +=09=09if (validate_msg_fds(&msg, 0) !=3D 0) +=09=09=09return -1; + =09=09ret =3D vhost_user_set_vring_base(dev, &msg.payload.state); =09=09break; =20 =09case VHOST_USER_GET_VRING_BASE: +=09=09if (validate_msg_fds(&msg, 0) !=3D 0) +=09=09=09return -1; + =09=09ret =3D vhost_user_get_vring_base(dev, &msg.payload.state); =09=09if (ret) =09=09=09break; @@ -1167,28 +1236,46 @@ vhost_user_msg_handler(int vid, int fd) =09=09break; =20 =09case VHOST_USER_SET_VRING_KICK: +=09=09if (validate_msg_fds(&msg, 1) !=3D 0) +=09=09=09return -1; + =09=09ret =3D vhost_user_set_vring_kick(dev, &msg); =09=09break; =09case VHOST_USER_SET_VRING_CALL: +=09=09if (validate_msg_fds(&msg, 1) !=3D 0) +=09=09=09return -1; + =09=09vhost_user_set_vring_call(dev, &msg); =09=09break; =20 =09case VHOST_USER_SET_VRING_ERR: +=09=09if (validate_msg_fds(&msg, 1) !=3D 0) +=09=09=09return -1; + =09=09if (!(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK)) =09=09=09close(msg.fds[0]); =09=09RTE_LOG(INFO, VHOST_CONFIG, "not implemented\n"); =09=09break; =20 =09case VHOST_USER_GET_QUEUE_NUM: +=09=09if (validate_msg_fds(&msg, 0) !=3D 0) +=09=09=09return -1; + =09=09msg.payload.u64 =3D VHOST_MAX_QUEUE_PAIRS; =09=09msg.size =3D sizeof(msg.payload.u64); =09=09send_vhost_message(fd, &msg); =09=09break; =20 =09case VHOST_USER_SET_VRING_ENABLE: +=09=09if (validate_msg_fds(&msg, 0) !=3D 0) +=09=09=09return -1; + =09=09ret =3D vhost_user_set_vring_enable(dev, &msg.payload.state); =09=09break; =09case VHOST_USER_SEND_RARP: +=09=09if (validate_msg_fds(&msg, 0) !=3D 0) +=09=09=09return -1; + =09=09ret =3D vhost_user_send_rarp(dev, &msg); =09=09break; =20 --=20 2.21.0