From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id B16CDA0A0A
	for <public@inbox.dpdk.org>; Thu, 25 Mar 2021 04:03:54 +0100 (CET)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 0D954140DBE;
	Thu, 25 Mar 2021 04:03:52 +0100 (CET)
Received: from mga02.intel.com (mga02.intel.com [134.134.136.20])
 by mails.dpdk.org (Postfix) with ESMTP id 946BA4067B;
 Thu, 25 Mar 2021 04:03:46 +0100 (CET)
IronPort-SDR: bvkHIkQXwsMSpOPCC4qxlqZ0btrpEgxrP7XjP4HDXmbY/J8QZPjseK+iH6QvMiH8JOQ5jvP4Ll
 xOEHrmQFH/4g==
X-IronPort-AV: E=McAfee;i="6000,8403,9933"; a="177953063"
X-IronPort-AV: E=Sophos;i="5.81,276,1610438400"; d="scan'208";a="177953063"
Received: from orsmga008.jf.intel.com ([10.7.209.65])
 by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384;
 24 Mar 2021 20:03:38 -0700
IronPort-SDR: QiXfUrdanv2k3/5cw531iTn90/6oRR/3W1TWcAkaEV2gg4WzVkGYXHlTTzyE4PUq/epHTTTgsW
 11RjPVrByOMA==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.81,276,1610438400"; d="scan'208";a="415765145"
Received: from npg-dpdk-virtual-marvin-dev.sh.intel.com ([10.67.119.108])
 by orsmga008.jf.intel.com with ESMTP; 24 Mar 2021 20:03:34 -0700
From: Marvin Liu <yong.liu@intel.com>
To: maxime.coquelin@redhat.com,
	chenbo.xia@intel.com
Cc: dev@dpdk.org,
	Marvin Liu <yong.liu@intel.com>,
	stable@dpdk.org
Date: Thu, 25 Mar 2021 11:01:37 +0800
Message-Id: <20210325030139.2486-1-yong.liu@intel.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20210226073321.66996-1-yong.liu@intel.com>
References: <20210226073321.66996-1-yong.liu@intel.com>
Subject: [dpdk-stable] [PATCH 1/3] vhost: fix split ring potential buffer
 overflow
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org
Sender: "stable" <stable-bounces@dpdk.org>

In vhost datapath, descriptor's length are mostly used in two coherent
operations. First step is used for address translation, second step is
used for memory transaction from guest to host. But the iterval between
two steps will give a window for malicious guest, in which can change
descriptor length after vhost calcuated buffer size. Thus may lead to
buffer overflow in vhost side. This potential risk can be eliminated by
accessing the descriptor length once.

Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx")
Cc: stable@dpdk.org

Signed-off-by: Marvin Liu <yong.liu@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index 583bf379c6..576a0a20c0 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -548,10 +548,11 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
 			return -1;
 		}
 
-		len += descs[idx].len;
+		dlen = descs[idx].len;
+		len += dlen;
 
 		if (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id,
-						descs[idx].addr, descs[idx].len,
+						descs[idx].addr, dlen,
 						perm))) {
 			free_ind_table(idesc);
 			return -1;
-- 
2.17.1