From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id B49F2A0A02 for ; Mon, 17 May 2021 18:13:33 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id AFEC341102; Mon, 17 May 2021 18:13:33 +0200 (CEST) Received: from youngberry.canonical.com (youngberry.canonical.com [91.189.89.112]) by mails.dpdk.org (Postfix) with ESMTP id C000B410EA for ; Mon, 17 May 2021 18:13:31 +0200 (CEST) Received: from 2.general.paelzer.uk.vpn ([10.172.196.173] helo=Keschdeichel.fritz.box) by youngberry.canonical.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.93) (envelope-from ) id 1lifs1-0007wd-Oh; Mon, 17 May 2021 16:13:29 +0000 From: Christian Ehrhardt To: Marvin Liu Cc: Maxime Coquelin , dpdk stable Date: Mon, 17 May 2021 18:08:23 +0200 Message-Id: <20210517161039.3132619-74-christian.ehrhardt@canonical.com> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210517161039.3132619-1-christian.ehrhardt@canonical.com> References: <20210517161039.3132619-1-christian.ehrhardt@canonical.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [dpdk-stable] patch 'vhost: fix packed ring potential buffer overflow' has been queued to stable release 19.11.9 X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" Hi, FYI, your patch has been queued to stable release 19.11.9 Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet. It will be pushed if I get no objections before 05/19/21. So please shout if anyone has objections. Also note that after the patch there's a diff of the upstream commit vs the patch applied to the branch. This will indicate if there was any rebasing needed to apply to the stable branch. If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://github.com/cpaelzer/dpdk-stable-queue This queued commit can be viewed at: https://github.com/cpaelzer/dpdk-stable-queue/commit/5075e41779561991f7cf5adbcee149a367deb7a0 Thanks. Christian Ehrhardt --- >From 5075e41779561991f7cf5adbcee149a367deb7a0 Mon Sep 17 00:00:00 2001 From: Marvin Liu Date: Wed, 31 Mar 2021 14:49:38 +0800 Subject: [PATCH] vhost: fix packed ring potential buffer overflow [ upstream commit 93ed2f49dec5bee1dfc221c8644c22b351496776 ] Similar as split ring, the multiple accesses of descriptor length will lead to potential risk. One-time access of descriptor length can eliminate this risk. Fixes: 2f3225a7d69b ("vhost: add vector filling support for packed ring") Signed-off-by: Marvin Liu Reviewed-by: Maxime Coquelin --- lib/librte_vhost/virtio_net.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c index 32d341fb70..d93c448811 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c @@ -667,9 +667,10 @@ fill_vec_buf_packed_indirect(struct virtio_net *dev, return -1; } - *len += descs[i].len; + dlen = descs[i].len; + *len += dlen; if (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id, - descs[i].addr, descs[i].len, + descs[i].addr, dlen, perm))) return -1; } @@ -690,6 +691,7 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq, bool wrap_counter = vq->avail_wrap_counter; struct vring_packed_desc *descs = vq->desc_packed; uint16_t vec_id = *vec_idx; + uint64_t dlen; if (avail_idx < vq->last_avail_idx) wrap_counter ^= 1; @@ -722,11 +724,12 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq, len, perm) < 0)) return -1; } else { - *len += descs[avail_idx].len; + dlen = descs[avail_idx].len; + *len += dlen; if (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id, descs[avail_idx].addr, - descs[avail_idx].len, + dlen, perm))) return -1; } -- 2.31.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2021-05-17 17:40:32.413591888 +0200 +++ 0074-vhost-fix-packed-ring-potential-buffer-overflow.patch 2021-05-17 17:40:29.243810043 +0200 @@ -1 +1 @@ -From 93ed2f49dec5bee1dfc221c8644c22b351496776 Mon Sep 17 00:00:00 2001 +From 5075e41779561991f7cf5adbcee149a367deb7a0 Mon Sep 17 00:00:00 2001 @@ -5,0 +6,2 @@ +[ upstream commit 93ed2f49dec5bee1dfc221c8644c22b351496776 ] + @@ -11 +12,0 @@ -Cc: stable@dpdk.org @@ -20 +21 @@ -index 852b4ec9f5..d07b30ed7f 100644 +index 32d341fb70..d93c448811 100644 @@ -23 +24 @@ -@@ -669,9 +669,10 @@ fill_vec_buf_packed_indirect(struct virtio_net *dev, +@@ -667,9 +667,10 @@ fill_vec_buf_packed_indirect(struct virtio_net *dev, @@ -36 +37 @@ -@@ -692,6 +693,7 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq, +@@ -690,6 +691,7 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq, @@ -44 +45 @@ -@@ -724,11 +726,12 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq, +@@ -722,11 +724,12 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,