From: Chenbo Xia
To: chenbo.xia@intel.com
Cc: stable@dpdk.org
Subject: [PATCH] vhost: fix queue number check when setting inflight FD
Date: Wed, 16 Feb 2022 09:53:13 +0800
Message-Id: <20220216015313.15615-1-chenbo.xia@intel.com>

In function vhost_user_set_inflight_fd, queue number in inflight message is used to access virtqueue. However, queue number could be larger than VHOST_MAX_VRING and cause write OOB as this number will be used to write inflight info in virtqueue structure. This patch checks the queue number to avoid the issue.

CVE-2021-3839
Fixes: ad0a4ae491fe ("vhost: checkout resubmit inflight information")
Cc: stable@dpdk.org

Reported-by: Wenxiang Qian
Signed-off-by: Chenbo Xia
--- lib/vhost/vhost_user.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c index 1d3f89afd8..b20addd125 100644 --- a/lib/vhost/vhost_user.c +++ b/lib/vhost/vhost_user.c @@ -1718,6 +1718,12 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, num_queues = ctx->msg.payload.inflight.num_queues; queue_size = ctx->msg.payload.inflight.queue_size; + if (num_queues > VHOST_MAX_VRING) { + VHOST_LOG_CONFIG(ERR, "(%s) invalid inflight queue num: %u\n", + dev->ifname, num_queues); + return RTE_VHOST_MSG_RESULT_ERR; + } + if (vq_is_packed(dev)) pervq_inflight_size = get_pervq_shm_size_packed(queue_size); else -- 2.17.1
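
Review bot: The new check at `if (num_queues > VHOST_MAX_VRING)` bounds only num_queues, while queue_size, read from the same message payload one line above, still reaches get_pervq_shm_size_packed(queue_size) in the context lines with no validation shown in this hunk. If nothing later in the function bounds it, consider rejecting an out-of-range queue_size in the same block. The comparison is also made against the compile-time maximum rather than the number of vrings the device has actually set up, so it is worth confirming that the code using num_queues as an index tolerates virtqueue slots that were never allocated. Logging the limit alongside the rejected value (for example adding VHOST_MAX_VRING to the message) would make the error easier to act on.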