From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 3BB0C424A0 for ; Fri, 27 Jan 2023 17:55:53 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 2E05542D4B; Fri, 27 Jan 2023 17:55:53 +0100 (CET) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mails.dpdk.org (Postfix) with ESMTP id F279C40695 for ; Fri, 27 Jan 2023 17:55:49 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1674838549; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=V9Z0HJz9qWMrsj9W7T+wpflV4KppBMokfcd3knnHVIA=; b=AZpOQznoVHNlFkH2z0HCKLhlDVbKga4YYfLr5DwishDgYLdfnr1jpyTBnQ5YNsZee5vHQe Vz5wTQNFQqaw4bA+PgsvsGbSb2TAIZfAG0GlihXcB7houleiv4PNvrSfU3QCm/JF17ETvf ud6NBslt/0kbENFLnxvZcaMU1WCeyeo= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-67-XYMsccopPKyUpaFhGrgcRA-1; Fri, 27 Jan 2023 11:55:45 -0500 X-MC-Unique: XYMsccopPKyUpaFhGrgcRA-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 01DFC87A9E2; Fri, 27 Jan 2023 16:55:45 +0000 (UTC) Received: from max-t490s.redhat.com (unknown [10.39.208.33]) by smtp.corp.redhat.com (Postfix) with ESMTP id D2180492B01; Fri, 27 Jan 2023 16:55:43 +0000 (UTC) From: Maxime Coquelin To: dev@dpdk.org, david.marchand@redhat.com, chenbo.xia@intel.com Cc: Maxime Coquelin , stable@dpdk.org Subject: [PATCH v2 1/2] vhost: fix possible FDs leak Date: Fri, 27 Jan 2023 17:55:38 +0100 Message-Id: <20230127165540.37863-2-maxime.coquelin@redhat.com> In-Reply-To: <20230127165540.37863-1-maxime.coquelin@redhat.com> References: <20230127165540.37863-1-maxime.coquelin@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII"; x-default=true X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org On failure, read_vhost_message() only closed the message FDs if the header size was unexpected, but there are other cases where it is required. For exemple in the case the payload size read from the header is greater than the expected maximum payload size. This patch fixes this by closing all messages FDs in all error cases. Fixes: bf472259dde6 ("vhost: fix possible denial of service by leaking FDs") Cc: stable@dpdk.org Signed-off-by: Maxime Coquelin --- lib/vhost/vhost_user.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c index 9902ae9944..943058725e 100644 --- a/lib/vhost/vhost_user.c +++ b/lib/vhost/vhost_user.c @@ -2817,29 +2817,36 @@ read_vhost_message(struct virtio_net *dev, int sockfd, struct vhu_msg_context * ret = read_fd_message(dev->ifname, sockfd, (char *)&ctx->msg, VHOST_USER_HDR_SIZE, ctx->fds, VHOST_MEMORY_MAX_NREGIONS, &ctx->fd_num); - if (ret <= 0) { - return ret; - } else if (ret != VHOST_USER_HDR_SIZE) { + if (ret <= 0) + goto out; + + if (ret != VHOST_USER_HDR_SIZE) { VHOST_LOG_CONFIG(dev->ifname, ERR, "Unexpected header size read\n"); - close_msg_fds(ctx); - return -1; + ret = -1; + goto out; } if (ctx->msg.size) { if (ctx->msg.size > sizeof(ctx->msg.payload)) { VHOST_LOG_CONFIG(dev->ifname, ERR, "invalid msg size: %d\n", ctx->msg.size); - return -1; + ret = -1; + goto out; } ret = read(sockfd, &ctx->msg.payload, ctx->msg.size); if (ret <= 0) - return ret; + goto out; if (ret != (int)ctx->msg.size) { VHOST_LOG_CONFIG(dev->ifname, ERR, "read control message failed\n"); - return -1; + ret = -1; + goto out; } } +out: + if (ret <= 0) + close_msg_fds(ctx); + return ret; } -- 2.39.1