patches for DPDK stable branches
From: Kevin Traynor <ktraynor@redhat.com>
To: David Marchand <david.marchand@redhat.com>
Cc: Maxime Coquelin <maxime.coquelin@redhat.com>,
	dpdk stable <stable@dpdk.org>
Subject: patch 'vhost: fix OOB access for invalid vhost ID' has been queued to stable release 21.11.4
Date: Wed, 15 Mar 2023 14:36:01 +0000	[thread overview]
Message-ID: <20230315143640.677317-8-ktraynor@redhat.com> (raw)
In-Reply-To: <20230315143640.677317-1-ktraynor@redhat.com>

Hi,

FYI, your patch has been queued to stable release 21.11.4

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 03/20/23. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(i.e. not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/kevintraynor/dpdk-stable

This queued commit can be viewed at:
https://github.com/kevintraynor/dpdk-stable/commit/7a4cda6e20f9a6e27b015aad864685440a70af84

Thanks.

Kevin

---
From 7a4cda6e20f9a6e27b015aad864685440a70af84 Mon Sep 17 00:00:00 2001
From: David Marchand <david.marchand@redhat.com>
Date: Mon, 27 Feb 2023 11:59:27 +0100
Subject: [PATCH] vhost: fix OOB access for invalid vhost ID

[ upstream commit 1c80a404fd82b816d5c3ebb7cd9e89804ac63984 ]

The net/vhost pmd currently provides a -1 vid when disabling interrupt
after a virtio port got disconnected.

This can be caught when running with ASan.

First, start dpdk-l3fwd-power in interrupt mode with a net/vhost port.

$ ./build-clang/examples/dpdk-l3fwd-power -l0,1 --in-memory \
	-a 0000:00:00.0 \
	--vdev net_vhost0,iface=plop.sock,client=1\
	-- \
	-p 0x1 \
	--interrupt-only \
	--config '(0,0,1)' \
	--parse-ptype 0

Then start testpmd with virtio-user.

$ ./build-clang/app/dpdk-testpmd -l0,2 --single-file-segment --in-memory \
	-a 0000:00:00.0 \
	--vdev net_virtio_user0,path=plop.sock,server=1 \
	-- \
	-i

Finally stop testpmd.
ASan then splats in dpdk-l3fwd-power:

=================================================================
==3641005==ERROR: AddressSanitizer: global-buffer-overflow on address
	0x000005ed0778 at pc 0x000001270f81 bp 0x7fddbd2eee20
	sp 0x7fddbd2eee18
READ of size 8 at 0x000005ed0778 thread T2
    #0 0x1270f80 in get_device .../lib/vhost/vhost.h:801:27
    #1 0x1270f80 in rte_vhost_get_vhost_vring .../lib/vhost/vhost.c:951:8
    #2 0x3ac95cb in eth_rxq_intr_disable
	.../drivers/net/vhost/rte_eth_vhost.c:647:8
    #3 0x170e0bf in rte_eth_dev_rx_intr_disable
	.../lib/ethdev/rte_ethdev.c:5443:25
    #4 0xf72ba7 in turn_on_off_intr .../examples/l3fwd-power/main.c:881:4
    #5 0xf71045 in main_intr_loop .../examples/l3fwd-power/main.c:1061:6
    #6 0x17f9292 in eal_thread_loop
	.../lib/eal/common/eal_common_thread.c:210:9
    #7 0x18373f5 in eal_worker_thread_loop .../lib/eal/linux/eal.c:915:2
    #8 0x7fddc16ae12c in start_thread (/lib64/libc.so.6+0x8b12c)
	(BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)
    #9 0x7fddc172fbbf in __GI___clone3 (/lib64/libc.so.6+0x10cbbf)
	(BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)

0x000005ed0778 is located 8 bytes to the left of global variable
	'vhost_devices' defined in '.../lib/vhost/vhost.c:24'
	(0x5ed0780) of size 8192
0x000005ed0778 is located 20 bytes to the right of global variable
	'vhost_config_log_level' defined in '.../lib/vhost/vhost.c:2174'
	(0x5ed0760) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow
	.../lib/vhost/vhost.h:801:27 in get_device
Shadow bytes around the buggy address:
  0x000080bd2090: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080bd20a0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080bd20b0: f9 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9
  0x000080bd20c0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x000080bd20d0: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x000080bd20e0: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 04 f9 f9[f9]
  0x000080bd20f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080bd2100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080bd2110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080bd2120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080bd2130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T2 created by T0 here:
    #0 0xe98996 in __interceptor_pthread_create
	(.examples/dpdk-l3fwd-power+0xe98996)
	(BuildId: d0b984a3b0287b9e0f301b73426fa921aeecca3a)
    #1 0x1836767 in eal_worker_thread_create .../lib/eal/linux/eal.c:952:6
    #2 0x1834b83 in rte_eal_init .../lib/eal/linux/eal.c:1257:9
    #3 0xf68902 in main .../examples/l3fwd-power/main.c:2496:8
    #4 0x7fddc164a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f)
	(BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)

==3641005==ABORTING

More generally, any application passing an incorrect vid would trigger
such an OOB access.

Fixes: 4796ad63ba1f ("examples/vhost: import userspace vhost application")

Signed-off-by: David Marchand <david.marchand@redhat.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
 lib/vhost/vhost.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/vhost/vhost.h b/lib/vhost/vhost.h
index d4586f3341..4d0adb81b5 100644
--- a/lib/vhost/vhost.h
+++ b/lib/vhost/vhost.h
@@ -687,5 +687,8 @@ static __rte_always_inline struct virtio_net *
 get_device(int vid)
 {
-	struct virtio_net *dev = vhost_devices[vid];
+	struct virtio_net *dev = NULL;
+
+	if (likely(vid >= 0 && vid < MAX_VHOST_DEVICE))
+		dev = vhost_devices[vid];
 
 	if (unlikely(!dev)) {
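Review bot: the new guard routes an out-of-range vid into the existing `if (unlikely(!dev))` error path rather than preventing the bad call, and the net/vhost caller shown in the trace (eth_rxq_intr_disable at rte_eth_vhost.c:647) still hands rte_vhost_get_vhost_vring() a -1 vid after the peer disconnects, so that error path will now be hit on every interrupt disable for a disconnected port; the PMD should check its own vid before calling into vhost so the library-side check stays a last line of defence. The check itself is right: `vid >= 0 && vid < MAX_VHOST_DEVICE` rejects both the negative id from the report and `vid == MAX_VHOST_DEVICE`, and `dev` stays NULL for them.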
-- 
2.39.2

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty):
---
--- -	2023-03-15 14:30:20.813881519 +0000
+++ 0008-vhost-fix-OOB-access-for-invalid-vhost-ID.patch	2023-03-15 14:30:20.556123598 +0000
@@ -1 +1 @@
-From 1c80a404fd82b816d5c3ebb7cd9e89804ac63984 Mon Sep 17 00:00:00 2001
+From 7a4cda6e20f9a6e27b015aad864685440a70af84 Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 1c80a404fd82b816d5c3ebb7cd9e89804ac63984 ]
+
@@ -109 +110,0 @@
-Cc: stable@dpdk.org
@@ -118 +119 @@
-index 5750f0c005..954c0ac197 100644
+index d4586f3341..4d0adb81b5 100644
@@ -121 +122 @@
-@@ -799,5 +799,8 @@ static __rte_always_inline struct virtio_net *
+@@ -687,5 +687,8 @@ static __rte_always_inline struct virtio_net *
@@ -127 +128 @@
-+	if (likely(vid >= 0 && vid < RTE_MAX_VHOST_DEVICE))
++	if (likely(vid >= 0 && vid < MAX_VHOST_DEVICE))
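Review bot: this is a code change made during the rebase, not a metadata diff: upstream bounds the index with RTE_MAX_VHOST_DEVICE while the 21.11 backport uses MAX_VHOST_DEVICE. Confirm that MAX_VHOST_DEVICE is the macro used as the dimension of the vhost_devices array in this branch's lib/vhost/vhost.c (vhost.c:24 in the report); the 8192-byte array size in the ASan output was observed on main, so do not assume the same value here, only that the check and the declaration use the same bound.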

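The sequence the commit message describes (the virtio peer disconnects, the PMD is left holding a -1 vid, and a later interrupt disable passes that id to the library) as an added example that is not DPDK code: a small C model with a bounds-checked lookup of the same shape as the patched get_device(), plus the caller-side guard the PMD would need so the stale id never reaches the library. MAX_DEV, dev_table, get_dev, dev_set_intr, struct port and the -ENODEV return convention are illustrative assumptions, not DPDK identifiers.

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for MAX_VHOST_DEVICE (assumed value, not DPDK's). */
#define MAX_DEV 8

struct dev {
    int vid;
    int intr_enabled;
};

/* Stand-in for the vhost_devices pointer table. */
static struct dev *dev_table[MAX_DEV];

/* Library side, same shape as the patched get_device(): reject negative
 * and out-of-range ids before indexing, so vid == -1 can no longer read
 * the 8 bytes in front of the array. */
static struct dev *get_dev(int vid)
{
    struct dev *d = NULL;

    if (vid >= 0 && vid < MAX_DEV)
        d = dev_table[vid];

    if (d == NULL)
        fprintf(stderr, "(%d) device not found\n", vid);
    return d;
}

/* Library API modelled on rte_vhost_get_vhost_vring(): -1 when the id
 * does not resolve to a device, 0 otherwise. */
static int dev_set_intr(int vid, int enable)
{
    struct dev *d = get_dev(vid);

    if (d == NULL)
        return -1;
    d->intr_enabled = enable;
    return 0;
}

/* Connect/disconnect bookkeeping as a backend would do it. */
static int dev_register(struct dev *d, int vid)
{
    if (vid < 0 || vid >= MAX_DEV || dev_table[vid] != NULL)
        return -EINVAL;
    d->vid = vid;
    dev_table[vid] = d;
    return 0;
}

static void dev_unregister(int vid)
{
    if (vid >= 0 && vid < MAX_DEV)
        dev_table[vid] = NULL;
}

/* PMD side: the port remembers its backend's vid and resets it to -1 when
 * the peer goes away; that stale -1 is what reached the library. */
struct port {
    int vid;
};

static void port_on_disconnect(struct port *p)
{
    p->vid = -1;
}

/* Caller-side guard: never hand a stale id to the library, report -ENODEV
 * instead so the interrupt path gets a clean error. */
static int port_intr_disable(struct port *p)
{
    if (p->vid < 0)
        return -ENODEV;
    return dev_set_intr(p->vid, 0);
}

/* Sweep the ids an unchecked dev_table[vid] would have indexed with.
 * Returns how many were wrongly resolved to a device (expected 0). */
static int count_bad_ids_accepted(void)
{
    const int bad[] = { INT_MIN, -1, MAX_DEV, MAX_DEV + 1, INT_MAX };
    int wrong = 0;

    for (size_t i = 0; i < sizeof bad / sizeof bad[0]; i++)
        if (get_dev(bad[i]) != NULL)
            wrong++;
    return wrong;
}

/* Replay the report's sequence: connect, disable interrupts, disconnect,
 * disable interrupts again. Returns the second disable's result. */
static int replay_disconnect(void)
{
    struct dev d = { 0, 1 };
    struct port p = { 0 };

    if (dev_register(&d, 3) != 0)
        return -EINVAL;
    p.vid = 3;
    if (port_intr_disable(&p) != 0 || d.intr_enabled != 0)
        return -EINVAL;

    dev_unregister(3);
    port_on_disconnect(&p);
    return port_intr_disable(&p);
}

int main(void)
{
    printf("after disconnect: %d (expect %d)\n", replay_disconnect(), -ENODEV);
    printf("library call with -1: %d\n", dev_set_intr(-1, 0));
    printf("ids wrongly accepted: %d\n", count_bad_ids_accepted());
    return 0;
}
```

Building this with -fsanitize=address and replacing the guarded read in get_dev() with a bare dev_table[vid] reproduces a global-buffer-overflow of the kind in the report for vid == -1; with the guard in place the sweep in count_bad_ids_accepted() rejects INT_MIN, -1, MAX_DEV, MAX_DEV + 1 and INT_MAX, and the PMD-side guard means the library is not even called for a disconnected port.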

Thread overview: 47+ messages
2023-03-15 14:35 patch 'eal/windows: fix pedantic build' " Kevin Traynor
2023-03-15 14:35 ` patch 'doc: add gpudev to the Doxygen index' " Kevin Traynor
2023-03-15 14:35 ` patch 'doc: fix reference to event timer header' " Kevin Traynor
2023-03-15 14:35 ` patch 'event/cnxk: fix SSO cleanup' " Kevin Traynor
2023-03-15 14:35 ` patch 'test/bbdev: fix crash for non supported HARQ length' " Kevin Traynor
2023-03-15 14:35 ` patch 'test/bbdev: extend HARQ tolerance' " Kevin Traynor
2023-03-15 14:36 ` patch 'test/bbdev: remove check for invalid opaque data' " Kevin Traynor
2023-03-15 14:36 ` Kevin Traynor [this message]
2023-03-15 14:36 ` patch 'net/virtio: deduce IP length for TSO checksum' " Kevin Traynor
2023-03-15 14:36 ` patch 'examples/ipsec-secgw: fix auth IV length' " Kevin Traynor
2023-03-15 14:36 ` patch 'compress/mlx5: fix decompress xform validation' " Kevin Traynor
2023-03-15 14:36 ` patch 'compress/mlx5: fix output Adler-32 checksum offset' " Kevin Traynor
2023-03-15 14:36 ` patch 'compress/mlx5: fix queue setup for partial transformations' " Kevin Traynor
2023-03-15 14:36 ` patch 'app/testpmd: fix Tx preparation in checksum engine' " Kevin Traynor
2023-03-15 14:36 ` patch 'app/testpmd: fix packet count in IEEE 1588 " Kevin Traynor
2023-03-15 14:36 ` patch 'app/testpmd: fix packet transmission in noisy VNF " Kevin Traynor
2023-03-15 14:36 ` patch 'ethdev: fix build with LTO' " Kevin Traynor
2023-03-15 14:36 ` patch 'net/nfp: fix getting RSS configuration' " Kevin Traynor
2023-03-15 14:36 ` patch 'ethdev: remove telemetry Rx mbuf alloc failed field' " Kevin Traynor
2023-03-15 14:36 ` patch 'app/testpmd: fix secondary process packet forwarding' " Kevin Traynor
2023-03-15 14:36 ` patch 'net/ixgbe: fix IPv6 mask in flow director' " Kevin Traynor
2023-03-15 14:36 ` patch 'net/cnxk: fix LBK BPID usage' " Kevin Traynor
2023-03-15 14:36 ` patch 'common/cnxk: add memory clobber to steor and ldeor' " Kevin Traynor
2023-03-15 14:36 ` patch 'kvargs: add API documentation for process callback' " Kevin Traynor
2023-03-15 14:36 ` patch 'compressdev: fix empty devargs parsing' " Kevin Traynor
2023-03-15 14:36 ` patch 'cryptodev: " Kevin Traynor
2023-03-15 14:36 ` patch 'net/hns3: " Kevin Traynor
2023-03-15 14:36 ` patch 'net/virtio: " Kevin Traynor
2023-03-15 14:36 ` patch 'dma/skeleton: " Kevin Traynor
2023-03-15 14:36 ` patch 'raw/skeleton: " Kevin Traynor
2023-03-15 14:36 ` patch 'table: fix action selector group size log2 setting' " Kevin Traynor
2023-03-15 14:36 ` patch 'regex/mlx5: utilize all available queue pairs' " Kevin Traynor
2023-03-15 14:36 ` patch 'regex/mlx5: fix doorbell record' " Kevin Traynor
2023-03-15 14:36 ` patch 'common/sfc_efx/base: add MAE mark reset action' " Kevin Traynor
2023-03-15 14:36 ` patch 'kni: fix possible starvation when mbufs are exhausted' " Kevin Traynor
2023-03-15 14:36 ` patch 'cmdline: make rdline status not private' " Kevin Traynor
2023-03-15 14:36 ` patch 'cmdline: handle EOF as quit' " Kevin Traynor
2023-03-15 14:36 ` patch 'mem: fix heap ID in telemetry' " Kevin Traynor
2023-03-15 14:36 ` patch 'net/hns3: fix possible truncation of hash key when config' " Kevin Traynor
2023-03-15 14:36 ` patch 'net/hns3: fix possible truncation of redirection table' " Kevin Traynor
2023-03-15 14:36 ` patch 'net/hns3: use hardware config to report " Kevin Traynor
2023-03-15 14:36 ` patch 'net/hns3: separate setting " Kevin Traynor
2023-03-15 14:36 ` patch 'net/hns3: separate setting and clearing RSS rule' " Kevin Traynor
2023-03-15 14:36 ` patch 'net/mlx5: fix Windows build with MinGW GCC 12' " Kevin Traynor
2023-03-15 14:36 ` patch 'app/crypto-perf: fix test file memory leak' " Kevin Traynor
2023-03-15 14:36 ` patch 'app/flow-perf: fix division or module by zero' " Kevin Traynor
2023-03-15 14:36 ` patch 'mailmap: add list of contributors' " Kevin Traynor
