From: Xueming Li
To: David Marchand
CC: Maxime Coquelin, dpdk stable
Subject: patch 'vhost: fix OOB access for invalid vhost ID' has been queued to stable release 22.11.2
Date: Sun, 9 Apr 2023 23:23:25 +0800
Message-ID: <20230409152529.5308-18-xuemingl@nvidia.com>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <20230409152529.5308-1-xuemingl@nvidia.com>
References: <20230227062349.13764-1-xuemingl@nvidia.com> <20230409152529.5308-1-xuemingl@nvidia.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
List-Id: patches for DPDK stable branches

Hi,

FYI, your patch has been queued to stable release 22.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 04/11/23. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://git.dpdk.org/dpdk-stable/log/?h=22.11-staging

This queued commit can be viewed at:
https://git.dpdk.org/dpdk-stable/log/?h=22.11-staging/commit/950227315bb4f0266a36bc920c141f36e17a092d

Thanks.

Xueming Li

---
>From 950227315bb4f0266a36bc920c141f36e17a092d Mon Sep 17 00:00:00 2001
From: David Marchand
Date: Mon, 27 Feb 2023 11:59:27 +0100
Subject: [PATCH] vhost: fix OOB access for invalid vhost ID
Cc: Xueming Li

[ upstream commit 1c80a404fd82b816d5c3ebb7cd9e89804ac63984 ]

The net/vhost pmd currently provides a -1 vid when disabling interrupt
after a virtio port got disconnected.

This can be caught when running with ASan.

First, start dpdk-l3fwd-power in interrupt mode with a net/vhost port.

$ ./build-clang/examples/dpdk-l3fwd-power -l0,1 --in-memory \
	-a 0000:00:00.0 \
	--vdev net_vhost0,iface=plop.sock,client=1\
	-- \
	-p 0x1 \
	--interrupt-only \
	--config '(0,0,1)' \
	--parse-ptype 0

Then start testpmd with virtio-user.

$ ./build-clang/app/dpdk-testpmd -l0,2 --single-file-segment --in-memory \
	-a 0000:00:00.0 \
	--vdev net_virtio_user0,path=plop.sock,server=1 \
	-- \
	-i

Finally stop testpmd.
ASan then splats in dpdk-l3fwd-power:

=================================================================
==3641005==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000005ed0778 at pc 0x000001270f81 bp 0x7fddbd2eee20 sp 0x7fddbd2eee18
READ of size 8 at 0x000005ed0778 thread T2
    #0 0x1270f80 in get_device .../lib/vhost/vhost.h:801:27
    #1 0x1270f80 in rte_vhost_get_vhost_vring .../lib/vhost/vhost.c:951:8
    #2 0x3ac95cb in eth_rxq_intr_disable .../drivers/net/vhost/rte_eth_vhost.c:647:8
    #3 0x170e0bf in rte_eth_dev_rx_intr_disable .../lib/ethdev/rte_ethdev.c:5443:25
    #4 0xf72ba7 in turn_on_off_intr .../examples/l3fwd-power/main.c:881:4
    #5 0xf71045 in main_intr_loop .../examples/l3fwd-power/main.c:1061:6
    #6 0x17f9292 in eal_thread_loop .../lib/eal/common/eal_common_thread.c:210:9
    #7 0x18373f5 in eal_worker_thread_loop .../lib/eal/linux/eal.c:915:2
    #8 0x7fddc16ae12c in start_thread (/lib64/libc.so.6+0x8b12c) (BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)
    #9 0x7fddc172fbbf in __GI___clone3 (/lib64/libc.so.6+0x10cbbf) (BuildId: 81daba31ee66dbd63efdc4252a872949d874d136)

0x000005ed0778 is located 8 bytes to the left of global variable 'vhost_devices' defined in '.../lib/vhost/vhost.c:24' (0x5ed0780) of size 8192
0x000005ed0778 is located 20 bytes to the right of global variable 'vhost_config_log_level' defined in '.../lib/vhost/vhost.c:2174' (0x5ed0760) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow .../lib/vhost/vhost.h:801:27 in get_device
Shadow bytes around the buggy address:
  0x000080bd2090: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080bd20a0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000080bd20b0: f9 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9 00 f9 f9 f9
  0x000080bd20c0: 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x000080bd20d0: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x000080bd20e0: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 04 f9 f9[f9]
  0x000080bd20f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080bd2100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080bd2110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080bd2120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080bd2130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T2 created by T0 here:
    #0 0xe98996 in __interceptor_pthread_create (.examples/dpdk-l3fwd-power+0xe98996) (BuildId: d0b984a3b0287b9e0f301b73426fa921aeecca3a)
    #1 0x1836767 in eal_worker_thread_create .../lib/eal/linux/eal.c:952:6
    #2 0x1834b83 in rte_eal_init .../lib/eal/linux/eal.c:1257:9
    #3 0xf68902 in main .../examples/l3fwd-power/main.c:2496:8
    #4 0x7fddc164a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) (BuildId:
81daba31ee66dbd63efdc4252a872949d874d136)

==3641005==ABORTING

More generally, any application passing an incorrect vid would trigger
such an OOB access.

Fixes: 4796ad63ba1f ("examples/vhost: import userspace vhost application")

Signed-off-by: David Marchand
Reviewed-by: Maxime Coquelin
---
 lib/vhost/vhost.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/vhost/vhost.h b/lib/vhost/vhost.h
index ef211ed519..0fd6f4bbf4 100644
--- a/lib/vhost/vhost.h
+++ b/lib/vhost/vhost.h
@@ -782,7 +782,10 @@ hva_to_gpa(struct virtio_net *dev, uint64_t vva, uint64_t len)
 static __rte_always_inline struct virtio_net *
 get_device(int vid)
 {
-	struct virtio_net *dev = vhost_devices[vid];
+	struct virtio_net *dev = NULL;
+
+	if (likely(vid >= 0 && vid < RTE_MAX_VHOST_DEVICE))
+		dev = vhost_devices[vid];
 
 	if (unlikely(!dev)) {
 		VHOST_LOG_CONFIG("device", ERR, "(%d) device not found.\n", vid);
-- 
2.25.1

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2023-04-09 21:45:39.271481900 +0800
+++ 0017-vhost-fix-OOB-access-for-invalid-vhost-ID.patch	2023-04-09 21:45:38.599042200 +0800
@@ -1 +1 @@
-From 1c80a404fd82b816d5c3ebb7cd9e89804ac63984 Mon Sep 17 00:00:00 2001
+From 950227315bb4f0266a36bc920c141f36e17a092d Mon Sep 17 00:00:00 2001
@@ -4,0 +5,3 @@
+Cc: Xueming Li
+
+[ upstream commit 1c80a404fd82b816d5c3ebb7cd9e89804ac63984 ]
@@ -109 +111,0 @@
-Cc: stable@dpdk.org
@@ -118 +120 @@
-index 5750f0c005..954c0ac197 100644
+index ef211ed519..0fd6f4bbf4 100644
@@ -121 +123 @@
-@@ -798,7 +798,10 @@ hva_to_gpa(struct virtio_net *dev, uint64_t vva, uint64_t len)
+@@ -782,7 +782,10 @@ hva_to_gpa(struct virtio_net *dev, uint64_t vva, uint64_t len)
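Review bot: the range check in the get_device() hunk stops the read left of vhost_devices, but the caller that produced the -1 is left as is: per the commit message and frame #2 of the ASan trace, eth_rxq_intr_disable() in drivers/net/vhost/rte_eth_vhost.c still hands a -1 vid to rte_vhost_get_vhost_vring() after a port disconnects, so that path now logs "(%d) device not found." on every interrupt toggle instead of crashing. A follow-up in the PMD that skips the vring lookup while the port has no vid would silence that. Also, an out-of-range vid and an empty in-range slot now share the same "(%d) device not found." message; logging a distinct "invalid vhost ID" for the `vid < 0 || vid >= RTE_MAX_VHOST_DEVICE` case would make a caller bug easier to tell from a normal disconnect in the logs.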
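Review bot: the diff of the applied patch against upstream 1c80a404fd82 is metadata only (the commit hash, the added "Cc: Xueming Li" and "[ upstream commit ... ]" lines, the dropped "Cc: stable@dpdk.org", and the blob index and hunk offset moving from @@ -798,7 +798,10 @@ to @@ -782,7 +782,10 @@ on the 22.11 tree); the four changed lines of get_device() are identical to upstream, so no code rebase needs rechecking here.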
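The check the patch introduces, exercised against the boundary values that matter. This is an added example and not DPDK code: `vhost_devices`, `get_device()` and `RTE_MAX_VHOST_DEVICE` follow the names in the hunk, while the `struct virtio_net` layout, the table size of 8, the `lookup_status` out-parameter and the `vhost_new_device()`/`vhost_destroy_device()` helpers are assumptions made for the illustration. It replays the scenario from the commit message (a port is registered, disconnected, then a stale vid and then the -1 vid reach the lookup) and also probes `RTE_MAX_VHOST_DEVICE`, `INT_MIN` and `INT_MAX`.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not DPDK code: a minimal model of lib/vhost's vid -> device
 * table.  The names mirror the patch; the struct, the table size and the
 * status codes are assumptions made for this illustration. */
#define RTE_MAX_VHOST_DEVICE 8   /* small so the bounds are easy to see */

struct virtio_net {
	int vid;
	const char *ifname;
};

static struct virtio_net *vhost_devices[RTE_MAX_VHOST_DEVICE];

enum lookup_status {
	LOOKUP_OK = 0,
	LOOKUP_BAD_VID,        /* vid < 0 or vid >= RTE_MAX_VHOST_DEVICE: caller bug */
	LOOKUP_NOT_REGISTERED  /* slot in range but empty: disconnected or never added */
};

/* Hardened lookup, same shape as the patched get_device(): the range check
 * runs before the table is indexed, so a -1 from a disconnected port can no
 * longer read the 8 bytes left of vhost_devices.  The status out-parameter is
 * an assumed addition so callers can tell a caller bug from a normal disconnect. */
static struct virtio_net *
get_device(int vid, enum lookup_status *st)
{
	struct virtio_net *dev = NULL;
	enum lookup_status s;

	if (vid >= 0 && vid < RTE_MAX_VHOST_DEVICE) {
		dev = vhost_devices[vid];
		s = dev ? LOOKUP_OK : LOOKUP_NOT_REGISTERED;
	} else {
		s = LOOKUP_BAD_VID;
	}
	if (!dev)
		fprintf(stderr, "(%d) device not found (%s)\n", vid,
			s == LOOKUP_BAD_VID ? "vid out of range" : "slot empty");
	if (st)
		*st = s;
	return dev;
}

/* Hand out the first free slot as the vid on connect; -1 when the table is full. */
static int
vhost_new_device(struct virtio_net *dev)
{
	for (int i = 0; i < RTE_MAX_VHOST_DEVICE; i++) {
		if (vhost_devices[i] == NULL) {
			dev->vid = i;
			vhost_devices[i] = dev;
			return i;
		}
	}
	return -1;
}

/* Clear the slot on disconnect.  Callers that keep using the old vid, or
 * fall back to -1, are exactly the net/vhost PMD failure mode. */
static void
vhost_destroy_device(int vid)
{
	enum lookup_status st;

	if (get_device(vid, &st) != NULL)
		vhost_devices[vid] = NULL;
}

/* Replay of the commit-message scenario: connect, disconnect, then stale and
 * invalid vids reach get_device().  Returns how many bad lookups were rejected
 * (5 when every check holds), or -1 if the valid lookup itself failed. */
static int
run_scenario(void)
{
	struct virtio_net port = { .vid = -1, .ifname = "plop.sock" };
	enum lookup_status st;
	int rejected = 0;
	int vid = vhost_new_device(&port);

	if (get_device(vid, &st) != &port || st != LOOKUP_OK)
		return -1;

	vhost_destroy_device(vid);

	/* stale vid: in range, slot now empty */
	if (get_device(vid, &st) == NULL && st == LOOKUP_NOT_REGISTERED)
		rejected++;
	/* the -1 the PMD passed after the port disconnected */
	if (get_device(-1, &st) == NULL && st == LOOKUP_BAD_VID)
		rejected++;
	/* one past the end, and both extremes of int */
	if (get_device(RTE_MAX_VHOST_DEVICE, &st) == NULL && st == LOOKUP_BAD_VID)
		rejected++;
	if (get_device(INT_MIN, &st) == NULL && st == LOOKUP_BAD_VID)
		rejected++;
	if (get_device(INT_MAX, &st) == NULL && st == LOOKUP_BAD_VID)
		rejected++;
	return rejected;
}

int main(void)
{
	int n = run_scenario();

	printf("%d invalid lookups rejected\n", n);
	return n == 5 ? 0 : 1;
}
```

Dropping the range check and building with `-fsanitize=address` reproduces the class of report in the commit message: with 8-byte pointers in the table, the `-1` lookup reads the 8 bytes immediately left of `vhost_devices`, which is the global redzone ASan flagged.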