From: Yuanhan Liu
To: Rich Lane
Cc: dev@dpdk.org
Date: Thu, 12 Nov 2015 17:23:05 +0800
Subject: Re: [dpdk-dev] [PATCH] vhost: avoid buffer overflow in update_secure_len
Message-ID: <20151112092305.GI2326@yliu-dev.sh.intel.com>
In-Reply-To: <1447315353-42152-1-git-send-email-rlane@bigswitch.com>

On Thu, Nov 12, 2015 at 12:02:33AM -0800, Rich Lane wrote:
> The guest could trigger this buffer overflow by creating a cycle of descriptors
> (which would also cause an infinite loop). The more common case is that
> vq->avail->idx jumps out of the range [last_used_idx, last_used_idx+256). This
> happens nearly every time when restarting a DPDK app inside a VM connected to a
> vhost-user vswitch because the virtqueue memory allocated by the previous run
> is zeroed.

Hi,

I somehow was aware of this issue before while reading the code. Thinking
that we never met that, I delayed the fix (it was still in my TODO list).

Would you please tell me the steps (commands would be better) to reproduce
your issue? I'd like to know more about the issue: I'm guessing maybe we
need to fix it with a bit more care.

	--yliu

>
> Signed-off-by: Rich Lane
> ---
>  lib/librte_vhost/vhost_rxtx.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/librte_vhost/vhost_rxtx.c b/lib/librte_vhost/vhost_rxtx.c
> index 9322ce6..d95b478 100644
> --- a/lib/librte_vhost/vhost_rxtx.c
> +++ b/lib/librte_vhost/vhost_rxtx.c
> @@ -453,7 +453,7 @@ update_secure_len(struct vhost_virtqueue *vq, uint32_t id, > vq->buf_vec[vec_id].desc_idx = idx; > vec_id++; > > - if (vq->desc[idx].flags & VRING_DESC_F_NEXT) { > + if (vq->desc[idx].flags & VRING_DESC_F_NEXT && vec_id < BUF_VECTOR_MAX) { > idx = vq->desc[idx].next; > next_desc = 1; > } > -- > 1.9.1
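Review bot: the added `vec_id < BUF_VECTOR_MAX` condition stops the write past the end of `vq->buf_vec[]`, but when the limit is reached the rest of the chain is dropped silently: `next_desc` is left unset and the caller cannot distinguish a truncated chain from a complete one. Consider returning an error from `update_secure_len` (or a sentinel length) so the caller discards the request rather than proceeding with a partial buffer vector. The guard also only bounds the damage from the two causes the description names, a descriptor cycle and `vq->avail->idx` leaving `[last_used_idx, last_used_idx+256)`; neither condition is detected or rejected here, and a cycle still walks `BUF_VECTOR_MAX` entries before stopping, so a range check on the index itself, as the reply hints, may be the more complete fix. Minor: wrap `(vq->desc[idx].flags & VRING_DESC_F_NEXT)` in parentheses before the `&&` for readability, even though `&` already binds tighter.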