Date: Thu, 11 Feb 2016 14:48:28 -0800
From: Stephen Hemminger
To: Seth Arnold
Cc: dev@dpdk.org
Subject: Re: [dpdk-dev] thoughts on DPDK after a few days of reading sources
Message-ID: <20160211144828.1404e9c1@xeon-e3>
In-Reply-To: <20160211030540.GB25680@hunt>
References: <20160211030540.GB25680@hunt>

On Wed, 10 Feb 2016 19:05:40 -0800
Seth Arnold wrote:

> - ./drivers/net/virtio/virtio_ethdev.c virtio_set_multiple_queues() calls
>   virtio_send_command(), which performs:
>
>   memcpy(vq->virtio_net_hdr_mz->addr, ctrl, sizeof(struct virtio_pmd_ctrl));
>
>   This copies a potentially huge amount of uninitialized data into ->addr
>   because the struct virtio_pmd_ctrl ctrl was not zeroed before being
>   passed. How much of this data leaves the system? Does this require a
>   CVE?

This is not really a security issue. The guest (virtio) has to trust the
host to follow the protocol. If the host is malicious there are far worse
things it can do.

In this case, the on-stack variable ctrl is only partially initialized but
only partially used. The hdr part (virtio_net_ctrl_hdr) is fully
initialized, and status is set to 0 in virtio_send_command.
Although partially uninitialized data is copied into the region shared with
the host, only the first part is actually referenced by the ring element:

    vq->vq_ring.desc[head].flags = VRING_DESC_F_NEXT;
    vq->vq_ring.desc[head].addr = vq->virtio_net_hdr_mz->phys_addr;
    vq->vq_ring.desc[head].len = sizeof(struct virtio_net_ctrl_hdr);

Therefore it is not a real problem.
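As an added illustration (not code from this thread or from DPDK), a defensive version of the copy under discussion: the on-stack command struct is zero-initialised and the memcpy into the host-shared region is bounded by the descriptor length that the host will be given, rather than by sizeof(struct virtio_pmd_ctrl), so no stack residue reaches shared memory even though only the header bytes are referenced by the descriptor. The struct layouts, the CTRL_DATA_MAX size and the function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed, simplified layouts named after the thread; not DPDK's real ones. */
struct virtio_net_ctrl_hdr { uint8_t cls; uint8_t cmd; };
#define CTRL_DATA_MAX 256                     /* assumed payload capacity */
struct virtio_pmd_ctrl {
    struct virtio_net_ctrl_hdr hdr;
    uint8_t status;
    uint8_t data[CTRL_DATA_MAX];
};

/* Constructed stand-in for the host-visible region behind
 * vq->virtio_net_hdr_mz->addr, prefilled with a sentinel so a test can
 * tell exactly which bytes the copy wrote. */
#define SHARED_SENTINEL 0xAA
uint8_t shared_region[sizeof(struct virtio_pmd_ctrl)];

/* Build the command as the thread describes: only hdr and status matter.
 * The `= {0}` initialiser makes every remaining byte defined (zero). */
struct virtio_pmd_ctrl make_mq_ctrl(uint8_t cls, uint8_t cmd)
{
    struct virtio_pmd_ctrl ctrl = {0};
    ctrl.hdr.cls = cls;
    ctrl.hdr.cmd = cmd;
    ctrl.status = 0;
    return ctrl;
}

/* Hardened copy: bound the memcpy by the descriptor length the host will be
 * told about (desc_len) instead of sizeof(struct virtio_pmd_ctrl), and
 * reject lengths that do not cover the header or exceed the struct.
 * Returns bytes copied, or 0 on rejection. */
size_t send_ctrl_bounded(const struct virtio_pmd_ctrl *ctrl, size_t desc_len)
{
    memset(shared_region, SHARED_SENTINEL, sizeof shared_region);
    if (desc_len < sizeof(struct virtio_net_ctrl_hdr) || desc_len > sizeof *ctrl)
        return 0;
    memcpy(shared_region, ctrl, desc_len);
    return desc_len;
}

/* Number of shared bytes past `len` that still hold the sentinel, i.e. that
 * the copy never touched. For a bounded copy this is the whole tail. */
size_t untouched_after(size_t len)
{
    size_t n = 0;
    for (size_t i = len; i < sizeof shared_region; i++)
        n += (shared_region[i] == SHARED_SENTINEL);
    return n;
}
```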