From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga09.intel.com (mga09.intel.com [134.134.136.24]) by dpdk.org (Postfix) with ESMTP id F00D11B437 for ; Fri, 4 Jan 2019 05:09:19 +0100 (CET) X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga005.jf.intel.com ([10.7.209.41]) by orsmga102.jf.intel.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 03 Jan 2019 20:09:19 -0800 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.56,437,1539673200"; d="scan'208";a="288727278" Received: from dpdk-tbie.sh.intel.com ([10.67.104.173]) by orsmga005.jf.intel.com with ESMTP; 03 Jan 2019 20:09:18 -0800 From: Tiwei Bie To: maxime.coquelin@redhat.com, zhihong.wang@intel.com, dev@dpdk.org Date: Fri, 4 Jan 2019 12:06:38 +0800 Message-Id: <20190104040642.27463-3-tiwei.bie@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190104040642.27463-1-tiwei.bie@intel.com> References: <20190104040642.27463-1-tiwei.bie@intel.com> Subject: [dpdk-dev] [PATCH 2/6] vhost: fix possible out of bound access in relay helpers X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 04 Jan 2019 04:09:20 -0000 Fixes: b13ad2decc83 ("vhost: provide helpers for virtio ring relay") Signed-off-by: Tiwei Bie --- lib/librte_vhost/vdpa.c | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/lib/librte_vhost/vdpa.c b/lib/librte_vhost/vdpa.c index 77d92f9ad..407d1c363 100644 --- a/lib/librte_vhost/vdpa.c +++ b/lib/librte_vhost/vdpa.c @@ -178,6 +178,9 @@ rte_vdpa_relay_vring_avail(int vid, uint16_t qid, void *vring_m) while (idx_m != idx) { /* avail entry copy */ desc_id = vq->avail->ring[idx_m & (vq->size - 1)]; + if (unlikely(desc_id >= vq->size)) + return -1; + s_vring->avail->ring[idx_m & (vq->size - 1)] = desc_id; desc_ring = vq->desc; 
@@ -205,15 +208,14 @@ rte_vdpa_relay_vring_avail(int vid, uint16_t qid, void *vring_m) /* check if the buf addr is within the guest memory */ do { + if (unlikely(desc_id >= vq->size)) + goto fail; desc = desc_ring[desc_id]; perm = desc.flags & VRING_DESC_F_WRITE ? VHOST_ACCESS_WO : VHOST_ACCESS_RO; if (invalid_desc_check(dev, vq, desc.addr, desc.len, - perm)) { - if (unlikely(idesc)) - free_ind_table(idesc); - return -1; - } + perm)) + goto fail; desc_id = desc.next; } while (desc.flags & VRING_DESC_F_NEXT); @@ -232,6 +234,11 @@ rte_vdpa_relay_vring_avail(int vid, uint16_t qid, void *vring_m) vhost_avail_event(vq) = idx; return ret; + +fail: + if (unlikely(idesc)) + free_ind_table(idesc); + return -1; } int __rte_experimental @@ -270,6 +277,9 @@ rte_vdpa_relay_vring_used(int vid, uint16_t qid, void *vring_m) desc_id = vq->used->ring[idx & (vq->size - 1)].id; desc_ring = vq->desc; + if (unlikely(desc_id >= vq->size)) + return -1; + if (vq->desc[desc_id].flags & VRING_DESC_F_INDIRECT) { dlen = vq->desc[desc_id].len; desc_ring = (struct vring_desc *)(uintptr_t) @@ -294,6 +304,8 @@ rte_vdpa_relay_vring_used(int vid, uint16_t qid, void *vring_m) /* dirty page logging for DMA writeable buffer */ do { + if (unlikely(desc_id >= vq->size)) + goto fail; desc = desc_ring[desc_id]; if (desc.flags & VRING_DESC_F_WRITE) vhost_log_write(dev, desc.addr, desc.len); @@ -315,4 +327,9 @@ rte_vdpa_relay_vring_used(int vid, uint16_t qid, void *vring_m) vring_used_event(s_vring) = idx_m; return ret; + +fail: + if (unlikely(idesc)) + free_ind_table(idesc); + return -1; } -- 2.17.1
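Review bot: in the first hunk of rte_vdpa_relay_vring_avail (@@ -178), the new `return -1` sits inside the `while (idx_m != idx)` loop, so entries from earlier iterations have already been stored in `s_vring->avail->ring` when a later `desc_id` fails the check. Please document what state the shadow ring is left in on this error path, and consider logging the rejected `desc_id` together with `vq->size` before returning, since a bare -1 gives an operator nothing to tie the failure to a misbehaving guest. The same comment applies to the `return -1` added at @@ -270 in rte_vdpa_relay_vring_used.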
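Review bot: in the `do { ... } while (desc.flags & VRING_DESC_F_NEXT)` loop at @@ -205, the added `desc_id >= vq->size` test keeps each index in range but does not bound the number of iterations. `desc_id = desc.next` is taken from the descriptor just read, so a chain whose `next` fields form a cycle with VRING_DESC_F_NEXT set never leaves the loop. Suggest counting the descriptors visited and taking `goto fail` once the count exceeds the ring size. The same loop shape appears at @@ -294.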
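Review bot: in the dirty page logging loop at @@ -294, `desc_id` is compared against `vq->size`, but the context lines of the hunk at @@ -270 show `desc_ring` being repointed at an indirect table whose length comes from `vq->desc[desc_id].len` when VRING_DESC_F_INDIRECT is set. For an indirect table with fewer than `vq->size` entries this check still admits an index past the end of the table, so the bound should be derived from `dlen` when `desc_ring` is the indirect table and from `vq->size` only when it is `vq->desc`.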