From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 66EABA0093; Mon, 18 May 2020 15:17:50 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 981C51D52A; Mon, 18 May 2020 15:17:22 +0200 (CEST) Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) by dpdk.org (Postfix) with ESMTP id 71FA21D529; Mon, 18 May 2020 15:17:20 +0200 (CEST) IronPort-SDR: fjh6UyfgxGGAzkOZ4aJM3FCyKFPW7KgkHUr9aCMdHNDJ2iOaDOlsyLoh1Znvlc0X2LS7vAGXH4 Qs4HkwmAojeA== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga003.jf.intel.com ([10.7.209.27]) by orsmga105.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 May 2020 06:17:20 -0700 IronPort-SDR: X3xpz//fxCcwgKG4SA9S9/J2R3GgQuCQ9HHhwYVt1ihsJ08SRoYmTbh61QPaQmndULoZXcJZLV WcwhwnhMwWKg== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.73,407,1583222400"; d="scan'208";a="263950737" Received: from silpixa00399752.ir.intel.com (HELO silpixa00399752.ger.corp.intel.com) ([10.237.222.180]) by orsmga003.jf.intel.com with ESMTP; 18 May 2020 06:17:18 -0700 From: Ferruh Yigit To: dev@dpdk.org Cc: Ferruh Yigit , Marvin Liu , stable@dpdk.org, Maxime Coquelin Date: Mon, 18 May 2020 14:17:02 +0100 Message-Id: <20200518131704.715877-5-ferruh.yigit@intel.com> X-Mailer: git-send-email 2.25.4 In-Reply-To: <20200518131704.715877-1-ferruh.yigit@intel.com> References: <20200518131704.715877-1-ferruh.yigit@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [dpdk-dev] [PATCH 4/6] vhost: fix translated address not checked X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" From: Marvin Liu Malicious guest can construct desc with invalid address and zero buffer length. That will request vhost to check both translated address and translated data length. This patch will add missed address check. CVE-2020-10725 Fixes: 75ed51697820 ("vhost: add packed ring batch dequeue") Fixes: ef861692c398 ("vhost: add packed ring batch enqueue") Cc: stable@dpdk.org Signed-off-by: Marvin Liu Reviewed-by: Maxime Coquelin --- lib/librte_vhost/virtio_net.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c index 1fc30c6819..8504897e7a 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c @@ -1072,6 +1072,8 @@ virtio_dev_rx_batch_packed(struct virtio_net *dev, VHOST_ACCESS_RW); vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) { + if (unlikely(!desc_addrs[i])) + return -1; if (unlikely(lens[i] != descs[avail_idx + i].len)) return -1; } @@ -1827,6 +1829,8 @@ vhost_reserve_avail_batch_packed(struct virtio_net *dev, } vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) { + if (unlikely(!desc_addrs[i])) + return -1; if (unlikely((lens[i] != descs[avail_idx + i].len))) return -1; } -- 2.25.2