From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 055FFA0A02; Thu, 25 Mar 2021 04:04:00 +0100 (CET) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id D13E6140DB9; Thu, 25 Mar 2021 04:03:50 +0100 (CET) Received: from mga02.intel.com (mga02.intel.com [134.134.136.20]) by mails.dpdk.org (Postfix) with ESMTP id 946BA4067B; Thu, 25 Mar 2021 04:03:46 +0100 (CET) IronPort-SDR: bvkHIkQXwsMSpOPCC4qxlqZ0btrpEgxrP7XjP4HDXmbY/J8QZPjseK+iH6QvMiH8JOQ5jvP4Ll xOEHrmQFH/4g== X-IronPort-AV: E=McAfee;i="6000,8403,9933"; a="177953063" X-IronPort-AV: E=Sophos;i="5.81,276,1610438400"; d="scan'208";a="177953063" Received: from orsmga008.jf.intel.com ([10.7.209.65]) by orsmga101.jf.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 24 Mar 2021 20:03:38 -0700 IronPort-SDR: QiXfUrdanv2k3/5cw531iTn90/6oRR/3W1TWcAkaEV2gg4WzVkGYXHlTTzyE4PUq/epHTTTgsW 11RjPVrByOMA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.81,276,1610438400"; d="scan'208";a="415765145" Received: from npg-dpdk-virtual-marvin-dev.sh.intel.com ([10.67.119.108]) by orsmga008.jf.intel.com with ESMTP; 24 Mar 2021 20:03:34 -0700 From: Marvin Liu To: maxime.coquelin@redhat.com, chenbo.xia@intel.com Cc: dev@dpdk.org, Marvin Liu , stable@dpdk.org Date: Thu, 25 Mar 2021 11:01:37 +0800 Message-Id: <20210325030139.2486-1-yong.liu@intel.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210226073321.66996-1-yong.liu@intel.com> References: <20210226073321.66996-1-yong.liu@intel.com> Subject: [dpdk-dev] [PATCH 1/3] vhost: fix split ring potential buffer overflow X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org Sender: "dev" In vhost datapath, descriptor's length are mostly used in two coherent operations. First step is used for address translation, second step is used for memory transaction from guest to host. But the iterval between two steps will give a window for malicious guest, in which can change descriptor length after vhost calcuated buffer size. Thus may lead to buffer overflow in vhost side. This potential risk can be eliminated by accessing the descriptor length once. Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx") Cc: stable@dpdk.org Signed-off-by: Marvin Liu Reviewed-by: Maxime Coquelin diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c index 583bf379c6..576a0a20c0 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c @@ -548,10 +548,11 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq, return -1; } - len += descs[idx].len; + dlen = descs[idx].len; + len += dlen; if (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id, - descs[idx].addr, descs[idx].len, + descs[idx].addr, dlen, perm))) { free_ind_table(idesc); return -1; -- 2.17.1