From: Maxime Coquelin <maxime.coquelin@redhat.com>
To: dev@dpdk.org, david.marchand@redhat.com, chenbo.xia@intel.com
Cc: Maxime Coquelin <maxime.coquelin@redhat.com>, stable@dpdk.org
Subject: [PATCH v2 1/2] vhost: fix possible FDs leak
Date: Fri, 27 Jan 2023 17:55:38 +0100 [thread overview]
Message-ID: <20230127165540.37863-2-maxime.coquelin@redhat.com> (raw)
In-Reply-To: <20230127165540.37863-1-maxime.coquelin@redhat.com>
On failure, read_vhost_message() only closed the message
FDs if the header size was unexpected, but there are other
cases where it is required. For exemple in the case the
payload size read from the header is greater than the
expected maximum payload size.
This patch fixes this by closing all messages FDs in all
error cases.
Fixes: bf472259dde6 ("vhost: fix possible denial of service by leaking FDs")
Cc: stable@dpdk.org
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
lib/vhost/vhost_user.c | 23 +++++++++++++++--------
1 file changed, 15 insertions(+), 8 deletions(-)
diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c
index 9902ae9944..943058725e 100644
--- a/lib/vhost/vhost_user.c
+++ b/lib/vhost/vhost_user.c
@@ -2817,29 +2817,36 @@ read_vhost_message(struct virtio_net *dev, int sockfd, struct vhu_msg_context *
ret = read_fd_message(dev->ifname, sockfd, (char *)&ctx->msg, VHOST_USER_HDR_SIZE,
ctx->fds, VHOST_MEMORY_MAX_NREGIONS, &ctx->fd_num);
- if (ret <= 0) {
- return ret;
- } else if (ret != VHOST_USER_HDR_SIZE) {
+ if (ret <= 0)
+ goto out;
+
+ if (ret != VHOST_USER_HDR_SIZE) {
VHOST_LOG_CONFIG(dev->ifname, ERR, "Unexpected header size read\n");
- close_msg_fds(ctx);
- return -1;
+ ret = -1;
+ goto out;
}
if (ctx->msg.size) {
if (ctx->msg.size > sizeof(ctx->msg.payload)) {
VHOST_LOG_CONFIG(dev->ifname, ERR, "invalid msg size: %d\n",
ctx->msg.size);
- return -1;
+ ret = -1;
+ goto out;
}
ret = read(sockfd, &ctx->msg.payload, ctx->msg.size);
if (ret <= 0)
- return ret;
+ goto out;
if (ret != (int)ctx->msg.size) {
VHOST_LOG_CONFIG(dev->ifname, ERR, "read control message failed\n");
- return -1;
+ ret = -1;
+ goto out;
}
}
+out:
+ if (ret <= 0)
+ close_msg_fds(ctx);
+
return ret;
}
--
2.39.1
next prev parent reply other threads:[~2023-01-27 16:55 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-01-27 16:55 [PATCH v2 0/2] Vhost: fix FD leaks and improve logs Maxime Coquelin
2023-01-27 16:55 ` Maxime Coquelin [this message]
2023-01-29 9:25 ` [PATCH v2 1/2] vhost: fix possible FDs leak David Marchand
2023-01-30 9:46 ` Maxime Coquelin
2023-01-30 14:25 ` David Marchand
2023-02-07 16:18 ` Maxime Coquelin
2023-02-07 5:38 ` Xia, Chenbo
2023-01-27 16:55 ` [PATCH v2 2/2] vhost: fix possible FD leaks on MSG_TRUNC and MSG_CTRUNC Maxime Coquelin
2023-01-29 9:26 ` David Marchand
2023-01-27 16:55 ` [PATCH v2 2/2] vhost: fix possible FD leaks on truncation Maxime Coquelin
2023-02-07 5:38 ` Xia, Chenbo
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230127165540.37863-2-maxime.coquelin@redhat.com \
--to=maxime.coquelin@redhat.com \
--cc=chenbo.xia@intel.com \
--cc=david.marchand@redhat.com \
--cc=dev@dpdk.org \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).