From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 04B6A424A0; Fri, 27 Jan 2023 17:55:55 +0100 (CET) Received: from mails.dpdk.org (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 478C5406B4; Fri, 27 Jan 2023 17:55:52 +0100 (CET) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by mails.dpdk.org (Postfix) with ESMTP id 2D28D40146 for ; Fri, 27 Jan 2023 17:55:49 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1674838548; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=V9Z0HJz9qWMrsj9W7T+wpflV4KppBMokfcd3knnHVIA=; b=LUHN183wSIflbEv6z0LHrR675L6J6WtuF5y4xMdpPLnC9e9WbBjYjtUYUYw2KObB98T+fa XBBO64e2vjEZmPw4iuJKu5fId4ndwKiZSLXXLnE2dqlRQ47Wa6m0wsIMZo2S6+VcFKZIMn gxYEC0jq0NACh53feFLhWaOIaUdBO9M= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-67-XYMsccopPKyUpaFhGrgcRA-1; Fri, 27 Jan 2023 11:55:45 -0500 X-MC-Unique: XYMsccopPKyUpaFhGrgcRA-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 01DFC87A9E2; Fri, 27 Jan 2023 16:55:45 +0000 (UTC) Received: from max-t490s.redhat.com (unknown [10.39.208.33]) by smtp.corp.redhat.com (Postfix) with ESMTP id D2180492B01; Fri, 27 Jan 2023 16:55:43 +0000 (UTC) From: Maxime Coquelin To: dev@dpdk.org, david.marchand@redhat.com, chenbo.xia@intel.com Cc: Maxime Coquelin , stable@dpdk.org Subject: [PATCH v2 1/2] vhost: fix possible FDs leak Date: Fri, 27 Jan 2023 17:55:38 +0100 Message-Id: <20230127165540.37863-2-maxime.coquelin@redhat.com> In-Reply-To: <20230127165540.37863-1-maxime.coquelin@redhat.com> References: <20230127165540.37863-1-maxime.coquelin@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.1 on 10.11.54.10 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Transfer-Encoding: 8bit Content-Type: text/plain; charset="US-ASCII"; x-default=true X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org On failure, read_vhost_message() only closed the message FDs if the header size was unexpected, but there are other cases where it is required. For exemple in the case the payload size read from the header is greater than the expected maximum payload size. This patch fixes this by closing all messages FDs in all error cases. Fixes: bf472259dde6 ("vhost: fix possible denial of service by leaking FDs") Cc: stable@dpdk.org Signed-off-by: Maxime Coquelin --- lib/vhost/vhost_user.c | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/lib/vhost/vhost_user.c b/lib/vhost/vhost_user.c index 9902ae9944..943058725e 100644 --- a/lib/vhost/vhost_user.c +++ b/lib/vhost/vhost_user.c @@ -2817,29 +2817,36 @@ read_vhost_message(struct virtio_net *dev, int sockfd, struct vhu_msg_context * ret = read_fd_message(dev->ifname, sockfd, (char *)&ctx->msg, VHOST_USER_HDR_SIZE, ctx->fds, VHOST_MEMORY_MAX_NREGIONS, &ctx->fd_num); - if (ret <= 0) { - return ret; - } else if (ret != VHOST_USER_HDR_SIZE) { + if (ret <= 0) + goto out; + + if (ret != VHOST_USER_HDR_SIZE) { VHOST_LOG_CONFIG(dev->ifname, ERR, "Unexpected header size read\n"); - close_msg_fds(ctx); - return -1; + ret = -1; + goto out; } if (ctx->msg.size) { if (ctx->msg.size > sizeof(ctx->msg.payload)) { VHOST_LOG_CONFIG(dev->ifname, ERR, "invalid msg size: %d\n", ctx->msg.size); - return -1; + ret = -1; + goto out; } ret = read(sockfd, &ctx->msg.payload, ctx->msg.size); if (ret <= 0) - return ret; + goto out; if (ret != (int)ctx->msg.size) { VHOST_LOG_CONFIG(dev->ifname, ERR, "read control message failed\n"); - return -1; + ret = -1; + goto out; } } +out: + if (ret <= 0) + close_msg_fds(ctx); + return ret; } -- 2.39.1