From: Maxime Coquelin
To: Yuanhan Liu, dev@dpdk.org
Cc: stable@dpdk.org
Date: Mon, 23 Jan 2017 08:56:04 +0100
Subject: Re: [dpdk-dev] [PATCH 1/3] vhost: fix dead loop in enqueue path
Message-ID: <99093bd1-0970-b374-5261-7e91d33fe4b6@redhat.com>
In-Reply-To: <1485074820-8956-2-git-send-email-yuanhan.liu@linux.intel.com>

On 01/22/2017 09:46 AM, Yuanhan Liu wrote:
> If a malicious guest forges a dead loop desc chain (let desc->next point
> to itself) and desc->len is zero, this could lead to a dead loop in
> copy_mbuf_to_desc (the following is simplified code to show this issue
> clearly):
>
>     while (mbuf_is_not_totally_consumed) {
>         if (desc_avail == 0) {
>             desc = &descs[desc->next];
>             desc_avail = desc->len;
>         }
>
>         COPY(desc, mbuf, desc_avail);
>     }
>
> I have actually fixed the same issue before: a436f53ebfeb ("vhost: avoid
> dead loop chain"); it fixes the dequeue path though, leaving the enqueue
> path still vulnerable.
>
> The fix is the same. Add a var nr_desc to avoid the dead loop.
>
> Fixes: f1a519ad981c ("vhost: fix enqueue/dequeue to handle chained vring descriptors")
>
> Cc: stable@dpdk.org
> Reported-by: Xieming Katty
> Signed-off-by: Yuanhan Liu
> ---
>  lib/librte_vhost/virtio_net.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)

Thanks for the fix:
Reviewed-by: Maxime Coquelin

- Maxime
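
Added example (not part of the original mail or of the DPDK patch): a simplified C model of the enqueue loop quoted above, with an nr_desc counter bounding the chain walk. struct desc, walk_chain and the bound of at most `size` descriptors per chain are assumptions of this example; the mail itself only names the variable nr_desc.

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for a vring descriptor (constructed for this example). */
struct desc {
    uint32_t len;   /* bytes available in this descriptor's buffer */
    uint16_t next;  /* index of the next descriptor in the chain */
};

/*
 * Walk a guest-supplied chain until `need` bytes have been placed, following
 * the loop shape quoted above. nr_desc counts descriptors visited; a chain
 * cannot legitimately visit more than `size` of them (assumed bound), so
 * exceeding that means the chain loops. Returns descriptors used, or -1.
 */
static int walk_chain(const struct desc *descs, uint16_t size,
                      uint16_t head, uint32_t need)
{
    uint32_t nr_desc = 1, desc_avail;
    uint16_t idx = head;

    if (head >= size)
        return -1;
    desc_avail = descs[idx].len;

    while (need > 0) {
        if (desc_avail == 0) {
            idx = descs[idx].next;
            if (idx >= size || ++nr_desc > size)
                return -1;          /* out-of-range index or looping chain */
            desc_avail = descs[idx].len;
            continue;               /* the new descriptor may be empty too */
        }
        uint32_t n = need < desc_avail ? need : desc_avail;
        need -= n;                  /* stands in for COPY(desc, mbuf, n) */
        desc_avail -= n;
    }
    return (int)nr_desc;
}

/* Constructed inputs: a self-referencing zero-length chain and a valid one. */
static const struct desc looped[4] = { { 0, 0 } };
static const struct desc valid[4]  = { { 16, 1 }, { 32, 2 }, { 64, 3 }, { 0, 0 } };

int main(void)
{
    printf("looped chain: %d\n", walk_chain(looped, 4, 0, 64));
    printf("valid chain:  %d\n", walk_chain(valid, 4, 0, 100));
    return 0;
}
```

Without the nr_desc check, the first call would never return, because every hop lands on the same zero-length descriptor and `need` never decreases.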