From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 5F9E5A0542; Wed, 5 Oct 2022 17:06:56 +0200 (CEST) Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 4245C40694; Wed, 5 Oct 2022 17:06:56 +0200 (CEST) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) by mails.dpdk.org (Postfix) with ESMTP id 8FB4940143 for ; Wed, 5 Oct 2022 17:06:54 +0200 (CEST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1664982414; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=6UjRbVCjly/QNe9qS+1giy/anpGUdl77iQ4Z0Ng21P4=; b=MzYAw4OXULXgivWhze2ejI1uolTA0qR3DANz7T4zgnJfJ3ox/F9f+32qbrpMUq3kjxtk3C GsoyHFKcUyxSSnWHshMtGLBsk5mOUbUTIBP69x8C94g7X9ufhWZVC4mWPp7jjjZ8VjoKTw sHLWpA3oAdPE3mmFJg0zKmJzj2MOF90= Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-540-ssLEo6uTNbi8aKL7V-9j1A-1; Wed, 05 Oct 2022 11:06:52 -0400 X-MC-Unique: ssLEo6uTNbi8aKL7V-9j1A-1 Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com [10.11.54.9]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 483883C0D1AC; Wed, 5 Oct 2022 15:06:51 +0000 (UTC) Received: from [10.39.208.19] (unknown [10.39.208.19]) by smtp.corp.redhat.com (Postfix) with ESMTPS id EB1D14A927F; Wed, 5 Oct 2022 15:06:47 +0000 (UTC) Message-ID: <9a8f3fb4-44d1-f437-7065-317bf34748b4@redhat.com> Date: Wed, 5 Oct 2022 17:06:45 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Thunderbird/102.3.1 To: Claudio Fontana , Chenbo Xia Cc: dev@dpdk.org References: <20220802004938.23670-1-cfontana@suse.de> <20220802004938.23670-2-cfontana@suse.de> From: Maxime Coquelin Subject: Re: [PATCH v3 1/2] vhost: check for nr_vec == 0 in desc_to_mbuf, mbuf_to_desc In-Reply-To: <20220802004938.23670-2-cfontana@suse.de> X-Scanned-By: MIMEDefang 3.1 on 10.11.54.9 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit X-BeenThere: dev@dpdk.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: DPDK patches and discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: dev-bounces@dpdk.org On 8/2/22 02:49, Claudio Fontana wrote: > in virtio_dev_split we cannot currently call desc_to_mbuf with > nr_vec == 0, or we end up trying to rte_memcpy from a source address > buf_vec[0] that is an uninitialized stack variable. > > Improve this in general by having desc_to_mbuf and mbuf_to_desc > return -1 when called with an invalid nr_vec == 0, which should > fix any other instance of this problem. > > This should fix errors that have been reported in multiple occasions > from telcos to the DPDK, OVS and QEMU projects, as this affects in > particular the openvswitch/DPDK, QEMU vhost-user setup when the > guest DPDK application abruptly goes away via SIGKILL and then > reconnects. > > The back trace looks roughly like this, depending on the specific > rte_memcpy selected, etc, in any case the "src" parameter is garbage > (in this example containing 0 + dev->host_hlen(12 = 0xc)). > > Thread 153 "pmd-c88/id:150" received signal SIGSEGV, Segmentation fault. > [Switching to Thread 0x7f64e5e6b700 (LWP 141373)] > rte_mov128blocks (n=2048, src=0xc , > dst=0x150da4480) at ../lib/eal/x86/include/rte_memcpy.h:384 > (gdb) bt > 0 rte_mov128blocks (n=2048, src=0xc, dst=0x150da4480) > 1 rte_memcpy_generic (n=2048, src=0xc, dst=0x150da4480) > 2 rte_memcpy (n=2048, src=0xc, dst=) > 3 sync_fill_seg > 4 desc_to_mbuf > 5 virtio_dev_tx_split > 6 virtio_dev_tx_split_legacy > 7 0x00007f676fea0fef in rte_vhost_dequeue_burst > 8 0x00007f6772005a62 in netdev_dpdk_vhost_rxq_recv > 9 0x00007f6771f38116 in netdev_rxq_recv > 10 0x00007f6771f03d96 in dp_netdev_process_rxq_port > 11 0x00007f6771f04239 in pmd_thread_main > 12 0x00007f6771f92aff in ovsthread_wrapper > 13 0x00007f6771c1b6ea in start_thread > 14 0x00007f6771933a8f in clone > > Tested-by: Claudio Fontana > Signed-off-by: Claudio Fontana > --- > lib/vhost/virtio_net.c | 11 ++++++++--- > 1 file changed, 8 insertions(+), 3 deletions(-) This patch is also no more necessary since CVE-2022-2132 has been fixed. Latests LTS versions and upstream main branch contain the fixes: dc1516e260a0 ("vhost: fix header spanned across more than two descriptors") 71bd0cc536ad ("vhost: discard too small descriptor chains") desc_to_mbuf callers now check that the descriptors are at least the size of the virtio_net header, so nr_vec cannot be 0 in desc_to_mbuf. Since I cannot reproduce, if you are willing to try please let us know the results. Maxime