From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 5F9E5A0542;
	Wed,  5 Oct 2022 17:06:56 +0200 (CEST)
Received: from [217.70.189.124] (localhost [127.0.0.1])
	by mails.dpdk.org (Postfix) with ESMTP id 4245C40694;
	Wed,  5 Oct 2022 17:06:56 +0200 (CEST)
Received: from us-smtp-delivery-124.mimecast.com
 (us-smtp-delivery-124.mimecast.com [170.10.133.124])
 by mails.dpdk.org (Postfix) with ESMTP id 8FB4940143
 for <dev@dpdk.org>; Wed,  5 Oct 2022 17:06:54 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1664982414;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding:
 in-reply-to:in-reply-to:references:references;
 bh=6UjRbVCjly/QNe9qS+1giy/anpGUdl77iQ4Z0Ng21P4=;
 b=MzYAw4OXULXgivWhze2ejI1uolTA0qR3DANz7T4zgnJfJ3ox/F9f+32qbrpMUq3kjxtk3C
 GsoyHFKcUyxSSnWHshMtGLBsk5mOUbUTIBP69x8C94g7X9ufhWZVC4mWPp7jjjZ8VjoKTw
 sHLWpA3oAdPE3mmFJg0zKmJzj2MOF90=
Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com
 [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS
 (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 us-mta-540-ssLEo6uTNbi8aKL7V-9j1A-1; Wed, 05 Oct 2022 11:06:52 -0400
X-MC-Unique: ssLEo6uTNbi8aKL7V-9j1A-1
Received: from smtp.corp.redhat.com (int-mx09.intmail.prod.int.rdu2.redhat.com
 [10.11.54.9])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 483883C0D1AC;
 Wed,  5 Oct 2022 15:06:51 +0000 (UTC)
Received: from [10.39.208.19] (unknown [10.39.208.19])
 by smtp.corp.redhat.com (Postfix) with ESMTPS id EB1D14A927F;
 Wed,  5 Oct 2022 15:06:47 +0000 (UTC)
Message-ID: <9a8f3fb4-44d1-f437-7065-317bf34748b4@redhat.com>
Date: Wed, 5 Oct 2022 17:06:45 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.3.1
To: Claudio Fontana <cfontana@suse.de>, Chenbo Xia <chenbo.xia@intel.com>
Cc: dev@dpdk.org
References: <20220802004938.23670-1-cfontana@suse.de>
 <20220802004938.23670-2-cfontana@suse.de>
From: Maxime Coquelin <maxime.coquelin@redhat.com>
Subject: Re: [PATCH v3 1/2] vhost: check for nr_vec == 0 in desc_to_mbuf,
 mbuf_to_desc
In-Reply-To: <20220802004938.23670-2-cfontana@suse.de>
X-Scanned-By: MIMEDefang 3.1 on 10.11.54.9
X-Mimecast-Spam-Score: 0
X-Mimecast-Originator: redhat.com
Content-Language: en-US
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/dev>,
 <mailto:dev-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/dev/>
List-Post: <mailto:dev@dpdk.org>
List-Help: <mailto:dev-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/dev>,
 <mailto:dev-request@dpdk.org?subject=subscribe>
Errors-To: dev-bounces@dpdk.org



On 8/2/22 02:49, Claudio Fontana wrote:
> in virtio_dev_split we cannot currently call desc_to_mbuf with
> nr_vec == 0, or we end up trying to rte_memcpy from a source address
> buf_vec[0] that is an uninitialized stack variable.
> 
> Improve this in general by having desc_to_mbuf and mbuf_to_desc
> return -1 when called with an invalid nr_vec == 0, which should
> fix any other instance of this problem.
> 
> This should fix errors that have been reported in multiple occasions
> from telcos to the DPDK, OVS and QEMU projects, as this affects in
> particular the openvswitch/DPDK, QEMU vhost-user setup when the
> guest DPDK application abruptly goes away via SIGKILL and then
> reconnects.
> 
> The back trace looks roughly like this, depending on the specific
> rte_memcpy selected, etc, in any case the "src" parameter is garbage
> (in this example containing 0 + dev->host_hlen(12 = 0xc)).
> 
> Thread 153 "pmd-c88/id:150" received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7f64e5e6b700 (LWP 141373)]
> rte_mov128blocks (n=2048, src=0xc <error: Cannot access memory at 0xc>,
>               dst=0x150da4480) at ../lib/eal/x86/include/rte_memcpy.h:384
> (gdb) bt
> 0  rte_mov128blocks (n=2048, src=0xc, dst=0x150da4480)
> 1  rte_memcpy_generic (n=2048, src=0xc, dst=0x150da4480)
> 2  rte_memcpy (n=2048, src=0xc, dst=<optimized out>)
> 3  sync_fill_seg
> 4  desc_to_mbuf
> 5  virtio_dev_tx_split
> 6  virtio_dev_tx_split_legacy
> 7  0x00007f676fea0fef in rte_vhost_dequeue_burst
> 8  0x00007f6772005a62 in netdev_dpdk_vhost_rxq_recv
> 9  0x00007f6771f38116 in netdev_rxq_recv
> 10 0x00007f6771f03d96 in dp_netdev_process_rxq_port
> 11 0x00007f6771f04239 in pmd_thread_main
> 12 0x00007f6771f92aff in ovsthread_wrapper
> 13 0x00007f6771c1b6ea in start_thread
> 14 0x00007f6771933a8f in clone
> 
> Tested-by: Claudio Fontana <cfontana@suse.de>
> Signed-off-by: Claudio Fontana <cfontana@suse.de>
> ---
>   lib/vhost/virtio_net.c | 11 ++++++++---
>   1 file changed, 8 insertions(+), 3 deletions(-)

This patch is also no more necessary since CVE-2022-2132 has been fixed.
Latests LTS versions and upstream main branch contain the fixes:

dc1516e260a0 ("vhost: fix header spanned across more than two descriptors")
71bd0cc536ad ("vhost: discard too small descriptor chains")

desc_to_mbuf callers now check that the descriptors are at least the
size of the virtio_net header, so nr_vec cannot be 0 in desc_to_mbuf.

Since I cannot reproduce, if you are willing to try please let us know
the results.

Maxime