From: Rich Lane
To: Yuanhan Liu
Cc: dev@dpdk.org
Date: Thu, 12 Nov 2015 13:46:03 -0800
Subject: Re: [dpdk-dev] [PATCH] vhost: avoid buffer overflow in update_secure_len
In-Reply-To: <20151112092305.GI2326@yliu-dev.sh.intel.com>
References: <1447315353-42152-1-git-send-email-rlane@bigswitch.com> <20151112092305.GI2326@yliu-dev.sh.intel.com>

You can reproduce this with l2fwd and the vhost PMD. You'll need this patch on top of the vhost PMD patches:

--- a/lib/librte_vhost/virtio-net.c
+++ b/lib/librte_vhost/virtio-net.c
@@ -471,7 +471,7 @@ reset_owner(struct vhost_device_ctx ctx)
 		return -1;
 
 	if (dev->flags & VIRTIO_DEV_RUNNING)
-		notify_ops->destroy_device(dev);
+		notify_destroy_device(dev);
 
 	cleanup_device(dev);
 	reset_device(dev);

1. Start l2fwd on the host:
   l2fwd -l 0,1 --vdev eth_null --vdev eth_vhost0,iface=/run/vhost0.sock -- -p3
2. Start a VM using vhost-user and set up uio, hugepages, etc.
3. Start l2fwd inside the VM:
   l2fwd -l 0,1 --vdev eth_null -- -p3
4. Kill the l2fwd inside the VM with SIGINT.
5. Start l2fwd inside the VM.
6. l2fwd on the host crashes.

I found the source of the memory corruption by setting a watchpoint in gdb:

watch -l rte_eth_devices[1].data->rx_queues

On Thu, Nov 12, 2015 at 1:23 AM, Yuanhan Liu wrote:
> On Thu, Nov 12, 2015 at 12:02:33AM -0800, Rich Lane wrote:
> > The guest could trigger this buffer overflow by creating a cycle of descriptors
> > (which would also cause an infinite loop). The more common case is that
> > vq->avail->idx jumps out of the range [last_used_idx, last_used_idx+256). This
> > happens nearly every time when restarting a DPDK app inside a VM connected to a
> > vhost-user vswitch because the virtqueue memory allocated by the previous run
> > is zeroed.
>
> Hi,
>
> I somehow was aware of this issue before while reading the code.
> Thinking that we never met that, I delayed the fix (it was still
> in my TODO list).
>
> Would you please tell me the steps (commands would be better) to
> reproduce your issue? I'd like to know more about the issue: I'm
> guessing maybe we need to fix it with a bit more care.
>
> --yliu
>
> > Signed-off-by: Rich Lane
> > ---
> >  lib/librte_vhost/vhost_rxtx.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/lib/librte_vhost/vhost_rxtx.c b/lib/librte_vhost/vhost_rxtx.c
> > index 9322ce6..d95b478 100644
> > --- a/lib/librte_vhost/vhost_rxtx.c
> > +++ b/lib/librte_vhost/vhost_rxtx.c
> > @@ -453,7 +453,7 @@ update_secure_len(struct vhost_virtqueue *vq, uint32_t id,
> >  		vq->buf_vec[vec_id].desc_idx = idx;
> >  		vec_id++;
> >
> > -		if (vq->desc[idx].flags & VRING_DESC_F_NEXT) {
> > +		if (vq->desc[idx].flags & VRING_DESC_F_NEXT && vec_id < BUF_VECTOR_MAX) {
> >  			idx = vq->desc[idx].next;
> >  			next_desc = 1;
> >  		}
> > --
> > 1.9.1
>
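Review bot: `notify_destroy_device(dev)` in the reset_owner() hunk is not defined anywhere in this mail, and the hunk carries no `diff --git` or index header, so a reader cannot tell which vhost PMD series it applies on top of; suggest naming that series (or the commit that introduces `notify_destroy_device`) in the sentence before the hunk so the reproduction recipe is self-contained.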
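Review bot: in the update_secure_len() hunk, `vec_id < BUF_VECTOR_MAX` does stop the walk before buf_vec[] is overrun, but when the cap is reached the `if` is simply skipped and `next_desc` is left unset, which is exactly the path a normally terminated chain takes, so the caller cannot tell a chain that ended from one that was cut short (a descriptor cycle now becomes BUF_VECTOR_MAX steps of silent truncation); suggest returning an error in that case so the packet is dropped rather than handled over a partial buffer list. Also put parentheses around the bit test, `(vq->desc[idx].flags & VRING_DESC_F_NEXT) && vec_id < BUF_VECTOR_MAX`: `&` already binds tighter than `&&`, but the intent reads more clearly with them.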
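An added example, not code from this thread or from DPDK: a bounded descriptor-chain walk in the spirit of the update_secure_len fix, run over constructed rings for a normal chain, the descriptor cycle the commit message describes, and a `next` index pointing outside the ring. The struct layouts, `BUF_VECTOR_MAX` of 4 and `VQ_SIZE` of 8 are assumptions, and unlike the patch it reports hitting the cap as an error instead of silently stopping.

```c
#include <stdint.h>
#define VRING_DESC_F_NEXT 1
#define BUF_VECTOR_MAX    4   /* assumed small cap so the tests reach it quickly */
#define VQ_SIZE           8   /* constructed ring size */
struct vring_desc { uint64_t addr; uint32_t len; uint16_t flags; uint16_t next; };
struct buf_vector { uint64_t buf_addr; uint32_t buf_len; uint32_t desc_idx; };

/* Collect the chain starting at head_idx into buf_vec[BUF_VECTOR_MAX].
 * Returns the descriptor count, or -1 when the chain would exceed
 * BUF_VECTOR_MAX (this also bounds a cycle) or points outside the ring. */
int walk_desc_chain(const struct vring_desc *desc, uint16_t vq_size,
                    uint16_t head_idx, struct buf_vector *buf_vec)
{
    uint32_t vec_id = 0;
    uint16_t idx = head_idx;
    for (;;) {
        /* desc[] lives in guest memory: index and chain length are untrusted. */
        if (idx >= vq_size || vec_id >= BUF_VECTOR_MAX)
            return -1;
        buf_vec[vec_id].buf_addr = desc[idx].addr;
        buf_vec[vec_id].buf_len  = desc[idx].len;
        buf_vec[vec_id].desc_idx = idx;
        vec_id++;
        if (!(desc[idx].flags & VRING_DESC_F_NEXT))
            return (int)vec_id;
        idx = desc[idx].next;   /* guest-chosen; re-checked at the top of the loop */
    }
}

/* Constructed rings (placeholder guest addresses) for the cases the thread raises. */
int demo_valid_chain(void)   /* 0 -> 1 -> 2 -> end: returns 3 */
{
    struct vring_desc d[VQ_SIZE] = { {0x1000, 64, VRING_DESC_F_NEXT, 1},
        {0x2000, 64, VRING_DESC_F_NEXT, 2}, {0x3000, 64, 0, 0} };
    struct buf_vector v[BUF_VECTOR_MAX];
    return walk_desc_chain(d, VQ_SIZE, 0, v);
}

int demo_cycle(void)         /* 0 -> 1 -> 0 -> ...: returns -1, no infinite loop */
{
    struct vring_desc d[VQ_SIZE] = { {0x1000, 64, VRING_DESC_F_NEXT, 1},
        {0x2000, 64, VRING_DESC_F_NEXT, 0} };
    struct buf_vector v[BUF_VECTOR_MAX];
    return walk_desc_chain(d, VQ_SIZE, 0, v);
}

int demo_out_of_ring(void)   /* next = 200 >= VQ_SIZE: returns -1 */
{
    struct vring_desc d[VQ_SIZE] = { {0x1000, 64, VRING_DESC_F_NEXT, 200} };
    struct buf_vector v[BUF_VECTOR_MAX];
    return walk_desc_chain(d, VQ_SIZE, 0, v);
}
```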