From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <dev-bounces@dpdk.org>
Received: from mails.dpdk.org (mails.dpdk.org [217.70.189.124]) by inbox.dpdk.org (Postfix) with ESMTP id 6791EA0575; Thu, 11 Mar 2021 13:02:45 +0100 (CET)
Received: from [217.70.189.124] (localhost [127.0.0.1]) by mails.dpdk.org (Postfix) with ESMTP id 9DDA922A429; Thu, 11 Mar 2021 13:02:24 +0100 (CET)
Received: from inbox.dpdk.org (inbox.dpdk.org [95.142.172.178]) by mails.dpdk.org (Postfix) with ESMTP id 5ABE222A364 for <dev@dpdk.org>; Thu, 11 Mar 2021 13:02:23 +0100 (CET)
Received: by inbox.dpdk.org (Postfix, from userid 33) id 4A85CA0578; Thu, 11 Mar 2021 13:02:23 +0100 (CET)
From: bugzilla@dpdk.org
To: dev@dpdk.org
Date: Thu, 11 Mar 2021 12:02:23 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: DPDK
X-Bugzilla-Component: vhost/virtio
X-Bugzilla-Version: 20.11
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: ferruh.yigit@intel.com
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution:
X-Bugzilla-Priority: High
X-Bugzilla-Assigned-To: dev@dpdk.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter cc target_milestone bug_group
Content-Type: text/plain; charset="UTF-8"
X-Bugzilla-URL: http://bugs.dpdk.org/
Auto-Submitted: auto-generated
X-Auto-Response-Suppress: All
MIME-Version: 1.0
Subject: [dpdk-dev] [Bug 656] CVE-YYYY-NNNN State: Report
X-BeenThere: dev@dpdk.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: DPDK patches and discussions <dev.dpdk.org>
Errors-To: dev-bounces@dpdk.org
Sender: "dev" <dev-bounces@dpdk.org>

https://bugs.dpdk.org/show_bug.cgi?id=656

            Bug ID: 656
           Summary: CVE-YYYY-NNNN State: Report
           Product: DPDK
           Version: 20.11
          Hardware: All
                OS: All
            Status: UNCONFIRMED
          Severity: normal
          Priority: High
         Component: vhost/virtio
          Assignee: dev@dpdk.org
          Reporter: ferruh.yigit@intel.com
                CC: ferruh.yigit@intel.com, maxime.coquelin@redhat.com,
                    security@dpdk.org, stephen@networkplumber.org,
                    thomas@monjalon.net
  Target Milestone: ---
             Group: security

Report From: dsfasd daf
Report Date: Thu, 11 Mar 2021 10:24:24 +0000

Report:

Dear maintainers,

I'm writing this email to report a security issue.

Description:

Vhost-user allocates temporary file descriptors when receiving multiple
vhost-user messages. However, in some situations where the content of a
message is abnormal, the file descriptor resources are sometimes not cleaned
up. Malicious containers can send endless messages with wrong content to
drain the file descriptors.

Evidence:

For example, in the vhost_user_set_mem_table() function, if a malicious guest
sends a memory table message indicating that the memory regions exceed the
maximum number, an error is returned without fd clean-up.

    if (memory->nregions > VHOST_MEMORY_MAX_NREGIONS) {
        VHOST_LOG_CONFIG(ERR, "too many memory regions (%u)\n",
            memory->nregions);
        return RTE_VHOST_MSG_RESULT_ERR;
    }

This issue touches many places that return 'RTE_VHOST_MSG_RESULT_ERR' but do
not clean up fd resources. After checking, the target functions are
vhost_user_set_mem_table() and vhost_user_set_log_base().

Fix:

I have also prepared the fix patch; it just adds close_msg_fds at these
locations.

Could you help to evaluate whether this issue qualifies as a security
vulnerability, so that it can enter the CVE process?

Thank you very much.

Best regards,
Xuan(Xarvier)

-- 
You are receiving this mail because:
You are the assignee for the bug.
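The descriptor leak the report describes, played out as an added example in C. This is not the reporter's patch and not DPDK's own code: the message struct, the constants (VHOST_MEMORY_MAX_NREGIONS set to 8, an 8-fd cap per message), close_msg_fds and both handler variants are stand-ins modelled on the check the report quotes, and the region fds a peer would pass over the vhost-user socket are replaced by descriptors opened on /dev/null so the leak can be measured offline.

```c
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

/* Assumed values for this example; the real limits live in DPDK's vhost
 * headers and are not reproduced here. */
#define VHOST_MEMORY_MAX_NREGIONS 8
#define VHOST_MSG_MAX_FDS 8

enum {
	RTE_VHOST_MSG_RESULT_ERR = -1,
	RTE_VHOST_MSG_RESULT_OK = 0,
};

/* Minimal stand-in for DPDK's VhostUserMsg: only the fields this example
 * needs. In the real protocol the region fds arrive via SCM_RIGHTS along
 * with the SET_MEM_TABLE payload, so the backend owns them on receipt. */
struct vhost_user_msg {
	uint32_t nregions;
	int fds[VHOST_MSG_MAX_FDS];
	int fd_num;
};

/* Release every fd that arrived with the message (stand-in for DPDK's
 * close_msg_fds, which the report proposes adding on the error paths). */
static void close_msg_fds(struct vhost_user_msg *msg)
{
	for (int i = 0; i < msg->fd_num; i++) {
		if (msg->fds[i] == -1)
			continue;
		close(msg->fds[i]);
		msg->fds[i] = -1;
	}
}

/* Leaky handler: the early return from the report, which rejects the
 * message without releasing the descriptors it carried. */
static int set_mem_table_leaky(struct vhost_user_msg *msg)
{
	if (msg->nregions > VHOST_MEMORY_MAX_NREGIONS)
		return RTE_VHOST_MSG_RESULT_ERR;	/* fds still open: leak */
	/* Success path: the real code mmaps each region and then closes its
	 * fd; the mapping is omitted here, only the fd lifecycle is modelled. */
	close_msg_fds(msg);
	return RTE_VHOST_MSG_RESULT_OK;
}

/* Fixed handler: same validation, but the fds are released before the
 * error is returned, so a rejected message costs the backend nothing. */
static int set_mem_table_fixed(struct vhost_user_msg *msg)
{
	if (msg->nregions > VHOST_MEMORY_MAX_NREGIONS) {
		close_msg_fds(msg);
		return RTE_VHOST_MSG_RESULT_ERR;
	}
	close_msg_fds(msg);
	return RTE_VHOST_MSG_RESULT_OK;
}

/* Count descriptors currently open in this process by probing each number
 * with fcntl(F_GETFD); 1024 is a convenient scan bound for the example. */
static int count_open_fds(void)
{
	int n = 0;
	for (int fd = 0; fd < 1024; fd++)
		if (fcntl(fd, F_GETFD) != -1)
			n++;
	return n;
}

/* Play the attack: `rounds` malformed SET_MEM_TABLE messages, each carrying
 * `nfds` descriptors (opened on /dev/null in place of the memfds a peer would
 * pass). Returns how many descriptors the handler left open afterwards. */
static int leaked_fds_after(int (*handler)(struct vhost_user_msg *),
			    int rounds, int nfds)
{
	int before = count_open_fds();

	for (int r = 0; r < rounds; r++) {
		struct vhost_user_msg msg = {
			.nregions = VHOST_MEMORY_MAX_NREGIONS + 1, /* over the limit */
			.fd_num = nfds,
		};
		for (int i = 0; i < nfds; i++)
			msg.fds[i] = open("/dev/null", O_RDONLY);
		handler(&msg);
	}
	return count_open_fds() - before;
}

int main(void)
{
	printf("leaky handler: %d fds still open after 10 bad messages\n",
	       leaked_fds_after(set_mem_table_leaky, 10, 4));
	printf("fixed handler: %d fds still open after 10 bad messages\n",
	       leaked_fds_after(set_mem_table_fixed, 10, 4));
	return 0;
}
```

Ten rejected messages with four descriptors each leave the leaky handler holding 40 extra descriptors, while the fixed handler holds none. Because the descriptors are transferred with SCM_RIGHTS, the receiving backend owns each one the moment the message is read, which is why a peer that keeps sending over-limit region counts can exhaust the backend's descriptor table without ever completing a valid SET_MEM_TABLE.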