From: Maxime Coquelin <maxime.coquelin@redhat.com>
To: dev@dpdk.org, stable@dpdk.org
Cc: Maxime Coquelin <maxime.coquelin@redhat.com>,
Jason Wang <jasowang@redhat.com>
Subject: [dpdk-stable] [v16.11 PATCH v2 3/4] vhost: fix possible denial of service on SET_VRING_NUM
Date: Tue, 12 Nov 2019 16:18:51 +0100 [thread overview]
Message-ID: <20191112151852.27341-3-maxime.coquelin@redhat.com> (raw)
In-Reply-To: <20191112151852.27341-1-maxime.coquelin@redhat.com>
vhost_user_set_vring_num() performs multiple allocations
without checking whether data were previously allocated.
It may cause a denial of service because of the memory leaks
that happen if a malicious vhost-user master keeps sending
VHOST_USER_SET_VRING_NUM request until the slave runs out
of memory.
This issue has been assigned CVE-2019-14818
Reported-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
lib/librte_vhost/vhost_user.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index b8f6a9fba5..cebc72f78f 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -204,6 +204,8 @@ vhost_user_set_vring_num(struct virtio_net *dev,
vq->nr_zmbuf = 0;
vq->last_zmbuf_idx = 0;
vq->zmbuf_size = vq->size;
+ if (vq->zmbufs)
+ rte_free(vq->zmbufs);
vq->zmbufs = rte_zmalloc(NULL, vq->zmbuf_size *
sizeof(struct zcopy_mbuf), 0);
if (vq->zmbufs == NULL) {
@@ -213,7 +215,8 @@ vhost_user_set_vring_num(struct virtio_net *dev,
dev->dequeue_zero_copy = 0;
}
}
-
+ if (vq->shadow_used_ring)
+ rte_free(vq->shadow_used_ring);
vq->shadow_used_ring = rte_malloc(NULL,
vq->size * sizeof(struct vring_used_elem),
RTE_CACHE_LINE_SIZE);
--
2.21.0
next prev parent reply other threads:[~2019-11-12 15:19 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <b45c3416-0b1d-0ee4-89eb-c23a69e7cef3@intel.com>
2019-11-12 15:18 ` [dpdk-stable] [v16.11 PATCH v2 1/4] vhost: validate virtqueue size Maxime Coquelin
2019-11-12 15:18 ` [dpdk-stable] [v16.11 PATCH v2 2/4] vhost: add number of fds to vhost-user messages Maxime Coquelin
2019-11-12 15:18 ` Maxime Coquelin [this message]
2019-11-12 15:18 ` [dpdk-stable] [v16.11 PATCH v2 4/4] vhost: fix possible denial of service by leaking FDs Maxime Coquelin
2019-11-12 15:19 ` [dpdk-stable] [v17.11 PATCH v2 1/4] vhost: validate virtqueue size Maxime Coquelin
2019-11-12 15:19 ` [dpdk-stable] [v17.11 PATCH v2 2/4] vhost: add number of fds to vhost-user messages Maxime Coquelin
2019-11-12 15:19 ` [dpdk-stable] [v17.11 PATCH v2 3/4] vhost: fix possible denial of service on SET_VRING_NUM Maxime Coquelin
2019-11-12 15:19 ` [dpdk-stable] [v17.11 PATCH v2 4/4] vhost: fix possible denial of service by leaking FDs Maxime Coquelin
2019-11-12 15:19 ` [dpdk-stable] [v18.11 PATCH v2 1/2] vhost: fix possible denial of service on SET_VRING_NUM Maxime Coquelin
2019-11-12 15:19 ` [dpdk-stable] [v18.11 PATCH v2 2/2] vhost: fix possible denial of service by leaking FDs Maxime Coquelin
2019-11-12 15:29 ` Kevin Traynor
2019-11-12 15:29 ` [dpdk-stable] [v18.11 PATCH v2 1/2] vhost: fix possible denial of service on SET_VRING_NUM Kevin Traynor
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191112151852.27341-3-maxime.coquelin@redhat.com \
--to=maxime.coquelin@redhat.com \
--cc=dev@dpdk.org \
--cc=jasowang@redhat.com \
--cc=stable@dpdk.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).