From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 324D0A04B6 for ; Tue, 12 Nov 2019 16:19:16 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 7DB8D2BEA; Tue, 12 Nov 2019 16:19:15 +0100 (CET) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) by dpdk.org (Postfix) with ESMTP id B56D72BBD for ; Tue, 12 Nov 2019 16:19:13 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1573571952; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=pTwYAtlciD5eaOrEMOa/82tuR1sjf0NC8wAmQ/V/t/0=; b=DTX9Rwf5lU8F+HhUZDyOq8GkQ1Xjao8Jlyk57mK5fzjR8fqN2ucfKUVCwHMiT0ACx9yxOp rdIBfgZqUpA3ZTBKpoPK4QGSBXH+G5TvYCH5NwWlehcPIUzS61QlBviGf/eX2/U4sbaceL gqmAFPopv66T4e0KPqk1qrduc5Ifys4= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-421-LyEhc0DyOrOzZ8OeBuzvew-1; Tue, 12 Nov 2019 10:19:11 -0500 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 0949C1320CD; Tue, 12 Nov 2019 15:19:11 +0000 (UTC) Received: from localhost.localdomain (ovpn-112-39.ams2.redhat.com [10.36.112.39]) by smtp.corp.redhat.com (Postfix) with ESMTP id 6F85C63641; Tue, 12 Nov 2019 15:19:08 +0000 (UTC) From: Maxime Coquelin To: dev@dpdk.org, stable@dpdk.org Cc: Maxime Coquelin , Jason Wang Date: Tue, 12 Nov 2019 16:18:51 +0100 Message-Id: <20191112151852.27341-3-maxime.coquelin@redhat.com> In-Reply-To: <20191112151852.27341-1-maxime.coquelin@redhat.com> References: <20191112151852.27341-1-maxime.coquelin@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 X-MC-Unique: LyEhc0DyOrOzZ8OeBuzvew-1 X-Mimecast-Spam-Score: 0 Content-Type: text/plain; charset=WINDOWS-1252 Content-Transfer-Encoding: quoted-printable Subject: [dpdk-stable] [v16.11 PATCH v2 3/4] vhost: fix possible denial of service on SET_VRING_NUM X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" vhost_user_set_vring_num() performs multiple allocations without checking whether data were previously allocated. It may cause a denial of service because of the memory leaks that happen if a malicious vhost-user master keeps sending VHOST_USER_SET_VRING_NUM request until the slave runs out of memory. This issue has been assigned CVE-2019-14818 Reported-by: Jason Wang Signed-off-by: Maxime Coquelin --- lib/librte_vhost/vhost_user.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index b8f6a9fba5..cebc72f78f 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -204,6 +204,8 @@ vhost_user_set_vring_num(struct virtio_net *dev, =09=09vq->nr_zmbuf =3D 0; =09=09vq->last_zmbuf_idx =3D 0; =09=09vq->zmbuf_size =3D vq->size; +=09=09if (vq->zmbufs) +=09=09=09rte_free(vq->zmbufs); =09=09vq->zmbufs =3D rte_zmalloc(NULL, vq->zmbuf_size * =09=09=09=09=09 sizeof(struct zcopy_mbuf), 0); =09=09if (vq->zmbufs =3D=3D NULL) { @@ -213,7 +215,8 @@ vhost_user_set_vring_num(struct virtio_net *dev, =09=09=09dev->dequeue_zero_copy =3D 0; =09=09} =09} - +=09if (vq->shadow_used_ring) +=09=09rte_free(vq->shadow_used_ring); =09vq->shadow_used_ring =3D rte_malloc(NULL, =09=09=09=09vq->size * sizeof(struct vring_used_elem), =09=09=09=09RTE_CACHE_LINE_SIZE); --=20 2.21.0