From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 1BC0AA04B6 for ; Tue, 12 Nov 2019 16:20:09 +0100 (CET) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id 4C6AA1BEB5; Tue, 12 Nov 2019 16:19:59 +0100 (CET) Received: from us-smtp-delivery-1.mimecast.com (us-smtp-2.mimecast.com [205.139.110.61]) by dpdk.org (Postfix) with ESMTP id AF5E72B99 for ; Tue, 12 Nov 2019 16:19:52 +0100 (CET) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1573571992; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ww/AEYapqWv4x3/nxQTWy8kgwxHTbFNVPekDykTvgm4=; b=DZHBwKjOOzJea8y79cyr7qwW5V/yC7MV8nBMRXFx/RyvvEI5G+tS2Z688yBD26/5zZOH1t J6fEhH5yH4o/XXGaLRkmBun28dMQ94ntSpKiBP/MbqOK1WKXIB5gDwgecJU+tlIJaoGuNz lHG3Q0EfnpbgyJxssc6LENJxlSZASZE= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-42-DEUJne21NLKy3WH8i8uEYQ-1; Tue, 12 Nov 2019 10:19:51 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 2AECA13B327; Tue, 12 Nov 2019 15:19:50 +0000 (UTC) Received: from localhost.localdomain (ovpn-112-39.ams2.redhat.com [10.36.112.39]) by smtp.corp.redhat.com (Postfix) with ESMTP id 39D0F299C0; Tue, 12 Nov 2019 15:19:47 +0000 (UTC) 
From: Maxime Coquelin To: dev@dpdk.org, stable@dpdk.org Cc: Maxime Coquelin Date: Tue, 12 Nov 2019 16:19:27 +0100 Message-Id: <20191112151927.27418-4-maxime.coquelin@redhat.com> In-Reply-To: <20191112151927.27418-1-maxime.coquelin@redhat.com> References: <20191112151927.27418-1-maxime.coquelin@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-MC-Unique: DEUJne21NLKy3WH8i8uEYQ-1 X-Mimecast-Spam-Score: 0 Content-Type: text/plain; charset=WINDOWS-1252 Content-Transfer-Encoding: quoted-printable Subject: [dpdk-stable] [v17.11 PATCH v2 4/4] vhost: fix possible denial of service by leaking FDs X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" A malicious Vhost-user master could send in loop hand-crafted vhost-user messages containing more file descriptors the vhost-user slave expects. Doing so causes the application using the vhost-user library to run out of FDs. This issue has been assigned CVE-2019-14818 Fixes: 8f972312b8f4 ("vhost: support vhost-user") Signed-off-by: Maxime Coquelin
---
lib/librte_vhost/vhost_user.c | 95 +++++++++++++++++++++++++++++++++++ 1 file changed, 95 insertions(+)
diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index 781734e9e3..d4643dc350 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -81,6 +81,36 @@ static const char *vhost_message_str[VHOST_USER_MAX] =3D= {
 =09[VHOST_USER_IOTLB_MSG] =3D "VHOST_USER_IOTLB_MSG",
 };
=20
+static void
+close_msg_fds(struct VhostUserMsg *msg)
+{
+=09int i;
+
+=09for (i =3D 0; i < msg->fd_num; i++)
+=09=09close(msg->fds[i]);
+}
+
+/*
+ * Ensure the expected number of FDs is received,
+ * close all FDs and return an error if this is not the case.
+ */
+static int
+validate_msg_fds(struct VhostUserMsg *msg, int expected_fds)
+{
+=09if (msg->fd_num =3D=3D expected_fds)
+=09=09return 0;
+
+=09RTE_LOG(ERR, VHOST_CONFIG,
+=09=09" Expect %d FDs for request %s, received %d\n",
+=09=09expected_fds,
+=09=09vhost_message_str[msg->request.master],
+=09=09msg->fd_num);
+
+=09close_msg_fds(msg);
+
+=09return -1;
+}
+
 static uint64_t
 get_blk_size(int fd)
 {
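Review bot: close_msg_fds() closes every descriptor in msg->fds but leaves msg->fd_num and the fds[] slots untouched, so any later pass over the same message (or a future caller that does not return immediately after validate_msg_fds() fails) would close the same descriptors a second time; resetting the count after the loop, `msg->fd_num = 0;`, or writing -1 into each closed slot, makes the helper safe to call more than once. The callers added in the other hunks all return -1 straight after a failed validation, so with this patch alone it is only a latent hazard. validate_msg_fds() also indexes vhost_message_str[] by msg->request.master in its log line, which presumably relies on the caller having already rejected requests >= VHOST_USER_MAX before the switch; that pre-check is outside this hunk and deserves a sentence in the helper's comment, e.g. `/* msg->request.master must already be < VHOST_USER_MAX */`. A minor type point: expected_fds is int while the SET_MEM_TABLE caller passes an unsigned nregions, so the comparison with msg->fd_num happens after an implicit narrowing conversion.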
@@ -1458,34 +1488,58 @@ vhost_user_msg_handler(int vid, int fd)
=20
 =09switch (msg.request.master) {
 =09case VHOST_USER_GET_FEATURES:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
+
 =09=09msg.payload.u64 =3D vhost_user_get_features(dev);
 =09=09msg.size =3D sizeof(msg.payload.u64);
 =09=09send_vhost_reply(fd, &msg);
 =09=09break;
 =09case VHOST_USER_SET_FEATURES:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
+
 =09=09vhost_user_set_features(dev, msg.payload.u64);
 =09=09break;
=20
 =09case VHOST_USER_GET_PROTOCOL_FEATURES:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
+
 =09=09vhost_user_get_protocol_features(dev, &msg);
 =09=09send_vhost_reply(fd, &msg);
 =09=09break;
 =09case VHOST_USER_SET_PROTOCOL_FEATURES:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
+
 =09=09vhost_user_set_protocol_features(dev, msg.payload.u64);
 =09=09break;
=20
 =09case VHOST_USER_SET_OWNER:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
+
 =09=09vhost_user_set_owner();
 =09=09break;
 =09case VHOST_USER_RESET_OWNER:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
+
 =09=09vhost_user_reset_owner(dev);
 =09=09break;
=20
 =09case VHOST_USER_SET_MEM_TABLE:
+=09=09if (validate_msg_fds(&msg, msg.payload.memory.nregions) !=3D 0)
+=09=09=09return -1;
+
 =09=09ret =3D vhost_user_set_mem_table(&dev, &msg);
 =09=09break;
=20
 =09case VHOST_USER_SET_LOG_BASE:
+=09=09if (validate_msg_fds(&msg, 1) !=3D 0)
+=09=09=09return -1;
+
 =09=09vhost_user_set_log_base(dev, &msg);
=20
 =09=09/*
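Review bot: The VHOST_USER_SET_MEM_TABLE check compares msg.fd_num against msg.payload.memory.nregions, a value the master itself supplies, so it only proves that two master-controlled counts agree; it does not bound nregions. That is still the right outcome provided the receive path caps fd_num at the size of msg.fds (not visible here): an oversized nregions can then never match and the descriptors are closed, but the dependency should be stated at the call, e.g. `/* nregions is master-supplied; fd_num is capped by the receive path, so a bogus count mismatches and is rejected */`. The existing range check on nregions inside vhost_user_set_mem_table (outside the hunk) must stay, since this guard does not replace it. vhost_user_msg_handler begins and ends outside this hunk.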
@@ -1496,61 +1550,102 @@ vhost_user_msg_handler(int vid, int fd)
 =09=09send_vhost_reply(fd, &msg);
 =09=09break;
 =09case VHOST_USER_SET_LOG_FD:
+=09=09if (validate_msg_fds(&msg, 1) !=3D 0)
+=09=09=09return -1;
+
 =09=09close(msg.fds[0]);
 =09=09RTE_LOG(INFO, VHOST_CONFIG, "not implemented.\n");
 =09=09break;
=20
 =09case VHOST_USER_SET_VRING_NUM:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
+
 =09=09vhost_user_set_vring_num(dev, &msg);
 =09=09break;
 =09case VHOST_USER_SET_VRING_ADDR:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
+
 =09=09vhost_user_set_vring_addr(&dev, &msg);
 =09=09break;
 =09case VHOST_USER_SET_VRING_BASE:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
+
 =09=09vhost_user_set_vring_base(dev, &msg);
 =09=09break;
=20
 =09case VHOST_USER_GET_VRING_BASE:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
+
 =09=09vhost_user_get_vring_base(dev, &msg);
 =09=09msg.size =3D sizeof(msg.payload.state);
 =09=09send_vhost_reply(fd, &msg);
 =09=09break;
=20
 =09case VHOST_USER_SET_VRING_KICK:
+=09=09if (validate_msg_fds(&msg, 1) !=3D 0)
+=09=09=09return -1;
+
 =09=09vhost_user_set_vring_kick(&dev, &msg);
 =09=09break;
 =09case VHOST_USER_SET_VRING_CALL:
+=09=09if (validate_msg_fds(&msg, 1) !=3D 0)
+=09=09=09return -1;
+
 =09=09vhost_user_set_vring_call(dev, &msg);
 =09=09break;
=20
 =09case VHOST_USER_SET_VRING_ERR:
+=09=09if (validate_msg_fds(&msg, 1) !=3D 0)
+=09=09=09return -1;
+
 =09=09if (!(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK))
 =09=09=09close(msg.fds[0]);
 =09=09RTE_LOG(INFO, VHOST_CONFIG, "not implemented\n");
 =09=09break;
=20
 =09case VHOST_USER_GET_QUEUE_NUM:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
 =09=09msg.payload.u64 =3D VHOST_MAX_QUEUE_PAIRS;
 =09=09msg.size =3D sizeof(msg.payload.u64);
 =09=09send_vhost_reply(fd, &msg);
 =09=09break;
=20
 =09case VHOST_USER_SET_VRING_ENABLE:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
+
 =09=09vhost_user_set_vring_enable(dev, &msg);
 =09=09break;
 =09case VHOST_USER_SEND_RARP:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
+
 =09=09vhost_user_send_rarp(dev, &msg);
 =09=09break;
=20
 =09case VHOST_USER_NET_SET_MTU:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
+
 =09=09ret =3D vhost_user_net_set_mtu(dev, &msg);
 =09=09break;
=20
 =09case VHOST_USER_SET_SLAVE_REQ_FD:
+=09=09if (validate_msg_fds(&msg, 1) !=3D 0)
+=09=09=09return -1;
+
 =09=09ret =3D vhost_user_set_req_fd(dev, &msg);
 =09=09break;
=20
 =09case VHOST_USER_IOTLB_MSG:
+=09=09if (validate_msg_fds(&msg, 0) !=3D 0)
+=09=09=09return -1;
+
 =09=09ret =3D vhost_user_iotlb_msg(&dev, &msg);
 =09=09break;
=20
--=20
2.21.0
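Review bot: The VHOST_USER_SET_VRING_ERR case now demands exactly one descriptor, yet the pre-existing close() two lines below is itself skipped when VHOST_USER_VRING_NOFD_MASK is set, i.e. such a message legitimately carries no descriptor; with this patch a NOFD message fails validate_msg_fds() and the handler returns -1 instead of accepting it. The expected count should follow the mask, `if (validate_msg_fds(&msg, (msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1) != 0)`. The same applies to the VHOST_USER_SET_VRING_KICK and VHOST_USER_SET_VRING_CALL cases in this hunk if their handlers (outside the hunk) honour the NOFD bit in the same way, which I believe they do. Separately, the VHOST_USER_GET_QUEUE_NUM case is the only one missing the blank line after the check, and the switch's `default:` branch lies outside the hunk — if it does not call close_msg_fds(), an unrecognised request that carries descriptors would still leak them.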