From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-bounces@dpdk.org>
Received: from dpdk.org (dpdk.org [92.243.14.124])
	by inbox.dpdk.org (Postfix) with ESMTP id 707E5A04C5
	for <public@inbox.dpdk.org>; Fri, 15 Nov 2019 11:36:43 +0100 (CET)
Received: from [92.243.14.124] (localhost [127.0.0.1])
	by dpdk.org (Postfix) with ESMTP id 6690A235;
	Fri, 15 Nov 2019 11:36:43 +0100 (CET)
Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com
 [205.139.110.120]) by dpdk.org (Postfix) with ESMTP id DFC0B235
 for <stable@dpdk.org>; Fri, 15 Nov 2019 11:36:42 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;
 s=mimecast20190719; t=1573814202;
 h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
 content-transfer-encoding:content-transfer-encoding;
 bh=oHWCkgJHSpnaJfiZVuEJFdKelgDuBfENNt3iAYxYppA=;
 b=PQQ7I0kqTujkJ900/g+XTwIYMS62h//1Zv0OE30Imf8pVmVPtlRo1s0bOo9i74jZqyMMDP
 91jlEzSy076mO66jW2brAd+WGGa5tNzthxtKaxc3jNnxnE1GvCaqKNnLCaKnwB8j9HKxRx
 +Ig9Bulre39/SJ5eajnnaSLWfCFu6oQ=
Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com
 [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id
 us-mta-222-oPOW2wBEMxaeMuW0It5Plw-1; Fri, 15 Nov 2019 05:36:38 -0500
Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com
 [10.5.11.15])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 96BD3107ACCD;
 Fri, 15 Nov 2019 10:36:37 +0000 (UTC)
Received: from localhost.localdomain (unknown [10.36.112.10])
 by smtp.corp.redhat.com (Postfix) with ESMTP id 53A846293B;
 Fri, 15 Nov 2019 10:36:33 +0000 (UTC)
From: Maxime Coquelin <maxime.coquelin@redhat.com>
To: stable@dpdk.org,
	tiwei.bie@intel.com
Cc: Zhike Wang <wangzk320@163.com>,
 Maxime Coquelin <maxime.coquelin@redhat.com>
Date: Fri, 15 Nov 2019 11:36:30 +0100
Message-Id: <20191115103630.17906-1-maxime.coquelin@redhat.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15
X-MC-Unique: oPOW2wBEMxaeMuW0It5Plw-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: quoted-printable
Subject: [dpdk-stable] [17.11 LTS PATCH v2] vhost: fix vring requests
	validation broken if no FD
X-BeenThere: stable@dpdk.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: patches for DPDK stable branches <stable.dpdk.org>
List-Unsubscribe: <https://mails.dpdk.org/options/stable>,
 <mailto:stable-request@dpdk.org?subject=unsubscribe>
List-Archive: <http://mails.dpdk.org/archives/stable/>
List-Post: <mailto:stable@dpdk.org>
List-Help: <mailto:stable-request@dpdk.org?subject=help>
List-Subscribe: <https://mails.dpdk.org/listinfo/stable>,
 <mailto:stable-request@dpdk.org?subject=subscribe>
Errors-To: stable-bounces@dpdk.org
Sender: "stable" <stable-bounces@dpdk.org>

From: Zhike Wang <wangzk320@163.com>

When VHOST_USER_VRING_NOFD_MASK is set, the fd_num is 0,
so validate_msg_fds() will return an error. In this case,
the negotiation of vring messages between the vhost user front end and
back end would fail, and as a result, the vhost user link could NOT be up.

How to reproduce:
1. Run dpdk testpmd inside a VM, which is located on a host with ovs+dpdk.
2. Notice that inside ovs there are endless logs regarding failure to
handle VHOST_USER_SET_VRING_CALL, and the link of the VM could NOT be up.

Fixes: 1f6147d9a01f ("vhost: fix possible denial of service by leaking FDs")
Cc: stable@dpdk.org

Signed-off-by: Zhike Wang <wangzk320@163.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
 lib/librte_vhost/vhost_user.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index d4643dc350..155394a6d9 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -1409,6 +1409,7 @@ vhost_user_msg_handler(int vid, int fd)
 =09struct VhostUserMsg msg;
 =09int ret;
 =09int unlock_required =3D 0;
+=09int expected_fds;
=20
 =09dev =3D get_device(vid);
 =09if (dev =3D=3D NULL)
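Review bot: expected_fds is declared at the top of vhost_user_msg_handler() without an initializer, yet only the three vring cases in the next hunk assign it. Declaring it inside a braced block in those arms would keep any other case from reading it unset and would make its limited lifetime obvious.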
@@ -1586,20 +1587,26 @@ vhost_user_msg_handler(int vid, int fd)
 =09=09break;
=20
 =09case VHOST_USER_SET_VRING_KICK:
-=09=09if (validate_msg_fds(&msg, 1) !=3D 0)
+=09=09expected_fds =3D
+=09=09=09(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1;
+=09=09if (validate_msg_fds(&msg, expected_fds) !=3D 0)
 =09=09=09return -1;
=20
 =09=09vhost_user_set_vring_kick(&dev, &msg);
 =09=09break;
 =09case VHOST_USER_SET_VRING_CALL:
-=09=09if (validate_msg_fds(&msg, 1) !=3D 0)
+=09=09expected_fds =3D
+=09=09=09(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1;
+=09=09if (validate_msg_fds(&msg, expected_fds) !=3D 0)
 =09=09=09return -1;
=20
 =09=09vhost_user_set_vring_call(dev, &msg);
 =09=09break;
=20
 =09case VHOST_USER_SET_VRING_ERR:
-=09=09if (validate_msg_fds(&msg, 1) !=3D 0)
+=09=09expected_fds =3D
+=09=09=09(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1;
+=09=09if (validate_msg_fds(&msg, expected_fds) !=3D 0)
 =09=09=09return -1;
=20
 =09=09if (!(msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK))
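Review bot: the expression (msg.payload.u64 & VHOST_USER_VRING_NOFD_MASK) ? 0 : 1 is repeated verbatim in the KICK, CALL and ERR arms, and the ERR arm then tests the same mask a second time on the context line that follows. A small static helper that returns the expected FD count for a vring message would keep the three checks from drifting apart. Since the commit named in Fixes: was about leaking FDs, it is also worth stating in the commit message that a message with the NOFD bit set but a descriptor attached is still rejected by validate_msg_fds(&msg, 0), so the relaxed check does not reopen that path.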
--=20
2.21.0