From: Maxime Coquelin <maxime.coquelin@redhat.com>
To: dev@dpdk.org, tiwei.bie@intel.com, zhihong.wang@intel.com
Cc: Maxime Coquelin <maxime.coquelin@redhat.com>,
stable@dpdk.org, Ilja Van Sprundel <ivansprundel@ioactive.com>
Subject: [dpdk-stable] [PATCH] vhost: catch overflow causing mmap of size 0
Date: Thu, 16 Jan 2020 11:44:27 +0100 [thread overview]
Message-ID: <20200116104427.3810-1-maxime.coquelin@redhat.com> (raw)
This patch catches an overflow that could happen if an
invalid region size or page alignement is provided by the
guest via the VHOST_USER_SET_MEM_TABLE request.
If the sum of the size to mmap and the alignment overflows
uint64_t, then RTE_ALIGN_CEIL(mmap_size, alignment) macro
will return 0. This value was passed as is as size argument
to mmap().
While kernel handling of mmap() syscall returns an error
if size is 0, it is better to catch it earlier and provide
a meaningful error log.
Fixes: ec09c280b839 ("vhost: fix mmap not aligned with hugepage size")
Cc: stable@dpdk.org
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
lib/librte_vhost/vhost_user.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index 0b7d1e288e..41ec069cb6 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -1145,6 +1145,21 @@ vhost_user_set_mem_table(struct virtio_net **pdev, struct VhostUserMsg *msg,
goto err_mmap;
}
mmap_size = RTE_ALIGN_CEIL(mmap_size, alignment);
+ if (mmap_size == 0) {
+ /*
+ * It could happen if initial mmap_size + alignment
+ * overflows the sizeof uint64, which could happen if
+ * either mmap_size or alignment value is wrong.
+ *
+ * mmap() kernel implementation would return an error,
+ * but better catch it before and provide useful info
+ * in the logs.
+ */
+ VHOST_LOG_CONFIG(ERR, "mmap size (0x%" PRIx64 ") "
+ "or alignment (0x%" PRIx64 ") is invalid\n",
+ reg->size + mmap_offset, alignment);
+ goto err_mmap;
+ }
populate = (dev->dequeue_zero_copy) ? MAP_POPULATE : 0;
mmap_addr = mmap(NULL, mmap_size, PROT_READ | PROT_WRITE,
--
2.21.0
next reply other threads:[~2020-01-16 10:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-16 10:44 Maxime Coquelin [this message]
2020-01-17 7:51 ` Tiwei Bie
2020-02-05 9:49 ` Maxime Coquelin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200116104427.3810-1-maxime.coquelin@redhat.com \
--to=maxime.coquelin@redhat.com \
--cc=dev@dpdk.org \
--cc=ivansprundel@ioactive.com \
--cc=stable@dpdk.org \
--cc=tiwei.bie@intel.com \
--cc=zhihong.wang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).