From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id A34B8A0093 for ; Mon, 18 May 2020 15:18:21 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id A180C1D578; Mon, 18 May 2020 15:18:19 +0200 (CEST) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by dpdk.org (Postfix) with ESMTP id 94AE41D578 for ; Mon, 18 May 2020 15:18:17 +0200 (CEST) IronPort-SDR: 31vRSDLCNZ0BS2tzH+14KqwpXMgw2x2bMfjEPc4/zuItKStvq5r9IcEpd0jSbL3XPqaNylHw4D 8EewFGYhoq1w== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 May 2020 06:18:17 -0700 IronPort-SDR: JgiV/3MnZuqrhQIaOSiG3zZgSjL6Iji+1uxxLFlxjR4ujkijyIzNVlrb5ov4Cof3APfNc7hJL/ 4YEJrYV/loXA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.73,407,1583222400"; d="scan'208";a="281970150" Received: from silpixa00399752.ir.intel.com (HELO silpixa00399752.ger.corp.intel.com) ([10.237.222.180]) by orsmga002.jf.intel.com with ESMTP; 18 May 2020 06:18:16 -0700 From: Ferruh Yigit To: stable@dpdk.org Cc: Ferruh Yigit , Marvin Liu , Maxime Coquelin Date: Mon, 18 May 2020 14:18:03 +0100 Message-Id: <20200518131805.716052-5-ferruh.yigit@intel.com> X-Mailer: git-send-email 2.25.4 In-Reply-To: <20200518131805.716052-1-ferruh.yigit@intel.com> References: <20200518131805.716052-1-ferruh.yigit@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [dpdk-stable] [PATCH v20.02 4/6] vhost: fix translated address not checked X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" From: Marvin Liu Malicious guest can construct desc with invalid address and zero buffer length. That will request vhost to check both translated address and translated data length. This patch will add missed address check. Fixes: 75ed51697820 ("vhost: add packed ring batch dequeue") Fixes: ef861692c398 ("vhost: add packed ring batch enqueue") Cc: stable@dpdk.org This issue has been assigned CVE-2020-10725 Signed-off-by: Marvin Liu Reviewed-by: Maxime Coquelin --- lib/librte_vhost/virtio_net.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c index 37c47c7dc0..6b06a3229a 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c @@ -1086,6 +1086,8 @@ virtio_dev_rx_batch_packed(struct virtio_net *dev, VHOST_ACCESS_RW); vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) { + if (unlikely(!desc_addrs[i])) + return -1; if (unlikely(lens[i] != descs[avail_idx + i].len)) return -1; } @@ -1841,6 +1843,8 @@ vhost_reserve_avail_batch_packed(struct virtio_net *dev, } vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) { + if (unlikely(!desc_addrs[i])) + return -1; if (unlikely((lens[i] != descs[avail_idx + i].len))) return -1; } -- 2.25.2