From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from dpdk.org (dpdk.org [92.243.14.124]) by inbox.dpdk.org (Postfix) with ESMTP id 21C5EA0093 for ; Mon, 18 May 2020 15:18:36 +0200 (CEST) Received: from [92.243.14.124] (localhost [127.0.0.1]) by dpdk.org (Postfix) with ESMTP id C20241BF9E; Mon, 18 May 2020 15:18:27 +0200 (CEST) Received: from mga05.intel.com (mga05.intel.com [192.55.52.43]) by dpdk.org (Postfix) with ESMTP id 7CBD11D514 for ; Mon, 18 May 2020 15:18:25 +0200 (CEST) IronPort-SDR: 2MWyALJ6UoBxR0/KzUxIbtIk/3ZMMkjyc4re7klccRv0BrFCb4ATds6e0kFwQWYS0RdQMvYjcE kQ8f+UTWqdYA== X-Amp-Result: SKIPPED(no attachment in message) X-Amp-File-Uploaded: False Received: from orsmga002.jf.intel.com ([10.7.209.21]) by fmsmga105.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 18 May 2020 06:18:25 -0700 IronPort-SDR: /oNT3BKJmjsvV8bMooKDXeDUio8X3XZE5GanEH0ZKHiXcXsUSS5uezNYPoLQgtnjLnZjlTSe0G pTZVOfxOjNgA== X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.73,407,1583222400"; d="scan'208";a="281970238" Received: from silpixa00399752.ir.intel.com (HELO silpixa00399752.ger.corp.intel.com) ([10.237.222.180]) by orsmga002.jf.intel.com with ESMTP; 18 May 2020 06:18:23 -0700 From: Ferruh Yigit To: stable@dpdk.org Cc: Ferruh Yigit , Xuan Ding , Xiaolong Ye , Maxime Coquelin Date: Mon, 18 May 2020 14:18:05 +0100 Message-Id: <20200518131805.716052-7-ferruh.yigit@intel.com> X-Mailer: git-send-email 2.25.4 In-Reply-To: <20200518131805.716052-1-ferruh.yigit@intel.com> References: <20200518131805.716052-1-ferruh.yigit@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Subject: [dpdk-stable] [PATCH v20.02 6/6] vhost: fix potential fd leak X-BeenThere: stable@dpdk.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: patches for DPDK stable branches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: stable-bounces@dpdk.org Sender: "stable" From: Xuan Ding Vhost will create temporary file when receiving VHOST_USER_GET_INFLIGHT_FD message. Malicious guest can send endless this message to drain out the resource of host. When receiving VHOST_USER_GET_INFLIGHT_FD message repeatedly, closing the file created during the last handling of this message. Fixes: d87f1a1cb7b666550 ("vhost: support inflight info sharing") Cc: stable@dpdk.org This issue has been assigned CVE-2020-10726 Signed-off-by: Xuan Ding Signed-off-by: Xiaolong Ye Reviewed-by: Maxime Coquelin --- lib/librte_vhost/vhost_user.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index 0424e49cb8..0916f5abc0 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -206,7 +206,7 @@ vhost_backend_cleanup(struct virtio_net *dev) dev->inflight_info->addr = NULL; } - if (dev->inflight_info->fd > 0) { + if (dev->inflight_info->fd >= 0) { close(dev->inflight_info->fd); dev->inflight_info->fd = -1; } @@ -1408,6 +1408,7 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev, "failed to alloc dev inflight area\n"); return RTE_VHOST_MSG_RESULT_ERR; } + dev->inflight_info->fd = -1; } num_queues = msg->payload.inflight.num_queues; @@ -1438,6 +1439,11 @@ vhost_user_get_inflight_fd(struct virtio_net **pdev, dev->inflight_info->addr = NULL; } + if (dev->inflight_info->fd >= 0) { + close(dev->inflight_info->fd); + dev->inflight_info->fd = -1; + } + dev->inflight_info->addr = addr; dev->inflight_info->size = msg->payload.inflight.mmap_size = mmap_size; dev->inflight_info->fd = msg->fds[0] = fd; @@ -1520,6 +1526,7 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg, "failed to alloc dev inflight area\n"); return RTE_VHOST_MSG_RESULT_ERR; } + dev->inflight_info->fd = -1; } if (dev->inflight_info->addr) { @@ -1534,8 +1541,10 @@ vhost_user_set_inflight_fd(struct virtio_net **pdev, VhostUserMsg *msg, return RTE_VHOST_MSG_RESULT_ERR; } - if (dev->inflight_info->fd) + if (dev->inflight_info->fd >= 0) { close(dev->inflight_info->fd); + dev->inflight_info->fd = -1; + } dev->inflight_info->fd = fd; dev->inflight_info->addr = addr; -- 2.25.2