patches for DPDK stable branches
From: Ferruh Yigit <>
Cc: Ferruh Yigit <>,
	Maxime Coquelin <>,
	Ilja Van Sprundel <>,
	Xiaolong Ye <>
Subject: [dpdk-stable] [PATCH v18.11 2/3] vhost: fix vring index check
Date: Mon, 18 May 2020 14:18:49 +0100
Message-ID: <> (raw)
In-Reply-To: <>

From: Maxime Coquelin <>

vhost_user_check_and_alloc_queue_pair() is used to extract
a vring index from a payload. This function validates the
index and is called early on when performing message
handling. Most message handlers depend on it correctly
validating the vring index.

Depending on the message type the vring index is in
different parts of the payload. The function contains a
switch/case for each type and copies the index. This is
stored in a uint16. This index is then validated. Depending
on the message, the source index is an unsigned int. If
integer truncation occurs (uint->uint16) the top 16 bits
of the index are never validated.

When they are used later on (e.g. in
vhost_user_set_vring_num() or vhost_user_set_vring_addr())
it can lead to out of bound indexing. The out of bound
indexed data gets written to, and hence this can cause
memory corruption.

This patch fixes this vulnerability by declaring vring
index as an unsigned int in

Fixes: 160cbc815b41 ("vhost: remove a hack on queue allocation")

This issue has been assigned CVE-2020-10723

Reported-by: Ilja Van Sprundel <>
Signed-off-by: Maxime Coquelin <>
Reviewed-by: Xiaolong Ye <>
Reviewed-by: Ilja Van Sprundel <>
 lib/librte_vhost/vhost_user.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index 8d78c11b9b..e4f72ba876 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -2062,7 +2062,7 @@ static int
 vhost_user_check_and_alloc_queue_pair(struct virtio_net *dev,
 			struct VhostUserMsg *msg)
-	uint16_t vring_idx;
+	uint32_t vring_idx;
 	switch (msg->request.master) {
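
Review bot: At the vring_idx declaration, the commit message says the index is declared "as an unsigned int" while the hunk uses uint32_t, and the message's sentence stops at "in" without naming the function. Please complete that sentence and make the wording match the type actually used. A one-line comment on the declaration, stating that its width must cover the widest index field in the payload, would help keep a later cleanup from narrowing it again. It is also worth confirming that the handlers the message names, vhost_user_set_vring_num() and vhost_user_set_vring_addr(), do not copy the index into a narrower local of their own, since the hunk only widens the variable in vhost_user_check_and_alloc_queue_pair().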

Thread overview: 4+ messages
2020-05-18 13:18 [dpdk-stable] [PATCH v18.11 0/3] Fix vhost security issues Ferruh Yigit
2020-05-18 13:18 ` [dpdk-stable] [PATCH v18.11 1/3] vhost: check log mmap offset and size overflow Ferruh Yigit
2020-05-18 13:18 ` Ferruh Yigit [this message]
2020-05-18 13:18 ` [dpdk-stable] [PATCH v18.11 3/3] vhost/crypto: validate keys lengths Ferruh Yigit
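
The truncate-then-validate pattern described in the commit message, as an added example that is not part of the original patch or of the DPDK sources. All toy_* names, the TOY_MAX_VRING limit, the 0xff mask and the sample index are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>

#define TOY_MAX_VRING 256u /* hypothetical limit, not from the DPDK sources */
enum toy_req { TOY_SET_NUM, TOY_SET_KICK }; /* hypothetical message types */

struct toy_msg {
	enum toy_req req;
	union {
		struct { unsigned int index, num; } state; /* 32-bit index */
		uint64_t u64;                              /* index in low byte */
	} payload;
};

/* Copy the index out of the payload as the commit message describes:
 * one switch case per message type. */
static uint32_t toy_extract(const struct toy_msg *m)
{
	switch (m->req) {
	case TOY_SET_NUM:  return m->payload.state.index;
	case TOY_SET_KICK: return (uint32_t)(m->payload.u64 & 0xff);
	}
	return UINT32_MAX; /* unknown type: never passes the range check */
}

/* Before: the index lands in a uint16_t, so bits 16..31 are dropped
 * before the range check. Returns 1 when the check passes. */
static int toy_check_u16(const struct toy_msg *m)
{
	uint16_t vring_idx = (uint16_t)toy_extract(m);
	return vring_idx < TOY_MAX_VRING;
}

/* After: the same check with a 32-bit local, as in the one-line fix. */
static int toy_check_u32(const struct toy_msg *m)
{
	uint32_t vring_idx = toy_extract(m);
	return vring_idx < TOY_MAX_VRING;
}

int main(void)
{
	/* Constructed message: low 16 bits in range, high 16 bits set. */
	struct toy_msg m = { .req = TOY_SET_NUM };
	m.payload.state.index = 0x00010001u;
	printf("u16: %d, u32: %d\n", toy_check_u16(&m), toy_check_u32(&m));
	return 0;
}
```

The narrow check accepts the constructed index because it only sees the low 16 bits, while any later code reading the payload field sees the full 32-bit value; the wide check rejects it.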
