From: Ferruh Yigit
To: stable@dpdk.org
Cc: Ferruh Yigit, Marvin Liu, Maxime Coquelin
Date: Mon, 18 May 2020 14:19:11 +0100
Message-Id: <20200518131913.716252-5-ferruh.yigit@intel.com>
In-Reply-To: <20200518131913.716252-1-ferruh.yigit@intel.com>
References: <20200518131913.716252-1-ferruh.yigit@intel.com>
Subject: [dpdk-stable] [PATCH v19.11 4/6] vhost: fix translated address not checked
List-Id: patches for DPDK stable branches

From: Marvin Liu

Malicious guest can construct desc with invalid address and zero buffer length. That will request vhost to check both translated address and translated data length. This patch will add missed address check.

Fixes: 75ed51697820 ("vhost: add packed ring batch dequeue")
Fixes: ef861692c398 ("vhost: add packed ring batch enqueue")
Cc: stable@dpdk.org

This issue has been assigned CVE-2020-10725

Signed-off-by: Marvin Liu
Reviewed-by: Maxime Coquelin
--- lib/librte_vhost/virtio_net.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c index ac2842b2d2..33f10258cf 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c @@ -1086,6 +1086,8 @@ virtio_dev_rx_batch_packed(struct virtio_net *dev, VHOST_ACCESS_RW); vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) { + if (unlikely(!desc_addrs[i])) + return -1; if (unlikely(lens[i] != descs[avail_idx + i].len)) return -1; } @@ -1841,6 +1843,8 @@ vhost_reserve_avail_batch_packed(struct virtio_net *dev, } vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) { + if (unlikely(!desc_addrs[i])) + return -1; if (unlikely((lens[i] != descs[avail_idx + i].len))) return -1; } -- 2.25.2
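Review bot: in the virtio_dev_rx_batch_packed hunk, the added `if (unlikely(!desc_addrs[i])) return -1;` carries no comment explaining why a zero translated address has to be rejected separately from the length comparison on the next line. The commit message gives the reason (a descriptor with an invalid address and zero buffer length, where the address and the translated length both need checking), and a one-line comment saying so above the check would stop a later cleanup from treating it as redundant with `lens[i] != descs[avail_idx + i].len`. Since both tests return -1, they could also be joined with `||` under a single `unlikely()`.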
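Review bot: the check added in the vhost_reserve_avail_batch_packed hunk duplicates, line for line, the one added in virtio_dev_rx_batch_packed, and the two loop bodies now differ only by the extra parentheses in the existing length comparison here. Consider moving the address and length validation into one small inline helper that takes desc_addrs, lens, descs and avail_idx, called from both batch paths, so the enqueue and dequeue sides cannot drift apart and any batch path added later picks up both checks together.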