From: Xueming Li
To: Marvin Liu
CC: Luca Boccassi, Maxime Coquelin, dpdk stable
Date: Tue, 11 May 2021 00:01:10 +0800
Message-ID: <20210510160258.30982-121-xuemingl@nvidia.com>
In-Reply-To: <20210510160258.30982-1-xuemingl@nvidia.com>
References: <20210510160258.30982-1-xuemingl@nvidia.com>
Subject: [dpdk-stable] patch 'vhost: fix split ring potential buffer overflow' has been queued to stable release 20.11.2
List-Id: patches for DPDK stable branches

Hi,

FYI, your patch has been queued to stable release 20.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 05/12/21. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/steevenlee/dpdk

This queued commit can be viewed at:
https://github.com/steevenlee/dpdk/commit/25d53e1eb8d8b88503e606361900fac7215edf52

Thanks.

Xueming Li

---
From 25d53e1eb8d8b88503e606361900fac7215edf52 Mon Sep 17 00:00:00 2001
From: Marvin Liu
Date: Wed, 31 Mar 2021 14:49:37 +0800
Subject: [PATCH] vhost: fix split ring potential buffer overflow
Cc: Luca Boccassi

[ upstream commit 134228ca39ef0cfe325bc5f1d0df38c733ec9752 ]

In the vhost datapath, a descriptor's length is mostly used in two coherent
operations. The first step is address translation; the second step is the
memory transaction from guest to host. But the interval between the two steps
gives a window to a malicious guest, in which it can change the descriptor
length after vhost has calculated the buffer size. This may lead to a buffer
overflow on the vhost side.

This potential risk can be eliminated by accessing the descriptor length once.

Fixes: 1be4ebb1c464 ("vhost: support indirect descriptor in mergeable Rx")

Signed-off-by: Marvin Liu
Reviewed-by: Maxime Coquelin
---
 lib/librte_vhost/virtio_net.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c index 55bfc161b5..891a089f75 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c @@ -571,10 +571,11 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq, return -1; } - len += descs[idx].len; + dlen = descs[idx].len; + len += dlen; if (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id, - descs[idx].addr, descs[idx].len, + descs[idx].addr, dlen, perm))) { free_ind_table(idesc); return -1; -- 2.25.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2021-05-10 23:59:29.748036400 +0800 +++ 0122-vhost-fix-split-ring-potential-buffer-overflow.patch 2021-05-10 23:59:26.520000000 +0800 @@ -1 +1 @@ -From 134228ca39ef0cfe325bc5f1d0df38c733ec9752 Mon Sep 17 00:00:00 2001 +From 25d53e1eb8d8b88503e606361900fac7215edf52 Mon Sep 17 00:00:00 2001 @@ -4,0 +5,3 @@ +Cc: Luca Boccassi + +[ upstream commit 134228ca39ef0cfe325bc5f1d0df38c733ec9752 ] @@ -15 +17,0 @@ -Cc: stable@dpdk.org
@@ -24 +26 @@ -index 3d8e29df09..852b4ec9f5 100644 +index 55bfc161b5..891a089f75 100644 @@ -27 +29 @@ -@@ -548,10 +548,11 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq, +@@ -571,10 +571,11 @@ fill_vec_buf_split(struct virtio_net *dev, struct vhost_virtqueue *vq,
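Review bot: In the fill_vec_buf_split hunk, `dlen = descs[idx].len;` is a plain C load from guest-writable memory, so "read once" holds only as long as the compiler keeps `dlen` rather than re-materialising the load; if `descs` is not volatile-qualified, an explicit single-load accessor (for example `__atomic_load_n(&descs[idx].len, __ATOMIC_RELAXED)`) would make the intent binding and document it for the next reader. The snapshot also covers only `len`; `descs[idx].addr` is still read directly at the `map_one_desc` call, which is fine for the single consumer visible here, but any other read of the same descriptor elsewhere in the loop should get the same treatment. The diffstat (3 insertions, 2 deletions) matches the three `+` lines, so `dlen` is an existing variable in this function; worth confirming that reusing it does not clobber a value still needed later.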
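Review bot: The "Diff of the applied patch vs upstream commit" contains metadata only: the commit id in the From line, the added `Cc:`/`[ upstream commit ... ]` lines, the dropped `Cc: stable@dpdk.org`, the blob index hashes, and the hunk offset moving from `-548,10 +548,11` to `-571,10 +571,11`. No code lines differ from upstream, so no extra rebase check is needed beyond the queued commit itself.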
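The double fetch the commit message describes, shown as an added C example (this is not DPDK's code). It uses constructed stand-ins `sim_desc` and `sim_buf_vec` for the descriptor and the host-side vector, and a hypothetical hook `sim_guest_hook` that is called between the two reads to stand in for a concurrent guest write, which keeps the race deterministic. `sim_fill_double_fetch` has the shape of the removed line (length read for accounting, read again for the copy); `sim_fill_single_fetch` has the shape of the added lines (one snapshot into `dlen`). `sim_copy_would_overflow` reports whether a copy admitted on the accounted total would write more than that total; nothing is actually copied.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the vhost structures in the patch (example code,
 * not DPDK's). A split-ring descriptor lives in guest-shared memory, so the
 * host must treat every field as something the guest can change at any time;
 * volatile makes each read below a real load. */
struct sim_desc {
    uint64_t addr;
    uint32_t len;
};

struct sim_buf_vec {
    uint64_t addr;
    uint32_t len;
};

#define SIM_MAX_VEC 8

/* Hypothetical hook standing in for a concurrent guest write. Calling it
 * between the two reads makes the race deterministic for this demonstration. */
typedef void (*sim_guest_hook)(volatile struct sim_desc *d);

/* "Before" shape of the loop: descs[idx].len is read once to account the total
 * and read again to fill buf_vec (the two reads the commit message describes). */
static int sim_fill_double_fetch(volatile struct sim_desc *descs, int n,
                                 struct sim_buf_vec *buf_vec, uint32_t *total_len,
                                 sim_guest_hook hook)
{
    uint32_t len = 0;
    if (n < 0 || n > SIM_MAX_VEC)
        return -1;
    for (int idx = 0; idx < n; idx++) {
        len += descs[idx].len;              /* first read: size accounting */
        if (hook)
            hook(&descs[idx]);              /* the window a guest can use */
        buf_vec[idx].addr = descs[idx].addr;
        buf_vec[idx].len = descs[idx].len;  /* second read: what gets copied */
    }
    *total_len = len;
    return 0;
}

/* "After" shape: the length is loaded exactly once into dlen, and both the
 * accounting and buf_vec use that snapshot, so a later guest write cannot
 * make the two disagree. */
static int sim_fill_single_fetch(volatile struct sim_desc *descs, int n,
                                 struct sim_buf_vec *buf_vec, uint32_t *total_len,
                                 sim_guest_hook hook)
{
    uint32_t len = 0;
    if (n < 0 || n > SIM_MAX_VEC)
        return -1;
    for (int idx = 0; idx < n; idx++) {
        uint32_t dlen = descs[idx].len;     /* the only read of len */
        len += dlen;
        if (hook)
            hook(&descs[idx]);              /* same window, now harmless */
        buf_vec[idx].addr = descs[idx].addr;
        buf_vec[idx].len = dlen;
    }
    *total_len = len;
    return 0;
}

/* Host-side consumer: the copy is admitted on the accounted total, then each
 * buf_vec entry would be copied. Returns true when the entries add up to more
 * than the accounted total, i.e. the bounds check was satisfied by a number
 * that no longer describes the copy. Nothing is copied here. */
static bool sim_copy_would_overflow(const struct sim_buf_vec *buf_vec, int n,
                                    uint32_t accounted_len, uint32_t host_capacity)
{
    if (accounted_len > host_capacity)
        return false;                       /* rejected up front, no copy */
    uint64_t written = 0;
    for (int idx = 0; idx < n; idx++)
        written += buf_vec[idx].len;
    return written > accounted_len;
}

/* Constructed guest behaviour: grow the descriptor after the host read it. */
static void sim_guest_grows_len(volatile struct sim_desc *d)
{
    d->len = 4096;
}

/* Runs one variant against a constructed two-descriptor ring (64 bytes each,
 * host buffer of 256 bytes) and reports whether an over-long copy is admitted. */
static bool sim_demo(bool single_fetch)
{
    volatile struct sim_desc ring[2] = { { 0x1000, 64 }, { 0x2000, 64 } };
    struct sim_buf_vec buf_vec[SIM_MAX_VEC];
    uint32_t total = 0;
    int rc = single_fetch
        ? sim_fill_single_fetch(ring, 2, buf_vec, &total, sim_guest_grows_len)
        : sim_fill_double_fetch(ring, 2, buf_vec, &total, sim_guest_grows_len);
    if (rc != 0)
        return true;                        /* a failed fill is treated as unsafe */
    return sim_copy_would_overflow(buf_vec, 2, total, 256);
}

int main(void)
{
    printf("double fetch admits overflow: %s\n", sim_demo(false) ? "yes" : "no");
    printf("single fetch admits overflow: %s\n", sim_demo(true) ? "yes" : "no");
    return 0;
}
```

The point of the hook is only to make the window observable in a single thread; on real hardware the guest write lands whenever it lands, which is why the defence is to read the shared field exactly once and carry that value through every later decision, not to shrink the window.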