From: Xueming Li
To: Marvin Liu
CC: Luca Boccassi, Maxime Coquelin, dpdk stable
Date: Tue, 11 May 2021 00:01:11 +0800
Message-ID: <20210510160258.30982-122-xuemingl@nvidia.com>
In-Reply-To: <20210510160258.30982-1-xuemingl@nvidia.com>
References: <20210510160258.30982-1-xuemingl@nvidia.com>
Subject: [dpdk-stable] patch 'vhost: fix packed ring potential buffer overflow' has been queued to stable release 20.11.2
List-Id: patches for DPDK stable branches

Hi,

FYI, your patch has been queued to stable release 20.11.2

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 05/12/21. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch.
If there were code changes for rebasing (ie: not only metadata diffs), please double check that the rebase was correctly done. Queued patches are on a temporary branch at: https://github.com/steevenlee/dpdk This queued commit can be viewed at: https://github.com/steevenlee/dpdk/commit/358cba78c0bb02a9e0a1692d5735f633bafdae1b Thanks. Xueming Li --- >From 358cba78c0bb02a9e0a1692d5735f633bafdae1b Mon Sep 17 00:00:00 2001 From: Marvin Liu Date: Wed, 31 Mar 2021 14:49:38 +0800 Subject: [PATCH] vhost: fix packed ring potential buffer overflow Cc: Luca Boccassi [ upstream commit 93ed2f49dec5bee1dfc221c8644c22b351496776 ] Similar as split ring, the multiple accesses of descriptor length will lead to potential risk. One-time access of descriptor length can eliminate this risk. Fixes: 2f3225a7d69b ("vhost: add vector filling support for packed ring") Signed-off-by: Marvin Liu Reviewed-by: Maxime Coquelin --- lib/librte_vhost/virtio_net.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c index 891a089f75..8baabe75ec 100644 --- a/lib/librte_vhost/virtio_net.c +++ b/lib/librte_vhost/virtio_net.c @@ -692,9 +692,10 @@ fill_vec_buf_packed_indirect(struct virtio_net *dev, return -1; } - *len += descs[i].len; + dlen = descs[i].len; + *len += dlen; if (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id, - descs[i].addr, descs[i].len, + descs[i].addr, dlen, perm))) return -1; } @@ -715,6 +716,7 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq, bool wrap_counter = vq->avail_wrap_counter; struct vring_packed_desc *descs = vq->desc_packed; uint16_t vec_id = *vec_idx; + uint64_t dlen; if (avail_idx < vq->last_avail_idx) wrap_counter ^= 1; 
@@ -747,11 +749,12 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq, len, perm) < 0)) return -1; } else { - *len += descs[avail_idx].len; + dlen = descs[avail_idx].len; + *len += dlen; if (unlikely(map_one_desc(dev, vq, buf_vec, &vec_id, descs[avail_idx].addr, - descs[avail_idx].len, + dlen, perm))) return -1; } -- 2.25.1 --- Diff of the applied patch vs upstream commit (please double-check if non-empty: --- --- - 2021-05-10 23:59:29.772858700 +0800 +++ 0123-vhost-fix-packed-ring-potential-buffer-overflow.patch 2021-05-10 23:59:26.520000000 +0800 @@ -1 +1 @@ -From 93ed2f49dec5bee1dfc221c8644c22b351496776 Mon Sep 17 00:00:00 2001 +From 358cba78c0bb02a9e0a1692d5735f633bafdae1b Mon Sep 17 00:00:00 2001 @@ -4,0 +5,3 @@ +Cc: Luca Boccassi + +[ upstream commit 93ed2f49dec5bee1dfc221c8644c22b351496776 ] @@ -11 +13,0 @@ -Cc: stable@dpdk.org @@ -20 +22 @@ -index 852b4ec9f5..d07b30ed7f 100644 +index 891a089f75..8baabe75ec 100644 @@ -23 +25 @@ -@@ -669,9 +669,10 @@ fill_vec_buf_packed_indirect(struct virtio_net *dev, +@@ -692,9 +692,10 @@ fill_vec_buf_packed_indirect(struct virtio_net *dev, @@ -36 +38 @@ -@@ -692,6 +693,7 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq, +@@ -715,6 +716,7 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq, @@ -44 +46 @@ -@@ -724,11 +726,12 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq, +@@ -747,11 +749,12 @@ fill_vec_buf_packed(struct virtio_net *dev, struct vhost_virtqueue *vq,
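
Review bot: in the fill_vec_buf_packed_indirect() hunk, `dlen = descs[i].len;` is a plain load, so nothing in the visible lines prevents the compiler from reading descs[i].len a second time when dlen is passed to map_one_desc(), which would bring back the double access the commit message sets out to eliminate. Consider making the read a volatile access or following the assignment with rte_compiler_barrier(), so the value added to *len is guaranteed to be the value that gets mapped. This hunk also adds no declaration for dlen, unlike the fill_vec_buf_packed() hunk, so it is worth confirming on the 20.11 branch that the local already present in this function has the intended type.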
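
Review bot: in the fill_vec_buf_packed() hunks, the new `dlen = descs[avail_idx].len;` copy carries no comment saying why the length is read once, and the commit message only says "potential risk". A one-line comment above the assignment stating that the descriptor length must be read a single time, because the same value has to feed both `*len += dlen;` and map_one_desc(), would keep a later cleanup from folding the local back into two reads of descs[avail_idx].len. The `uint64_t dlen;` declaration could also move into the else branch, the only place it is used in the visible lines.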