dpdk/0004-vhost-fix-translated-address-not-checked.patch
Madhu Mohan Nelemane ebd2e5f1b0 Accepting request 807340 from home:jaicaa:branches:network
- Update to v19.11.1. For a list of changes, check:
  * https://doc.dpdk.org/guides/rel_notes/release_19_11.html#new-features 
- Removed patches no longer applying to the code base:
  * 0001-vhost-fix-possible-denial-of-service-on-SET_VRING_NU.patch
  * 0002-vhost-fix-possible-denial-of-service-by-leaking-FDs.patch
  * 0002-fix-cpu-compatibility.patch
- Rebased patches:
  * 0001-fix-cpu-compatibility.patch
- Add patches to fix vulnerability where malicious guest/container can
  cause resource leak resulting in a Denial-of-Service, or memory corruption
  and crash, or information leak in vhost-user backend application
  (bsc#1171477, CVE-2020-10722, CVE-2020-10723, CVE-2020-10724,
  CVE-2020-10725, CVE-2020-10726).
  * 0001-vhost-check-log-mmap-offset-and-size-overflow.patch
  * 0002-vhost-fix-vring-index-check.patch
  * 0003-vhost-crypto-validate-keys-lengths.patch
  * 0004-vhost-fix-translated-address-not-checked.patch
  * 0005-vhost-fix-potential-memory-space-leak.patch
  * 0006-vhost-fix-potential-fd-leak.patch

OBS-URL: https://build.opensuse.org/request/show/807340
OBS-URL: https://build.opensuse.org/package/show/network/dpdk?expand=0&rev=115
2020-05-20 09:15:07 +00:00

From c74f5a29dbb505bb31bec932a9bd77325e2ceea6 Mon Sep 17 00:00:00 2001
From: Marvin Liu <yong.liu@intel.com>
Date: Wed, 8 Apr 2020 17:13:55 +0800
Subject: [PATCH 4/6] vhost: fix translated address not checked
Malicious guest can construct desc with invalid address and zero buffer
length. That will request vhost to check both translated address and
translated data length. This patch will add missed address check.
Fixes: 75ed51697820 ("vhost: add packed ring batch dequeue")
Fixes: ef861692c398 ("vhost: add packed ring batch enqueue")
Cc: stable@dpdk.org
This issue has been assigned CVE-2020-10725
Signed-off-by: Marvin Liu <yong.liu@intel.com>
Reviewed-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
lib/librte_vhost/virtio_net.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index ac2842b2d2..33f10258cf 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -1086,6 +1086,8 @@ virtio_dev_rx_batch_packed(struct virtio_net *dev,
VHOST_ACCESS_RW);
vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {
+ if (unlikely(!desc_addrs[i]))
+ return -1;
if (unlikely(lens[i] != descs[avail_idx + i].len))
return -1;
}
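
Review bot: the added `!desc_addrs[i]` test in virtio_dev_rx_batch_packed carries no comment explaining why it is needed next to the length comparison that follows it. Per the commit message, the case being closed is a descriptor with an invalid address and zero buffer length, where comparing `lens[i]` with `descs[avail_idx + i].len` alone does not reveal the failed translation. A one-line comment stating that would keep a later cleanup from treating the address test as redundant and removing it. Placing the address test before the length test and reusing the existing `return -1` path looks right.
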
@@ -1841,6 +1843,8 @@ vhost_reserve_avail_batch_packed(struct virtio_net *dev,
}
vhost_for_each_try_unroll(i, 0, PACKED_BATCH_SIZE) {
+ if (unlikely(!desc_addrs[i]))
+ return -1;
if (unlikely((lens[i] != descs[avail_idx + i].len)))
return -1;
}
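
Review bot: the two lines added in vhost_reserve_avail_batch_packed are identical to the ones added in virtio_dev_rx_batch_packed, so the enqueue and dequeue batch paths now each carry their own copy of the same address-and-length validation loop. Consider moving the pair of checks into one shared inline helper that both loops call, so a future validation change cannot land in one path and be missed in the other. As a minor style point, the context line here writes `unlikely((lens[i] != descs[avail_idx + i].len))` with doubled parentheses while the other function uses single ones; a helper would also remove that inconsistency.
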
--
2.25.2