From f110daae0d7d033db151d2791f6555546d5144ac Mon Sep 17 00:00:00 2001 From: Maxime Coquelin Date: Fri, 23 Aug 2019 15:17:05 +0200 Subject: [v18.11 PATCH v2 1/2] vhost: fix possible denial of service on SET_VRING_NUM vhost_user_set_vring_num() performs multiple allocations without checking whether data were previously allocated. It may cause a denial of service because of the memory leaks that happen if a malicious vhost-user master keeps sending VHOST_USER_SET_VRING_NUM request until the slave runs out of memory. This issue has been assigned CVE-2019-14818 Reported-by: Jason Wang Signed-off-by: Maxime Coquelin --- lib/librte_vhost/vhost_user.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c index 5552f8bbfb..457e62d97e 100644 --- a/lib/librte_vhost/vhost_user.c +++ b/lib/librte_vhost/vhost_user.c @@ -346,6 +346,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev, vq->nr_zmbuf = 0; vq->last_zmbuf_idx = 0; vq->zmbuf_size = vq->size; + if (vq->zmbufs) + rte_free(vq->zmbufs); vq->zmbufs = rte_zmalloc(NULL, vq->zmbuf_size * sizeof(struct zcopy_mbuf), 0); if (vq->zmbufs == NULL) { @@ -358,6 +360,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev, } if (vq_is_packed(dev)) { + if (vq->shadow_used_packed) + rte_free(vq->shadow_used_packed); vq->shadow_used_packed = rte_malloc(NULL, vq->size * sizeof(struct vring_used_elem_packed), @@ -369,6 +373,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev, } } else { + if (vq->shadow_used_split) + rte_free(vq->shadow_used_split); vq->shadow_used_split = rte_malloc(NULL, vq->size * sizeof(struct vring_used_elem), RTE_CACHE_LINE_SIZE); @@ -379,6 +385,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev, } } + if (vq->batch_copy_elems) + rte_free(vq->batch_copy_elems); vq->batch_copy_elems = rte_malloc(NULL, vq->size * sizeof(struct batch_copy_elem), RTE_CACHE_LINE_SIZE); -- 2.21.0