forked from pool/dpdk
dpdk/0001-vhost-fix-possible-denial-of-service-on-SET_VRING_NU.patch
Tomáš Chvátal 0ad0608403 Accepting request 749659 from home:jaicaa:branches:network
- Add version to the PMD driver directory to avoid loading previous
  version drivers (bsc#1157179).
- Update to 18.11.3 (bsc#1156146). For a list of fixes check:
  * https://doc.dpdk.org/guides-18.11/rel_notes/release_18_11.html#fixes
- Add patches to fix vulnerability where malicious container can trigger
  a denial of service (CVE-2019-14818, bsc#1156146)
  * 0001-vhost-fix-possible-denial-of-service-on-SET_VRING_NU.patch
  * 0002-vhost-fix-possible-denial-of-service-by-leaking-FDs.patch
- Removed patches already included upstream:
  * dpdk-fix-implicit-fallthrough-warning.patch

OBS-URL: https://build.opensuse.org/request/show/749659
OBS-URL: https://build.opensuse.org/package/show/network/dpdk?expand=0&rev=111
2019-11-20 06:22:42 +00:00


From f110daae0d7d033db151d2791f6555546d5144ac Mon Sep 17 00:00:00 2001
From: Maxime Coquelin <maxime.coquelin@redhat.com>
Date: Fri, 23 Aug 2019 15:17:05 +0200
Subject: [v18.11 PATCH v2 1/2] vhost: fix possible denial of service on
SET_VRING_NUM
vhost_user_set_vring_num() performs multiple allocations
without checking whether data were previously allocated.
It may cause a denial of service because of the memory leaks
that happen if a malicious vhost-user master keeps sending
VHOST_USER_SET_VRING_NUM request until the slave runs out
of memory.
This issue has been assigned CVE-2019-14818
Reported-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
---
lib/librte_vhost/vhost_user.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/lib/librte_vhost/vhost_user.c b/lib/librte_vhost/vhost_user.c
index 5552f8bbfb..457e62d97e 100644
--- a/lib/librte_vhost/vhost_user.c
+++ b/lib/librte_vhost/vhost_user.c
@@ -346,6 +346,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev,
vq->nr_zmbuf = 0;
vq->last_zmbuf_idx = 0;
vq->zmbuf_size = vq->size;
+ if (vq->zmbufs)
+ rte_free(vq->zmbufs);
vq->zmbufs = rte_zmalloc(NULL, vq->zmbuf_size *
sizeof(struct zcopy_mbuf), 0);
if (vq->zmbufs == NULL) {
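Review bot: the `if (vq->zmbufs)` guard in front of `rte_free(vq->zmbufs)` is redundant, because rte_free() does nothing when it is passed NULL. The two added lines can be reduced to the single call `rte_free(vq->zmbufs);`, and the same holds for the other three guards added in this patch.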
@@ -358,6 +360,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev,
}
if (vq_is_packed(dev)) {
+ if (vq->shadow_used_packed)
+ rte_free(vq->shadow_used_packed);
vq->shadow_used_packed = rte_malloc(NULL,
vq->size *
sizeof(struct vring_used_elem_packed),
@@ -369,6 +373,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev,
}
} else {
+ if (vq->shadow_used_split)
+ rte_free(vq->shadow_used_split);
vq->shadow_used_split = rte_malloc(NULL,
vq->size * sizeof(struct vring_used_elem),
RTE_CACHE_LINE_SIZE);
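Review bot: in the `vq_is_packed(dev)` branch and in this `else` branch, only the shadow array for the ring layout currently in use is freed before the new allocation. If `shadow_used_packed` and `shadow_used_split` are separate fields, and an earlier VHOST_USER_SET_VRING_NUM was handled under the other layout, that earlier buffer would not be released by either branch. Either free both pointers ahead of the `if`, or add a comment stating why the two can never be live at the same time.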
@@ -379,6 +385,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev,
}
}
+ if (vq->batch_copy_elems)
+ rte_free(vq->batch_copy_elems);
vq->batch_copy_elems = rte_malloc(NULL,
vq->size * sizeof(struct batch_copy_elem),
RTE_CACHE_LINE_SIZE);
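Review bot: the added `rte_free(vq->batch_copy_elems)` has no comment, like the other three free-before-allocate sites in this function. A one-line comment saying that the master may send VHOST_USER_SET_VRING_NUM more than once, so buffers from an earlier request have to be released first, would keep a later cleanup from removing these calls as dead code. Since the same pattern now appears four times, a small helper that frees and then reallocates would give that comment a single home.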
--
2.21.0