From: Yuanhan Liu <yuanhan.liu@linux.intel.com>
To: dev@dpdk.org
Cc: Yuanhan Liu <yuanhan.liu@linux.intel.com>, stable@dpdk.org
Subject: [PATCH 1/3] vhost: fix dead loop in enqueue path
Date: Sun, 22 Jan 2017 16:46:58 +0800
Message-ID: <1485074820-8956-2-git-send-email-yuanhan.liu@linux.intel.com>
In-Reply-To: <1485074820-8956-1-git-send-email-yuanhan.liu@linux.intel.com>

If a malicious guest forges a dead loop desc chain (let desc->next point
to itself) and desc->len is zero, this could lead to a dead loop in
copy_mbuf_to_desc (the following is simplified code to show this issue
clearly):

    while (mbuf_is_not_totally_consumed) {
        if (desc_avail == 0) {
            desc = &descs[desc->next];
            desc_avail = desc->len;
        }
        COPY(desc, mbuf, desc_avail);
    }

I have actually fixed the same issue before: a436f53ebfeb ("vhost: avoid
dead loop chain"); it fixes the dequeue path though, leaving the enqueue
path still vulnerable.

The fix is the same. Add a var nr_desc to avoid the dead loop.

Fixes: f1a519ad981c ("vhost: fix enqueue/dequeue to handle chained vring descriptors")
Cc: stable@dpdk.org
Reported-by: Xieming Katty <katty.xieming@huawei.com>
Signed-off-by: Yuanhan Liu <yuanhan.liu@linux.intel.com>
---
lib/librte_vhost/virtio_net.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/librte_vhost/virtio_net.c b/lib/librte_vhost/virtio_net.c
index 595f67c..143c0fa 100644
--- a/lib/librte_vhost/virtio_net.c
+++ b/lib/librte_vhost/virtio_net.c
@@ -195,6 +195,8 @@ static inline int __attribute__((always_inline))
struct vring_desc *desc;
uint64_t desc_addr;
struct virtio_net_hdr_mrg_rxbuf virtio_hdr = {{0, 0, 0, 0, 0, 0}, 0};
+ /* A counter to avoid desc dead loop chain */
+ uint16_t nr_desc = 1;
desc = &descs[desc_idx];
desc_addr = gpa_to_vva(dev, desc->addr);
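Review bot: nr_desc is declared uint16_t on the added line, but the second hunk compares it against size with ++nr_desc > size. If size can ever reach 65535 or be held in a wider type, the counter wraps before the comparison can become true and the guard never fires. Declare nr_desc with the same type as size (or a wider one), and extend the comment to say that it counts descriptors visited and starts at 1 because descs[desc_idx] is already in use.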
@@ -233,7 +235,7 @@ static inline int __attribute__((always_inline))
/* Room in vring buffer is not enough */
return -1;
}
- if (unlikely(desc->next >= size))
+ if (unlikely(desc->next >= size || ++nr_desc > size))
return -1;
desc = &descs[desc->next];
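Review bot: the ++nr_desc side effect on the changed line sits inside the unlikely() condition, after ||, so the increment runs only when desc->next >= size is false. That is correct today because the other case returns, but it is easy to break in a later edit; incrementing on its own line before the check would make the bound explicit. This path also returns the same -1 as the "Room in vring buffer is not enough" case just above, so the caller cannot tell a malformed chain from a full ring. A debug log at this return would help operators notice a misbehaving guest.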
--
1.9.0
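
The bounded chain walk this patch describes, as an added example that is not part of the original message or the DPDK source. struct desc, has_next, walk_chain and the two sample rings are hypothetical names constructed for illustration, and the counter is 32-bit here rather than the patch's uint16_t.

```c
#include <stdint.h>

/* Constructed stand-in for a vring descriptor: only what the walk needs. */
struct desc {
    uint32_t len;      /* bytes offered by this descriptor */
    uint16_t next;     /* guest-controlled index of the next descriptor */
    uint8_t  has_next; /* stand-in for the "chain continues" flag */
};

/* Constructed rings, size 4: a zero-length self-loop and a full valid chain. */
static const struct desc loop_ring[4] = { {0, 0, 1} };
static const struct desc full_ring[4] = { {8, 1, 1}, {8, 2, 1}, {8, 3, 1}, {8, 0, 0} };

/* Account for `need` bytes over the chain at `head`; returns the number of
 * descriptors used, or -1 if the chain is too short or malformed. */
static int walk_chain(const struct desc *ring, uint16_t size,
                      uint16_t head, uint32_t need)
{
    uint32_t nr_desc = 1; /* descriptors visited, counting the head; cannot wrap */
    uint32_t avail;
    const struct desc *d;

    if (head >= size)
        return -1;
    d = &ring[head];
    avail = d->len;
    while (need > 0) {
        if (avail == 0) {
            if (!d->has_next)
                return -1;        /* not enough room in the chain */
            if (d->next >= size || ++nr_desc > size)
                return -1;        /* bad index, or more hops than ring entries */
            d = &ring[d->next];
            avail = d->len;
            continue;             /* re-check: the new descriptor may be empty too */
        }
        uint32_t n = need < avail ? need : avail;
        need -= n;
        avail -= n;
    }
    return (int)nr_desc;
}

int main(void)
{
    /* Self-loop is rejected after at most `size` hops; full chain still passes. */
    return (walk_chain(loop_ring, 4, 0, 64) == -1 &&
            walk_chain(full_ring, 4, 0, 32) == 4) ? 0 : 1;
}
```

A legitimate chain that uses every entry in the ring still passes, because the bound rejects only the hop that would make the count exceed the ring size.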
Thread overview: 8+ messages
2017-01-22 8:46 [PATCH 0/3] few virtio/vhost fixes Yuanhan Liu
2017-01-22 8:46 ` Yuanhan Liu [this message]
2017-01-23 7:56 ` [PATCH 1/3] vhost: fix dead loop in enqueue path Maxime Coquelin
2017-01-22 8:46 ` [PATCH 2/3] vhost: fix long stall of vhost-user negotiation Yuanhan Liu
2017-01-23 8:25 ` Maxime Coquelin
2017-01-22 8:47 ` [PATCH 3/3] net/virtio: fix crash when number of virtio devices > 1 Yuanhan Liu
2017-01-23 7:58 ` Maxime Coquelin
2017-01-23 10:57 ` [PATCH 0/3] few virtio/vhost fixes Yuanhan Liu