From: Stephen Hemminger
Subject: Re: thoughts on DPDK after a few days of reading sources
Date: Thu, 11 Feb 2016 14:48:28 -0800
Message-ID: <20160211144828.1404e9c1@xeon-e3>
References: <20160211030540.GB25680@hunt>
In-Reply-To: <20160211030540.GB25680@hunt>
To: Seth Arnold
Cc: dev@dpdk.org
List-Id: patches and discussions about DPDK

On Wed, 10 Feb 2016 19:05:40 -0800
Seth Arnold wrote:

> - ./drivers/net/virtio/virtio_ethdev.c virtio_set_multiple_queues() calls
>   virtio_send_command(), which performs:
>   memcpy(vq->virtio_net_hdr_mz->addr, ctrl, sizeof(struct virtio_pmd_ctrl));
>   This copies a potentially huge amount of uninitialized data into ->addr
>   because the struct virtio_pmd_ctrl ctrl was not zeroed before being
>   passed. How much of this data leaves the system? Does this require a
>   CVE?

This is not really a security issue. The guest (virtio) has to trust the host
to follow the protocol. If the host is malicious there are far worse things it
can do.

In this case, the on-stack variable ctrl is only partially initialized, but it
is also only partially used. The hdr part (virtio_net_ctrl_hdr) is fully
initialized, and status is set to 0 in virtio_send_command.

Although partially uninitialized data is copied into the region shared with
the host, only the first part is actually referenced by the ring element:

    vq->vq_ring.desc[head].flags = VRING_DESC_F_NEXT;
    vq->vq_ring.desc[head].addr = vq->virtio_net_hdr_mz->phys_addr;
    vq->vq_ring.desc[head].len = sizeof(struct virtio_net_ctrl_hdr);

Therefore it is not a real problem.
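To make the two halves of the argument above concrete (stack residue does reach the shared region, but the descriptor only covers the header), here is an added example written for this page. It is not DPDK code: the struct layout, the 2048-byte payload capacity, the 0xA5 sentinel standing in for unpredictable stack contents, and the function names are all assumptions. It copies the whole struct the way the quoted memcpy does, counts how many sentinel bytes land inside versus outside the header-sized prefix the descriptor references, and then shows a variant that copies only the bytes the descriptor chain will use.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not DPDK code. Simplified model of the pattern discussed
 * above: a partially initialized on-stack control struct is memcpy'd whole
 * into memory the host can see, while the descriptor the host follows only
 * covers a prefix. Layout, sizes and the sentinel value are assumptions. */

/* Stands in for whatever happened to be on the stack; real contents are
 * unpredictable, a fixed byte just makes them countable. */
#define STACK_JUNK 0xA5u

struct virtio_net_ctrl_hdr {
    uint8_t class;
    uint8_t cmd;
};

#define CTRL_DATA_MAX 2048   /* assumed payload capacity */

struct virtio_pmd_ctrl {             /* loosely modelled on the DPDK struct */
    struct virtio_net_ctrl_hdr hdr;
    uint8_t data[CTRL_DATA_MAX];
    uint8_t status;
};

/* Stand-in for the host-shared region (vq->virtio_net_hdr_mz->addr). */
static uint8_t shared_region[sizeof(struct virtio_pmd_ctrl)];

#define MQ_PAIRS_LEN sizeof(uint16_t)

/* Build the command the way the thread describes: hdr and status are set,
 * the first bytes of data hold the payload, the rest is left as found. */
static void build_mq_command(struct virtio_pmd_ctrl *ctrl, uint16_t pairs)
{
    memset(ctrl, STACK_JUNK, sizeof *ctrl);   /* simulate "uninitialized" */
    ctrl->hdr.class = 4;   /* VIRTIO_NET_CTRL_MQ, per the virtio spec */
    ctrl->hdr.cmd = 0;     /* VIRTIO_NET_CTRL_MQ_VQ_PAIRS_SET */
    memcpy(ctrl->data, &pairs, MQ_PAIRS_LEN);
    ctrl->status = 0;
}

/* The pattern as quoted: copy the entire struct, junk included. */
static void send_command_whole(const struct virtio_pmd_ctrl *ctrl)
{
    memcpy(shared_region, ctrl, sizeof *ctrl);
}

/* Hardened variant: zero the shared region, then copy only the bytes the
 * descriptor chain will reference (header, payload, status slot). */
static void send_command_prefix(const struct virtio_pmd_ctrl *ctrl, size_t data_len)
{
    memset(shared_region, 0, sizeof shared_region);
    memcpy(shared_region, &ctrl->hdr, sizeof ctrl->hdr);
    memcpy(shared_region + sizeof ctrl->hdr, ctrl->data, data_len);
    shared_region[offsetof(struct virtio_pmd_ctrl, status)] = ctrl->status;
}

/* Count sentinel bytes in shared_region[from, to). */
static size_t junk_in(size_t from, size_t to)
{
    size_t n = 0;
    for (size_t i = from; i < to; i++)
        if (shared_region[i] == STACK_JUNK)
            n++;
    return n;
}

/* Junk inside the header the descriptor covers (len = sizeof hdr): 0. */
size_t junk_in_header_after_whole_copy(void)
{
    struct virtio_pmd_ctrl ctrl;
    build_mq_command(&ctrl, 2);
    send_command_whole(&ctrl);
    return junk_in(0, sizeof(struct virtio_net_ctrl_hdr));
}

/* Junk that reached shared memory beyond the header: everything in data[]
 * after the 2-byte payload, i.e. CTRL_DATA_MAX - 2 bytes. */
size_t junk_beyond_header_after_whole_copy(void)
{
    struct virtio_pmd_ctrl ctrl;
    build_mq_command(&ctrl, 2);
    send_command_whole(&ctrl);
    return junk_in(sizeof(struct virtio_net_ctrl_hdr), sizeof shared_region);
}

/* Same measurement after the prefix copy: nothing beyond the header. */
size_t junk_beyond_header_after_prefix_copy(void)
{
    struct virtio_pmd_ctrl ctrl;
    build_mq_command(&ctrl, 2);
    send_command_prefix(&ctrl, MQ_PAIRS_LEN);
    return junk_in(sizeof(struct virtio_net_ctrl_hdr), sizeof shared_region);
}

int main(void)
{
    printf("whole copy: %zu junk bytes in header, %zu beyond it\n",
           junk_in_header_after_whole_copy(),
           junk_beyond_header_after_whole_copy());
    printf("prefix copy: %zu junk bytes beyond header\n",
           junk_beyond_header_after_prefix_copy());
    return 0;
}
```

The whole-struct copy leaves the header clean, which is the part the quoted descriptor points at, but puts over two kilobytes of stack residue into host-visible memory that no descriptor covers. Whether that matters depends, as the reply says, on trusting the host; the prefix variant is the cheap way to make the question moot.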