d/numam-dpdk
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

vhost: fix possible denial of service on SET_VRING_NUM

Browse Source 
vhost_user_set_vring_num() performs multiple allocations
without checking whether data were previously allocated.

It may cause a denial of service because of the memory leaks
that happen if a malicious vhost-user master keeps sending
VHOST_USER_SET_VRING_NUM request until the slave runs out
of memory.

This issue has been assigned CVE-2019-14818

Fixes: b0a985d1f340 ("vhost: add dequeue zero copy")

Reported-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Maxime Coquelin <maxime.coquelin@redhat.com>
This commit is contained in:
Maxime Coquelin 2019-08-23 15:17:05 +02:00 committed by David Marchand
parent 31aa07759e
commit 612e17cf6d
1 changed files with 8 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/librte_vhost/vhost_user.c
View File

@ -386,6 +386,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev,
vq->nr_zmbuf = 0;
vq->last_zmbuf_idx = 0;
vq->zmbuf_size = vq->size;
if (vq->zmbufs)
rte_free(vq->zmbufs);
vq->zmbufs = rte_zmalloc(NULL, vq->zmbuf_size *
sizeof(struct zcopy_mbuf), 0);
if (vq->zmbufs == NULL) {
@ -398,6 +400,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev,
}
if (vq_is_packed(dev)) {
if (vq->shadow_used_packed)
rte_free(vq->shadow_used_packed);
vq->shadow_used_packed = rte_malloc(NULL,
vq->size *
sizeof(struct vring_used_elem_packed),
@ -409,6 +413,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev,
}
} else {
if (vq->shadow_used_split)
rte_free(vq->shadow_used_split);
vq->shadow_used_split = rte_malloc(NULL,
vq->size * sizeof(struct vring_used_elem),
RTE_CACHE_LINE_SIZE);
@ -419,6 +425,8 @@ vhost_user_set_vring_num(struct virtio_net **pdev,
}
}
if (vq->batch_copy_elems)
rte_free(vq->batch_copy_elems);
vq->batch_copy_elems = rte_malloc(NULL,
vq->size * sizeof(struct batch_copy_elem),
RTE_CACHE_LINE_SIZE);